[midPoint] Undeletable object

Belleville-Rioux, Vincent rioux.vincent at uqam.ca
Mon Sep 30 20:36:53 CEST 2013


Ok, I understand.

I've been trying to set it up the way you suggest with limited success...

For some reason, in one of my tests, I ended up with an undeletable object in the shadow object types... I think the only way to fix that for me would be to go into the h2db and do manual queries. Just wanted to share the problem:


Object :


<object xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        oid="f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8"
        version="6"
        xsi:type="ShadowType">
   <name>
      <orig xmlns="http://prism.evolveum.com/xml/ns/public/types-2">undeletableobject</orig>
      <norm xmlns="http://prism.evolveum.com/xml/ns/public/types-2">undeletableobject</norm>
   </name>
   <trigger id="1">
      <timestamp>2018-01-01T00:00:00.000-05:00</timestamp>
      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/trigger/recompute/handler-2</handlerUri>
   </trigger>
   <metadata>
      <createTimestamp>2013-09-30T14:23:23.817-04:00</createTimestamp>
      <creatorRef xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
                  oid="00000000-0000-0000-0000-000000000002"
                  type="c:UserType"/>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-2#discovery</createChannel>
      <modifyTimestamp>2013-09-30T14:26:27.965-04:00</modifyTimestamp>
      <modifierRef oid="00000000-0000-0000-0000-000000000002"/>
      <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-2#user</modifyChannel>
   </metadata>
   <resourceRef xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
                oid="af2bc95b-76e0-48e2-86d6-3d4f02d3fafe"
                type="c:ResourceType"/>
   <objectClass xmlns:qn363="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2">qn363:AccountObjectClass</objectClass>
   <c:kind xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
           xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-2"
           xmlns:t="http://prism.evolveum.com/xml/ns/public/types-2"
           xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-2"
           xmlns:q="http://prism.evolveum.com/xml/ns/public/query-2"
           xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-2"
           xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-2"
           xmlns:wfcf="http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-2"
           xmlns:m="http://midpoint.evolveum.com/xml/ns/public/model/model-context-2"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:enc="http://www.w3.org/2001/04/xmlenc#">account</c:kind>
   <intent>default</intent>
   <iteration>0</iteration>
   <iterationToken/>
</object>


-----------------------------

Error when trying to delete it :



  * Couldn't delete object 'undeletableobject'.
     * Delete object (Gui)
     * Cause: Subresult com.evolveum.midpoint.provisioning.api.ProvisioningService.deleteObject of operation com.evolveum.midpoint.model.api.ModelService.executeChanges is still UNKNOWN during cleanup; during handling of exception com.evolveum.midpoint.util.exception.SystemException: Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement: delete from m_object where id=? and oid=? [23503-171]
     * Execute changes (Model)
        * Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement: delete from m_object where id=? and oid=? [23503-171]
        * Param: options: com.evolveum.midpoint.model.api.ModelExecuteOptions at 4653a06c
        * Cause: Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement: delete from m_object where id=? and oid=? [23503-171]
        * Delete object (Provisioning)
           * Param: scripts:
           * Param: oid: f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8
           * Context: implementationClass: class com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl
           * Get object (Repository)
           * Delete object (Repository)
              * Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement: delete from m_object where id=? and oid=? [23503-171]
              * Param: oid: f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8
              * Param: type: com.evolveum.midpoint.xml.ns._public.common.common_2a.ShadowType
              * Cause: Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement: delete from m_object where id=? and oid=? [23503-171]

org.hibernate.exception.ConstraintViolationException: Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement:
delete from m_object where id=? and oid=? [23503-171]
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:128)
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:49)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110)
at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:129)
at org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81)
at com.sun.proxy.$Proxy113.executeUpdate(Unknown Source)
at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3240)
at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3440)
at org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:100)
at org.hibernate.engine.spi.ActionQueue.execute(ActionQueue.java:362)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:354)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:280)
at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:326)
at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:52)
at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1210)
at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:399)
at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.beforeTransactionCommit(JdbcTransaction.java:101)
at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.commit(AbstractTransactionImpl.java:175)
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.deleteObjectAttempt(SqlRepositoryServiceImpl.java:651)
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.deleteObject_aroundBody6(SqlRepositoryServiceImpl.java:609)
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl$AjcClosure7.run(SqlRepositoryServiceImpl.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:169)
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1)
at com.evolveum.midpoint.util.aspect.MidpointAspect.processRepositoryNdc(MidpointAspect.java:59)
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.deleteObject(SqlRepositoryServiceImpl.java:590)
at com.evolveum.midpoint.repo.cache.RepositoryCache.deleteObject_aroundBody12(RepositoryCache.java:249)
at com.evolveum.midpoint.repo.cache.RepositoryCache$AjcClosure13.run(RepositoryCache.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:169)
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1)
at com.evolveum.midpoint.util.aspect.MidpointAspect.processRepositoryNdc(MidpointAspect.java:59)
at com.evolveum.midpoint.repo.cache.RepositoryCache.deleteObject(RepositoryCache.java:247)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.deleteObject_aroundBody12(ProvisioningServiceImpl.java:870)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl$AjcClosure13.run(ProvisioningServiceImpl.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:169)
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1)
at com.evolveum.midpoint.util.aspect.MidpointAspect.processProvisioningNdc(MidpointAspect.java:69)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.deleteObject(ProvisioningServiceImpl.java:818)
at com.evolveum.midpoint.model.controller.ModelController.executeChanges_aroundBody2(ModelController.java:363)
at com.evolveum.midpoint.model.controller.ModelController$AjcClosure3.run(ModelController.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:169)
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1)
at com.evolveum.midpoint.util.aspect.MidpointAspect.processModelNdc(MidpointAspect.java:79)
at com.evolveum.midpoint.model.controller.ModelController.executeChanges(ModelController.java:313)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:434)
at com.sun.proxy.$Proxy7.executeChanges(Unknown Source)
at com.evolveum.midpoint.web.page.admin.configuration.PageDebugList.deleteObjectConfirmedPerformed(PageDebugList.java:515)
at com.evolveum.midpoint.web.page.admin.configuration.PageDebugList.access$3(PageDebugList.java:509)
at com.evolveum.midpoint.web.page.admin.configuration.PageDebugList$1.yesPerformed(PageDebugList.java:141)
at com.evolveum.midpoint.web.component.dialog.ConfirmationDialog$3.onClick(ConfirmationDialog.java:87)
at org.apache.wicket.ajax.markup.html.AjaxLink$1.onEvent(AjaxLink.java:86)
at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:131)
at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:603)
at sun.reflect.GeneratedMethodAccessor544.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.wicket.RequestListenerInterface.internalInvoke(RequestListenerInterface.java:258)
at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:241)
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:247)
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:226)
at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:840)
at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:254)
at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:211)
at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:282)
at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:244)
at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:188)
at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:267)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter_aroundBody0(MidPointProfilingServletFilter.java:69)
at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter$AjcClosure1.run(MidPointProfilingServletFilter.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:169)
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1)
at com.evolveum.midpoint.util.aspect.MidpointAspect.processWebNdc(MidpointAspect.java:84)
at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:879)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:617)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1760)
at java.lang.Thread.run(Thread.java:724)
Caused by: org.h2.jdbc.JdbcSQLException: Referential integrity constraint violation: "FK_TRIGGER_OWNER: PUBLIC.M_TRIGGER FOREIGN KEY(OWNER_ID, OWNER_OID) REFERENCES PUBLIC.M_OBJECT(ID, OID) (0, 'f17ab2a1-a6ce-4ad1-b057-6537bfc49cc8')"; SQL statement:
delete from m_object where id=? and oid=? [23503-171]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:329)
at org.h2.message.DbException.get(DbException.java:169)
at org.h2.message.DbException.get(DbException.java:146)
at org.h2.constraint.ConstraintReferential.checkRow(ConstraintReferential.java:414)
at org.h2.constraint.ConstraintReferential.checkRowRefTable(ConstraintReferential.java:431)
at org.h2.constraint.ConstraintReferential.checkRow(ConstraintReferential.java:307)
at org.h2.table.Table.fireConstraints(Table.java:873)
at org.h2.table.Table.fireAfterRow(Table.java:890)
at org.h2.command.dml.Delete.update(Delete.java:99)
at org.h2.command.CommandContainer.update(CommandContainer.java:75)
at org.h2.command.Command.executeUpdate(Command.java:230)
at org.h2.server.TcpServerThread.process(TcpServerThread.java:334)
at org.h2.server.TcpServerThread.run(TcpServerThread.java:150)
at java.lang.Thread.run(Thread.java:724)

at org.h2.engine.SessionRemote.done(SessionRemote.java:568)
at org.h2.command.CommandRemote.executeUpdate(CommandRemote.java:181)
at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:156)
at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:142)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeUpdate(NewProxyPreparedStatement.java:105)
at sun.reflect.GeneratedMethodAccessor407.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)
... 121 more

________________________________
From: midpoint-bounces at lists.evolveum.com [midpoint-bounces at lists.evolveum.com] on behalf of Radovan Semancik [radovan.semancik at evolveum.com]
Sent: 30 September 2013 11:15
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] RE : RE : RE : RE : RE : Namespace problem

On 09/30/2013 04:10 PM, Belleville-Rioux, Vincent wrote:
We have about 10k new students each semester and also have about the same number of students that get "offboarded" from some services due to various reasons.

What we're trying to evaluate is how we could automate such state changes so we can do something like :

- 1 month before the start of the semester, all students registered to at least one class will get their account created / activated.  A notification message will be sent.

- 12 months after the end of the last semester where the student had at least one class, the account will be deactivated and a notification message will be sent.

This is quite a common scenario both in enterprise and academia. And this was actually a reason to create time-based mappings. Therefore it should work even in v2.2 but the limitation is that it should be applied to the entire account and not just a single role. The basic idea is like this:

MidPoint user will be created in midPoint as soon as we know about such a record. E.g. it can be synchronized from HR (or any equivalent academic source system). The key idea is that the user's validFrom date will be set to the onboarding date (or hire date or sunrise date or whateverYouCallIt ;-). The activation administrativeStatus of the user should be empty (null). This will cause midPoint to compute the effective user activation status based on validFrom, validTo and the current date.

Assign any roles to the user, e.g. using an object template. The roles should represent the state of the user as it should look during the semester. You do not need to specify any conditions in the object template mappings nor any conditions in the role outbound mappings. The roles can be assigned anytime, even before the semester.

Define a time-based activation mapping for the resources that you want to "pre-provision" or for which you want to delay de-provisioning. An example is here: https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation (see "Mapping Time Constraints" section).

And that's it. Before the semester the user has all the roles, but as the time is before the user's validFrom the activation mapping in the resource definitions will not be used and the accounts will not be created. When the semester starts the time passes through validFrom. MidPoint detects that (automatically) and the mapping will be evaluated differently. The accounts will get created. And a similar mechanism also applies to delayed deprovisioning. The examples are actually slightly more complex than your requirement as they are set up to create a disabled account 5 days before onboarding and then enable it right on the onboarding date.

The current limitation is that this applies to all accounts on the resource. If you want to apply it only to some accounts you have to play with the mapping conditions. This may be tricky but it should work. However, this is not the ideal way to create a maintainable system. Therefore we plan a couple of improvements:
1: support account types (this is called "intent" in midPoint terminology), e.g. account type "user", "student", "admin", "tester", .... you can specify different mappings for each type. Most of the work on this feature is already done. But nobody stated that this is important enough to give us enough motivation to finally complete and test it. :-)
2: support similar time-based mappings in assignment/inducement conditions. In such a case you can specify this behaviour per role. This is slightly more difficult to finish, but still possible.

The startDate and endDate are properties we can read from an SQL table (but I'm simulating that with a CSV file for now).  I guess we'll have to reconcile at least once a day because that table will have updates to those dates as students use our online tools to register / unregister themselves to classes.

If it is really a DB table and it has a timestamp column you may rely on livesync instead. It is more efficient and much faster. Use reconciliation just as a "last instance" in case livesync missed something (e.g. due to a bug in a mapping script, because the system was down for a long time, etc.)
MidPoint is designed to use livesync as a primary mechanism as often as possible and use reconciliation only as a "safety net".

Anyway, unlike some other IDM systems midPoint configuration is almost entirely the same whether you use livesync or reconciliation. Therefore it is easy to experiment with it and fine-tune the setup that works for you.

We should also have the ability to override those values with other dates like "bannedOn" or "temporaryExtension" :

The bannedOn date would make any student which has that date as a non-null value be kept inactive for 7 years from that date.

The temporaryExtension date would make any student account active for 12 months from that date, regardless of the endDate imported from SQL.

Interesting requirement. Really. I quite like it :-) And I guess you can implement this behaviour by using the correct conditions in activation mappings. I quite wonder how "clean" or maintainable the result will be though. Anyway, it is worth trying. And if you find that you cannot do it or that it is unreadable and confusing then let me know. Maybe we could think about some way to improve our mapping code to make it better. Maintainability of the system is very important for me.

It is also important for you to realize whether these rules apply to users (students as physical persons), to accounts, or to assignments (relation of user to an account). As far as I know it is usual that a person may be a student on faculty X and work on faculty Y while the onboarding dates may be different. Then it would be best to store the dates in assignments. If this is the case then midPoint is designed to handle a situation like this quite well. The system of "assignments" is designed primarily for this purpose. While most of the functionality for assignments is already there some pieces of code may still be missing (e.g. the assignment activation mappings). Therefore it may be best for you to start with a partial solution such as storing the dates in users. This can work well for a first phase of your project. And you can work with us to plan the required features in the roadmap so you can have it ready for subsequent phases. IDM projects are not deployed overnight therefore I believe that we can agree on reasonable delivery dates that can work for you.

So, as you can see, dates are really useful for our use cases.  I understand that this was added rather quickly to 2.2.  Would you suggest we upgrade our test environment to the latest snapshots and try and follow the development from there on?

Not yet :-) .. if you decide to use time-based activation mappings then it should work well in 2.2. If you find some bug in this part we will fix it in 2.2.1 as this is an important feature. If you decide that you need more than activation mappings then there is no point in switching to the development branch yet. The code is not yet there. In such a case please let us know and we will figure out when we can deliver that. But I quite believe that activation mappings are almost entirely what you need now. And once you have your first version working we can talk about how to improve it in the future.


--

                                           Radovan Semancik
                                          Software Architect
                                             evolveum.com
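
The date rules discussed in this thread (activation 1 month before the semester, deactivation 12 months after it, a 7-year bannedOn block, a 12-month temporaryExtension), worked through as an added Python example; it is not part of the original messages and is not midPoint code or configuration. The `Student` record, the function names, the half-open windows and the precedence (explicit administrativeStatus, then ban, then extension, then validity) are assumptions, since the thread does not state how the overrides rank.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Periods quoted in the thread.
PRE_PROVISION_MONTHS = 1    # account active 1 month before the semester starts
GRACE_MONTHS = 12           # deactivated 12 months after the last semester ends
BAN_MONTHS = 7 * 12         # bannedOn keeps the account inactive for 7 years
EXTENSION_MONTHS = 12       # temporaryExtension keeps it active for 12 months


def add_months(d: date, months: int) -> date:
    """Shift by whole months, clamping the day (31 March - 1 month -> 28 February)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass
class Student:  # hypothetical record; fields mirror the dates named in the thread
    start_date: date
    end_date: date
    banned_on: Optional[date] = None
    temporary_extension: Optional[date] = None
    administrative_status: Optional[str] = None  # None: let the dates decide


def windows(s: Student) -> dict:
    """Half-open [start, end) windows derived from the record (assumed boundary rule)."""
    w = {"validity": (add_months(s.start_date, -PRE_PROVISION_MONTHS),
                      add_months(s.end_date, GRACE_MONTHS))}
    if s.banned_on:
        w["ban"] = (s.banned_on, add_months(s.banned_on, BAN_MONTHS))
    if s.temporary_extension:
        w["extension"] = (s.temporary_extension,
                          add_months(s.temporary_extension, EXTENSION_MONTHS))
    return w


def effective_status(s: Student, today: date) -> tuple:
    """Return (status, deciding rule) using the assumed precedence order."""
    if s.administrative_status is not None:
        return s.administrative_status, "administrativeStatus"
    w = windows(s)
    for name, status in (("ban", "disabled"), ("extension", "enabled"),
                         ("validity", "enabled")):
        if name in w and w[name][0] <= today < w[name][1]:
            return status, name
    return "disabled", "outside every window"


def next_recompute(s: Student, today: date) -> Optional[date]:
    """Earliest future window boundary, i.e. the next date the status could change."""
    future = [b for window in windows(s).values() for b in window if b > today]
    return min(future) if future else None


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    student = Student(date(2013, 9, 3), date(2013, 12, 20))
    for day in (date(2013, 7, 15), date(2013, 9, 30), date(2014, 12, 20)):
        print(day, effective_status(student, day), next_recompute(student, day))
    banned = Student(date(2013, 9, 3), date(2013, 12, 20),
                     banned_on=date(2015, 3, 1),
                     temporary_extension=date(2015, 1, 10))
    print(effective_status(banned, date(2015, 6, 1)))
```

`next_recompute` is conservative: it returns every boundary, including ones where a higher-ranked rule keeps the status unchanged, so a re-evaluation on that date may be a no-op.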
