[Midpoint-dev] Group/Team management using Midpoint GUI

Tibor Král Tibor.Kral at pantheon.tech
Mon Aug 12 14:08:44 UTC 2019


Hi,

I am working on a custom Connector for MyServer and I am having trouble with associations between Accounts and Org. Structs (teams in MyServer). I implemented support for Account Management (fully functional, tested) and Team Management (issue with testing).

Accounts and Teams were successfully imported from resource MyServer, which created Users and Organizations in MidPoint. Now all I need is to configure the association between them, so that users can be assigned/unassigned to/from various teams. Following the SubjectToObject direction, I created a multiVal attribute "teams" in the account and used it as the associationAttribute. But this doesn't seem to work.

At this point I can't figure out, how to configure the <association> to actually change the content of <associationAttribute> of Account when assigned to Org. struct.

Consider the following example:
1) create user TestUser, test at example.com, testPassword
2) create Role MyServerUser (kind: Account, Intent: account)
3) Assign role MyServerUser to TestUser - creates a new Account on MyServer (verified directly on MyServer) and its Projection in TestUser's detail page.
4) Opening TestUser's detail page, selecting tab Assignments - 1 assignment can be seen (the MyServer Account)
5) Trying to add a new Assignment (green PLUS button) of type Org. The list shows many Organizations imported from the MyServer Resource. They were imported as Kind: Entitlement, Intent: Team, Obj. Class: GroupObjectClass.
6) Selecting one of the organizations (teams) called TestTeam with Relation set to default, clicking the Add button
7) Saving this change of TestUser's detail page.
8) TestUser's detail page - Assignments shows 2 assignments (MyServer Account and TestTeam)
9) Checking the Org. Structure TestTeam in midpoint shows 1 member - TestUser

Everything SEEMS to be right here.
HOWEVER - This operation (assigning TestUser to TestTeam) happens only in MidPoint. The Connector's interface wasn't called at all.
It seems that the "ri:TeamMembership" association defined in schemaHandling is not invoked at all. And since this association defines the <associationAttribute>ri:teams</associationAttribute> (updates attribute ri:teams), only that would have invoked the UpdateAttributeValuesOp interface of the connector.
If I open TestUser's Projection (projection of MyServer account), I can see the Associations category and "MyServer Team membership" field. I can edit it which shows the list of teams. Selecting one and then saving this change actually invokes the connector's UpdateAttributeValuesOp interface and this way the Account is successfully added to the TestTeam (verified on MyServer). But even this approach has an issue. The name of the team (TestTeam) wasn't appended to attribute "teams".

Resource schema, Object Templates and Roles will be attached.
A simplified Resource schema containing the key components can be found at the bottom of this message.

Please let me know what I am missing.
Thank you.

Tibor Kral

<resource>
    <name>myserver</name>
    <schema>
        <xsd:complexType name="GroupObjectClass">
            <xsd:annotation>
                <xsd:appinfo>
                    <ra:resourceObject/>
                    <ra:identifier>icfs:uid</ra:identifier>
                    <ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
                    <ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
                    <ra:namingAttribute>icfs:name</ra:namingAttribute>
                    <ra:nativeObjectClass>__GROUP__</ra:nativeObjectClass>
                </xsd:appinfo>
            </xsd:annotation>
        </xsd:complexType>

        <xsd:complexType name="AccountObjectClass">
            <xsd:annotation>
                <xsd:appinfo>
                    <ra:resourceObject/>
                    <ra:identifier>icfs:uid</ra:identifier>
                    <ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
                    <ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
                    <ra:namingAttribute>icfs:name</ra:namingAttribute>
                    <ra:nativeObjectClass>__ACCOUNT__</ra:nativeObjectClass>
                    <ra:kind>account</ra:kind>
                    <ra:default>true</ra:default>
                </xsd:appinfo>
            </xsd:annotation>
            <xsd:sequence>
                <xsd:element maxOccurs="unbounded" minOccurs="0" name="teams" type="xsd:string">
                    <xsd:annotation>
                        <xsd:appinfo>
                            <a:displayOrder>190</a:displayOrder>
                            <ra:frameworkAttributeName>teams</ra:frameworkAttributeName>
                        </xsd:appinfo>
                    </xsd:annotation>
                </xsd:element>
            </xsd:sequence>
        </xsd:complexType>
    </schema>

    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>Account</intent>
            <displayName>MyServerAccount</displayName>
            <default>true</default>
            <objectClass>ri:AccountObjectClass</objectClass>
            <association id="142">
                <c:ref>ri:TeamMembership</c:ref>
                <displayName>MyServer Team membership</displayName>
                <kind>entitlement</kind>
                <intent>Team</intent>
                <direction>subjectToObject</direction>
                <associationAttribute>ri:teams</associationAttribute>
                <valueAttribute>icfs:name</valueAttribute>
            </association>
        </objectType>
    </schemaHandling>

    <synchronization>
        <objectSynchronization>
            <objectClass>AccountObjectClass</objectClass>
            <intent>Account</intent>
            <enabled>true</enabled>
            <correlation>
                <q:equal>
                    <q:path>name</q:path>
                    <expression>
                        <path>$account/attributes/username</path>
                    </expression>
                </q:equal>
            </correlation>
            <reconcile>false</reconcile>
            <reaction>
                <situation>linked</situation>
                <reconcile>true</reconcile>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <reconcile>true</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <reconcile>true</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>

        <objectSynchronization>
            <objectClass>GroupObjectClass</objectClass>
            <kind>entitlement</kind>
            <intent>Team</intent>
            <focusType>c:OrgType</focusType>
            <enabled>true</enabled>
            <correlation>
                <q:equal>
                    <q:path>name</q:path>
                    <expression xmlns="">
                        <path>$focus/name</path>
                    </expression>
                </q:equal>
            </correlation>
            <objectTemplateRef oid="63cc1d77-dedc-4269-a051-b001231a9c78" relation="org:default" type="c:ObjectTemplateType">
                <targetName>Team Template MyServer sync</targetName>
            </objectTemplateRef>
            <reconcile>false</reconcile>
            <reaction>
                <situation>linked</situation>
                <reconcile>true</reconcile>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <reconcile>true</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <reconcile>true</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
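A consistency check worth running on a resource definition like the one above before debugging in the GUI: it cross-references each association's kind/intent against the objectSynchronization entries, each associationAttribute against the object class declared in the resource schema, and the kind/intent pairs used by role constructions against schemaHandling, all by exact string comparison. This is an added example, not code from the post or from midPoint; check_resource and the SAMPLE resource are constructed from the posted fragment, with placeholder namespace URIs.

```python
import xml.etree.ElementTree as ET

def local(tag):
    return tag.split('}', 1)[-1]   # ElementTree tag without its {namespace} prefix
def kids(node, name):
    return [] if node is None else [c for c in node if local(c.tag) == name]
def first(node, name):
    return (kids(node, name) or [None])[0]
def text(node, name):
    n = first(node, name)
    return n.text.strip() if n is not None and n.text else None

def check_resource(xml_text, construction_intents=()):
    """Return a list of findings; ET.fromstring itself rejects unbalanced tags."""
    root, findings = ET.fromstring(xml_text), []
    # (kind, intent) pairs that the synchronization section can map to focus objects
    sync = {(text(o, 'kind') or 'account', text(o, 'intent') or 'default')
            for o in kids(first(root, 'synchronization'), 'objectSynchronization')}
    declared = {ct.get('name'): {e.get('name') for e in kids(first(ct, 'sequence'), 'element')}
                for ct in kids(first(root, 'schema'), 'complexType')}   # attrs per object class
    handled = set()
    for ot in kids(first(root, 'schemaHandling'), 'objectType'):
        kind, intent = text(ot, 'kind') or 'account', text(ot, 'intent') or 'default'
        handled.add((kind, intent))
        oc = (text(ot, 'objectClass') or '').split(':')[-1]
        for assoc in kids(ot, 'association'):
            ref, target = text(assoc, 'ref'), (text(assoc, 'kind'), text(assoc, 'intent'))
            if target not in sync:
                findings.append(f"{ref}: no objectSynchronization for {target}")
            attr = (text(assoc, 'associationAttribute') or '').split(':')[-1]
            if attr not in declared.get(oc, set()):
                findings.append(f"{ref}: attribute {attr!r} not declared in {oc}")
    for pair in construction_intents:   # kind/intent as typed into role constructions
        if pair not in handled:
            findings.append(f"construction {pair} matches no objectType (exact string match)")
    return findings

# Constructed sample mirroring the posted resource; namespace URIs are placeholders (only local names matter).
SAMPLE = """<resource xmlns="urn:example:common" xmlns:xsd="urn:example:xsd" xmlns:c="urn:example:c">
 <schema><xsd:complexType name="GroupObjectClass"/><xsd:complexType name="AccountObjectClass">
  <xsd:sequence><xsd:element name="teams" type="xsd:string" maxOccurs="unbounded"/></xsd:sequence>
 </xsd:complexType></schema>
 <schemaHandling><objectType><kind>account</kind><intent>Account</intent><objectClass>ri:AccountObjectClass</objectClass>
  <association><c:ref>ri:TeamMembership</c:ref><kind>entitlement</kind><intent>Team</intent><direction>subjectToObject</direction>
   <associationAttribute>ri:teams</associationAttribute><valueAttribute>icfs:name</valueAttribute></association>
 </objectType></schemaHandling>
 <synchronization>
  <objectSynchronization><objectClass>AccountObjectClass</objectClass><intent>Account</intent></objectSynchronization>
  <objectSynchronization><objectClass>GroupObjectClass</objectClass><kind>entitlement</kind><intent>Team</intent></objectSynchronization>
 </synchronization></resource>"""
```

Running `check_resource(SAMPLE, [('account', 'account')])` shows how an intent that differs only in case from the schemaHandling entry is reported, while a missing closing tag such as `</objectType>` is rejected by the parser before any check runs.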

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Midpoint_Connector_configs.zip
Type: application/x-zip-compressed
Size: 5113 bytes
Desc: Midpoint_Connector_configs.zip
URL: <http://lists.evolveum.com/pipermail/midpoint-dev/attachments/20190812/cc459e9f/attachment-0001.bin>
