[midPoint] How can I synchronize users from the authoritative resource where the user is currently active?

fthul c 0xfthul at gmail.com
Thu May 18 19:28:22 CEST 2023


I kind of solved this problem with archetypes.

Dropping all configuration that I've used in my previous configuration
(roles, multisource etc), I've created two archetypes:
- trainee
- outsourced

In my resources, I try to associate the focus with one of the archetypes,
in the schema handling/objectType tag:
...
<focus>
    <type>c:UserType</type>
    <archetypeRef oid="fefefefe-ffff-aaaa-0000-00000000000c" relation="org:default" type="c:ArchetypeType" />
    <!-- trainee archetype -->
</focus>
...

When there is a conflict (the same person exists in both systems), MIDPOINT
fails to synchronize the resource associated with the different archetype
(that is one thing that I wanted).
If the identity should be synchronized with that resource, the
administrator corrects the situation by manually changing the archetype of
the identity.

The problem I'm having now is that there are unending stacktraces
complaining about the fact that MP cannot set a different archetype on the
existing identity.
For example:
1) The system is working fine and User_A is a trainee and working every day
2) User_A's contract ends and he is not a trainee anymore
3) User_A starts working as an outsourced employee

Now we have a conflict because User_A exists in MP as an identity with the
trainee archetype, but he appeared as an outsourced employee (his new
position in the company).
The administrator changes the archetype to outsourced and MP correctly
starts to synchronize User_A with the outsourced employee system.

But the logs start to grow with stacktraces reporting that MP cannot
synchronize the disabled User_A (who exists in the trainee system), because
the identity has a different archetype.
Also, when the conflict happens, the live synchronization recurring tasks
are automatically suspended.

How could I deal with these problems? Does anybody have any hints?
In the example above, I would like to avoid synchronizing the identity
with the resource associated with the different archetype.

Thanks in advance!
Fthul

On Wed, 3 May 2023 at 20:31, fthul c <0xfthul at gmail.com> wrote:

> Hello,
>
> I'm evaluating midpoint (I'm new to IDMs in general) and I'm having
> trouble getting midpoint to work as follows:
>
> I have two authoritative resources for users:
> A trainee system (TS)
> An outsourced employee system (OES)
>
> Someone can exist and be active in the trainee system or can exist and be
> active in the outsourced employee system, but cannot be active at both
> systems at the same time (including begin/end dates). Some attributes can
> be a little different (for example, the person's name, organizational unit,
> phone, etc), and I would like to synchronize only the attributes from the
> resource in which the identity is active.
>
> Sorry if my question is too basic, but how could I configure midpoint to
> work with this policy?
>
> I've tried to create 2 "radio button" roles: trainee and outsourced and I
> could make only one of them be assigned.
> My problem here was with synchronization, since midpoint kept updating the
> name based on the resource in which the user was disabled.
> Sometimes it worked, but the history for the identity started to grow with
> each synchronization execution, because resources were "competing" to
> update the attributes.
>
> I tried to use defaultAuthoritativeSource (and multisourced fields), but
> I'm having difficulty with the selection of the resource in which the
> identity is currently active.
> My defaultAuthoritativeSource configuration (below) doesn't work properly.
>
> <multiSource>
>    <defaultAuthoritativeSource>
>       <expression>
>          <script>
>             <code>
>                import com.evolveum.midpoint.util.MiscUtil
>                import com.evolveum.midpoint.prism.delta.*
>                import com.evolveum.midpoint.xml.ns._public.common.common_3.*
>                import com.evolveum.midpoint.util.DebugUtil
>                import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
>                import com.evolveum.midpoint.util.exception.*
>
>                if(identity == null){
>                   return null
>                }
>
>                def RESOURCE_TRAINEE = '466c4e70-ed4b-48f6-8842-99f8c12f9d9d'
>                def RESOURCE_OUTSOURCED = '82f6b6cf-eaf2-45e1-9e27-5349279248c2'
>                def res = [RESOURCE_TRAINEE, RESOURCE_OUTSOURCED]
>
>                // trying to find what is the resource in which the user is active
>                def sources = identity
>                      .collect { it.source }
>                      .findAll { source -> res.contains(source?.resourceRef?.oid) }
>                      .findAll { source -> midpoint.getObject(ShadowType.class, source.shadowRef.oid)?.isExists() }
>
>                if (sources?.size() == 1) {
>                   // found only one, return it
>                   return sources.get(0)
>                }
>
>                if (sources?.size() > 1) {
>                   throw new PolicyViolationException("The identity is active in multiple authoritative resources")
>                }
>
>                return null
>             </code>
>          </script>
>       </expression>
>    </defaultAuthoritativeSource>
> </multiSource>
>
> The code above seems to work initially, but fails when I execute these
> steps:
> 1) I manually import the user from the trainee resource
> 2) I delete the user in the trainee resource
> 3) I run reconciliation for the user, and he becomes disabled
> 4) I manually import the user from the outsourced employee resource
> 5) he is correctly updated and is not a trainee anymore
> 6) I create the user again in the trainee resource
> 7) at this point, when I try to manually import the trainee again,
> midpoint allows it (shouldn't it throw the exception I programmed in the
> defaultAuthoritativeSource?)
>
> Does anyone know what I'm doing wrong?
>
> Additionally, in the code above I tried to interrupt the execution when I
> detected that the identity existed in multiple resources with an exception
> (is it done this way?).
>
> Thanks in advance and sorry if my question is too basic!
>
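An added example, not code from the original post: a variant of the defaultAuthoritativeSource script quoted above that counts a source as active only when its account both exists on the resource and is not administratively disabled, which is the "currently active" rule the thread asks for. It assumes the same two resource OIDs and the same midPoint script variables (identity as a collection of FocusIdentityType, midpoint) as the post; the helper name isActive is my own.

```groovy
// Added example for the <code> body of <defaultAuthoritativeSource>.
// Assumes the midPoint script variables used in the post: `identity`
// (collection of FocusIdentityType) and `midpoint` (library functions).
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
import com.evolveum.midpoint.util.exception.ObjectNotFoundException
import com.evolveum.midpoint.util.exception.PolicyViolationException

if (identity == null) {
    return null
}

// Same resource OIDs as in the original post.
def RESOURCE_TRAINEE = '466c4e70-ed4b-48f6-8842-99f8c12f9d9d'
def RESOURCE_OUTSOURCED = '82f6b6cf-eaf2-45e1-9e27-5349279248c2'
def authoritative = [RESOURCE_TRAINEE, RESOURCE_OUTSOURCED]

// isActive (hypothetical helper): true only when the account behind this
// identity source still exists and is not administratively DISABLED.
def isActive = { source ->
    if (source?.shadowRef?.oid == null) {
        return false
    }
    ShadowType shadow
    try {
        shadow = midpoint.getObject(ShadowType.class, source.shadowRef.oid)
    } catch (ObjectNotFoundException e) {
        return false   // shadow is gone, so the account cannot be active
    }
    if (!Boolean.TRUE.equals(shadow.isExists())) {
        return false   // shadow kept, but the account no longer exists
    }
    def status = shadow.activation?.administrativeStatus
    // No activation information on the account is treated as enabled.
    return status == null || status == ActivationStatusType.ENABLED
}

def active = identity
        .collect { it.source }
        .findAll { source -> authoritative.contains(source?.resourceRef?.oid) }
        .findAll { source -> isActive(source) }

if (active.size() > 1) {
    // Two enabled accounts at once breaks the one-active-system policy; stop here.
    throw new PolicyViolationException("Identity is active in multiple authoritative resources: " +
            active.collect { it.resourceRef.oid }.join(', '))
}

// One active source: use it. None: no authoritative source, keep existing data.
return active.isEmpty() ? null : active.first()
```

A disabled account that still exists on the resource (the poster's step 3) is skipped here rather than competing for the attributes, so only the enabled account drives the focus data.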