[midPoint] Import VS Recon for Initial Accounts

Thu Jun 25 09:07:19 CEST 2015

Hi Jason,

yes, if there are inbound mappings, they will be evaluated and
attributes can be modified back in the "source" resource according to
the mappings.

As a "hack" you can temporarily modify your resource settings by
commenting out all the outbounds and keep only inbounds. I usually
create a copy of the resource XML file and modify according to my needs.
After the import is done, you can reimport your original XML resource
which will have the outbounds. Sometimes I also change the name (not
oid) of the resource e.g. "AD - recon only" in the second XML file to be
sure what I'm using when I'm in GUI.

If this resource will be used for import, and then it becomes a target
resource, then /probably/ you need only inbounds during import and only
outbounds afterwards...

I'm doing a lot of reconciliations these days (connecting more target
systems) and I keep watching the email notifications during recon -
because the data ARE changing back on the reconciled resource (e.g. the
email address is copied from midPoint there replacing the original one),
or accounts are being disabled if users in midPoint are disabled etc. In
my case it's ok, because policy from midPoint is applied to these target
systems. During the initial import it's probably safer to have only
inbounds unless you need to modify some attribute back.

Take care especially for your <credentials> mapping.

Regards,
Ivan

On 06/24/2015 08:03 PM, Pavol Mederly wrote:
> Hello Jason,
>
> I would recommend import as the first step. However, concerning your
> last question, beware:
>
> The import *can* modify your AD accounts, if there are any outbound
> mappings.
>
> (Maybe Ivan could provide you with more detailed explanation.)
>
> Regards,
> Pavol
>
>
> On 24. 6. 2015 19:36, Jason Everling wrote:
>> Should I do the import task or a recon task to add all the initial
>> accounts from AD? Currently, there are not any accounts in midpoint,
>> AD is the main repo for accounts that will be used to create all the
>> accounts in midpoint.
>>
>> Should it be a import task to import all the accounts or recon? I am
>> thinking that import sounds better and then recon after i add my
>> other resources?
>>
>> Does import modify the accounts in AD as they are getting imported
>> into midpoint?
>>
>> JASON
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy
>> or use this e-mail or any attachments for any purpose, or disclose
>> all or any part of the contents to any person. Any views or opinions
>> expressed in this e-mail are those of the author and do not represent
>> those of the Baptist School of Health Professions. If you have
>> received this e-mail in error, or are not the named recipient(s), you
>> are hereby notified that any review, dissemination, distribution or
>> copying of this communication is prohibited by the sender and to do
>> so might constitute a violation of the Electronic Communications
>> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify
>> the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150625/eb54a47a/attachment.htm>