From dnataraj at trilobytesystems.com Tue Jul 1 12:37:47 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Tue, 01 Jul 2014 13:37:47 +0300
Subject: [midPoint] No such property: iterationToken
Message-ID: <53B28F7B.3010502@trilobytesystems.com>
Hi -
I'm trying to formulate unique uid's for the user on an inbound mapping.
I am using iterationToken (I am using a snippet from one of Ivan's
examples).
This is my attribute mapping
icfs:name
0
true
true
true
input + '-apos' + iterationToken
$user/name
followed by the iteration definition :
999
I am getting the following exception, when I import users :
Caused by: com.evolveum.midpoint.util.exception.ExpressionEvaluationException: groovy.lang.MissingPropertyException: No such property: iterationToken for class: Script17 expression in mapping in inbound expression for {http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}name in resource:036f0100-2fe8-49e1-a8fd-5548374f8703(APOS CSV Feeder Resource Definition)
    at com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:124) ~[model-common-3.0.jar:na]
    at com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:108) ~[model-common-3.0.jar:na]
    at com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58) ~[model-common-3.0.jar:na]
    at com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator$1.process(AbstractValueTransformationExpressionEvaluator.java:420) ~[model-common-3.0.jar:na]
    ... 50 common frames omitted
Caused by: javax.script.ScriptException: groovy.lang.MissingPropertyException: No such property: iterationToken for class: Script17
    at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:323) ~[groovy-1.8.6.jar:1.8.6]
    at org.codehaus.groovy.jsr223.GroovyCompiledScript.eval(GroovyCompiledScript.java:41) ~[groovy-1.8.6.jar:1.8.6]
    at javax.script.CompiledScript.eval(CompiledScript.java:92) ~[na:1.7.0_45]
    at com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:122) ~[model-common-3.0.jar:na]
    ... 53 common frames omitted
Caused by: groovy.lang.MissingPropertyException: No such property: iterationToken for class: Script17
    at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:50) ~[groovy-1.8.6.jar:1.8.6]
    at org.codehaus.groovy.runtime.callsite.PogoGetPropertySite.getProperty(PogoGetPropertySite.java:49) ~[groovy-1.8.6.jar:1.8.6]
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGroovyObjectGetProperty(AbstractCallSite.java:231) ~[groovy-1.8.6.jar:1.8.6]
    at Script17.run(Script17.groovy:2) ~[na:na]
    at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:320) ~[groovy-1.8.6.jar:1.8.6]
    ... 56 common frames omitted
I seem to be following the general guidelines here :
https://wiki.evolveum.com/display/midPoint/Unique+Account+Username+HOWTO
Am I missing something?
Thanks in advance -
BR/Deepak
From dnataraj at trilobytesystems.com Tue Jul 1 12:41:51 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Tue, 01 Jul 2014 13:41:51 +0300
Subject: [midPoint] No such property: iterationToken
In-Reply-To: <53B28F7B.3010502@trilobytesystems.com>
References: <53B28F7B.3010502@trilobytesystems.com>
Message-ID: <53B2906F.4060303@trilobytesystems.com>
Hmmm. Looking at the documentation again, it seems inbound mappings are
mentioned nowhere.
Are these iteration tokens only valid for outbound mappings (i.e. should
I move this usage on inbound mappings to a user creation template?)
Why is this so....?
--
Deepak Natarajan
Director
Trilobyte Systems ApS
Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
2000 Frederiksberg Business Center Papula
Denmark 00100 Helsinki
Finland
Tel : +45 29375068
http://www.trilobytesystems.com
From ivan.noris at evolveum.com Tue Jul 1 13:29:41 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 01 Jul 2014 13:29:41 +0200
Subject: [midPoint] No such property: iterationToken
In-Reply-To: <53B2906F.4060303@trilobytesystems.com>
References: <53B28F7B.3010502@trilobytesystems.com>
<53B2906F.4060303@trilobytesystems.com>
Message-ID: <53B29BA5.2080101@evolveum.com>
Hi Deepak,
just a note from practice: I've never used iterations on inbound. But
you can use them in an object template to generate (for example) a unique
user/name property.
So in a few words, you would not set user/name from inbound expressions,
but you would compute it from the object template.
I believe I've dropped some example to the list before; if not, I can
drop one later today if you're interested.
Regards
Ivan
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com
___________________________________________
"Idem per idem - semper idem Vix."
From dnataraj at trilobytesystems.com Tue Jul 1 14:46:42 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Tue, 01 Jul 2014 15:46:42 +0300
Subject: [midPoint] No such property: iterationToken
In-Reply-To: <53B29BA5.2080101@evolveum.com>
References: <53B28F7B.3010502@trilobytesystems.com>
<53B2906F.4060303@trilobytesystems.com>
<53B29BA5.2080101@evolveum.com>
Message-ID: <53B2ADB2.5030909@trilobytesystems.com>
Hi Ivan -
Thanks - yes, this is the first time I am trying to use the script var in
inbound mappings as well - apparently Midpoint doesn't like it - so I
will have to do it in a template (like in your previous examples). I was
already setting the user name in an inbound expression - just needed the
iteration token to resolve conflicts.
I already have your example - I was just trying to move it into the
schema handling, rather than the object template, so I'll just do it
like you did.
Thanks!
BR/Deepak
--
Deepak Natarajan
Director
Trilobyte Systems ApS
Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
2000 Frederiksberg Business Center Papula
Denmark 00100 Helsinki
Finland
Tel : +45 29375068
http://www.trilobytesystems.com
From radovan.semancik at evolveum.com Tue Jul 1 20:07:31 2014
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Tue, 01 Jul 2014 20:07:31 +0200
Subject: [midPoint] No such property: iterationToken
In-Reply-To: <53B2ADB2.5030909@trilobytesystems.com>
References: <53B28F7B.3010502@trilobytesystems.com> <53B2906F.4060303@trilobytesystems.com> <53B29BA5.2080101@evolveum.com>
<53B2ADB2.5030909@trilobytesystems.com>
Message-ID: <53B2F8E3.5080400@evolveum.com>
Hi Deepak,

That's correct. The iteration and iterationToken variables are only
available in outbound expressions and in the object template. But these are
slightly different things. The iterationToken in an outbound expression
applies to accounts (or other resource objects). The iterationToken in the
object template applies to focal objects such as users and roles. These
are independently used and independently incremented. This is how it makes
sense to us: you may want to use iterationToken to find a unique account
name, then use the one in outbound expressions. If you want to determine
a unique name for a user, then use the iterationToken in the user template.

IterationToken in inbound expressions does not make much sense to me.
The target of inbound expressions is the focal object (e.g. user). Therefore
it just cannot be the same thing as iterationToken in an outbound
expression. The other thing is that midPoint needs to have a complete
user to determine whether it is unique or not. Currently we check only
the uniqueness of the user's name. But that will change in the future and you
should be able to set a uniqueness constraint on any property. Therefore
we will need a complete user before we check uniqueness. And we also
need an ability to recompute the expressions again and again until we
find a unique combination. And this can only be done efficiently in the
object template. Therefore the iterationToken is in the object template
and not in inbound expressions. Oh yes, we could theoretically recompute
all the inbound expressions in all the resources ... but that is just
too much recomputation and it would complicate the code. Especially if
resource dependencies are used. Therefore we have decided that having
iterationToken just in the object template is OK.

However, there are "tricks" for using the iterationTokens almost
everywhere. It is mostly passing it as an extension property. Or
pre-computing some "stem" names in the object template, placing these in
the extension and then using them in outbound expressions. Similarly you
can pass interim values from inbound to the user extension and then use the
object template to iterate and find a unique combination. There are many
ways. We haven't found a use case that we could not easily implement
with this approach. Maybe if you could describe your specific use case
we can help you with your configuration.
--
Radovan Semancik
Software Architect
evolveum.com
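A small Python model of the iterate-until-unique behaviour described in the message above, added here as an illustration; it is not midPoint code or configuration from the thread. The function names, the `nameStem` extension property, the sample accounts and the token rule (empty on the first pass, then the iteration number) are assumptions.

```python
# Added illustration: a model of the behaviour described in the thread,
# not midPoint code. All names and sample data below are constructed.


class IterationLimitExceeded(Exception):
    """No unique value was found within the allowed number of iterations."""


def iteration_token(iteration):
    # Assumption: the token is empty on the first pass, then the counter.
    return "" if iteration == 0 else str(iteration)


def iterate_until_unique(compute, is_unique, max_iterations):
    """Recompute the complete object with each token until it is unique."""
    for iteration in range(max_iterations + 1):
        candidate = compute(iteration_token(iteration))
        if is_unique(candidate):
            return candidate, iteration
    raise IterationLimitExceeded(
        "no unique value after %d iterations" % max_iterations)


def inbound(account):
    """Inbound step: no iteration variables exist here, so the interim
    stem is only parked in the user extension (hypothetical 'nameStem')."""
    return {
        "fullName": account["fullName"],
        "extension": {"nameStem": account["icfsName"] + "-apos"},
    }


def apply_user_template(user, repo_names, max_iterations=999):
    """Template step: build the complete user, then test the user name
    against the repository. This counter belongs to the focal object."""
    def compute(token):
        complete = dict(user)
        complete["name"] = user["extension"]["nameStem"] + token
        return complete

    return iterate_until_unique(
        compute, lambda u: u["name"] not in repo_names, max_iterations)


def outbound_account_name(user, resource_names, max_iterations=999):
    """Outbound step: a separate counter, applied to the account name on
    one target resource and independent of the focal-object counter."""
    stem = user["fullName"].lower().replace(" ", ".")
    return iterate_until_unique(
        lambda token: stem + token,
        lambda name: name not in resource_names,
        max_iterations)


def import_accounts(accounts, resource_names, max_iterations=999):
    """Run inbound -> template -> outbound for each source account."""
    repo_names, taken, report = set(), set(resource_names), []
    for account in accounts:
        user, focus_iter = apply_user_template(
            inbound(account), repo_names, max_iterations)
        repo_names.add(user["name"])
        acct_name, acct_iter = outbound_account_name(
            user, taken, max_iterations)
        taken.add(acct_name)
        report.append((user["name"], focus_iter, acct_name, acct_iter))
    return report


# Constructed sample: two people with the same name in the source feed,
# and a target resource that already holds two matching account names.
SAMPLE_FEED = [
    {"icfsName": "jsmith", "fullName": "John Smith"},
    {"icfsName": "jsmith", "fullName": "John Smith"},
]
SAMPLE_RESOURCE = {"john.smith", "john.smith1"}

if __name__ == "__main__":
    for row in import_accounts(SAMPLE_FEED, SAMPLE_RESOURCE):
        print(row)
```

The focal-object counter and the account counter end on different values for the same person, and a bounded `max_iterations` turns an exhausted name space into an explicit error rather than a silent collision.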
From dnataraj at trilobytesystems.com Thu Jul 3 18:31:48 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Thu, 03 Jul 2014 18:31:48 +0200
Subject: [midPoint] No such property: iterationToken
In-Reply-To: <53B2F8E3.5080400@evolveum.com>
References: <53B28F7B.3010502@trilobytesystems.com> <53B2906F.4060303@trilobytesystems.com> <53B29BA5.2080101@evolveum.com>
<53B2ADB2.5030909@trilobytesystems.com>
<53B2F8E3.5080400@evolveum.com>
Message-ID: <53B58574.30604@trilobytesystems.com>
Hi Radovan -
Gotcha. Thanks for the explanation. We have a use case where there could
easily be two people with the same name (this is a common occurrence
here - e.g. John Smith) working in the same department. Since our source
system does not deal with resource user account names (which are of
course unique) we need to build and attach these to the user object in
Midpoint. I remember doing this in the Object Template, but nowadays I'm
beginning to forget some of the earlier Midpoint theory from when I was
starting off :) - doing this in the OT is quite fine for our requirement.
I'm trying to design a solution for a different issue though - and
perhaps you could give me some guidance here. I'll move my question to a
separate thread!
BR/Deepak
> ~[model-common-3.0.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator$1.process(AbstractValueTransformationExpressionEvaluator.java:420)
> ~[model-common-3.0.jar:na]
> ... 50 common frames omitted
> Caused by: javax.script.ScriptException:
> groovy.lang.MissingPropertyException: No such property: iterationToken
> for class: Script17
> at
> org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:323)
> ~[groovy-1.8.6.jar:1.8.6]
> at
> org.codehaus.groovy.jsr223.GroovyCompiledScript.eval(GroovyCompiledScript.java:41)
> ~[groovy-1.8.6.jar:1.8.6]
> at javax.script.CompiledScript.eval(CompiledScript.java:92)
> ~[na:1.7.0_45]
> at
> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:122)
> ~[model-common-3.0.jar:na]
> ... 53 common frames omitted
> Caused by: groovy.lang.MissingPropertyException: No such property:
> iterationToken for class: Script17
> at
> org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:50)
> ~[groovy-1.8.6.jar:1.8.6]
> at
> org.codehaus.groovy.runtime.callsite.PogoGetPropertySite.getProperty(PogoGetPropertySite.java:49)
> ~[groovy-1.8.6.jar:1.8.6]
> at
> org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGroovyObjectGetProperty(AbstractCallSite.java:231)
> ~[groovy-1.8.6.jar:1.8.6]
> at Script17.run(Script17.groovy:2) ~[na:na]
> at
> org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:320)
> ~[groovy-1.8.6.jar:1.8.6]
> ... 56 common frames omitted
>
> I seem to be following the general guidelines here :
> https://wiki.evolveum.com/display/midPoint/Unique+Account+Username+HOWTO
>
> Am I missing something?
>
> Thanks in advance -
> BR/Deepak
>
>
>
>
--
Deepak Natarajan
Director
Trilobyte Systems ApS
Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
2000 Frederiksberg Business Center Papula
Denmark 00100 Helsinki
Finland
Tel : +45 29375068
http://www.trilobytesystems.com
From dnataraj at trilobytesystems.com Thu Jul 3 18:40:50 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Thu, 03 Jul 2014 18:40:50 +0200
Subject: [midPoint] XML attributes
In-Reply-To: <538622C7.5040308@evolveum.com>
References: <5383265F.4020103@trilobytesystems.com>
<538622C7.5040308@evolveum.com>
Message-ID: <53B58792.6000502@trilobytesystems.com>
Hi Radovan -
I would like to return to this issue we discussed earlier.
You mentioned :
"When it comes to your specific case I'm sure that the data can be
represented in an alternative way without the use of attributes. Of
course you can use this:
1
a
2
b
"
I would like to use this, but am wondering how the inbound mappings
would be set up in order to set and in separate mappings.
(and they should be for the same instance)
In our use case, we have different group "types". What this boils down
to is that these groups belong in different OU's (i.e group Foo with
type A is under ou=A,o=root,.. and group boo with Type B has a dn
cn=Boo, ou=B, o=root etc.) - And more types can arise in the future.
In your org sync example, you kept it simple and added all the groups
under one OU. I took this a bit further and examine the group name for
clues as to where it belongs (it was obvious at one point - but our
customer has introduced some new ideas *sigh*)
I am trying to build an elegant, flexible solution for this. To somehow
propagate these "group types" to my Midpoint User (who has a sequence of
's), onto my Roles and then finally use this to provision the
groups correctly in the various OU's.
I started off by trying to have a better extension schema :
foo
A
...
...
I'm not sure if this is possible (I have read your detailed input on XML
usage within Midpoint) and how I would do inbound mapping for such
extension elements (considering that my source feed can provide group
name and type)
And then I would have to deal with role mappings in the user template in
order to propagate this as an extension attribute of Role, and then use
this value to figure out the base dn for the group (I have installed my
static custom class in Midpoint that returns this value). The idea is to
be able to inject new group types at runtime.
Essentially I'm looking for a pattern to solve the general case of
mapping our source systems rich attributes onto various extended
attributes for key Midpoint focal objects such as User & Group.
A use case for us is that when a department has a new attribute in the
source system (e.g this department is only for "managers"), we need this
to translate to a group that is under a specific OU (and this is
independent of org sync - i.e users assigned to orgs).
I've dumped a lot here, but any thoughts? :)
As always, thanks in advance.
BR/Deepak
> Radovan Semancik
> May 28, 2014 at 7:54 PM
> Hi Deepak,
>
> I guess I have bad news for you. But this is quite a long story, so
> let's start at the beginning.
>
> When we have designed midPoint a couple of years ago we have built it
> quite tightly on top of XML. That was still the obvious choice at that
> time and also some kind of a best practice. And it was not a bad
> choice. Especially considering that alternatives such as JSON were
> still in their infancy ... and actually they haven't evolved a bit in
> all these years - but that's a different story. So, we have built
> midPoint on top of XML.
>
> But the XML struck back. I was not naive and I was aware that XML is
> not perfect when we started with midPoint. But I somehow expected that
> we can live with it at least for few years. I was wrong. XML and XSD
> and WSDL are terribly bad at handling dynamic schemas. I mean schemas
> that are only available at runtime. MidPoint schema extension is one
> example of such schema. But there are many more examples: resource
> schema, connector schema, reports, ...
>
> Most other IDM systems obviously deal with this problem by ignoring it.
> They do not support schema at all. But this was not the path that we
> wanted to take with midPoint. MidPoint is fully schema-based from the
> bottom (connectors) to the top (GUI). And there are huge advantages to
> this architecture. But there are also challenges. And dealing with XSD
> and especially Sun XML libraries was a huge challenge.
>
> And that was the origin of "Prism Objects". We started to slowly
> replace XML libraries with a more generic data representation layer. See:
> https://wiki.evolveum.com/display/midPoint/Prism+Objects
>
> That was approximately the time when JSON became more popular than
> XML. And midPoint users started to ask about JSON support. I
> personally do not like JSON way of doing things. But we need to listen
> to user requests. And we have realized that we can easily support JSON
> and also other languages with our Prism layer. And I actually see an
> advantage in using readable languages such as YAML. Therefore we have
> chosen to go for language independence. XML is just one of possible
> data representation languages now. JSON and YAML will be available soon.
>
> Currently midPoint (v3.0) is almost completely based on Prism. It is
> not using the XML layer directly perhaps except for several places
> that we plan to rewrite in next releases. This gives us the ability to
> represent data theoretically in any reasonable format. XML is the
> primary one. But it is not the only one.
>
> And now it gets to the point of XML attributes. XML is a very strange
> format for data representation. It has nice features (such as safe
> extensibility with namespaces) and it has really bad features.
> Attributes are one of the worst features. Non-structured data item can
> be represented both as an attribute and as a sub-element. This
> creates a dichotomy that puzzled software engineers almost since XML
> was created. And it is a deadly trap for language-neutral data
> abstractions such as our Prism. Also languages such as JSON do not
> have attributes at all. And even though we try to have complete schema
> for everything there are some corner cases when we need to work
> without a schema. And then there may be problem whether to represent
> JSON key as XML attribute or sub-element.
>
> Therefore we have decided to slowly phase out the support for XML
> attributes. MidPoint version 3.0 interprets attributes in the same way
> as sub-elements. And in fact these are interchangeable at many places
> in midPoint XML structures. And more places will appear in next
> versions. This is the plan for the entire 3.x generation. The 4.x
> versions will probably not use attributes at all.
>
> So, the use of attributes is still somehow supported. But not
> recommended. And the way how you try to use the attributes as a map
> will not work in midPoint 3.x. It is not compatible with our data
> representation.
>
> When it comes to your specific case I'm sure that the data can be
> represented in an alternative way without the use of attributes. Of
> course you can use this:
>
> 1
> a
>
>
> 2
> b
>
>
> And there is another catch. As we are moving away from XML we also
> have to move away from XML-dependent mechanisms. Such as XPath.
> Therefore XPath has limited capabilities in midPoint 3.x. In fact if
> you define a schema then midPoint will not think about the data in XML
> terms. It will not see XML elements any more. It does not see the
> document, it sees the data. It will see the data structure as
> multi-value structured property "group". XPath may not be applicable
> here.
>
> Therefore I guess this is still not the best way to represent your
> data. Maybe I could help you design the data structure if you describe
> the way how you plan to use the group data from the user object.
>
> Deepak Natarajan
> May 26, 2014 at 1:32 PM
> Hi everyone -
>
> I am trying to achieve the following inbound mapping :
>
> from resource :
> "groups" : "a_1,b_2,c_3,d_4"
>
> to
>
>
> a
> b
> c
>
>
> My custom schema extension seems to be accepted by Midpoint. I have
> extended the UserType to support a multi-valued child element
> with an "id" attribute (I have a GroupType defined in my custom schema).
>
> I can achieve the simple case, without the "id" attribute. So I can see
> in the Admin Console that the User has several groups, which I do with
> the following mapping :
>
>
> ri:groups
>
>
>
>
>
> $user/extension/my:group
>
>
>
>
> Now I'm trying to map attributes for the group element
> ($user/extension/my:group/@id)
>
> Has anyone tried this? Thanks for any input!
>
> BR/
--
Deepak Natarajan
Director
Trilobyte Systems ApS
Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
2000 Frederiksberg Business Center Papula
Denmark 00100 Helsinki
Finland
Tel : +45 29375068
http://www.trilobytesystems.com
From radovan.semancik at evolveum.com Fri Jul 4 10:41:37 2014
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Fri, 04 Jul 2014 10:41:37 +0200
Subject: [midPoint] XML attributes
In-Reply-To: <53B58792.6000502@trilobytesystems.com>
References: <5383265F.4020103@trilobytesystems.com> <538622C7.5040308@evolveum.com>
<53B58792.6000502@trilobytesystems.com>
Message-ID: <53B668C1.5040009@evolveum.com>
Hi,
I can see two slightly separate issues here:
Issue 1: Complex attribute that is created in two mappings.
If both mappings are inbound mappings in the same resource you may try
to use this:
attributes/foo
attributes/bar
.....
extension/whatever
The inbound mappings and outbound mappings and user template mappings -
all work in the same way. The inbound mappings just have default pre-set
source. But you might be able to override it. The mechanism was designed
for this. But we have never tested this override and therefore I'm not
sure if it works.
If the mappings are not from the same resource then it will get very
tricky. You may try to use two separate mappings to get the "id" and
"value" into user extension and then combine it in object template. But
this will get very (I mean VERY) complex as this attribute is obviously
multi-valued.
Maybe you can simplify the situation by avoiding the XML. E.g. use
string values of "1:a", "2:b" and so on. This is not so elegant but as
we are slowly moving away from XML this may in fact be a better solution
for the future.
But ... maybe you do not need this at all ... because:
Issue 2: Handling many types of groups
MidPoint is designed for this. There is a mechanism called "intent".
This is something like "account type" or "group type". The intent is
something like a unique identifier of account/group/whatever that is
linked to a user (or role or org). Therefore if you have a specific user
that has linked shadows, each shadow must have a unique combination of
(resourceOid,kind,intent) triple. See
https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass
So, you can use "intent" as your group type identifier. Intents are
defined in schemaHandling, therefore they can be modified on runtime. We
are using a very similar mechanism in one of our solutions. We are
creating the groups in different OUs as well. I'm sure Ivan can provide
more details on this.
--
Radovan Semancik
Software Architect
evolveum.com
On 07/03/2014 06:40 PM, Deepak Natarajan wrote:
>
> Hi Radovan -
>
> I would like to return to this issue we discussed earlier.
>
> You mentioned :
>
> "When it comes to your specific case I'm sure that the data can be
> represented in an alternative way without the use of attributes. Of
> course you can use this:
>
> 1
> a
>
>
> 2
> b
> "
>
> I would like to use this, but am wondering how the inbound mappings
> would be set up in order to set and in separate mappings.
> (and they should be for the same instance)
>
>
> In our use case, we have different group "types". What this boils down
> to is that these groups belong in different OU's (i.e group Foo with
> type A is under ou=A,o=root,.. and group boo with Type B has a dn
> cn=Boo, ou=B, o=root etc.) - And more types can arise in the future.
>
> In your org sync example, you kept it simple and added all the groups
> under one OU. I took this a bit further and examine the group name for
> clues as to where it belongs (it was obvious at one point - but our
> customer has introduced some new ideas *sigh*)
>
> I am trying to build an elegant, flexible solution for this. To
> somehow propagate these "group types" to my Midpoint User (who has a
> sequence of 's), onto my Roles and then finally use this to
> provision the groups correctly in the various OU's.
>
> I started off by trying to have a better extension schema :
>
>
> foo
> A
>
> ...
> ...
>
>
> I'm not sure if this is possible (I have read your detailed input on
> XML usage within Midpoint) and how I would do inbound mapping for such
> extension elements (considering that my source feed can provide group
> name and type)
>
> And then I would have to deal with role mappings in the user template
> in order to propagate this as an extension attribute of Role, and
> then use this value to figure out the base dn for the group (I have
> installed my static custom class in Midpoint that returns this value).
> The idea is to be able to inject new group types at runtime.
>
> Essentially I'm looking for a pattern to solve the general case of
> mapping our source systems rich attributes onto various extended
> attributes for key Midpoint focal objects such as User & Group.
>
> A use case for us is that when a department has a new attribute in the
> source system (e.g this department is only for "managers"), we need
> this to translate to a group that is under a specific OU (and this is
> independent of org sync - i.e users assigned to orgs).
>
> I've dumped a lot here, but any thoughts? :)
>
> As always, thanks in advance.
>
> BR/Deepak
>
>> Radovan Semancik
>> May 28, 2014 at 7:54 PM
>> Hi Deepak,
>>
>> I guess I have bad news for you. But this is quite a long story, so
>> let's start at the beginning.
>>
>> When we have designed midPoint a couple of years ago we have built it
>> quite tightly on top of XML. That was still the obvious choice at
>> that time and also some kind of a best practice. And it was not a bad
>> choice. Especially considering that alternatives such as JSON were
>> still in their infancy ... and actually they haven't evolved a bit in
>> all these years - but that's a different story. So, we have built
>> midPoint on top of XML.
>>
>> But the XML struck back. I was not naive and I was aware that XML is
>> not perfect when we started with midPoint. But I somehow expected
>> that we can live with it at least for few years. I was wrong. XML and
>> XSD and WSDL are terribly bad at handling dynamic schemas. I mean
>> schemas that are only available at runtime. MidPoint schema extension
>> is one example of such schema. But there are many more examples:
>> resource schema, connector schema, reports, ...
>>
>> Most other IDM systems obviously deal with this problem by ignoring
>> it. They do not support schema at all. But this was not the path that
>> we wanted to take with midPoint. MidPoint is fully schema-based from
>> the bottom (connectors) to the top (GUI). And there are huge
>> advantages to this architecture. But there are also challenges. And
>> dealing with XSD and especially Sun XML libraries was a huge challenge.
>>
>> And that was the origin of "Prism Objects". We started to slowly
>> replace XML libraries with a more generic data representation layer.
>> See:
>> https://wiki.evolveum.com/display/midPoint/Prism+Objects
>>
>> That was approximately the time when JSON became more popular than
>> XML. And midPoint users started to ask about JSON support. I
>> personally do not like JSON way of doing things. But we need to
>> listen to user requests. And we have realized that we can easily
>> support JSON and also other languages with our Prism layer. And I
>> actually see an advantage in using readable languages such as YAML.
>> Therefore we have chosen to go for language independence. XML is just
>> one of possible data representation languages now. JSON and YAML will
>> be available soon.
>>
>> Currently midPoint (v3.0) is almost completely based on Prism. It is
>> not using the XML layer directly perhaps except for several places
>> that we plan to rewrite in next releases. This gives us the ability
>> to represent data theoretically in any reasonable format. XML is the
>> primary one. But it is not the only one.
>>
>> And now it gets to the point of XML attributes. XML is a very strange
>> format for data representation. It has nice features (such as safe
>> extensibility with namespaces) and it has really bad features.
>> Attributes are one of the worst features. Non-structured data item
>> can be represented both as an attribute and as a sub-element. This
>> creates a dichotomy that puzzled software engineers almost since XML
>> was created. And it is a deadly trap for language-neutral data
>> abstractions such as our Prism. Also languages such as JSON do not
>> have attributes at all. And even though we try to have complete
>> schema for everything there are some corner cases when we need to
>> work without a schema. And then there may be problem whether to
>> represent JSON key as XML attribute or sub-element.
>>
>> Therefore we have decided to slowly phase out the support for XML
>> attributes. MidPoint version 3.0 interprets attributes in the same
>> way as sub-elements. And in fact these are interchangeable at many
>> places in midPoint XML structures. And more places will appear in
>> next versions. This is the plan for the entire 3.x generation. The
>> 4.x versions will probably not use attributes at all.
>>
>> So, the use of attributes is still somehow supported. But not
>> recommended. And the way how you try to use the attributes as a map
>> will not work in midPoint 3.x. It is not compatible with our data
>> representation.
>>
>> When it comes to your specific case I'm sure that the data can be
>> represented in an alternative way without the use of attributes. Of
>> course you can use this:
>>
>> 1
>> a
>>
>>
>> 2
>> b
>>
>>
>> And there is another catch. As we are moving away from XML we also
>> have to move away from XML-dependent mechanisms. Such as XPath.
>> Therefore XPath has limited capabilities in midPoint 3.x. In fact if
>> you define a schema then midPoint will not think about the data in
>> XML terms. It will not see XML elements any more. It does not see the
>> document, it sees the data. It will see the data structure as
>> multi-value structured property "group". XPath may not be applicable
>> here.
>>
>> Therefore I guess this is still not the best way to represent your
>> data. Maybe I could help you design the data structure if you
>> describe the way how you plan to use the group data from the user
>> object.
>>
>> Deepak Natarajan
>> May 26, 2014 at 1:32 PM
>> Hi everyone -
>>
>> I am trying to achieve the following inbound mapping :
>>
>> from resource :
>> "groups" : "a_1,b_2,c_3,d_4"
>>
>> to
>>
>>
>> a
>> b
>> c
>>
>>
>> My custom schema extension seems to be accepted by Midpoint. I have
>> extended the UserType to support a multi-valued child element
>> with an "id" attribute (I have a GroupType defined in my custom schema).
>>
>> I can achieve the simple case, without the "id" attribute. So I can see
>> in the Admin Console that the User has several groups, which I do with
>> the following mapping :
>>
>>
>> ri:groups
>>
>>
>>
>>
>>
>> $user/extension/my:group
>>
>>
>>
>>
>> Now I'm trying to map attributes for the group element
>> ($user/extension/my:group/@id)
>>
>> Has anyone tried this? Thanks for any input!
>>
>> BR/
>
> --
> Deepak Natarajan
> Director
>
> Trilobyte Systems ApS
>
> Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
> 2000 Frederiksberg Business Center Papula
> Denmark 00100 Helsinki
> Finland
>
> Tel : +45 29375068
> http://www.trilobytesystems.com
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
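Added example (not part of the original thread, and not midPoint or Evolveum code): plain Groovy for the flat "1:a", "2:b" encoding suggested in the reply above, built from the feed value "a_1,b_2,c_3,d_4" quoted in the thread, together with a type-to-OU lookup in the ou=A,o=root / ou=B,o=root layout described in the question. The class names, the allowed character sets and the type table are assumptions; feed values are validated and RDN-escaped because they end up inside a DN.

```groovy
// Added example: plain Groovy, no midPoint API calls. Class names, the allowed
// character sets and the type table are assumptions, not taken from the thread.

class GroupFeed {
    // Assumed alphabets: neither allows ':' or ',', so "id:name" stays unambiguous.
    static final String ID_RE = '[0-9]{1,9}'
    static final String NAME_RE = '[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}'

    /** Feed value "a_1,b_2" (name_id pairs) -> ["1:a", "2:b"]. */
    static List<String> encode(String feed) {
        List<String> out = []
        if (feed == null || feed.trim().isEmpty()) return out
        Set<String> seenIds = new HashSet<String>()
        for (String raw : feed.split(',')) {
            String entry = raw.trim()
            int cut = entry.lastIndexOf('_')      // names may contain '_', ids may not
            if (cut < 1) throw new IllegalArgumentException("malformed entry: '" + entry + "'")
            String name = entry.substring(0, cut)
            String id = entry.substring(cut + 1)
            check(id, name)
            if (!seenIds.add(id)) throw new IllegalArgumentException('duplicate id: ' + id)
            out.add(id + ':' + name)
        }
        return out
    }

    /** "2:b" -> [id: "2", name: "b"]; re-validated, because stored values are input too. */
    static Map<String, String> decode(String value) {
        int cut = value.indexOf(':')
        if (cut < 1) throw new IllegalArgumentException("malformed value: '" + value + "'")
        String id = value.substring(0, cut)
        String name = value.substring(cut + 1)
        check(id, name)
        return [id: id, name: name]
    }

    private static void check(String id, String name) {
        if (!(id ==~ ID_RE)) throw new IllegalArgumentException("bad id: '" + id + "'")
        if (!(name ==~ NAME_RE)) throw new IllegalArgumentException("bad name: '" + name + "'")
    }
}

class GroupDn {
    // Group type -> base DN, following the thread's ou=A,o=root / ou=B,o=root layout.
    // Unknown types are refused rather than spliced into a DN.
    static final Map<String, String> BASE_BY_TYPE =
            new java.util.concurrent.ConcurrentHashMap<String, String>(
                    [A: 'ou=A,o=root', B: 'ou=B,o=root'])

    /** Add a group type at runtime; baseDn is assumed to come from trusted configuration. */
    static void registerType(String type, String baseDn) {
        if (!(type ==~ '[A-Za-z0-9]{1,32}')) {
            throw new IllegalArgumentException("bad type: '" + type + "'")
        }
        BASE_BY_TYPE.put(type, baseDn)
    }

    /** Escape one attribute value for use in an RDN (RFC 4514 string form). */
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder()
        for (int i = 0; i < v.length(); i++) {
            String c = v.substring(i, i + 1)
            boolean edge = (i == 0 && (c == ' ' || c == '#')) ||
                    (i == v.length() - 1 && c == ' ')
            if (c == '\u0000') sb.append('\\00')
            else if (edge || '",+;<>\\'.contains(c)) sb.append('\\').append(c)
            else sb.append(c)
        }
        return sb.toString()
    }

    /** cn=<escaped name>,<base DN for type>; escaping applies even if the name was not pre-validated. */
    static String dnFor(String name, String type) {
        String base = (type == null) ? null : BASE_BY_TYPE.get(type)
        if (base == null) throw new IllegalArgumentException("unknown group type: '" + type + "'")
        return 'cn=' + escapeRdnValue(name) + ',' + base
    }
}

// Constructed inputs; the first is the feed value quoted in the thread.
def encoded = GroupFeed.encode('a_1,b_2,c_3,d_4')
assert encoded == ['1:a', '2:b', '3:c', '4:d']
assert GroupFeed.decode(encoded[1]) == [id: '2', name: 'b']
assert GroupDn.dnFor('Boo', 'B') == 'cn=Boo,ou=B,o=root'
assert GroupDn.dnFor('Sales, EMEA', 'A') == 'cn=Sales\\, EMEA,ou=A,o=root'
GroupDn.registerType('C', 'ou=C,o=root')          // a type added at runtime
assert GroupDn.dnFor('Managers', 'C') == 'cn=Managers,ou=C,o=root'
try {
    GroupDn.dnFor('x', 'Z')
    assert false : 'unknown type must be rejected'
} catch (IllegalArgumentException expected) {
    println 'rejected: ' + expected.message
}
```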
From roman.pudil at ami.cz Fri Jul 4 14:23:38 2014
From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.)
Date: Fri, 04 Jul 2014 14:23:38 +0200
Subject: [midPoint] Synchronize passwords AD --> MidPoint
In-Reply-To: <53B668C1.5040009@evolveum.com>
References: <5383265F.4020103@trilobytesystems.com> <538622C7.5040308@evolveum.com> <53B58792.6000502@trilobytesystems.com>
<53B668C1.5040009@evolveum.com>
Message-ID: <53B69CCA.2070204@ami.cz>
Hi all,
how to synchronize passwords between Active Directory and MidPoint (both
directions)?
Name of resource attribute where actual AD password is stored?
Thanks!
Regards
Roman Pudil
Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz
AMI Praha a.s.
By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s.
Every contract, if concluded, must be exclusively in written form.
From mederly at evolveum.com Fri Jul 4 19:46:30 2014
From: mederly at evolveum.com (Pavol Mederly)
Date: Fri, 04 Jul 2014 19:46:30 +0200
Subject: [midPoint] Synchronize passwords AD --> MidPoint
In-Reply-To: <53B69CCA.2070204@ami.cz>
References: <5383265F.4020103@trilobytesystems.com> <538622C7.5040308@evolveum.com> <53B58792.6000502@trilobytesystems.com> <53B668C1.5040009@evolveum.com>
<53B69CCA.2070204@ami.cz>
Message-ID: <53B6E876.408@evolveum.com>
On 4. 7. 2014 14:23, Roman Pudil - AMI Praha a.s. wrote:
> Hi all,
> how to synchronize passwords between Active Directory and MidPoint
> (both directions)?
> Name of resource attribute where actual AD password is stored?
Hello Roman,
the midPoint -> AD direction is easy. You simply have to set up
in the "account" section of the schema handling.
As for AD -> midPoint, it is not possible to get actual passwords from
Active Directory. It is not a limitation of midPoint - it is a security
feature of AD.
IDM solutions dealing with Active Directory traditionally use a feature
called password filter. It's a code sitting at AD domain controller,
listening for "password change" events and propagating those events to
the particular IDM.
Guys from Salford Software created such a component for midPoint some
time ago and posted it here. It is available at
https://github.com/Evolveum/midpoint-password-agent-ad. It has two
parts: one collects password changes and stores them in a file, and the
other one sends the changes to midPoint via its SOAP interface. However,
I haven't tried this solution yet; e.g. I'm not sure whether it is
compatible with midPoint SOAP interface changes introduced in 3.0. But
you could easily try that.
Best regards,
Pavol
>
> Thanks!
> Regards
> Roman Pudil
>
>
> Roman Pudil
> solution architect
>
> gsm: [+420] 775 663 666
> e-mail: roman.pudil at ami.cz
>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel./fax: [+420] 274 783 239
> web: www.ami.cz
>
>
>
> AMI Praha a.s.
>
>
>
>
> By the text of this e-mail the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s.
> Every contract, if concluded, must be exclusively in written form.
>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
From dnataraj at trilobytesystems.com Sat Jul 5 11:05:43 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Sat, 05 Jul 2014 12:05:43 +0300
Subject: [midPoint] XML attributes
In-Reply-To: <53B668C1.5040009@evolveum.com>
References: <5383265F.4020103@trilobytesystems.com> <538622C7.5040308@evolveum.com>
<53B58792.6000502@trilobytesystems.com>
<53B668C1.5040009@evolveum.com>
Message-ID: <53B7BFE7.4080306@trilobytesystems.com>
Hi Radovan -
Thanks for the explanation.
I really would like to use the (kind, intent) tuples - they seem to be
powerful concepts if used correctly. I need to study these and get back
to the drawing board - I'm getting a bit tired with hacking my way
around problems rather than using the actual Midpoint constructs meant
to solve them!
I'll write to the list if/when I get confused!
Thanks
-deepak
Radovan Semancik wrote:
> Hi,
>
> I can see two slightly separate issues here:
>
> Issue 1: Complex attribute that is created in two mappings.
>
> If both mappings are inbound mappings in the same resource you may try
> to use this:
>
> attributes/foo
> attributes/bar
> .....
> extension/whatever
>
>
> The inbound mappings and outbound mappings and user template mappings -
> all work in the same way. The inbound mappings just have default pre-set
> source. But you might be able to override it. The mechanism was designed
> for this. But we have never tested this override and therefore I'm not
> sure if it works.
>
> If the mappings are not from the same resource then it will get very
> tricky. You may try to use two separate mappings to get the "id" and
> "value" into user extension and then combine it in object template. But
> this will get very (I mean VERY) complex as this attribute is obviously
> multi-valued.
>
> Maybe you can simplify the situation by avoiding the XML. E.g. use
> string values of "1:a", "2:b" and so on. This is not so elegant but as
> we are slowly moving away from XML this may in fact be a better solution
> for the future.
>
> But ... maybe you do not need this at all ... because:
>
> Issue 2: Handling many types of groups
>
> MidPoint is designed for this. There is a mechanism called "intent".
> This is something like "account type" or "group type". The intent is
> something like a unique identifier of account/group/whatever that is
> linked to a user (or role or org). Therefore if you have a specific user
> that has linked shadows, each shadow must have a unique combination of
> (resourceOid,kind,intent) triple. See
> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass
>
> So, you can use "intent" as your group type identifier. Intents are
> defined in schemaHandling, therefore they can be modified on runtime. We
> are using a very similar mechanism in one of our solutions. We are
> creating the groups in different OUs as well. I'm sure Ivan can provide
> more details on this.
>
> --
>
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
>
> On 07/03/2014 06:40 PM, Deepak Natarajan wrote:
>>
>> Hi Radovan -
>>
>> I would like to return to this issue we discussed earlier.
>>
>> You mentioned :
>>
>> "When it comes to your specific case I'm sure that the data can be
>> represented in an alternative way without the use of attributes. Of
>> course you can use this:
>>
>> 1
>> a
>>
>>
>> 2
>> b
>> "
>>
>> I would like to use this, but am wondering how the inbound mappings
>> would be set up in order to set and in separate mappings.
>> (and they should be for the same instance)
>>
>>
>> In our use case, we have different group "types". What this boils down
>> to is that these groups belong in different OU's (i.e group Foo with
>> type A is under ou=A,o=root,.. and group boo with Type B has a dn
>> cn=Boo, ou=B, o=root etc.) - And more types can arise in the future.
>>
>> In your org sync example, you kept it simple and added all the groups
>> under one OU. I took this a bit further and examined the group name for
>> clues as to where it belongs (it was obvious at one point - but our
>> customer has introduced some new ideas *sigh*)
>>
>> I am trying to build an elegant, flexible solution for this. To
>> somehow propagate these "group types" to my Midpoint User (who has a
>> sequence of 's), onto my Roles and then finally use this to
>> provision the groups correctly in the various OU's.
>>
>> I started off by trying to have a better extension schema :
>>
>>
>> foo
>> A
>>
>> ...
>> ...
>>
>>
>> I'm not sure if this is possible (I have read your detailed input on
>> XML usage within Midpoint) and how I would do inbound mapping for such
>> extension elements (considering that my source feed can provide group
>> name and type)
>>
>> And then I would have to deal with role mappings in the user template
>> in order to propagate this as an extension attribute of Role, and
>> then use this value to figure out the base dn for the group (I have
>> installed my static custom class in Midpoint that returns this value).
>> The idea is to be able to inject new group types at runtime.
>>
>> Essentially I'm looking for a pattern to solve the general case of
>> mapping our source systems rich attributes onto various extended
>> attributes for key Midpoint focal objects such as User & Group.
>>
>> A use case for us is that when a department has a new attribute in the
>> source system (e.g this department is only for "managers"), we need
>> this to translate to a group that is under a specific OU (and this is
>> independent of org sync - i.e users assigned to orgs).
>>
>> I've dumped a lot here, but any thoughts? :)
>>
>> As always, thanks in advance.
>>
>> BR/Deepak
>>
>>> Radovan Semancik
>>> May 28, 2014 at 7:54 PM
>>> Hi Deepak,
>>>
>>> I guess I have bad news for you. But this is quite a long story, so
>>> let's start at the beginning.
>>>
>>> When we designed midPoint a couple of years ago we built it
>>> quite tightly on top of XML. That was still the obvious choice at
>>> that time and also some kind of a best practice. And it was not a bad
>>> choice. Especially considering that alternatives such as JSON were
>>> still in their infancy ... and actually they haven't evolved a bit in
>>> all these years - but that's a different story. So, we have built
>>> midPoint on top of XML.
>>>
>>> But the XML struck back. I was not naive and I was aware that XML is
>>> not perfect when we started with midPoint. But I somehow expected
>>> that we can live with it at least for few years. I was wrong. XML and
>>> XSD and WSDL are terribly bad at handling dynamic schemas. I mean
>>> schemas that are only available at runtime. MidPoint schema extension
>>> is one example of such schema. But there are many more examples:
>>> resource schema, connector schema, reports, ...
>>>
>>> Most other IDM systems obviously deal with this problem by ignoring
>>> it. They do not support schema at all. But this was not the path that
>>> we wanted to take with midPoint. MidPoint is fully schema-based from
>>> the bottom (connectors) to the top (GUI). And there are huge
>>> advantages to this architecture. But there are also challenges. And
>>> dealing with XSD and especially Sun XML libraries was a huge challenge.
>>>
>>> And that was the origin of "Prism Objects". We started to slowly
>>> replace XML libraries with a more generic data representation layer.
>>> See:
>>> https://wiki.evolveum.com/display/midPoint/Prism+Objects
>>>
>>> That was approximately the time when JSON became more popular than
>>> XML. And midPoint users started to ask about JSON support. I
>>> personally do not like JSON way of doing things. But we need to
>>> listen to user requests. And we have realized that we can easily
>>> support JSON and also other languages with our Prism layer. And I
>>> actually see an advantage in using readable languages such as YAML.
>>> Therefore we have chosen to go for language independence. XML is just
>>> one of possible data representation languages now. JSON and YAML will
>>> be available soon.
>>>
>>> Currently midPoint (v3.0) is almost completely based on Prism. It is
>>> not using the XML layer directly perhaps except for several places
>>> that we plan to rewrite in next releases. This gives us the ability
>>> to represent data theoretically in any reasonable format. XML is the
>>> primary one. But it is not the only one.
>>>
>>> And now it gets to the point of XML attributes. XML is a very strange
>>> format for data representation. It has nice features (such as safe
>>> extensibility with namespaces) and it has really bad features.
>>> Attributes are one of the worst features. A non-structured data item
>>> can be represented both as an attribute and as a sub-element. This
>>> creates a dichotomy that puzzled software engineers almost since XML
>>> was created. And it is a deadly trap for language-neutral data
>>> abstractions such as our Prism. Also languages such as JSON do not
>>> have attributes at all. And even though we try to have complete
>>> schema for everything there are some corner cases when we need to
>>> work without a schema. And then there may be problem whether to
>>> represent JSON key as XML attribute or sub-element.
>>>
>>> Therefore we have decided to slowly phase out the support for XML
>>> attributes. MidPoint version 3.0 interprets attributes in the same
>>> way as sub-elements. And in fact these are interchangeable at many
>>> places in midPoint XML structures. And more places will appear in
>>> next versions. This is the plan for the entire 3.x generation. The
>>> 4.x versions will probably not use attributes at all.
>>>
>>> So, the use of attributes is still somehow supported. But not
>>> recommended. And the way how you try to use the attributes as a map
>>> will not work in midPoint 3.x. It is not compatible with our data
>>> representation.
>>>
>>> When it comes to your specific case I'm sure that the data can be
>>> represented in an alternative way without the use of attributes. Of
>>> course you can use this:
>>>
>>> 1
>>> a
>>>
>>>
>>> 2
>>> b
>>>
>>>
>>> And there is another catch. As we are moving away from XML we also
>>> have to move away from XML-dependent mechanisms. Such as XPath.
>>> Therefore XPath has limited capabilities in midPoint 3.x. In fact if
>>> you define a schema then midPoint will not think about the data in
>>> XML terms. It will not see XML elements any more. It does not see the
>>> document, it sees the data. It will see the data structure as
>>> multi-value structured property "group". XPath may not be applicable
>>> here.
>>>
>>> Therefore I guess this is still not the best way to represent your
>>> data. Maybe I could help you design the data structure if you
>>> describe the way how you plan to use the group data from the user
>>> object.
>>>
>>> Deepak Natarajan
>>> May 26, 2014 at 1:32 PM
>>> Hi everyone -
>>>
>>> I am trying to achieve the following inbound mapping :
>>>
>>> from resource :
>>> "groups" : "a_1,b_2,c_3,d_4"
>>>
>>> to
>>>
>>>
>>> a
>>> b
>>> c
>>>
>>>
>>> My custom schema extension seems to be accepted by Midpoint. I have
>>> extended the UserType to support a multi-valued child element
>>> with an "id" attribute (I have a GroupType defined in my custom schema).
>>>
>>> I can achieve the simple case, without the "id" attribute. So I can see
>>> in the Admin Console that the User has several groups, which I do with
>>> the following mapping :
>>>
>>>
>>> ri:groups
>>>
>>>
>>>
>>>
>>>
>>> $user/extension/my:group
>>>
>>>
>>>
>>>
>>> Now I'm trying to map attributes for the group element
>>> ($user/extension/my:group/@id)
>>>
>>> Has anyone tried this? Thanks for any input!
>>>
>>> BR/
>>
>> --
>> Deepak Natarajan
>> Director
>>
>> Trilobyte Systems ApS
>>
>> Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
>> 2000 Frederiksberg Business Center Papula
>> Denmark 00100 Helsinki
>> Finland
>>
>> Tel : +45 29375068
>> http://www.trilobytesystems.com
--
Deepak Natarajan
Director
Trilobyte Systems ApS
Falkoner Alle 1, 3 Frederikinkatu 61A, 6th Floor
2000 Frederiksberg Business Center Papula
Denmark 00100 Helsinki
Finland
Tel : +45 29375068
http://www.trilobytesystems.com
From dnataraj at trilobytesystems.com Sun Jul 6 15:27:33 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Sun, 06 Jul 2014 16:27:33 +0300
Subject: [midPoint] XML attributes
In-Reply-To: <53B668C1.5040009@evolveum.com>
References: <5383265F.4020103@trilobytesystems.com> <538622C7.5040308@evolveum.com>
<53B58792.6000502@trilobytesystems.com>
<53B668C1.5040009@evolveum.com>
Message-ID: <53B94EC5.2000606@trilobytesystems.com>
Thanks Radovan -
I've read about (kind, intent) - but I'm honestly unable to manipulate
my role and resource configurations to come out with a clear picture.
Especially at which point/where to fork out to custom intent's based on
a user extension attribute (that would dictate in which container the
group would live).
If you or Ivan could provide a simple example - that would help me move
forward.
Thanks in advance -
BR/Deepak
--
Deepak Natarajan
Director
Trilobyte Systems ApS
Falkoner Alle 1, 3 Fredrikinkatu 61A, 6th Floor
2000 Frederiksberg Business Center Papula
Denmark 00100 Helsinki
Finland
Tel : +45 29375068
http://www.trilobytesystems.com
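The rule from Radovan's reply, that each shadow linked to one focus needs a unique (resourceOid, kind, intent) triple, with the group type used as the intent that selects the OU, sketched as a stand-alone Python model. This is an added example, not part of the original posts and not midPoint configuration; the resource OID, the intent table and the function names are assumptions, and the DN escaping follows RFC 4514.

```python
from collections import namedtuple

# Constructed values (assumptions, not from the thread's configuration).
RESOURCE_OID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder OID
KIND = "entitlement"

# One intent per group type. The thread's example puts type A under
# ou=A,o=root and type B under ou=B,o=root; a new type is one new entry.
INTENT_BASE_DN = {
    "A": "ou=A,o=root",
    "B": "ou=B,o=root",
}

Shadow = namedtuple("Shadow", "resource_oid kind intent dn")


def escape_rdn_value(value):
    """Escape an attribute value for the string form of a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def plan_group(group_name, group_type):
    """Return the shadow for a group; an unknown group type fails closed."""
    if not group_name:
        raise ValueError("empty group name")
    if group_type not in INTENT_BASE_DN:
        raise ValueError("no intent defined for group type %r" % (group_type,))
    # The name comes from the source feed, so it is escaped before it
    # becomes part of a DN; otherwise "x,ou=B" could move the group.
    dn = "cn=%s,%s" % (escape_rdn_value(group_name), INTENT_BASE_DN[group_type])
    return Shadow(RESOURCE_OID, KIND, group_type, dn)


def link(linked, shadow):
    """Link a shadow to one focus, enforcing the unique triple."""
    key = (shadow.resource_oid, shadow.kind, shadow.intent)
    if key in linked:
        raise ValueError("focus already has a shadow for %s/%s/%s" % key)
    linked[key] = shadow
    return shadow


if __name__ == "__main__":
    linked = {}  # shadows linked to a single focus (e.g. one role)
    print(link(linked, plan_group("Foo", "A")).dn)
    print(link(linked, plan_group("Boo", "B")).dn)
    print(plan_group("x,ou=B", "A").dn)  # feed value with DN metacharacters
```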
From arda.nural at biznet.com.tr Wed Jul 16 13:02:26 2014
From: arda.nural at biznet.com.tr (Arda Nural)
Date: Wed, 16 Jul 2014 14:02:26 +0300
Subject: [midPoint] RoleType in workflows
Message-ID: <000001cfa0e5$713caaf0$53b600d0$@biznet.com.tr>
Greetings all,
Can we use a role in role approval workflow process? In the examples and
wiki, I only noticed that the approvers are UserType objects. I tried the
example below and the result was: a workflow process was created but the
work item didn't show up on users work items who has the approver role.
Thank you in advance.
Arda
Role approved by role
desc
Approval by the administrator
From radovan.semancik at evolveum.com Mon Jul 21 12:37:11 2014
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 21 Jul 2014 12:37:11 +0200
Subject: [midPoint] RoleType in workflows
In-Reply-To: <000001cfa0e5$713caaf0$53b600d0$@biznet.com.tr>
References: <000001cfa0e5$713caaf0$53b600d0$@biznet.com.tr>
Message-ID: <53CCED57.3040400@evolveum.com>
Hi Arda,
First of all I need to clarify the question a bit. Are you trying to
specify a group of approvers for a role?
If this is the case then you should use Org to group approvers, not a
role. Roles are used for provisioning and they cannot be used for
grouping users. Orgs are used for user grouping. So use org instead. The
org OID can be used instead of user OID in the approverRef property.
I see that the "Role vs Org" issue is not obvious. Therefore I've just
explained it here: https://wiki.evolveum.com/display/midPoint/Roles+and+Orgs
--
Radovan Semancik
Software Architect
evolveum.com
On 07/16/2014 01:02 PM, Arda Nural wrote:
>
> Greetings all,
>
> Can we use a role in role approval workflow process? In the examples
> and wiki, I only noticed that the approvers are UserType objects. I
> tried the example below and the result was: a workflow process was
> created but the work item didn't show up on users work items who has
> the approver role.
>
> Thank you in advance.
>
> Arda
>
>
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>
> Role approved by role
>
> desc
>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>
> oid="00000000-0000-0000-0000-000000000004"
>
> type="c:RoleType">
>
> Approval by the administrator
>
>
>
>
>
>
>
>
>
From arda.nural at biznet.com.tr Wed Jul 23 10:53:09 2014
From: arda.nural at biznet.com.tr (Arda Nural)
Date: Wed, 23 Jul 2014 11:53:09 +0300
Subject: [midPoint] RoleType in workflows
Message-ID: <004d01cfa653$8818d960$984a8c20$@biznet.com.tr>
Thank you for the clarification Radovan. In my case, I wanted to assign the
approver of a role to another role; not a user or org. ( e.g SuperAdmin).
I didn't want a complex approval schema, just one approver of RoleType.
When this approvable role is assigned to a user, workflow process starts as
expected. I initially thought the role approval item would be directly
assigned to the user (given the super admin role which approves this role)
and appear in the 'my work items' menu or the super admin's dashboard.
Instead, it shows up in the "Work Items Claimable by me" menu. My problem
was solved in this case.
Best,
End of midPoint Digest, Vol 27, Issue 11
****************************************