[midPoint] How to Filter HR Input

Sean R Penndorf srpenn at us.ibm.com
Wed Jan 3 22:54:32 CET 2018


Hi,

I'm working on a Midpoint proof of concept for my company.
One requirement we have is that a Midpoint user must exist in our HR 
directory. Employees deleted from HR must disable or delete the Midpoint 
user within 24 hours.
On the surface, sounds easy enough.  Here is where I'm having 
difficulties.

The HR directory contains approximately 380,000 employees and other 
accounts.
Our estimated use case for Midpoint for production is currently 5000 
users.
We have absolutely no authority to update any record in the HR directory.
The HR directory has enforced limitations on query sizes (in other words 
we can't just do a (uid=*)). I need to double-check, but I believe the 
maximum object query return is 10,000. Because there are thousands of apps 
that query our HR directory, the limit is there to keep the directory 
servers from getting bogged down.

Currently, when I run a Reconcile task, Midpoint processes about 1000-1200 
users or so and then it just hangs. No errors are recorded and the GUI 
appears as though the task is still running, but it is not updating.
Also, it seems rather pointless to have 380,000 shadow objects if we will 
only have 5000 Midpoint users.

Is there a way to filter, limit, or change the logic, so that we only pull 
(or create shadow objects) from the HR directory for those employees who 
already have a Midpoint user? (Hope I'm making sense here).
If so, how?
Let me know if you need more info from me.

Thanks!

------------------
Sean Penndorf
SaaS Operational Services (SOS) - ID Management
IBM Cloud
srpenn at us.ibm.com
Office: 248-552-4791   TL  623-9966


