[midPoint] Editing Role Resource Inducement
Ivan Noris
ivan.noris at evolveum.com
Wed Nov 26 09:43:34 CET 2014
Hi Dharmendra,

GUI part for doing this on a role level is planned, not implemented yet.

It is however possible with User Recomputation Task. The task (without
any query conditions) can be created from Server Tasks - New Task menu.
It will process all users and recompute them. The task can be scheduled,
e.g. to run once a day.

You can also create User Recomputation Task with conditions/query, if
you want to recompute only users with some role assigned. Be advised
this currently works only if the role is assigned directly, not as a
subrole of other role:

<task
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <name>User Recompute - having role 00000000-0000-0000-0000-000000000008</name>
    <!-- Query: only users with a direct assignment of the role given in <oid> -->
    <extension
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
        <mext:objectQuery
            xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">
            <q:filter>
                <q:ref>
                    <q:path>assignment/targetRef</q:path>
                    <q:value>
                        <oid>00000000-0000-0000-0000-000000000008</oid>
                        <type>RoleType</type>
                    </q:value>
                </q:ref>
            </q:filter>
        </mext:objectQuery>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <!-- Runnable, single recurrence: the task executes once, right after import -->
    <executionStatus>runnable</executionStatus>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/recompute/handler-3</handlerUri>
    <recurrence>single</recurrence>
    <binding>tight</binding>
</task>

Replace the <oid>..</oid> with the oid of the role you wish to recompute
and import this task using Configuration - Import object - Embedded
editor - paste this example. The task will execute immediately.

NB: the ..00008 oid is End User role, I've tested if the task is
importable. It is.

Regards,
Ivan

On 11/26/2014 08:04 AM, dharmendra parakh wrote:
> Hi Ivan/ Pavol
>
> Thanks for the information, I tried it and it works well. But rather
> than doing it at user level I would like to do it at role level.
>
> For example:
> - I change a role definition - added an additional group assignment
> - Now I want to propagate this change to all the member users.
> - If I go and do this at user level it is not scalable.
>
> So is there any way where we can say recompute all the user accounts
> affected by the change in role definition?
>
> Regards
> Dharmendra
>
>
> On Tue, Nov 25, 2014 at 7:49 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
> Hi,
>
>
>> Hi
>>
>> - How can we recompute the account?
>> - Yes, after changing the role newly members get correct groups.
>>
>
> For one single user, it should be sufficient to:
> - go to Users
> - find your user
> - click the "wheel" icon in the user line and select "Reconcile"
>
> The same should be possible for multiple selected users, using the
> "wheel" icon in the user list header (the same option "Reconcile").
>
> Be advised, all roles assigned to selected user(s) will be recomputed.
>
> Regards,
> Ivan
>
>
>> Regards
>> Dharmendra
>>
>>
>>
>> On Tue, Nov 25, 2014 at 7:01 PM, Pavol Mederly
>> <pavol.mederly at gmail.com> wrote:
>>
>> Dharmendra,
>>
>> after changing the role, user accounts have to be recomputed
>> for the change to be applied onto the resource.
>>
>> A quick check: if you create a new user and assign him this
>> modified role, is the group membership OK for the newly
>> created account?
>>
>> Best regards,
>> Pavol
>>
>> On 25. 11. 2014 12:14, dharmendra parakh wrote:
>>> Hi
>>>
>>> Thanks for the information, I didn't get chance to go
>>> through these documents but I will look into this for sure.
>>> What I understand is I can not modify the groups assigned as
>>> role inducement from GUI.
>>>
>>> I tried changing the groups from xml but then this change is
>>> not enforced to member users account. I need it for my
>>> project for which I am evaluating midpoint, how can I do that?
>>>
>>>
>>> Thanks
>>> Dharmendra
>>>
>>>
>>> On Sun, Nov 23, 2014 at 2:32 AM, Pavol Mederly
>>> <pavol.mederly at gmail.com> wrote:
>>>
>>> Dharmendra,
>>>
>>> thank you for the explanation.
>>>
>>> Currently, GUI allows only to change "regular"
>>> attributes of induced accounts (directly when creating
>>> the inducement, or later when editing it by clicking on
>>> "Show empty" button and changing what you need*).
>>>
>>> If you want to work with associations, you have to write
>>> it in XML, e.g. via Configuration->Repository
>>> objects page.
>>>
>>> For an example, please see e.g.
>>> https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-EntitlementAssociations.
>>>
>>> But before trying that, I would strongly recommend
>>> reading about the concept of entitlements, starting here:
>>> https://wiki.evolveum.com/display/midPoint/Entitlements
>>> and then about assignments:
>>> https://wiki.evolveum.com/display/midPoint/Assignment
>>> and
>>> https://wiki.evolveum.com/display/midPoint/Assignment+Configuration
>>>
>>> Anyway, if you would have any questions, we're here to help.
>>>
>>> Best regards,
>>> Pavol
>>>
>>> (*) Due to a bug in GUI, attribute changes are applied,
>>> but are not shown back in GUI. But they can be seen via
>>> Repository objects page. Hope we'll fix that soon.
>>> ---
>>>
>>> On 22. 11. 2014 19:50, dharmendra parakh wrote:
>>>> Hi Pavol
>>>>
>>>> What I have done is pretty straight forward, I have
>>>> configured a role to induce an ldap resource using GUI
>>>> (PFA).
>>>>
>>>> So as per my understanding when I add this resource to
>>>> role inducement all the role members will get this
>>>> resource provisioned, I have tested this and it is
>>>> working very well.
>>>>
>>>> Now I want to change the resource data which I provided
>>>> while adding this resource inducement to role for
>>>> example container or group assignment information. I am
>>>> not sure how can I do this.
>>>>
>>>>
>>>> Thanks!
>>>> Dharmendra
>>>>
>>>> On Sat, Nov 22, 2014 at 10:52 PM, Pavol Mederly
>>>> <mederly at evolveum.com> wrote:
>>>>
>>>> Hello Dharmendra,
>>>>
>>>> I'm not sure what exactly you have done and what
>>>> you would like to achieve.
>>>>
>>>> You've created a role and configured it to induce
>>>> an LDAP resource. Did you do this using a GUI or
>>>> via XML?
>>>> If via GUI, please send here a screenshot what have
>>>> you done and what you want to achieve.
>>>> If via XML, please do the same (sending here
>>>> appropriate pieces of your XML configuration).
>>>>
>>>> Best regards,
>>>> Pavol Mederly
>>>>
>>>>
>>>> On 22. 11. 2014 11:33, dharmendra parakh wrote:
>>>>> Hi Everyone
>>>>>
>>>>> I just downloaded and started learning midpoint
>>>>> for my personal learning purpose. I really liked
>>>>> it and I am very excited to learn using it.
>>>>>
>>>>> I have a question about inducements in midpoint.
>>>>>
>>>>> I have created a role and configured it to induce
>>>>> a ldap resource with some ldap groups. Now I want
>>>>> to change the configured groups/resource
>>>>> information but I could not find the way to do it.
>>>>>
>>>>> Can you help me doing this or there is no such
>>>>> implementation in midpoint currently.
>>>>> Please help me with this let me know if you need
>>>>> more information on this.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Dharmendra Parakh
>>>>> +91-9730648544
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
> _____________________________________________
> "Semper Id(e)M Vix."
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
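
Added example, not part of the original thread or of midPoint itself: the message above notes that the assignment/targetRef query only matches users who have the role assigned directly. The sketch below lists which users such a filter would match and which ones hold the role only through a parent role, so would still need an unfiltered recompute. The export layout, OIDs and names are constructed for illustration and are assumptions.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# Constructed sample export: OIDs and names are made up for illustration.
SAMPLE = """<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <role oid="r-ldap"><name>LDAP Groups</name></role>
  <role oid="r-dev"><name>Developer</name>
    <inducement><targetRef oid="r-ldap" type="RoleType"/></inducement>
  </role>
  <role oid="r-lead"><name>Team Lead</name>
    <inducement><targetRef oid="r-dev" type="RoleType"/></inducement>
  </role>
  <user oid="u-1"><name>alice</name>
    <assignment><targetRef oid="r-ldap" type="RoleType"/></assignment></user>
  <user oid="u-2"><name>bob</name>
    <assignment><targetRef oid="r-dev" type="RoleType"/></assignment></user>
  <user oid="u-3"><name>carol</name>
    <assignment><targetRef oid="r-lead" type="RoleType"/></assignment></user>
  <user oid="u-4"><name>dave</name></user>
</objects>"""

def _targets(obj, container):
    """OIDs referenced by targetRef inside <assignment> or <inducement>."""
    return {ref.get("oid") for ref in obj.findall(f"{C}{container}/{C}targetRef")}

def affected_users(xml_text, role_oid):
    """Return (direct, indirect) sets of user names that hold role_oid."""
    root = ET.fromstring(xml_text)
    induces = {r.get("oid"): _targets(r, "inducement") for r in root.iter(f"{C}role")}
    # Collect every role that reaches role_oid through a chain of inducements.
    reaching, frontier = {role_oid}, {role_oid}
    while frontier:
        frontier = {p for p, kids in induces.items() if kids & frontier} - reaching
        reaching |= frontier
    direct, indirect = set(), set()
    for user in root.iter(f"{C}user"):
        assigned = _targets(user, "assignment")
        name = user.findtext(f"{C}name")
        if role_oid in assigned:
            direct.add(name)        # matched by the assignment/targetRef filter
        elif assigned & reaching:
            indirect.add(name)      # holds the role only as a subrole: filter misses it
    return direct, indirect

if __name__ == "__main__":
    direct, indirect = affected_users(SAMPLE, "r-ldap")
    print("matched by the filtered task:", sorted(direct))
    print("missed (role held via a parent role):", sorted(indirect))
```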