[midPoint] Syncing only specific groups

Ivan Noris ivan.noris at evolveum.com
Mon Dec 1 17:22:15 CET 2014


Hi Jason,

I don't have AD right now handy, so this one is a meta-answer:

- Try to look up some other-than-global/security groups in your AD, and
see their attributes right in AD.
- Then try to see if those attributes are manageable by the connector (in
schema, CustomGroupObjectClass AFAIK).
- Then you can try to set corresponding values.

In my projects, I've only needed Security and standard groups, I didn't
set the other attribute/values, so they were pretty much filled by AD or
the connector itself.

I'm sure Pavol can give you a more precise answer regarding the support of
this; and I may have some time later today or tomorrow to explore this
myself.

Regards,
Ivan

On 12/01/2014 05:12 PM, Jason Everling wrote:
> I think that would be a bit much, more than likely, I will move all
> groups that would be sync'd to Midpoint into its own container in AD
> and move all our other groups to another container and use the
> <protected> to filter them out so they are not sync'd.
>
> Is there a way to build a specific group type instead of just Global |
> Security, maybe Domain Local or Universal or is it hard coded to
> Global Security?
>
> Thanks!
> JASON
>
> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik
> <radovan.semancik at evolveum.com <mailto:radovan.semancik at evolveum.com>>
> wrote:
>
>     Hi Jason,
>
>     This is slightly different. The condition tells whether to apply
>     the specific <objectSynchronization> block or not. The primary use
>     of the condition is to sort objects of the same object class to
>     "intents" (see
>     https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>     The primary meaning of this is to synchronize a group object with a
>     role object (or org object). But it does not synchronize
>     account-group association (i.e. group membership) with a user-role
>     assignment.
>
>     With a bit of trickery it could theoretically work for your case.
>     But I doubt that it will be practical. You will need one
>     <objectSynchronization> block for each group that you are trying
>     to synchronize.
>
>     -- 
>
>                                                Radovan Semancik
>                                               Software Architect
>                                                  evolveum.com <http://evolveum.com>
>
>
>
>     On 11/29/2014 05:21 PM, Jason Everling wrote:
>>     Is what I was asking, in the wiki it says you can add a condition
>>     to the synchronization policy,
>>     under https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>
>>
>>       * *condition* is an expression which has to evaluate to true
>>         for the policy to be used. It can be used for a very
>>         fine-grain selection of applicable policies.
>>
>>
>>     I found a sample, kind of
>>     here, https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>
>>     I am just a little confused on the condition statement, I was
>>     thinking it would look something like,
>>
>>     <condition>
>>        <script>
>>          <!-- Groovy script; the XPath namespace declaration was dropped
>>               because it does not belong in Groovy code -->
>>          <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>          <code>
>>             // resource attributes live in the "ri" namespace; compare the
>>             // AD "info" attribute with the literal string 'replicated'
>>             basic.getAttributeValue(account,
>>     'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3',
>>     'info') == 'replicated'
>>          </code>
>>       </script>
>>     </condition>
>>
>>
>>     JASON
>>
>>
>>     On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly
>>     <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>>
>>         Hello Jason,
>>
>>         although I don't understand what you would like to achieve, a
>>         quick answer though:
>>
>>         If you want to apply a condition to a mapping (incoming or
>>         outgoing, it does not matter), you can use the <condition>
>>         subelement directly under the <incoming> or <outgoing> one.
>>         However, take this only as a quick hint. I haven't done that,
>>         nor am I sure it's implemented. Please try it.
>>
>>         Best regards,
>>         Pavol
>>
>>
>>         On 28. 11. 2014 22:46, Jason Everling wrote:
>>>         So I have the roleType syncing to the AD attribute, info,
>>>         the info or roleType. I want any group that contains this
>>>         roleType or info attribute sync'd, any others will not be
>>>         sync'd.
>>>
>>>         I know how to do this in objectTemplate but how in the
>>>         resource so that it only syncs those groups and not all groups.
>>>
>>>         Where do I put in the condition statement in the resource
>>>         definition? I searched through what I could in the samples
>>>         but couldn't find anything like this.
>>>
>>>         JASON
>>>
>>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
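Ivan's steps above (look at the group's attributes in AD, then set the corresponding values through the connector) come down to the AD groupType attribute, which is what distinguishes Global, Domain Local and Universal groups and security vs. distribution groups. The following helper is an added example, not code from the thread or from midPoint: it decodes and builds groupType values using the documented AD bit flags; the sample group entries are constructed.

```python
# Added example (not from the thread or from midPoint): decode and build
# Active Directory groupType values. Flag constants are the documented AD
# bit flags; the SAMPLE_GROUPS entries below are constructed.
from typing import Dict

# Documented groupType bit flags (AD stores the attribute as a signed 32-bit int)
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002            # "account group"
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004      # "resource group"
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # bit clear => distribution group

SCOPES = {
    "global": GROUP_TYPE_GLOBAL,
    "domainLocal": GROUP_TYPE_DOMAIN_LOCAL,
    "universal": GROUP_TYPE_UNIVERSAL,
}


def decode_group_type(value: int) -> Dict[str, object]:
    """Interpret a raw groupType value as read from AD (may be negative)."""
    bits = value & 0xFFFFFFFF  # normalise the signed 32-bit representation
    scope = [name for name, flag in SCOPES.items() if bits & flag]
    if len(scope) != 1:
        raise ValueError(f"groupType {value} does not carry exactly one scope bit")
    return {
        "scope": scope[0],
        "security": bool(bits & GROUP_TYPE_SECURITY_ENABLED),
        "builtin": bool(bits & GROUP_TYPE_BUILTIN_LOCAL),
    }


def encode_group_type(scope: str, security: bool = True) -> int:
    """Build the signed value AD expects for a given scope and group type."""
    bits = SCOPES[scope]
    if security:
        bits |= GROUP_TYPE_SECURITY_ENABLED
    # Security groups have the top bit set, so their signed value is negative
    return bits - 0x100000000 if bits & 0x80000000 else bits


# Constructed sample: what a lookup of a few groups in AD might return
SAMPLE_GROUPS = {
    "CN=MidPoint-Staff,OU=Groups,DC=example,DC=com": -2147483646,  # global security
    "CN=Printers,OU=Groups,DC=example,DC=com": -2147483644,        # domain local security
    "CN=All-Campus,OU=Groups,DC=example,DC=com": 8,                # universal distribution
}

if __name__ == "__main__":
    for dn, raw in SAMPLE_GROUPS.items():
        print(dn, decode_group_type(raw))
```

Comparing the decoded scope of each existing group with what the connector's schema lets you set tells you whether a Domain Local or Universal group can be created through midPoint at all.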
