[midPoint] Principle of Relativity

Ivan Noris ivan.noris at evolveum.com
Thu Jan 11 10:19:16 CET 2018


Hi Oleksandr,

one thing is to have strong mappings for assigning the roles through the
template. But to really apply anything to target systems you also have
to have strong mappings in schema handling/roles (outbound mappings) in
all resources where you want this.

Then reconciliation (or any other synchronization, including
provisioning) will always try to push the values which should be in the
target system account attributes.

The default mapping strength is normal as Martin said; that means, only
changes are synchronized.

Regards,

Ivan


On 10.01.2018 16:29, Oleksandr Nekriach wrote:
> Hi Martin,
> I have already tried this approach but had no success in my case.
>
>    <mapping>
>       <description>Assigment Agents to Agents Role</description>
>       <authoritative>true</authoritative>
>       <strength>strong</strength>
>       <source>
>          <c:path>$user/employeeType</c:path>
>       </source>
>       <source>
>          <name>formerEmployee</name>
>          <c:path>$user/extension/formerEmployee</c:path>
>       </source>
>       <expression>
>          <value>
>             <targetRef oid="cdbe899a-527b-4774-accc-8d1a7f000000" type="c:RoleType"/>
>          </value>
>       </expression>
>       <target>
>          <c:path>assignment</c:path>
>       </target>
>       <condition>
>          <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                  xsi:type="c:ScriptExpressionEvaluatorType">
>             <code>employeeType == 'Agent' &amp;&amp; formerEmployee == 'false'</code>
>          </script>
>       </condition>
>    </mapping>
>
> On 10 January 2018 at 16:33, Martin Lízner - AMI Praha a.s.
> <martin.lizner at ami.cz> wrote:
>
>     Hi, try using strength=strong for your object template mappings.
>     Should do for most cases. Default is strength=normal, which
>     triggers mapping only when mapping sources are changed. M.
>
>     Martin Lízner
>     solution architect
>
>     2018-01-08 15:49 GMT+01:00 Oleksandr Nekriach
>     <o.nekriach at dynatech.lv>:
>
>         Hi guys,
>         Please answer me whether there is a way to recalculate all the
>         attributes and assignments that are assigned to users
>         according to their ObjectTemplate. Or the principle of
>         Relativity cannot be bypassed.
>         Example:
>         We have an ObjectTemplate which is applied during reconciliation.
>         This ObjectTemplate assigns roles to the users. But after some
>         time I have found that the IDM administrators (Help Desk guys)
>         made some changes. And I'm not sure whether all users have those
>         assignments that were automatically calculated according to
>         ObjectTemplates or there is something superfluous. And I would
>         like to remove these unnecessary assignments automatically.
>
>         --
>         Best regards,
>
>         Oleksandr Nekriach | Identity and access management engineer
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com
>         http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
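
The outbound side described in the reply above, as an added example that is not part of the original thread or of any poster's configuration: a resource attribute mapping and a role construction, both with strength set to strong. The attribute names (ri:title, ri:groups), the value "agents", and the all-zero resource OID are placeholders; the ri: and c: prefixes are assumed to be declared on the enclosing objects.

```xml
<!-- Added example. Fragment 1: resource schemaHandling (placeholder attribute). -->
<schemaHandling>
   <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:AccountObjectClass</objectClass>
      <attribute>
         <ref>ri:title</ref>
         <outbound>
            <!-- Omitting <strength> means normal: only changes of the
                 source are propagated to the account attribute. -->
            <strength>strong</strength>
            <source>
               <c:path>$user/employeeType</c:path>
            </source>
         </outbound>
      </attribute>
   </objectType>
</schemaHandling>

<!-- Added example. Fragment 2: outbound mapping carried by the role that the
     object template assigns (resource OID is a placeholder). -->
<role>
   <name>Agents</name>
   <inducement>
      <construction>
         <resourceRef oid="00000000-0000-0000-0000-000000000000"
                      type="c:ResourceType"/>
         <kind>account</kind>
         <attribute>
            <ref>ri:groups</ref>
            <outbound>
               <strength>strong</strength>
               <expression>
                  <value>agents</value>
               </expression>
            </outbound>
         </attribute>
      </construction>
   </inducement>
</role>
```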
