From PFSJ at senado.leg.br Thu Mar 1 12:46:19 2018
From: PFSJ at senado.leg.br (Paulo Fernandes de Souza Junior)
Date: Thu, 1 Mar 2018 11:46:19 +0000
Subject: [midPoint] Extending AD-LDAP connector schema
In-Reply-To: <11D47B9D-CD40-4345-853D-291DB0FD5035@vives.be>
References: <1519818152193.1394@senado.leg.br>, <11D47B9D-CD40-4345-853D-291DB0FD5035@vives.be>
Message-ID: <1519904738908.35416@senado.leg.br>

Thank you, Davy.

Paulo Fernandes.

________________________________
From: midPoint on behalf of Davy Priem
Sent: Wednesday, 28 February 2018 08:49
To: midPoint General Discussion
Subject: Re: [midPoint] Extending AD-LDAP connector schema

Add the extra field name in resource configuration -> Operational attributes

On 28 Feb 2018, at 12:43, Paulo Fernandes de Souza Junior wrote:

> Hello,
>
> Is there any way to extend the schema for account objects in an AD-LDAP connector? In our organization we need to populate the AD extensionAttribute6 field with the user's secondary email. I searched the wiki but only found the instructions for legacy AD connector extension.
>
> Thanks,
> Paulo Fernandes.

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint

From srpenn at us.ibm.com Thu Mar 1 19:45:49 2018
From: srpenn at us.ibm.com (Sean R Penndorf)
Date: Thu, 1 Mar 2018 13:45:49 -0500
Subject: [midPoint] Query User for Name Value
Message-ID:

Hi Community,

I'm missing some key point somewhere.

Let's say I have a midPoint user: name = Sean
I have a resource to AD. Default intent account name = Sean
So far so good.

Now I need to add a functional ID (faceless account). So I set up another intent called "functionalID": name = ?????

In most examples I've seen, you have an outbound mapping something like this: ...which equates to funcID-Sean.
But what I REALLY need is the functionalID name = svc-DB2Admin.
How do I query the user for the name rather than generating the name?

Thanks!!

------------------
Sean Penndorf
SaaS Operational Services (SOS) - ID Management
IBM Cloud
srpenn at us.ibm.com
Office: 248-552-4791 TL 623-9966

From sylvaire-kevin.tipa at mythalesgroup.com Fri Mar 2 12:32:27 2018
From: sylvaire-kevin.tipa at mythalesgroup.com (TIPA Sylvaire-Kevin)
Date: Fri, 02 Mar 2018 12:32:27 +0100
Subject: [midPoint] Ad synch Group-User failed
Message-ID:

Hello,

I have a really strange event in my AD sync. Let me explain; I have the following setup:
- 1 resource: Active Directory
- 1 metarole for AD group sync (based on the sample: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO)
- 1 role with an assignment to the metarole
- 1 user with an assignment to the previous role.

- When I assign the metarole to my role: OK, all elements do the job and my role is now a group in my AD.
- When I assign a user (with or without the AD construction already done) to my role: OK, my user has an AD account and this account is memberOf my group.
- When I run a reconcile on my role: NOK, midPoint executes a delta to delete all the members (it deletes the memberOf association, not the members themselves).
If I reconcile my user, nothing is done.

My resource and my metarole are like the sample. Any idea?

METAROLE:
[The metarole XML was posted here; the archive kept only the element values, not the tags. What remains: name metarole-ad-sync, activation enabled, created 2017-08-08T14:30:44.995Z; one inducement constructing kind entitlement / intent group; a second inducement (order 2) constructing kind account / intent default with association ri:group, followed by the values entitlement and group. No mapping strength value appears anywhere in it.]

Resource:
[The resource XML was posted here and is garbled the same way. What remains of the schema handling: object type account/default "User Account" (default) on object class ri:user, with outbound mappings ri:dn from $user/fullName (weak), ri:sAMAccountName from $user/name (weak, matching rule stringIgnoreCase), ri:cn from fullName (weak), ri:sn from familyName, ri:givenName from givenName, ri:userPrincipalName from $user/name, ri:pwdLastSet set to -1, ri:createTimeStamp fetched explicitly, ri:nTSecurityDescriptor / ri:instanceType / ri:objectCategory (the last with CN=Person,CN=Schema,CN=Configuration,DC=users,DC=pprod,DC=agorat,DC=local), ri:displayName from $user/givenName and $user/familyName (normal), ri:mail from $user/emailAddress; association ri:group "AD Group Membership" to kind entitlement / intent group, direction objectToSubject, association attribute ri:member, value attribute ri:dn, shortcut attribute ri:memberOf with value attribute ri:dn. Object type entitlement/group "Athena Groups" (default) on object class ri:group, with ri:dn, ri:cn and ri:sAMAccountName from $focus/name (normal), ri:description from description, ri:member, ri:groupType -2147483646. Synchronization: "Account sync" for ri:user -> c:UserType, correlating c:name with $user/sAMAccountName, reactions linked, deleted (deleteFocus), unlinked (link), unmatched (addFocus with "Athena User Template"); "Athena Transversal Group sync" for ri:group -> c:RoleType, correlating c:name with $shadow/attributes/cn, reactions linked, deleted, unlinked (unlink), unmatched (addFocus).]

--
Cordialement.
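Written out as an added example (not the poster's own XML, whose element tags the archive lost, and not code copied from the Evolveum project): the group-sync metarole in the shape the linked HOWTO describes, with the outbound association mapping marked strong, which the poster's own follow-up later in this thread identifies as the missing piece. The role OID and resource OID are placeholders; ri:group, account/default and entitlement/group are the values from the posted configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the poster's XML. Both OIDs are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="00000000-0000-0000-0000-000000000010">
    <name>metarole-ad-sync</name>

    <!-- Inducement 1: every role that holds this metarole gets an AD group of
         its own (kind entitlement / intent group on the AD resource). -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-000000000001" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>

    <!-- Inducement 2 (order 2): users assigned to such a role get their
         account/default projection made a member of that group through the
         ri:group association. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-000000000001" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <!-- strong: the membership value is always applied, so a
                         reconciliation re-asserts it instead of computing an
                         empty association and removing the memberOf values,
                         which is what the message above reports. -->
                    <strength>strong</strength>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

To check the fix after importing the metarole, run the same reconciliation on the role as in the message above and inspect the computed delta for the member's shadow: with the strong mapping it should contain no removal of the ri:group association values.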
From charles.dc.chen at gmail.com Fri Mar 2 22:57:11 2018
From: charles.dc.chen at gmail.com (Chen Chen)
Date: Sat, 3 Mar 2018 05:57:11 +0800
Subject: [midPoint] Cannot launch embedded midpoint instance for testing if including model-client component
Message-ID:

Hi,

It will raise the following exception:

Caused by: java.lang.NoSuchFieldError: COMPLEX_TYPE
at com.evolveum.midpoint.prism.path.ItemPath.(ItemPath.java:41)
at com.evolveum.midpoint.model.test.AbstractModelIntegrationTest.(AbstractModelIntegrationTest.java:249)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.testng.internal.ObjectFactoryImpl.newInstance(ObjectFactoryImpl.java:29)
at org.testng.internal.ClassHelper.createInstance1(ClassHelper.java:387)
... 43 more

The root cause is that infra/prism and model-client contain the same-named class ItemPathType. In model-client the class ItemPathType is code generated by ctx from the schemas, which has no static field COMPLEX_TYPE.

I am confused why component infra/prism must include 3 packages which obviously do not match the other packages by name:
com.evolveum.prism.xml.ns._public.annotation_3
com.evolveum.prism.xml.ns._public.query_3
com.evolveum.prism.xml.ns._public.types_3

What is the right solution to fix the launch error if the model-client component is included together with the prism component?

Thanks.

--
---------------------------------------------------------------------
Chen Chen, CC, charles.dc.chen at gmail.com
Simple is Powerful, Simple is Beautiful.
From wojciech.staszewski at diagnostyka.pl Mon Mar 5 08:38:51 2018
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Mon, 5 Mar 2018 08:38:51 +0100
Subject: [midPoint] Condition expression: Org assignment with relation
Message-ID: <895d6a01-5d3b-92c9-bd57-939f0c90c376@diagnostyka.pl>

Hello!

I have to make a mapping condition expression that checks if the user has an assignment of Org type with Manager relation.
What methods should I use for this?

Thanks!
WS

From sylvaire-kevin.tipa at mythalesgroup.com Mon Mar 5 09:29:11 2018
From: sylvaire-kevin.tipa at mythalesgroup.com (TIPA Sylvaire-Kevin)
Date: Mon, 05 Mar 2018 09:29:11 +0100
Subject: [midPoint] Ad synch Group-User failed
In-Reply-To:
Message-ID: <63c3-5a9d0000-37-4327db0@46836360>

Hey,

I have found my problem: the "strong" option was missing. This is the right metarole. I think it's good to add it to your sample page (on the wiki); I just found it in the sample source on GitHub.

Add it here: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
and here: https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization

[The corrected metarole XML was posted here; the archive kept only the element values, not the tags. What remains: account, default, ri:group, strong, entitlement, group, 2, i.e. the account/default inducement with the ri:group association outbound mapping now at strength strong, order 2.]

--
Cordialement.

-------- Original message --------
Subject: [midPoint] Ad synch Group-User failed
Date: Friday 2 March 2018 12:32 CET
From: "TIPA Sylvaire-Kevin"
Reply to: midPoint General Discussion
To: midpoint at lists.evolveum.com

> Hello,
> I have a really strange event in my AD synch ..
> [...]
http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus                                              -- Cordialement.   -------------- next part -------------- An HTML attachment was scrubbed... URL: From ivan.noris at evolveum.com Tue Mar 6 16:58:28 2018 From: ivan.noris at evolveum.com (Ivan Noris) Date: Tue, 6 Mar 2018 16:58:28 +0100 Subject: [midPoint] Query User for Name Value In-Reply-To: References: Message-ID: <4138fedc-7980-b0b8-67a5-b1ba4ce9302a@evolveum.com> Hi Sean, I'm kind of confused what you want to achieve. If you want to create another account for the same user on the same resource, obviously the accounts must have different identifiers. E.g. "sean" and "svc-sean". That's also similar to the example you are referring to. For this you need to have multiple intent configuration for the same resource. One intent (kind=account, intent=default, default=true), second intent (kind=account, intent=whatever, default=false). The "whatever" may be e.g. "service-account", it's just a string. Then you need to have roles which allow you to create normal accounts (if you don't specify intent, midPoint assumes intent where "default=true") and also roles to create these service accounts (kind=account, intent=whatever in the inducement/construction. The part which I don't understand is the "query the user for the name". I understand that you want to use something else than $user/name (Sean). You can use any attribute from the user, the attribute might be completely different from $user/name. Example: set the user attribute "Nick name" to "DB2admin", and you can access it as $user/nickName in the outbound mapping (you need to define source path for $user/nickName). Or perhaps by "querying" you mean to "ask the user to provide the value interactively"? Best regards, Ivan On 01.03.2018 19:45, Sean R Penndorf wrote: > Hi Community, > > I'm missing some key point somewhere. > > Let's say I have a Midpoint user:  name = Sean > I have a resource to AD. 
Default intent account name = Sean > So far so good. > > Now I need to add a functional ID (faceless account). > So I setup another intent called "functionalID"  name = ????? > > In most examples I've seen, you have an outbound mapping something > like this: >                      >                          >                      > > ...which equates to funcID-Sean. > > But, what I REALLY need is the functionalID Name = svc-DB2Admin > How do I query the user for the name rather than generating the name? > > > Thanks!! > > > > ------------------ > *Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud > srpenn at us.ibm.com > Office: 248-552-4791   TL  623-9966 > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From srpenn at us.ibm.com Tue Mar 6 18:20:15 2018 From: srpenn at us.ibm.com (Sean R Penndorf) Date: Tue, 6 Mar 2018 12:20:15 -0500 Subject: [midPoint] Query User for Name Value In-Reply-To: <4138fedc-7980-b0b8-67a5-b1ba4ce9302a@evolveum.com> References: <4138fedc-7980-b0b8-67a5-b1ba4ce9302a@evolveum.com> Message-ID: Ivan, Thank you for responding. Yes, what I was wondering is if there is a way to to have a pop up or webform for the user to provide the name interactively. The issue is I'm not able to determine the service acct names programmatically, so I need to obtain it from the human requester. I understand I will need to use intents (or possibly personas, though I fear those may be confusing to my user base). 
------------------
Sean Penndorf
SaaS Operational Services (SOS) - ID Management
IBM Cloud
srpenn at us.ibm.com
Office: 248-552-4791   TL  623-9966

From ivan.noris at evolveum.com Wed Mar 7 09:40:30 2018
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 7 Mar 2018 09:40:30 +0100
Subject: [midPoint] Query User for Name Value
In-Reply-To: 
References: <4138fedc-7980-b0b8-67a5-b1ba4ce9302a@evolveum.com>
Message-ID: 

Hi Sean,

I think currently we don't have a feature like that. These are some thoughts that I have:

- let the user enter the account name using self-service into some extension attribute, that will then be used.
- maybe the value you want can be an assignment parameter for the assignment which will create the technical account. Related jira issue: https://jira.evolveum.com/browse/MID-3515
- completely custom GUI on your side, doing whatever, then calling midPoint REST API to do provisioning

Of course, at the end, intents (or personas) will do the trick.
But as you said, they would expect to already have the value you want to provision, and if it's not possible to derive it from the user data, there must be some interaction.

Maybe there are other possibilities that I'm not aware of. In that case, my colleagues or other members of this list may have other ideas.

If the jira issue referenced above makes sense for you, or if you need something completely different, please consider a subscription: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

Best regards,
Ivan

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

From srpenn at us.ibm.com Wed Mar 7 15:29:29 2018
From: srpenn at us.ibm.com (Sean R Penndorf)
Date: Wed, 7 Mar 2018 09:29:29 -0500
Subject: [midPoint] Query User for Name Value
In-Reply-To: 
References: <4138fedc-7980-b0b8-67a5-b1ba4ce9302a@evolveum.com>
Message-ID: 

That helps... gives me a few ideas to try out. I think MID-3515 would be the best solution.

Thanks!!!

------------------
Sean Penndorf
SaaS Operational Services (SOS) - ID Management
IBM Cloud
srpenn at us.ibm.com
Office: 248-552-4791   TL  623-9966

From radovan.semancik at evolveum.com Thu Mar 8 18:42:28 2018
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 8 Mar 2018 18:42:28 +0100
Subject: [midPoint] MidPoint 3.7.1 "Darwin" Update 1 released
Message-ID: <10b5a77c-fbaa-2950-9b61-81504bfb3214@evolveum.com>

The Evolveum team is proud to announce the release of midPoint version 3.7.1.

Release 3.7.1 is the twenty-fourth midPoint release. It is the first maintenance update for the 3.7.x version family code-named Darwin. The 3.7.1 release brings stability improvements and several minor features.
For more information about the 3.7.1 release please see the release notes at http://wiki.evolveum.com/display/midPoint/Release+3.7.1

We would like to express special thanks to all midPoint subscribers, partners, supporters and especially the contributors. The Evolveum team would like to express many thanks for your interest, feedback and contributions.

-- 
Radovan Semancik
Software Architect
evolveum.com

From esteban.jeria at cgi.com Mon Mar 12 16:50:02 2018
From: esteban.jeria at cgi.com (Jeria, Esteban)
Date: Mon, 12 Mar 2018 15:50:02 +0000
Subject: [midPoint] Recovery strategy
Message-ID: <678C21BCC7A3FC44B939536BD6C8DEBC159916D4@corpowt-8>

Hi,

We currently have a midPoint cluster with Tomcat session replication, and it uses MariaDB for the database. I was wondering what the recommended strategy is for backing up and restoring the database in case of disaster?

Is there a preferred backup method (logical/physical)?
Is there a specific constraint or procedure to restore the data?
What is the implication when using the JDBC-based Quartz job store?

Thanks,

Esteban Jeria
esteban.jeria at cgi.com
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management

From PFSJ at senado.leg.br Wed Mar 14 11:49:54 2018
From: PFSJ at senado.leg.br (Paulo Fernandes de Souza Junior)
Date: Wed, 14 Mar 2018 10:49:54 +0000
Subject: [midPoint] AD authentication and REST API
Message-ID: <1521024539609.91277@senado.leg.br>

Hello,

We are getting a 401 - unauthorized response when trying to use the REST API. We tried with and without /midpoint in the URL and upgraded to the 3.7.1 release, with no success.

We are using AD authentication in our installation and it works for the web interface. It worked before, when using version 3.6 and the WebSecurityConfig.

Is it possible to use AD authentication for the REST interface?
Do we need any other configuration beyond https://wiki.evolveum.com/display/midPoint/Authentication+Configuration ?

Many thanks,

Paulo Fernandes
Senado Federal
Brasília - Brasil

From berezkin.dmitriy at gmail.com Wed Mar 14 20:27:56 2018
From: berezkin.dmitriy at gmail.com (Dmitriy Berezkin)
Date: Wed, 14 Mar 2018 22:27:56 +0300
Subject: [midPoint] Report with account data
Message-ID: 

Hi!

Could you tell me about reports? I want to make a report with account data and the user object.

For example, I have the resource "Test CSV: username", and I want to make a report that looks like this:

  User Name (user.name) | Telephone Number (user.telephoneNumber) | Attribute1 from System 1 (account.extattr1) | Attribute1 from System 2 (account.extattr2)
  user111               | 11-11                                   | 10293                                       | Zorg

How can I add account data into the report? What expression should I use?

Here is my resource:

  [resource "Test CSV: username" and user "user111" object XML omitted: the markup was not preserved in the archive]

— Dmitry

From bhotrock at gmail.com Wed Mar 14 21:42:47 2018
From: bhotrock at gmail.com (Brad Firestone)
Date: Wed, 14 Mar 2018 15:42:47 -0500
Subject: [midPoint] How to remove User attribute value
Message-ID: <5AA98947.9000304@gmail.com>

I'm trying to figure out how to remove values from custom schema user attributes.

When I first started with midPoint, I thought it would be a good idea to create some midPoint User attribute values as part of a read-only Active Directory Resource. That way when a midPoint user was created, they would automatically have certain attribute values.

I've since figured out that isn't the best way to do this. I have removed these inbound mappings from my AD Resource. I will now handle the creation/removal of these attribute values through assignment/inducement.

But I need to clean up these values so they are "blank". I've tried lots of different combinations of things in my User Template. I can change the values easily this way, but can't make it "blank".

From what I see in the wiki, I would think that the following mapping in my User Template should work, but it doesn't.

    Clear old myAttribute
    true
    false
    strong
    $user/extension/myAttribute

Does anyone have an idea of how I can completely clear any values from this midPoint User attribute?

Thanks!

From wojciech.staszewski at diagnostyka.pl Thu Mar 15 20:06:03 2018
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 15 Mar 2018 20:06:03 +0100
Subject: [midPoint] Condition expression: Org assignment with relation
In-Reply-To: <895d6a01-5d3b-92c9-bd57-939f0c90c376@diagnostyka.pl>
References: <895d6a01-5d3b-92c9-bd57-939f0c90c376@diagnostyka.pl>
Message-ID: 

Hello!

Maybe I wrote my post somewhat unclearly...
I'm looking for a condition expression for a mapping in the user template that assigns a specified role to an organization manager.

So I have to check if the user has an active assignment of Org type with the org:manager relation.
Unfortunately I don't know how to do it; I cannot find any example in the wiki or mailing list archives.

Any help appreciated.
Thanks a lot!
WS

On 05.03.2018 at 08:38, Wojciech Staszewski wrote:
> Hello!
>
> I have to make a mapping condition expression that checks if the user
> has an assignment of Org type with Manager relation.
> What methods should I use for this?
>
> Thanks!
> WS

From ivan.noris at evolveum.com Fri Mar 16 09:17:50 2018
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 16 Mar 2018 09:17:50 +0100
Subject: [midPoint] Condition expression: Org assignment with relation
In-Reply-To: 
References: <895d6a01-5d3b-92c9-bd57-939f0c90c376@diagnostyka.pl>
Message-ID: 

Hi Wojciech,

I only did something /similar/ but not exactly what you need. I wanted to have a conditional inducement in my metarole, that would only return true if the role is not assigned with manager relation. (Actually this is from the midPoint Advanced Customization training.)

. . .
    Inducement to create an account as a projection of user having assigned an organization with this metarole.
    Creates an account for user, and associates with group created for the organization assigned to the user.
    account
    default
    ri:ldapOrgGroup
    strong
    $focusAssignment/targetRef
    entitlement
    ldapOrgGroup
    weak
    2
    UserType
. . .
I believe you can have a mapping in the object template that will have assignments as a source, and you need to iterate through them and check all that are OrgType and where relation is org:manager. I don't have this handy, but maybe someone else has.

Best regards,
Ivan

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

From sylvaire-kevin.tipa at mythalesgroup.com Fri Mar 16 09:36:51 2018
From: sylvaire-kevin.tipa at mythalesgroup.com (TIPA Sylvaire-Kevin)
Date: Fri, 16 Mar 2018 09:36:51 +0100
Subject: [midPoint] Limite assignement information in GUI
Message-ID: <336-5aab8200-7-12278460@253406626>

Hello,

I am trying to limit the fields shown in the standard user GUI. I have tried many, many items in my authorization but I can't find the right item... I want the user to see only the displayName and description of his assignment...
Any idea?

http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read self assignment assignment/displayName assignment/name assignment/relation assignment/targetRef assignment/metadata assignment/objectRef assignment/executionStatus assignment/parent assignment/ownerRef

--
Regards.
Sylvaire-Kevin TIPA

From sylvaire-kevin.tipa at mythalesgroup.com Fri Mar 16 10:00:48 2018
From: sylvaire-kevin.tipa at mythalesgroup.com (TIPA Sylvaire-Kevin)
Date: Fri, 16 Mar 2018 10:00:48 +0100
Subject: Re: [midPoint] Limite assignement information in GUI
In-Reply-To: <336-5aab8200-7-12278460@253406626>
Message-ID: <145-5aab8800-17-20ba3340@74342387>

More information: I'm on MP 3.6.

My question in a more general way can be: how can I find the minimum fields needed by MP for showing elements to the user? Or the source code that does the "getObject" in the user panel.

--
Regards.

-------- Original message --------
Subject: [midPoint] Limite assignement information in GUI
Date: Friday 16 March 2018 09:36 CET
From: "TIPA Sylvaire-Kevin"
Reply to: midPoint General Discussion
To: midpoint at lists.evolveum.com

Hello,

I try to limit the fields shown in the standard user's GUI. I have tried many, many items in my authorization but I cannot find the right item ... I want the user to see only displayName and description of his assignment...
Any idea?

http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read self assignment assignment/displayName assignment/name assignment/relation assignment/targetRef assignment/metadata assignment/objectRef assignment/executionStatus assignment/parent assignment/ownerRef

--
Regards.
Sylvaire-Kevin TIPA

From arnost.starosta at ami.cz Fri Mar 16 11:12:22 2018
From: arnost.starosta at ami.cz (Arnošt Starosta - AMI Praha a.s.)
Date: Fri, 16 Mar 2018 11:12:22 +0100
Subject: [midPoint] How to remove User attribute value
In-Reply-To: <5AA98947.9000304@gmail.com>
References: <5AA98947.9000304@gmail.com>
Message-ID:

Hi Brad,

I had a similar problem and in the end removed the attribute values by bulk action. Delta with modificationType 'replace' did the trick. Hope it works for you.

arnost

c:UserType ... modify delta modify replace extension/yourAttribute raw true

2018-03-14 21:42 GMT+01:00 Brad Firestone :
> I'm trying to figure out how to remove values from custom schema user attributes.
>
> When I first started with midPoint, I thought it would be a good idea to create some midPoint User attribute values as part of a read-only Active Directory Resource. That way when a midPoint user was created, they would automatically have certain attribute values.
>
> I've since figured out that isn't the best way to do this. I have removed these inbound mappings from my AD Resource. I will now handle the creation/removal of these attribute values through assignment/inducement.
>
> But I need to clean up these values so they are "blank". I've tried lots of different combinations of things in my User Template. I can change the values easily this way, but can't make it "blank".
> From what I see in the wiki, I would think that the following mapping in my User Template should work, but it doesn't.
>
> Clear old myAttribute
> true
> false
> strong
>
> $user/extension/myAttribute
>
> Does anyone have an idea of how I can completely clear any values from this midPoint User attribute?
> Thanks!
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>

--
Arnošt Starosta
solution architect
gsm: [+420] 603 794 932
e-mail: arnost.starosta at ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz

By the text of this e-mail the signatory does not promise to conclude, nor does he conclude, any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively in written form.

From wojciech.staszewski at diagnostyka.pl Sat Mar 17 23:18:53 2018
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 17 Mar 2018 23:18:53 +0100
Subject: [midPoint] Condition expression: Org assignment with relation
In-Reply-To:
References: <895d6a01-5d3b-92c9-bd57-939f0c90c376@diagnostyka.pl>
Message-ID: <7a36d532-11e9-ddd0-6cb1-6b74b0b40f8a@diagnostyka.pl>

OK, thanks!
Finally I've got it working with this condition script:

    result = false;
    assignments = user.getAssignment();
    for (assName in assignments) {
        relation = assName.getTargetRef()?.getRelation()?.getLocalPart()?.toString();
        type = assName.getTargetRef()?.getType()?.getLocalPart()?.toString();
        status = assName.getActivation()?.getEffectiveStatus()?.toString();
        if ( type == 'OrgType' && relation == 'manager' && status == 'ENABLED' ) { result = true; }
    }
    return result;

On 16.03.2018 at 09:17, Ivan Noris wrote:
>
> Hi Wojciech,
>
> I only did something /similar/ but not exactly what you need.
>
> I wanted to have a conditional inducement in my metarole, that would only return true if the role is not assigned with manager relation.
> (Actually this is from the midPoint Advanced Customization training.)
>
> . . .
>
> Inducement to create an account as a projection of user having assigned an organization with this metarole.
> Creates an account for user, and associates with group created for the organization assigned to the user.
> type="c:ResourceType"/>
> account
> default
> ri:ldapOrgGroup
> strong
> $focusAssignment/targetRef
> entitlement
> ldapOrgGroup
> weak
> 2
> UserType
> . . .
> > I believe you can have a mapping in the object template that will have > assignments as a source, and you need to iterate through them and > check all that are OrgType and where relation is org:manager. I don't > have this handy, but maybe someone else has. > > Best regards, > Ivan > > On 15.03.2018 20:06, Wojciech Staszewski wrote: >> Hello! >> >> Maybe I wrote my post somehow unclear... >> I'm looking for condition expression for mapping in the user template, >> that assign specified role to an organization manager. >> >> So I have to check if the user has an active assignment of Org type with >> org:manager relation. >> Unfortunately I don't know how to do it, I cannot find any example in >> the wiki or mailing list archives. >> >> Any help appreciated. >> Thanks a lot! >> WS >> >> >> W dniu 05.03.2018 o 08:38, Wojciech Staszewski pisze: >>> Hello! >>> >>> I have to make a mapping condition expression that checks if the user >>> has assignment of Org type with Manager relation. >>> What methods should I use for this? >>> >>> Thanks! >>> WS >>> _______________________________________________ >>> midPoint mailing list >>> midPoint at lists.evolveum.com >>> http://lists.evolveum.com/mailman/listinfo/midpoint >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > -- > Ivan Noris > Senior Identity Engineer > evolveum.com > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... 
From mikko.pekkarinen at datactica.fi Mon Mar 19 12:17:21 2018
From: mikko.pekkarinen at datactica.fi (Mikko Pekkarinen)
Date: Mon, 19 Mar 2018 11:17:21 +0000
Subject: [midPoint] Connector reference goes missing
In-Reply-To: <1519307800829.12036@datactica.fi>
References: <1519307800829.12036@datactica.fi>
Message-ID: <1521459074713.23197@datactica.fi>

Hello,

we finally figured out the problem. For the record:

Background: We've defined an admin role with limited authorizations. Such admins can do little more than assign/unassign roles to users. The roles induce some group memberships in LDAP. The "Connector reference missing" error occurred whenever an admin tried to assign roles to anyone in the midPoint GUI. Assignment through the REST API has worked fine all the time.

Fix/workaround: added the following authorization for the admin:

read-resource-and-connector http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read ResourceType ConnectorType

(Access to ConnectorType is not strictly needed, but it seems that without that midPoint creates a new connector instance as it cannot resolve the reference in the resource configuration. Authorization for execution phase only does not suffice, but request phase is also needed here. I have no time to bisect our history to see which configuration change has made this autz necessary.)

Pondering: it seems that midPoint cannot read the resource and/or connector due to the authorizations, and then goes on to update some cache with information "there is no connectorRef in this Resource". This smells like a bug in midPoint 3.5: one failed authorization should just yield an "access denied" response instead of taking the whole installation into unusable state.

Mikko Pekkarinen

________________________________
From: midPoint on behalf of Pertti Kellomäki
Sent: 22 February 2018 15:56
To: midpoint at lists.evolveum.com
Subject: [midPoint] Connector reference goes missing

Hi all,

Bit of a long shot I know, but has anyone encountered connector references going missing all of a sudden? It has started to happen in our test environment seemingly out of the blue. Livesyncing the resource works without problems until the connector reference goes missing and we get errors like the following in idm.log. The resource shows in the Resources list as "null(FATAL_ERROR)". The connector does show up in Configuration -> Repository objects -> connector, however.

The java process does grow very large, almost 2 gigabytes. Could this be a problem? I don't see anything relevant in the logs though.

TIA,
Pertti

2018-02-22 13:22:26,667 [] [midPointScheduler_Worker-6] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Synchronization error: configuration problem: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)
com.evolveum.midpoint.util.exception.ConfigurationException: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)
at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnectorInstance(ProvisioningContext.java:274) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnector(ProvisioningContext.java:184) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1573) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ShadowCache.synchronize(ShadowCache.java:1239) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:426) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.runInternal(LiveSyncTaskHandler.java:197) [model-impl-3.5.jar:na]
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:84) [model-impl-3.5.jar:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:648) [task-quartz-impl-3.5.jar:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:528) [task-quartz-impl-3.5.jar:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:171) [task-quartz-impl-3.5.jar:na]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.2.3.jar:na]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.3.jar:na]
Caused by: com.evolveum.midpoint.util.exception.ObjectNotFoundException: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConnectorTypeReadOnly(ConnectorManager.java:205) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.createConfiguredConnectorInstance(ConnectorManager.java:150) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConfiguredConnectorInstance(ConnectorManager.java:134) ~[provisioning-impl-3.5.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnectorInstance(ProvisioningContext.java:265) ~[provisioning-impl-3.5.jar:na]
... 11 common frames omitted

From lnovak at oaisd.org Tue Mar 20 15:01:06 2018
From: lnovak at oaisd.org (Luke Novak)
Date: Tue, 20 Mar 2018 14:01:06 +0000
Subject: [midPoint] AD LDAP Connector Error
Message-ID:

Hey all,

I am trying to set up the AD LDAP Connector. I keep getting a 500 internal error, but it also says the resource is up. I also can't access AD. I have attached the error downloads. Any help or directions would be great.
Thanks
Luke

From Ivan.Noris at evolveum.com Tue Mar 20 18:34:31 2018
From: Ivan.Noris at evolveum.com (Ivan Noris)
Date: Tue, 20 Mar 2018 18:34:31 +0100 (CET)
Subject: [midPoint] AD LDAP Connector Error
In-Reply-To:
References:
Message-ID: <27489017.1092974.1521567271921.JavaMail.zimbra@evolveum.com>

Hi Luke,

I would say you are running out of memory:

Error resolving object with oid '1cb1aeca-b36a-4f07-a8df-4a2f9860e0f0': Java heap space

I would increase the memory for midpoint and use schema restriction to fetch schema information just for the object classes you need, e.g.

ri:user ri:group

See samples/resources/ad-ldap/ad-ldap-medusa-medium.xml

I hope this helps,
Ivan

----- Original Message -----
> From: "Luke Novak"
> To: midpoint at lists.evolveum.com
> Sent: Tuesday, March 20, 2018 3:01:06 PM
> Subject: [midPoint] AD LDAP Connector Error

> Hey all,
> I am trying to set up the AD LDAP Connector. I keep getting a 500 internal error, but it also says the resource is up. I also can't access AD. I have attached the error downloads. Any help or directions would be great.
> Thanks
> Luke
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

--
Ivan Noris
Senior Identity Engineer
evolveum.com
From joshua at uic.edu Wed Mar 21 06:12:22 2018
From: joshua at uic.edu (Frigerio, Joshua)
Date: Wed, 21 Mar 2018 05:12:22 +0000
Subject: [midPoint] new AD resource
Message-ID:

I’m new to Midpoint and trying to add my first Active Directory resource, but not having any luck….

The “connection test” gives all green lights. The schema generated, and I added a default Account-type Object type under the schema handling. But when I try to list the users on the resource it gives “Fatal Error”, with these errors:

Operation: operation.org.identityconnectors.framework.api.ConnectorFacade.search
Message: IO error: LDAP error during search in ou=Accounts,dc=adtest,dc=uic,dc=edu: unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140373, problem 5010 (UNAVAIL_EXTENSION), data 0?? (12)
Parameters: objectClass [ObjectClass: user]
Context: connector [class org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
Error: IO error: org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP error during search in ou=Accounts,dc=adtest,dc=uic,dc=edu: unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140373, problem 5010 (UNAVAIL_EXTENSION), data 0?? (12))

The midpoint.log says pretty much the same thing. It’s Midpoint 3.7. I’ll attach the resource too. But it’s the example resource that came with the distribution, which I just tweaked the host/password/bindDN, etc. Google has not been any help. Can anyone interpret this for me?
From Ivan.Noris at evolveum.com Wed Mar 21 19:06:13 2018
From: Ivan.Noris at evolveum.com (Ivan Noris)
Date: Wed, 21 Mar 2018 19:06:13 +0100 (CET)
Subject: [midPoint] new AD resource
In-Reply-To:
References:
Message-ID: <1493395010.1125138.1521655573191.JavaMail.zimbra@evolveum.com>

Hi Joshua,

could you please try to add the following configuration properties to the resource?

spr 100

(replace gen922 with the namespace of the other configuration properties)

Best regards,
Ivan

----- Original Message -----
> From: "Joshua Frigerio"
> To: "midPoint General Discussion"
> Sent: Wednesday, March 21, 2018 6:12:22 AM
> Subject: [midPoint] new AD resource

> I’m new to Midpoint and trying to add my first Active Directory resource, but not having any luck….
> The “connection test” gives all green lights. The schema generated, and I added a default Account-type Object type under the schema handling. But when I try to list the users on the resource it gives “Fatal Error”, with these errors:
> Operation operation.org.identityconnectors.framework.api.ConnectorFacade.search
> Message IO error: LDAP error during search in ou=Accounts,dc=adtest,dc=uic,dc=edu: unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140373, problem 5010 (UNAVAIL_EXTENSION), data 0?? (12)
> Parameters objectClass [ObjectClass: user] Context connector [class org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
> Error IO error: org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP error during search in ou=Accounts,dc=adtest,dc=uic,dc=edu: unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140373, problem 5010 (UNAVAIL_EXTENSION), data 0?? (12))
> The midpoint.log says pretty much the same thing. It’s Midpoint 3.7. I’ll attach the resource too.
> But it’s the example resource that came with the distribution, which I just tweaked the host/password/bindDN, etc. Google has not been any help. Can anyone interpret this for me?
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

--
Ivan Noris
Senior Identity Engineer
evolveum.com

From Francis.Vermeulen at dxcfds.com Mon Mar 26 09:46:48 2018
From: Francis.Vermeulen at dxcfds.com (Vermeulen Francis)
Date: Mon, 26 Mar 2018 07:46:48 +0000
Subject: [midPoint] No automatic self-healing after communication error with Resource?
Message-ID: <83582008856a406ab2cc4058c07e77b6@dxcfds.com>

Hi,

When I modify a User while the Resource is not reachable (comms error) I get an error message. When the Resource comes online again ('Test connection') it seems that there is no automatic discovery process to retry the failed modify operation automatically, i.e. without administrator manual action: I need to run a reconciliation task on the resource. The documentation however suggests that the self-healing should be automatic once it is detected that the Resource is online again. Did I misunderstand the documentation or is there something I need to configure for the self-healing to be automatic? I'm running version 3.7. Help greatly appreciated!

Regards,
Francis

From sylvaire-kevin.tipa at mythalesgroup.com Mon Mar 26 16:24:56 2018
From: sylvaire-kevin.tipa at mythalesgroup.com (TIPA Sylvaire-Kevin)
Date: Mon, 26 Mar 2018 16:24:56 +0200
Subject: [midPoint] [BUG?] Error when use phase in authorization
Message-ID: <6f07-5ab90280-2d-386dd0c0@84833279>

Hey all,

It seems to be a bug when we use "phase" in end user authorization. I try to show the "My Requests" panel for the end user.
If I put the #read authorization on the "Self" object without phase it's ok. But if I put the same authorization with execution and request phase (like in the wiki) it's not ok ... I don't know why, but if I try to reduce the reading information of the end user, he cannot see his request ...

It's in MP 3.6, I know that 3.7.1 is out, but I want to be sure that this error is fixed.

Good xml:

http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read self

Bad xml:

http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read request self
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read execution self

Doc source: https://wiki.evolveum.com/display/midPoint/Authorization+Configuration#AuthorizationConfiguration-AuthorizationModel

--
Regards.

From ivan.noris at evolveum.com Tue Mar 27 11:15:10 2018
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 27 Mar 2018 11:15:10 +0200
Subject: [midPoint] No automatic self-healing after communication error with Resource?
In-Reply-To: <83582008856a406ab2cc4058c07e77b6@dxcfds.com>
References: <83582008856a406ab2cc4058c07e77b6@dxcfds.com>
Message-ID: <32a2a8ba-824f-b23e-ef47-9f2d1a2ca710@evolveum.com>

Hi Francis,

the self-healing is automatic:

- when reconciliation runs, /one/ of the phases is to push the unfinished operations (just like you discovered)
- when midPoint fetches the data for the user from the resource and detects unfinished changes, they will be finished at that time

There are, however, some issues/improvements tracked:

https://jira.evolveum.com/browse/MID-2827 (Task that retries unfinished operations)
https://jira.evolveum.com/browse/MID-1346 (Full and Incremental Reconciliation)

and some others.
They are either planned for later midPoint versions or waiting for customers that will need it as part of their subscriptions.

Best regards,
Ivan

On 26.03.2018 09:46, Vermeulen Francis wrote:
>
> Hi,
>
> When I modify a User while the Resource is not reachable (comms error) I get an error message. When the Resource comes online again (‘Test connection’) it seems that there is no automatic discovery process to retry the failed modify operation automatically, i.e. without administrator manual action: I need to run a reconciliation task on the resource. The documentation however suggests that the self-healing should be automatic once it is detected that the Resource is online again. Did I misunderstand the documentation or is there something I need to configure for the self-healing to be automatic? I’m running version 3.7. Help greatly appreciated!
>
> Regards,
>
> Francis
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

--
Ivan Noris
Senior Identity Engineer
evolveum.com

From petr.kulheim at ibacz.eu Tue Mar 27 15:19:07 2018
From: petr.kulheim at ibacz.eu (petr.kulheim at ibacz.eu)
Date: Tue, 27 Mar 2018 15:19:07 +0200
Subject: [midPoint] self registration not working in 3.7.1 ?
In-Reply-To: <32a2a8ba-824f-b23e-ef47-9f2d1a2ca710@evolveum.com>
References: <83582008856a406ab2cc4058c07e77b6@dxcfds.com> <32a2a8ba-824f-b23e-ef47-9f2d1a2ca710@evolveum.com>
Message-ID:

Hi all,

is anybody using self registration with a custom form on 3.7.1?
We have configured one, attaching SecurityPolicy and Form. It is working on Midpoint version 3.6.1 and 3.7, but not on 3.7.1.

There is an error in the log (line 1038):

2018-03-19 11:59:22,004 [] [http-nio-8080-exec-4] ERROR (com.evolveum.midpoint.web.component.prism.ObjectWrapperFactory): Error occurred during container wrapping. org.apache.wicket.RestartResponseException: null

Attaching the whole relevant part of the log.

Thank you very much for any help or advice.

Best regards

Petr Kulheim
JEE Developer
IBA CZ, s.r.o.
Office: Petržílkova 2565/23, 158 00 Praha, CZ
Phone: +420 603 272826
E-mail: petr.kulheim at ibacz.eu

Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
From ealonso at identicum.com Tue Mar 27 23:18:49 2018
From: ealonso at identicum.com (Ezequiel Alonso)
Date: Tue, 27 Mar 2018 18:18:49 -0300
Subject: [midPoint] Dynamically set approvers of an approval step
Message-ID:

Hello,

We are trying to figure out how to set approvers of an approval step using a certain criteria instead of using references to roles or organizations as it is in several examples in the documentation. For example, if a user that is requesting a role needs an approval, then the approver should be the user that is referenced in an extension attribute of the user; so to set it as an approver, we need to get that attribute from the user, then search the users that meet that condition in order to set it as the approver. Is this possible or can we only set approvers by members of a role or members of an Org?

Thanks!

--
Ezequiel Alonso
Identicum S.A.
Jorge Newbery 3226, Argentina
Tel: +54 (11) 4552-3050
ealonso at identicum.com
www.identicum.com

From petr.kulheim at ibacz.eu Wed Mar 28 11:15:05 2018
From: petr.kulheim at ibacz.eu (petr.kulheim at ibacz.eu)
Date: Wed, 28 Mar 2018 11:15:05 +0200
Subject: [midPoint] Dynamically set approvers of an approval step
In-Reply-To:
References:
Message-ID:

Hi Ezequiel,

actually we are using a metarole with a policyRule in an inducement with approverExpression, e.g.:

add q:any 20 Role Approvers firstDecides reject PT1H reject

Perhaps you can use object and/or target objects and provide your list of approvers.

Hope it helps

Best regards

Petr Kulheim
JEE Developer
IBA CZ, s.r.o.
Office: Petržílkova 2565/23, 158 00 Praha, CZ
Phone: +420 603 272826
E-mail: petr.kulheim at ibacz.eu

From: Ezequiel Alonso
To: midpoint at lists.evolveum.com
Date: 27/03/2018 23:23
Subject: [midPoint] Dynamically set approvers of an approval step
Sent by: "midPoint"

Hello,

We are trying to figure out how to set approvers of an approval step using a certain criteria instead of using references to roles or organizations as it is in several examples in the documentation. For example, if a user that is requesting a role needs an approval, then the approver should be the user that is referenced in an extension attribute of the user; so to set it as an approver, we need to get that attribute from the user, then search the users that meet that condition in order to set it as the approver. Is this possible or can we only set approvers by members of a role or members of an Org?

Thanks!

--
Ezequiel Alonso
Identicum S.A.
Jorge Newbery 3226, Argentina
Tel: +54 (11) 4552-3050
ealonso at identicum.com
www.identicum.com
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
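Added example, not Petr's own configuration (the archive has stripped the XML tags from his snippet): a metarole inducement carrying a policyRule whose approval stage resolves the approver at request time from the requesting user, the case Ezequiel describes, instead of a fixed approverRef. The extension property name approverOid (a string holding the approver's OID), the role name and the use of basic.getExtensionPropertyValue in the script are assumptions; the stage settings (order 20, firstDecides, reject when no approver, PT1H timeout ending in reject) follow the values visible in Petr's snippet.

```xml
<!-- Added example, not from the mailing list. Assumed: the requesting user carries a
     string extension property 'approverOid' with the OID of the user who must approve. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>metarole-approval-by-designated-approver</name>
    <inducement>
        <policyRule>
            <name>approve-assignment-by-designated-approver</name>
            <policyConstraints>
                <!-- Trigger whenever a role holding this metarole is assigned, with any relation. -->
                <assignment>
                    <operation>add</operation>
                    <relation>q:any</relation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval>
                    <compositionStrategy>
                        <order>20</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage>
                            <name>Designated approver</name>
                            <approverExpression>
                                <script>
                                    <code><![CDATA[
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

// 'object' is the focus being modified (the requesting user);
// 'approverOid' is the assumed extension property holding the approver's OID.
if (object == null) {
    return null
}
def oid = basic.getExtensionPropertyValue(object, 'approverOid')
if (oid == null) {
    // Nothing to approve against: the stage then falls back to
    // outcomeIfNoApprovers below, i.e. the request is rejected.
    return null
}
def ref = new ObjectReferenceType()
ref.setOid(oid)
ref.setType(UserType.COMPLEX_TYPE)
return ref
                                    ]]></code>
                                </script>
                            </approverExpression>
                            <evaluationStrategy>firstDecides</evaluationStrategy>
                            <!-- Fail closed: an unresolvable approver must not silently grant the role. -->
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                            <!-- Work item expires after one hour and is completed as rejected. -->
                            <duration>PT1H</duration>
                            <timedActions>
                                <actions>
                                    <complete>
                                        <outcome>reject</outcome>
                                    </complete>
                                </actions>
                            </timedActions>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role>
```

Because the approver is derived from data the requesting user carries, whoever can write approverOid can steer the approval; keep that property writable only through trusted inbound mappings or administrators, not through self-service.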
From radovan.semancik at evolveum.com Wed Mar 28 17:34:41 2018
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Wed, 28 Mar 2018 17:34:41 +0200
Subject: [midPoint] MidPoint 3.8 feature freeze
Message-ID:

Dear midPoint community,

MidPoint development cycle is reaching feature freeze milestone. The freeze is scheduled for tomorrow. This means that all features scheduled for midPoint 3.8 should be implemented now. The next step is a testing and bugfixing period followed by midPoint 3.8 release. MidPoint 3.8 release is planned for late April or early May. This period is ideal for the community to help with testing fresh midPoint code - that means code built from master branch:

https://wiki.evolveum.com/display/midPoint/midPoint+Development+Snapshot

What is new in midPoint 3.8:

The focus of midPoint 3.8 was performance and scalability improvements. MidPoint should be slightly faster now. But most importantly it should smoothly scale to millions of identities and beyond. But there is a price to pay. There was a significant change in the database schema. The midPoint (XML) schema is still compatible, but the database schema is not. Unfortunately, we are still working on upgrade and migration tools, therefore all the testing that you have to do in the meantime needs to start from a fresh installation and re-importing all the configuration and data. The migration tools should be ready in a couple of weeks.

There were also some improvements in the midPoint schema. The old employeeType, roleType, orgType and serviceType properties were unified to a common subType property. This is something that we wanted to do for a long time and the change in database schema has finally given us a good opportunity to do it.
The old properties are still there and they still work. But the new subType is the preferred method now. There are a few more properties that have been moved in the schema, such as locality and costCenter. They were moved up in the type hierarchy, making them more generic. All those changes should be almost completely compatible with previous midPoint versions.

On the functionality front there were improvements to the user interface, password policies, authorizations, provisioning and other areas. Perhaps the best way to follow those is to check out the issues in our Jira and the new and updated pages in the wiki. I will also document those in the release notes as we get closer to the release.

As for the subscribers that have used their subscription to endorse new features in midPoint 3.8: we are just conducting the first round of testing and bugfixing of those new features. The documentation is also being completed. We will let you know the details of your features in the next week or two.

-- 
Radovan Semancik
Software Architect
evolveum.com

From ealonso at identicum.com Wed Mar 28 21:23:55 2018
From: ealonso at identicum.com (Ezequiel Alonso)
Date: Wed, 28 Mar 2018 16:23:55 -0300
Subject: [midPoint] Google Apps group membership synchronization
Message-ID: 

Hello,

We are working with the Google Apps resource, trying to synchronize the group membership of users. We tried using the default Google Apps resource example, but there is no association node. We tried adding an association node in several ways, but we don't get any result. Does anyone have an example of a Google Apps resource with group membership synchronization?

Thank you in advance!

-- 
Ezequiel Alonso
Identicum S.A.
Jorge Newbery 3226, Argentina
Tel: +54 (11) 4552-3050
ealonso at identicum.com
www.identicum.com
From bhotrock at gmail.com Thu Mar 29 21:46:14 2018
From: bhotrock at gmail.com (Brad Firestone)
Date: Thu, 29 Mar 2018 14:46:14 -0500
Subject: [midPoint] Delegated Admin Question
Message-ID: <5ABD4286.4050409@gmail.com>

I'm working on a delegated admin role in midPoint 3.6.1 and can't figure out a couple of things:

1. Is there any way to control the types of objects that can be assigned? When working with an existing or new user, I click on the Assignments tab, then click the "gear" icon and choose "Assign". The "Select object(s)" window opens and defaults to Type: RoleType. I would like to ONLY be able to see Type: ServiceType and OrgType. Is there a way to hide RoleType and ResourceType?

2. Whether or not I can hide items as asked above, I'd like to know if there's a way to have Type: ServiceType be the default selection. Is there a way to define the default option here?

Thanks for any suggestions!

Brad
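Whatever the "Select object(s)" dialog shows, a delegated admin role should enforce the restriction on the server side, so that a delegated admin who types a role OID into the REST API or a modified form gets the same refusal as in the GUI. As an added example that is not part of the thread and not taken from midPoint's samples, the role below uses the #assign/#unassign authorization actions with target clauses limited to ServiceType and OrgType, plus the #modify authorization on the user's assignment item that the assign operation also needs. The role name is an assumption; the action URIs and the object/target/item clauses are the midPoint 3.x authorization model as I know it, and the example makes no claim about which types the GUI dropdown hides or preselects.

```xml
<!-- Added example, not from the thread. Role name is an assumption. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Delegated Admin (services and orgs only)</name>

  <!-- Let the delegated admin see users and the only two target types
       they are allowed to assign. Roles and resources are not readable. -->
  <authorization>
    <name>read users, services and orgs</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>UserType</type></object>
    <object><type>ServiceType</type></object>
    <object><type>OrgType</type></object>
  </authorization>

  <!-- The assign/unassign actions are checked against the assignment
       target: only services and orgs pass, a RoleType target is refused
       regardless of what the client sent. -->
  <authorization>
    <name>assign and unassign only services and orgs</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <object><type>UserType</type></object>
    <target><type>ServiceType</type></target>
    <target><type>OrgType</type></target>
  </authorization>

  <!-- Assigning is a modification of the user's 'assignment' item, so a
       matching #modify authorization restricted to that item is required;
       no other user attribute becomes writable through this role. -->
  <authorization>
    <name>modify assignments on users</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <object><type>UserType</type></object>
    <item>assignment</item>
  </authorization>
</role>
```

To verify the effect, log in as a user holding only this role and try to add an assignment whose targetRef points at a role (for example through the REST API), then repeat with a service: the first request must be rejected with an authorization error and the second must succeed. The #read authorization is the part that most directly shrinks what is offered in the selection dialog, since objects the user cannot read are not returned by searches, but the enforcement that matters is the target clause on #assign.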
