From patrik.sidler at itconcepts.ch Thu Dec 1 11:36:51 2022
From: patrik.sidler at itconcepts.ch (Patrik Sidler)
Date: Thu, 1 Dec 2022 10:36:51 +0000
Subject: [midPoint] ProvisionScript not running scriptedSQL Connector
Message-ID:

Hi All,

We are having an issue at one of our customers.

The following ProvisionScript is configured in our ScriptedSQL Connector:

Whenever we reconcile an account on this resource, we get the following error:

2022-11-24 15:22:01,066 [] [pool-3-thread-169] ERROR (com.evolveum.midpoint.gui.impl.page.admin.ProgressAwareChangesExecutorImpl): Error executing changes.
com.evolveum.midpoint.util.exception.SystemException: Generic provisioning framework error: groovy.lang.MissingPropertyException(No such property: givenNameOfficially for class: Script1)

Has anyone an idea what is wrong here?

Thank you in advance for your help.

Best Regards
Patrik Sidler
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pascal.perichon at u-paris.fr Thu Dec 1 14:26:19 2022
From: pascal.perichon at u-paris.fr (Pascal PERICHON)
Date: Thu, 1 Dec 2022 14:26:19 +0100
Subject: [midPoint] ProvisionScript not running scriptedSQL Connector
In-Reply-To:
References:
Message-ID: <7aa7ce76-3894-fc09-4f37-858e9f513735@u-paris.fr>

Hi,

The namespace of your extension with "givenNameOfficially" is probably unknown. You should specify it in your XML or access it by program.

Could you try this:

    givenNameOfficially = basic.getExtensionPropertyValue(user, 'http://the/namespace/of/the/extension/schema', 'givenNameOfficially')

If the var "user" is not present, you should catch it by var "focus" or something like that. Check which vars are available in your context with the Groovy command:

    this.binding.variables.each {k,v -> log.info("-------> {} = {}", k, v)}

Best regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aogurekova at evolveum.com Fri Dec 2 10:05:29 2022
From: aogurekova at evolveum.com (Anna Ogurekova)
Date: Fri, 2 Dec 2022 10:05:29 +0100 (CET)
Subject: [midPoint] TechEx
Message-ID: <979538469.69124.1669971929390.JavaMail.zimbra@evolveum.com>

Dear midPoint community,

Me and Slavek Licehammer, Evolveum's Identity Engineer Leader for Academia, are excited about our upcoming trip to Denver, CO! We will be attending the Technology Exchange Conference (https://internet2.edu/2022-technology-exchange/) organized by Internet2.

Come and join us on Tuesday, December 6th, 11:20AM-12:10PM at a "Panel Talk: MidPoint Considerations" (led by Jim Lookabaugh, ProvisionIAM); listen to Slavek's presentation "Advancing MidPoint with IGA Principles" at 1:40-2:30PM, or ask us questions on Wednesday, December 7th, during "The InCommon Catalysts for the Community" session at 1:40PM-2:30PM (led by Charise Arrowood, Unicon).

We are looking forward to meeting everyone!

Anna Ogurekova | Sales, Marketing & Partnerships Leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From William.Velasco at devry.edu Wed Dec 7 00:43:38 2022
From: William.Velasco at devry.edu (Velasco, William)
Date: Tue, 6 Dec 2022 23:43:38 +0000
Subject: [midPoint] Tasks not running after upgrade to v4.4.3
In-Reply-To:
References:
Message-ID:

I have an update related to this issue. This is now fixed and it ended up being caused by the sql jdbc driver.

Now, although to reproduce the issue, there are what seem to be very specific conditions, I would like to document them here in case someone else finds them.

Environment:
MidPoint v.4.4.3
Apache Tomcat 9
OpenJDK_11
MSSQL as backend database
SQL JDBC driver 7.2 (v7.2.0 specifically)
Two server nodes in clustered mode

A possible bug in the driver (specifically v7.2.0) caused the error mentioned below to appear when running two nodes in clustered mode (No errors when running a single node). The fix was to update the driver to v7.2.2.

Regards,
William Velasco

From: Velasco, William
Sent: Monday, November 14, 2022 9:22 AM
To: midPoint General Discussion
Subject: RE: Tasks not running after upgrade to v4.4.3

There is one more piece of information to add: This issue seems to be specific to a cluster configuration.

We completed the same upgrade path (v4.0.4->v4.4.3) on a single node installation and there are no issues at all with the tasks triggering and running. However, after attempting the upgrade on another instance with a two nodes cluster, we saw the same issues as reported in my previous email. The only error showing in the logs is exactly the same as reported in my previous email too.

Regards,
William Velasco

From: midPoint On Behalf Of Velasco, William via midPoint
Sent: Thursday, November 3, 2022 9:23 AM
To: midPoint General Discussion
Cc: Velasco, William
Subject: Re: [midPoint] Tasks not running after upgrade to v4.4.3

I want to point out that the custom tasks were migrated to the new task definition style using midPoint Studio and then re-uploaded. Also, the system tasks (cleanup, trigger, validation) have been recreated (deleted using the GUI and restarting the nodes).

The issue is that none of the tasks run at all. Whether by the scheduler, manually running the task, or being called via the REST API. Whenever the task is submitted to run, there are no errors or activity in the logs that indicates the task is indeed running.

Regards,
William Velasco

From: midPoint On Behalf Of Velasco, William via midPoint
Sent: Tuesday, November 1, 2022 5:39 PM
To: midpoint at lists.evolveum.com
Cc: Velasco, William
Subject: [midPoint] Tasks not running after upgrade to v4.4.3

Hi,

We have recently upgraded to MidPoint v4.4.3 from v4.0.4, and while the upgrade of the different components was completed without any issues or warnings, we have noticed that none of the tasks (system or custom) would run at all after the upgrade.

The task configuration looks fine, and the scheduler seems to think they are running (The Status tab shows "In Progress"). However, no actions seem to be performed (no activities in the logs). Eventually, the Scheduled to start again tab shows as "already passed".

Although the timestamp does not seem to relate directly to when the task is supposed to trigger, there is an error that seems to be recurrent on the logs (about every four minutes in each of the two nodes we run).

2022-11-01 17:31:32,308 [] [QuartzScheduler_midPointScheduler-Node1_MisfireHandler] ERROR (org.quartz.impl.jdbcjobstore.JobStoreTX): MisfireHandler: Error handling misfires: Database error recovering from misfires.
org.quartz.JobPersistenceException: Database error recovering from misfires.

Can you please advise how to handle this issue?

Regards,
William Velasco

----
Secured by Paubox - HITRUST CSF certified
https://www.paubox.com
----
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From yrevyakin at gmail.com Wed Dec 7 08:37:48 2022
From: yrevyakin at gmail.com (Yakov Revyakin)
Date: Wed, 7 Dec 2022 09:37:48 +0200
Subject: [midPoint] Discovery, Object Already Exists
In-Reply-To:
References:
Message-ID:

Unfortunately the problem hasn't gone. It has another nature.

- Midpoint tries to get shadow from Google resource right after its creation. So, at this moment shadow exists, but Midpoint tries to check its existence (Discovery)
- Midpoint receives ObjectNotFoundException and runs ObjectNotFoundHandler.discoverDeletedShadow()
- At the end this results in that Midpoint tries to create the object in resource again and gets ObjectAlreadyExistsException because the object was actually created in the very beginning.
- In result just created projection goes to dead state
- In audit log this process reflects in a Discovery record with fatal error as result

I think this happens because Midpoint tries to get created object too early. Or, probably, it is not a responsibility of Midpoint but of the connector.

Can this case be managed in resource configuration? What is the place responsible for managing this situation?

Guys, I really need help with this.

Thanks in advance,
J

On Fri, 18 Nov 2022 at 21:26, Yakov Revyakin wrote:

> Graph connector has a phrase that to support discovery we must import
> Microsoft certificates.
> In case of googleapps connector when I imported Google certificates the
> problem had gone.
>
> On Fri, 21 Oct 2022 at 20:23, Yakov Revyakin wrote:
>
>> Any suggestions?
>>
>> On Mon, 17 Oct 2022 at 20:18, Yakov Revyakin wrote:
>>
>>> Hi all,
>>> I'm playing with connector-gooogleapps.
>>> I assign the resource to a user via a role assigned to an org with
>>> order=2 UserType inducement.
>>> If I use Admin UI and enable reconcile option after clicking Save I can
>>> see, in the audit log report, that right after successful creation of a new
>>> Google account Midpoint starts Sync Discovery. During this stage Midpoint
>>> tries to create the account again and this stage goes down because of
>>> exception ObjectAlreadyExists. After that successfully created projection
>>> gets Dead status.
>>> But, If I run reconciliation of a trusted CVS source, creation of an
>>> account is successful and there is no any Discovery after creation.
>>> Could you advise how to manage this case and have alive accounts instead
>>> of dead using UI?
>>>
>>> Tnx,
>>> J
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From patrik.sidler at itconcepts.ch Wed Dec 7 08:58:38 2022
From: patrik.sidler at itconcepts.ch (Patrik Sidler)
Date: Wed, 7 Dec 2022 07:58:38 +0000
Subject: [midPoint] LDAP Role not unassigned when validTo is reached
Message-ID:

Hi All,

I am having a problem with an LDAP Role that does not get unassigned when the validTo is reached.

The role assignment on the particular user changes its effectiveStatus to disabled (because validTo is reached), but the role will not be unassigned and therefore the user is still a member of the LDAP Group.

What do I have to configure so that the Role will be unassigned when validTo is reached?

I am working with midPoint 4.6 by the way.

My LDAP Role:

cn=biouser,cn=groups,cn=accounts,dc=dsone-dev,dc=aspectra,dc=net http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import Metarole LDAP Group Assignment enabled http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import Metarole Line Manager Approval enabled enabled 2022-11-23T16:26:51.664+01:00 defaultuser jira-notification true

My LDAP Group Add MetaRole:

Metarole LDAP Group Assignment Assign this Meta Role to all LDAP Group Roles, that can be assigned to users. enabled 2022-11-15T11:23:42.723+01:00 Metarole: assign Users to LDAP Group Inducement to add the User to the correct LDAP Group and to create an account as a projection of user having assigned a LDAP Group Role with this metarole. Creates an account for user, and associates with group created for the Role assigned to the user. weak account ldapAccount ri:ldapGroupMember strong $focusAssignment/targetRef entitlement ldapGroup 2 UserType Inducement to add the User to the correct LDAP Group Creates an object (group) for organization entitlement ldapGroup

Thank you in advance for your help.

Regards
Patrik Sidler
ITConcepts
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pascal.perichon at u-paris.fr Wed Dec 7 11:47:09 2022
From: pascal.perichon at u-paris.fr (Pascal PERICHON)
Date: Wed, 7 Dec 2022 11:47:09 +0100
Subject: [midPoint] LDAP Role not unassigned when validTo is reached
In-Reply-To:
References:
Message-ID: <984a68e9-5081-5a85-f3c5-9a60fbb915a9@u-paris.fr>

Hi again ;)

validTo is just validTo: it enables or disables things but does not destroy the thing (maybe you would like to disable a thing but keep it).

Check here: https://docs.evolveum.com/midpoint/reference/resources/entitlements/#entitlement-membership-removal

or maybe... Did you add some rules for your group in your LDAP resource file? Something with "activation"/"existence" like:

... ... ... entitlement group My LDAP Group ri:groupOfNames ...
weak $focus/effectiveStatus // the code to suppress on not the association if (myCondition) return false; ... ... ...

Best regards

-------
*Pascal PÉRICHON*
Direction des systèmes d'information et du numérique
Université Paris Cité
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ivan.noris at evolveum.com Wed Dec 7 11:58:28 2022
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 7 Dec 2022 11:58:28 +0100
Subject: [midPoint] LDAP Role not unassigned when validTo is reached
In-Reply-To:
References:
Message-ID:

Hi Patrik,

please note that even if there is validTo exceeded, role itself will /not/ be unassigned. Just the /assignment/ of the role will be /inactive/. Whatever the role does, will be "undone".

... but in this case, I think you need to set tolerant=false in the schema handling - if the role provides associations, then you need to configure it there. That's just the page mentioned by Pascal. (https://docs.evolveum.com/midpoint/reference/resources/entitlements/#entitlement-membership-removal for the reference)

Before you set tolerance to false, you should be sure there are no other groups than provided by midPoint.
Best regards,
Ivan

--
Ivan Noris
Expert Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From patrik.sidler at itconcepts.ch Mon Dec 12 14:19:46 2022
From: patrik.sidler at itconcepts.ch (Patrik Sidler)
Date: Mon, 12 Dec 2022 13:19:46 +0000
Subject: [midPoint] LDAP Role not unassigned when validTo is reached
In-Reply-To:
References:
Message-ID:

Hi Ivan, Pascal,

Thank you for your help. I have implemented your proposals and it works.

Regards,
Patrik
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abhishek.thalesdis at gmail.com Sun Dec 18 19:55:10 2022
From: abhishek.thalesdis at gmail.com (Abhshek Singh)
Date: Mon, 19 Dec 2022 00:25:10 +0530
Subject: [midPoint] Automate assignment to groups (roles)
Message-ID:

Hello,

I was trying to synchronize AD groups and membership to some other resource.

The meta role option is working fine. But this process is manual, so not feasible for a large number of users.

Whenever a user is imported into midpoint, it should automatically get assigned to a role corresponding to the group it is a member of.

Is there any example, of how to do this?

Thanks in advance,
Abhishek
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Sven.Feyerabend at stuvus.uni-stuttgart.de Sun Dec 18 23:06:30 2022
From: Sven.Feyerabend at stuvus.uni-stuttgart.de (Sven Feyerabend)
Date: Sun, 18 Dec 2022 23:06:30 +0100
Subject: [midPoint] Automate assignment to groups (roles)
In-Reply-To:
References:
Message-ID:

Hello Abhishek,

if you want to assign a role in midpoint based on group membership in AD, take a look at the association option for inbound mappings in the schema handling part of your resource:
https://docs.evolveum.com/midpoint/reference/expressions/mappings/inbound-mapping/#association

There you can define a custom expression that maps the group membership to the correct role.
Kind regards
Sven
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abhishek-kumar.singh at thalesgroup.com Mon Dec 19 11:59:08 2022
From: abhishek-kumar.singh at thalesgroup.com (SINGH Abhishek Kumar)
Date: Mon, 19 Dec 2022 10:59:08 +0000
Subject: [midPoint] Automate assignment to groups (roles)
Message-ID:

Hello,

I was trying to synchronize AD groups along with membership to some other resource.

The metarole option is working fine. But this process is manual, so not feasible for large number of users.

I want that whenever a user is imported into midpoint, it should automatically get assigned to a role corresponding to the group it is member of.

Is there any example, how to do this?

Thanks in advance,
Abhishek
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From charles.boynton at non.keysight.com Mon Dec 19 15:41:19 2022
From: charles.boynton at non.keysight.com (Charles Boynton)
Date: Mon, 19 Dec 2022 14:41:19 +0000
Subject: [midPoint] Automate assignment to groups (roles)
In-Reply-To:
References:
Message-ID:

Hello Abhshek,

Not sure exactly what you are asking for, maybe you can clarify the ask? However, most of the folks won’t be back until January.

Thanks,
Have A Wonderful Day!

Charles Boynton
AD Support Engineer
Tata Consultancy Services
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From charles.boynton at non.keysight.com Mon Dec 19 15:43:30 2022
From: charles.boynton at non.keysight.com (Charles Boynton)
Date: Mon, 19 Dec 2022 14:43:30 +0000
Subject: [midPoint] Automate assignment to groups (roles)
In-Reply-To:
References:
Message-ID:

Disregard this.

Thanks,
Have A Wonderful Day!

Charles Boynton
AD Support Engineer
Tata Consultancy Services
-------------- next part --------------
An HTML attachment was scrubbed...
URL: