[midPoint] RE : RE : RE : RE : RE : Namespace problem

Radovan Semancik radovan.semancik at evolveum.com
Mon Sep 30 17:15:18 CEST 2013 

On 09/30/2013 04:10 PM, Belleville-Rioux, Vincent wrote:
> We have about 10k new students each semester and also have about the 
> same number of students that get "offboarded" from some services due 
> to various reasons.
>
> What we're trying to evaluate is how we could automate such state 
> changes so we can do something like :
>
> - 1 month before the start of the semester, all students registered to 
> at least one class will get their account created / activated.  A 
> notification message will be sent.
>
> - 12 months after the end of the last semester where the student had 
> at least one class, the account will be deactivated and a notification 
> message will be sent.

This is quite common scenario both in enterprise and academia. And this 
was actually a reason to create time-based mappings. Therefore it should 
work even in v2.2 but the limitation is that is should be applied to the 
entire account and not just a single role. The basic idea is like this:

MidPoint user will be created in midPoint as soon as we know about such 
record. E.g. it can be synchronized from HR (or any equivalent academic 
source system). The key idea is that user's validFrom date will be set 
to onboarding date (or hire date or sunrise date or whateverYouCallIt 
;-). The activation administrativeStatus of the user should be empty 
(null). This will cause that midPoint will compute effective user 
activation status based on validFrom, validTo and current date.

Assign any roles to the user, e.g. using an object template. The roles 
should represent a state of the user as it should look like during 
semester. You do not need to specify any conditions in the object 
template mappings nor any conditions in the role outbound mappings. The 
roles can be assigned anytime, even before semester.

Define a time-based activation mapping for the resources that you want 
to "pre-provision" or for whose you want to delay de-provisioning. An 
example is here: 
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation 
(see "Mapping Time Constraints" section).

And that's it. Before the semester the user has all the roles, but as 
the time is before user's validFrom the activation mapping in the 
resource definitions will not be used and the accounts will not be 
created. When the semester starts the time passes through validFrom. 
MidPoint detects that (automatically) and the mapping will be evaluated 
differently. The accounts will get created. And similar mechanism also 
applies to delayed deprovisioning. The examples are actually slightly 
more complex than your requirement as they are set up to create a 
disabled account 5 days before onboarding and then enable it right on 
the onboarding date.

The current limitation is that this applies to all accounts on the 
resource. If you want to apply it only to some accounts you have to play 
with the mapping conditions. This may be tricky but it should work. 
However, this is not the ideal way how to create maintainable system. 
Therefore we plan couple of improvements:
1: support account types (this is called "intent" in midPoint 
terminology), e.g. account type "user", "student", "admin", "tester", 
.... you can specify different mappings for each type. Most of the work 
on this feature is already done. But nobody stated that this is 
important enough to give us enough motivation to finally complete and 
test it. :-)
2: support similar time-based mappings in assignment/inducement 
conditions. In such a case you can specify this behaviour per role. This 
is slightly more difficult to finish, but still possible.

> The startDate and endDate are properties we can read from an SQL table 
> (but I'm simulating that with a CSV file for now).  I guess we'll have 
> to reconcile at least once a day because that table will have updates 
> to those dates as students use our online tools to register / 
> unregister themselves to classes.

If it is really a DB table and it has a timestamp column you may rely on 
livesync instead. It is more efficient and much faster. Use 
reconciliation just as a "last instance" in case that livesync missed 
something (e.g. due to bug in mapping script, because the system was 
down for a long time, etc.)
MidPoint is designed to use livesync as a primary mechanism as often as 
possible and use reconciliation only as a "safety net".

Anyway, unlike some other IDM systems midPoint configuration is almost 
entirely the same whether you use livesync or reconciliation. Therefore 
it is easy to experiment with it and fine-tune the setup that works for you.

> We should also have the ability to override those values with other 
> dates like "bannedOn" or "temporaryExtension" :
>
> The bannedOn date would make any student which has that date as a 
> non-null value be kept inactive for 7 years from that date.
>
> The temporaryExtension date would make any student account active for 
> 12 months from that date, regardless of the endDate imported from SQL.

Interesting requirement. Really. I quite like it :-) And I guess you can 
implement this behaviour by using the correct conditions in activation 
mappings. I quite wonder how "clean" or maintainable the result will be 
though. Anyway, it is worth trying. And if you find that you cannot do 
it or that it is unreadable and confusing then let me know. Maybe we 
could think about some way how to improve our mapping code to make it 
better. Maintainability of the system is very important for me.

It is also import for you to realize whether these rules apply to users 
(students as physical persons), to accounts, or to assignments (relation 
of user to an account). As far as I know it is usual that a person may 
be a student on faculty X and work on faculty Y while the onboarding 
dates may be different. Then is would be best to store the dates in 
assignments. If this is the case then midPoint is designed to handle 
situation like this quite well. The system of "assignments" is designed 
primarily for this purpose. While most of the functionality for 
assignments is already there some pieces of code may still be missing 
(e.g. the assignment activation mappings). Therefore it may be best for 
you to start with a partial solution such as storing the dates in users. 
This can work well for a first phase of your project. And you can work 
with us to plan the required features in the roadmap so you can have it 
ready for subsequent phases. IDM projects are not deployed overnight 
therefore I believe that we can agree on a reasonable delivery dates 
that can work for you.

> So, as you can see, dates are really useful for our use cases.  I 
> understand that this was added rather quickly to 2.2.  Would you 
> suggest we upgrade our test environment to the latest snapshots and 
> try and follow the development from there on?

Not yet :-) .. if you decide to use time-based activation mappings then 
it should work well in 2.2. If you find some bug in this part we will 
fix it in 2.2.1 as this is important feature. If you decide that you 
need more than activation mappings then there is no point to switching 
to the development branch yet. The code is not yet there. In such a case 
please let us know and we will figure out when we can deliver that. But 
I quite believe that activation mappings are almost entirely what you 
need now. And once you have your first version working we can talk about 
how to improve it in the future.

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20130930/c38c0c66/attachment.htm>

More information about the midPoint mailing list