[midPoint] Editing Role Resource Inducement
dharmendra parakh
dharm.parakh at gmail.com
Wed Nov 26 09:48:02 CET 2014
Hi Ivan
Thanks for the information, I will try this. By the way, you have mentioned
that doing this on a role level is not implemented yet in the GUI, but is there
any API which can do this?
I was thinking of writing a client which can perform this operation for a
specific role.
Regards
Dharmendra
On Wed, Nov 26, 2014 at 2:13 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
> Hi Dharmendra,
>
> GUI part for doing this on a role level is planned, not implemented yet.
>
> It is however possible with User Recomputation Task. The task (without any
> query conditions) can be created from Server Tasks - New Task menu. It will
> process all user and recompute them. The task can be scheduled, e.g. to run
> once a day.
>
> You can also create User Recomputation Task with conditions/query, if you
> want to recompute only users with some role assigned. Be advised this
> currently works only if the role is assigned directly, not as a subrole of
> other role:
>
> <task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>     <name>User Recompute - having role 00000000-0000-0000-0000-000000000008</name>
>     <extension xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
>         <mext:objectQuery xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">
>             <q:filter>
>                 <q:ref>
>                     <q:path>assignment/targetRef</q:path>
>                     <q:value>
>                         <oid>00000000-0000-0000-0000-000000000008</oid>
>                         <type>RoleType</type>
>                     </q:value>
>                 </q:ref>
>             </q:filter>
>         </mext:objectQuery>
>     </extension>
>     <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
>     <executionStatus>runnable</executionStatus>
>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/recompute/handler-3</handlerUri>
>     <recurrence>single</recurrence>
>     <binding>tight</binding>
> </task>
>
> Replace the <oid>..</oid> with the oid of the role you wish to recompute
> and import this task using Configuration - Import object - Embedded editor
> - paste this example. The task will execute immediately.
>
> NB: the ..00008 oid is the End User role, I've tested if the task is
> importable. It is.
>
> Regards,
> Ivan
>
>
> On 11/26/2014 08:04 AM, dharmendra parakh wrote:
>
> Hi Ivan/ Pavol
>
> Thanks for the information, I tried it and it works well. But rather
> than doing it at user level I would like to do it at role level.
>
> For example:
> - I change a role definition - added an additional group assignment
> - Now I want to propagate this change to all the member users.
> - If I go and do this at user level it is not scalable.
>
> So is there any way where we can say recompute all the user accounts
> affected by the change in role definition?
>
> Regards
> Dharmendra
>
>
> On Tue, Nov 25, 2014 at 7:49 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>> Hi,
>>
>>
>> Hi
>>
>> - How can we recompute the account?
>> - Yes, after changing the role new members get correct groups.
>>
>>
>> For one single user, it should be sufficient to:
>> - go to Users
>> - find your user
>> - click the "wheel" icon in the user line and select "Reconcile"
>>
>> The same should be possible for multiple selected users, using the
>> "wheel" icon in the user list header (the same option "Reconcile").
>>
>> Be advised, all roles assigned to selected user(s) will be recomputed.
>>
>> Regards,
>> Ivan
>>
>>
>> Regards
>> Dharmendra
>>
>>
>>
>> On Tue, Nov 25, 2014 at 7:01 PM, Pavol Mederly <pavol.mederly at gmail.com>
>> wrote:
>>
>>> Dharmendra,
>>>
>>> after changing the role, user accounts have to be recomputed for the
>>> change to be applied onto the resource.
>>>
>>> A quick check: if you create a new user and assign him this modified
>>> role, is the group membership OK for the newly created account?
>>>
>>> Best regards,
>>> Pavol
>>>
>>> On 25. 11. 2014 12:14, dharmendra parakh wrote:
>>>
>>> Hi
>>>
>>> Thanks for the information, I didn't get a chance to go through these
>>> documents but I will look into this for sure.
>>> What I understand is I cannot modify the groups assigned as role
>>> inducement from GUI.
>>>
>>> I tried changing the groups from XML but then this change is not
>>> enforced to member users' accounts. I need it for my project for which I am
>>> evaluating midPoint, how can I do that?
>>>
>>>
>>> Thanks
>>> Dharmendra
>>>
>>>
>>> On Sun, Nov 23, 2014 at 2:32 AM, Pavol Mederly <pavol.mederly at gmail.com>
>>> wrote:
>>>
>>>> Dharmendra,
>>>>
>>>> thank you for the explanation.
>>>>
>>>> Currently, GUI allows only to change "regular" attributes of induced
>>>> accounts (directly when creating the inducement, or later when editing it
>>>> by clicking on "Show empty" button and changing what you need*).
>>>>
>>>> If you want to work with associations, you have to write it in XML,
>>>> e.g. via Configuration->Repository objects page.
>>>>
>>>> For an example, please see e.g.
>>>> https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-EntitlementAssociations
>>>> .
>>>>
>>>> But before trying that, I would strongly recommend reading about the
>>>> concept of entitlements, starting here:
>>>> https://wiki.evolveum.com/display/midPoint/Entitlements
>>>> and then about assignments:
>>>> https://wiki.evolveum.com/display/midPoint/Assignment
>>>> and https://wiki.evolveum.com/display/midPoint/Assignment+Configuration
>>>>
>>>> Anyway, if you would have any questions, we're here to help.
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>> (*) Due to a bug in GUI, attribute changes are applied, but are not
>>>> shown back in GUI. But they can be seen via Repository objects page. Hope
>>>> we'll fix that soon.
>>>> ---
>>>>
>>>> On 22. 11. 2014 19:50, dharmendra parakh wrote:
>>>>
>>>> Hi Pavol
>>>>
>>>> What I have done is pretty straightforward, I have configured a role
>>>> to induce an LDAP resource using GUI (PFA).
>>>>
>>>> So as per my understanding when I add this resource to role
>>>> inducement all the role members will get this resource provisioned, I have
>>>> tested this and it is working very well.
>>>>
>>>> Now I want to change the resource data which I provided while adding
>>>> this resource inducement to role, for example container or group assignment
>>>> information. I am not sure how I can do this.
>>>>
>>>>
>>>> Thanks!
>>>> Dharmendra
>>>>
>>>> On Sat, Nov 22, 2014 at 10:52 PM, Pavol Mederly <mederly at evolveum.com>
>>>> wrote:
>>>>
>>>>> Hello Dharmendra,
>>>>>
>>>>> I'm not sure what exactly you have done and what you would like to
>>>>> achieve.
>>>>>
>>>>> You've created a role and configured it to induce an LDAP resource.
>>>>> Did you do this using a GUI or via XML?
>>>>> If via GUI, please send here a screenshot of what you have done and what
>>>>> you want to achieve.
>>>>> If via XML, please do the same (sending here appropriate pieces of
>>>>> your XML configuration).
>>>>>
>>>>> Best regards,
>>>>> Pavol Mederly
>>>>>
>>>>>
>>>>> On 22. 11. 2014 11:33, dharmendra parakh wrote:
>>>>>
>>>>> Hi Everyone
>>>>>
>>>>> I just downloaded and started learning midpoint for my personal
>>>>> learning purpose. I really liked it and I am very excited to learn using it.
>>>>>
>>>>> I have a question about inducements in midpoint.
>>>>>
>>>>> I have created a role and configured it to induce an LDAP resource
>>>>> with some LDAP groups. Now I want to change the configured groups/resource
>>>>> information but I could not find the way to do it.
>>>>>
>>>>> Can you help me with doing this, or is there no such implementation in
>>>>> midPoint currently?
>>>>> Please help me with this and let me know if you need more information on
>>>>> this.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Dharmendra Parakh
>>>>> +91-9730648544
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer
>> evolveum.com evolveum.com/blog/
>> _____________________________________________
>> "Semper Id(e)M Vix."
>>
>
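
Ivan's caveat in the quoted reply (the query-scoped task finds only users with the role assigned directly, not as a subrole of another role) can be made concrete with a small model. The Python below is an added example, not code from the thread or from midPoint; the role names, users and the `SUBROLES` and `ASSIGNMENTS` tables are constructed placeholders standing in for real OIDs.

```python
# Added illustration with constructed data; nothing here calls midPoint.
# Role and user names are hypothetical placeholders for real OIDs.

# role -> roles it includes as subroles (constructed sample)
SUBROLES = {
    "role-manager": ["role-employee"],
    "role-employee": ["role-ldap-groups"],
    "role-ldap-groups": [],
    "role-contractor": [],
}

# user -> roles assigned directly, i.e. what assignment/targetRef holds
ASSIGNMENTS = {
    "alice": ["role-ldap-groups"],
    "bob": ["role-employee"],
    "carol": ["role-manager"],
    "dave": ["role-contractor"],
}


def matched_by_ref_filter(role, assignments=ASSIGNMENTS):
    """Users selected by a filter on assignment/targetRef for one role."""
    return {user for user, roles in assignments.items() if role in roles}


def roles_reaching(role, subroles=SUBROLES):
    """The role plus every role that includes it through a subrole chain."""
    reaching = {role}
    changed = True
    while changed:  # fixed point, so a cyclic role graph still terminates
        changed = False
        for parent, children in subroles.items():
            if parent not in reaching and reaching.intersection(children):
                reaching.add(parent)
                changed = True
    return reaching


def affected_users(role, assignments=ASSIGNMENTS, subroles=SUBROLES):
    """Users holding the role directly or through any including role."""
    reaching = roles_reaching(role, subroles)
    return {u for u, roles in assignments.items() if reaching.intersection(roles)}


def missed_users(role, assignments=ASSIGNMENTS, subroles=SUBROLES):
    """Users a single query-scoped task for this role would not recompute."""
    return affected_users(role, assignments, subroles) - matched_by_ref_filter(role, assignments)
```

In this model a task filtered on `role-ldap-groups` selects only alice, while bob and carol hold the role through `role-employee` and `role-manager`; the roles returned by `roles_reaching` are the ones whose direct assignees also need recomputing.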