[midPoint] Syncing only specific groups
Ivan Noris
ivan.noris at evolveum.com
Mon Dec 1 23:28:38 CET 2014
Glad to hear that it worked :-)
Regards,
Ivan
On 12/01/2014 08:06 PM, Jason Everling wrote:
> Awesome, it works just by using any of these values in the roleType
> field: 2, 4, 8, -2147483646, -2147483644, or -2147483640
>
> <attribute>
>     <ref>ri:groupType</ref>
>     <outbound>
>         <strength>strong</strength>
>         <source>
>             <path>roleType</path>
>         </source>
>     </outbound>
>     <inbound>
>         <strength>strong</strength>
>         <target>
>             <path>$focus/roleType</path>
>         </target>
>     </inbound>
> </attribute>
>
> So now I am going to do some mappings and auto input those fields when
> creating a role based on conditions!
>
> This is great that it works!
>
> JASON
>
> On Mon, Dec 1, 2014 at 11:11 AM, Pavol Mederly <mederly at evolveum.com> wrote:
>
> Hello Jason,
>
> I would suggest looking at
> http://msdn.microsoft.com/en-us/library/cc223142.aspx.
>
> Then e.g. Security + Global group would be 0x80000002, i.e.
> decimally either 2147483650 or -2147483646, depending on whether
> the connector expects the value as unsigned int32/64 or signed
> int32. I have not used that yet; so please try them both and see
> what works for you.
>
> Best regards,
> Pavol
>
>
> On 1. 12. 2014 17:58, Jason Everling wrote:
>> Yeah, I was going to try to set the groupType attribute, which
>> controls what group type it is, but it is an integer and not a
>> string. If not, then no big deal; I was just wondering.
>>
>> JASON
>>
>> On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris
>> <ivan.noris at evolveum.com> wrote:
>>
>> Hi Jason,
>>
>> I don't have AD handy right now, so this one is a meta-answer:
>>
>> - Try to look up some other-than-global/security groups in
>> your AD, and see their attributes right in AD.
>> - Then try to see if those attributes are manageable by the
>> connector (in schema, CustomGroupObjectClass AFAIK).
>> - Then you can try to set the corresponding values.
>>
>> In my projects, I've only needed Security and standard
>> groups; I didn't set the other attributes/values, so they were
>> pretty much filled in by AD or the connector itself.
>>
>> I'm sure Pavol can give you a more precise answer regarding the
>> support for this; and I may have some time later today or
>> tomorrow to explore this myself.
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/01/2014 05:12 PM, Jason Everling wrote:
>>> I think that would be a bit much. More than likely, I will
>>> move all groups that would be sync'd to midPoint into their
>>> own container in AD and move all our other groups to another
>>> container, and use <protected> to filter them out so they
>>> are not sync'd.
>>>
>>> Is there a way to build a specific group type instead of
>>> just Global | Security, maybe Domain Local or Universal, or
>>> is it hard coded to Global Security?
>>>
>>> Thanks!
>>> JASON
>>>
>>> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik
>>> <radovan.semancik at evolveum.com> wrote:
>>>
>>> Hi Jason,
>>>
>>> This is slightly different. The condition tells whether
>>> to apply the specific <objectSynchronization> block or
>>> not. The primary use of the condition is to sort objects
>>> of the same object class into "intents" (see
>>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>>> The primary meaning of this is to synchronize a group
>>> object with a role object (or org object). But it does
>>> not synchronize account-group association (i.e. group
>>> membership) with a user-role assignment.
>>>
>>> With a bit of trickery it could theoretically work for
>>> your case. But I doubt that it will be practical. You
>>> will need one <objectSynchronization> block for each
>>> group that you are trying to synchronize.
>>>
>>> --
>>>
>>> Radovan Semancik
>>> Software Architect
>>> evolveum.com
>>>
>>>
>>>
>>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>>> Is what I was asking, in the wiki it says you can add a
>>>> condition to the synchronization policy,
>>>> under https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>>
>>>>
>>>> * *condition* is an expression which has to evaluate
>>>> to true for the policy to be used. It can be used
>>>> for a very fine-grain selection of applicable policies.
>>>>
>>>>
>>>> I found a sample, kind of
>>>> here, https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>>
>>>> I am just a little confused on the condition statement,
>>>> I was thinking it would look something like,
>>>>
>>>> <condition>
>>>>     <script>
>>>>         <code>
>>>>             declare default namespace
>>>>             "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>>             basic.getAttributeValue(account,
>>>>             'http://midpoint.evolveum.com/xml/ns/public/common/common-3',
>>>>             'info') = replicated
>>>>         </code>
>>>>     </script>
>>>> </condition>
>>>>
>>>>
>>>> JASON
>>>>
>>>>
>>>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly
>>>> <mederly at evolveum.com> wrote:
>>>>
>>>> Hello Jason,
>>>>
>>>> Although I don't understand what you would like to
>>>> achieve, here is a quick answer:
>>>>
>>>> If you want to apply a condition to a mapping
>>>> (incoming or outgoing, it does not matter), you can
>>>> use the <condition> subelement directly under the
>>>> <incoming> or <outgoing> one.
>>>> However, take this only as a quick hint. I haven't
>>>> done that, nor am I sure it's implemented. Please
>>>> try it.
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>>
>>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>>> So I have the roleType syncing to the AD
>>>>> attribute info (the info or roleType). I want any
>>>>> group that contains this roleType or info
>>>>> attribute sync'd; any others will not be sync'd.
>>>>>
>>>>> I know how to do this in objectTemplate, but how in
>>>>> the resource, so that it only syncs those groups
>>>>> and not all groups?
>>>>>
>>>>> Where do I put the condition statement in the
>>>>> resource definition? I searched through what I
>>>>> could in the samples but couldn't find anything
>>>>> like this.
>>>>>
>>>>> JASON
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer
>> evolveum.com evolveum.com/blog/
>> _____________________________________________
>> "Semper Id(e)M Vix."
>>
>>
>>
>>
>
>
>
>
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
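An added worked example, not from the thread or from midPoint: it decodes and encodes the AD groupType bit field Pavol and Jason discuss, showing why the same Security + Global group reads as 2147483650 (unsigned) and -2147483646 (signed int32), and adds a small constructed audit that finds groups which are not security-enabled. The scope flag names are the thread's own; the flag values follow the MS-ADTS page Pavol linked; the `audit_distribution_groups` helper and its sample DNs are assumptions.

```python
"""Decode/encode the Active Directory groupType bit field (added example;
flag values follow the MS-ADTS documentation linked in the thread)."""

# Exactly one scope flag is set on a group (names as used in the thread).
SCOPE_FLAGS = {
    "GLOBAL": 0x00000002,
    "DOMAIN_LOCAL": 0x00000004,
    "UNIVERSAL": 0x00000008,
}
SECURITY_ENABLED = 0x80000000  # bit clear => distribution (non-security) group


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit pattern as signed int32, the form LDAP returns."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def to_unsigned32(value: int) -> int:
    """Reinterpret a signed int32 as its unsigned 32-bit pattern."""
    return value & 0xFFFFFFFF


def decode_group_type(value: int) -> tuple[str, bool]:
    """Return (scope, security_enabled); accepts signed or unsigned input."""
    raw = to_unsigned32(value)
    scopes = [name for name, flag in SCOPE_FLAGS.items() if raw & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {raw:#010x} lacks exactly one scope flag")
    return scopes[0], bool(raw & SECURITY_ENABLED)


def encode_group_type(scope: str, security_enabled: bool) -> int:
    """Build the signed int32 value Jason found to work, e.g. -2147483646."""
    raw = SCOPE_FLAGS[scope]
    if security_enabled:
        raw |= SECURITY_ENABLED
    return to_signed32(raw)


def audit_distribution_groups(groups):
    """Hypothetical check: list (dn, scope) for groups that are NOT
    security-enabled, which a mapping assuming 'Security' would mis-model."""
    return [(dn, decode_group_type(gt)[0])
            for dn, gt in groups if not decode_group_type(gt)[1]]


if __name__ == "__main__":
    # Constructed sample entries: a security global group and a distribution group.
    sample = [("CN=app-admins,OU=midpoint,DC=example,DC=org", -2147483646),
              ("CN=newsletter,OU=midpoint,DC=example,DC=org", 2)]
    print(to_unsigned32(-2147483646), decode_group_type(2147483650))
    print(audit_distribution_groups(sample))
```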