[midPoint] Editing Role Resource Inducement
Pavol Mederly
pavol.mederly at gmail.com
Wed Nov 26 10:08:30 CET 2014
Hello Dharmendra,
actually, it is possible to recompute users having a given role
(directly assigned!) via SOAP API.
You have to execute the following bulk action (a.k.a. midPoint script).
<s:search xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <s:type>c:UserType</s:type>
    <s:searchFilter>
        <q:ref>
            <q:path>assignment/targetRef</q:path>
            <q:value>
                <oid>00000000-0000-0000-0000-000000000004</oid>
                <type>RoleType</type>
            </q:value>
        </q:ref>
    </s:searchFilter>
    <s:action>
        <s:type>recompute</s:type>
    </s:action>
</s:search>
(of course, replace oid with your role's OID)
You can use the runScript sample
(samples\model-client-sample\src\main\java\com\evolveum\midpoint\testing\model\client\sample\RunScript.java)
to see how bulk actions can be executed via SOAP API.
Note: it is quite experimental yet; however, it works.
More to read:
https://wiki.evolveum.com/display/midPoint/runscript+command+line+tool
https://wiki.evolveum.com/display/midPoint/Bulk+actions
Regards,
Pavol
On 26. 11. 2014 9:48, dharmendra parakh wrote:
> Hi Ivan
>
> Thanks for the information, I will try this, between you have
> mentioned that doing this on a role level is not implemented yet in
> GUI but is there any API which can do this?
>
> I was thinking to write a client which can perform this operation for
> specific role.
>
>
>
> Regards
> Dharmendra
>
>
> On Wed, Nov 26, 2014 at 2:13 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
> Hi Dharmendra,
>
> GUI part for doing this on a role level is planned, not
> implemented yet.
>
> It is however possible with User Recomputation Task. The task
> (without any query conditions) can be created from Server Tasks -
> New Task menu. It will process all users and recompute them. The
> task can be scheduled, e.g. to run once a day.
>
> You can also create User Recomputation Task with conditions/query,
> if you want to recompute only users with some role assigned. Be
> advised this currently works only if the role is assigned
> directly, not as a subrole of other role:
>
> <task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>     <name>User Recompute - having role 00000000-0000-0000-0000-000000000008</name>
>     <extension xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
>         <mext:objectQuery xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">
>             <q:filter>
>                 <q:ref>
>                     <q:path>assignment/targetRef</q:path>
>                     <q:value>
>                         <oid>00000000-0000-0000-0000-000000000008</oid>
>                         <type>RoleType</type>
>                     </q:value>
>                 </q:ref>
>             </q:filter>
>         </mext:objectQuery>
>     </extension>
>     <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
>     <executionStatus>runnable</executionStatus>
>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/recompute/handler-3</handlerUri>
>     <recurrence>single</recurrence>
>     <binding>tight</binding>
> </task>
>
> Replace the <oid>..</oid> with the oid of the role you wish to
> recompute and import this task using Configuration - Import object
> - Embedded editor - paste this example. The task will execute
> immediately.
>
> NB: the ..00008 oid is the End User role, I've tested if the task is
> importable. It is.
>
> Regards,
> Ivan
>
>
> On 11/26/2014 08:04 AM, dharmendra parakh wrote:
>> Hi Ivan/ Pavol
>>
>> Thanks for the information, I tried it and it works well, but
>> rather than doing it at user level I would like to do it at role
>> level.
>>
>> For example:
>> - I change a role definition - added an additional group assignment
>> - Now I want to propagate this change to all the member users.
>> - If I go and do this at user level it is not scalable.
>>
>> So is there any way where we can say recompute all the user
>> accounts affected by the change in role definition?
>>
>> Regards
>> Dharmendra
>>
>>
>> On Tue, Nov 25, 2014 at 7:49 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>
>> Hi,
>>
>>
>>> Hi
>>>
>>> - How can we recompute the account?
>>> - Yes, after changing the role newly members get correct groups.
>>>
>>
>> For one single user, it should be sufficient to:
>> - go to Users
>> - find your user
>> - click the "wheel" icon in the user line and select "Reconcile"
>>
>> The same should be possible for multiple selected users,
>> using the "wheel" icon in the user list header (the same
>> option "Reconcile").
>>
>> Be advised, all roles assigned to selected user(s) will be
>> recomputed.
>>
>> Regards,
>> Ivan
>>
>>
>>> Regards
>>> Dharmendra
>>>
>>>
>>>
>>> On Tue, Nov 25, 2014 at 7:01 PM, Pavol Mederly <pavol.mederly at gmail.com> wrote:
>>>
>>> Dharmendra,
>>>
>>> after changing the role, user accounts have to be
>>> recomputed for the change to be applied onto the resource.
>>>
>>> A quick check: if you create a new user and assign him
>>> this modified role, is the group membership OK for the
>>> newly created account?
>>>
>>> Best regards,
>>> Pavol
>>>
>>> On 25. 11. 2014 12:14, dharmendra parakh wrote:
>>>> Hi
>>>>
>>>> Thanks for the information, I didn't get chance to go
>>>> through these documents but I will look into this for
>>>> sure.
>>>> What I understand is I can not modify the groups
>>>> assigned as role inducement from GUI.
>>>>
>>>> I tried changing the groups from xml but then this
>>>> change is not enforced to member users account. I need
>>>> it for my project for which I am evaluating midpoint,
>>>> how can I do that?
>>>>
>>>>
>>>> Thanks
>>>> Dharmendra
>>>>
>>>>
>>>> On Sun, Nov 23, 2014 at 2:32 AM, Pavol Mederly <pavol.mederly at gmail.com> wrote:
>>>>
>>>> Dharmendra,
>>>>
>>>> thank you for the explanation.
>>>>
>>>> Currently, GUI allows only to change "regular"
>>>> attributes of induced accounts (directly when
>>>> creating the inducement, or later when editing it
>>>> by clicking on "Show empty" button and changing
>>>> what you need*).
>>>>
>>>> If you want to work with associations, you have to
>>>> write it in XML, e.g. via
>>>> Configuration->Repository objects page.
>>>>
>>>> For an example, please see e.g.
>>>> https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-EntitlementAssociations.
>>>>
>>>> But before trying that, I would strongly recommend
>>>> reading about the concept of entitlements, starting
>>>> here:
>>>> https://wiki.evolveum.com/display/midPoint/Entitlements
>>>> and then about assignments:
>>>> https://wiki.evolveum.com/display/midPoint/Assignment
>>>> and
>>>> https://wiki.evolveum.com/display/midPoint/Assignment+Configuration
>>>>
>>>> Anyway, if you would have any questions, we're here
>>>> to help.
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>> (*) Due to a bug in GUI, attribute changes are
>>>> applied, but are not shown back in GUI. But they
>>>> can be seen via Repository objects page. Hope we'll
>>>> fix that soon.
>>>> ---
>>>>
>>>> On 22. 11. 2014 19:50, dharmendra parakh wrote:
>>>>> Hi Pavol
>>>>>
>>>>> What I have done is pretty straight forward, I
>>>>> have configured a role to induce an ldap resource
>>>>> using GUI (PFA).
>>>>>
>>>>> So as per my understanding when I add this
>>>>> resource to role inducement all the role members
>>>>> will get this resource provisioned, I have tested
>>>>> this and it is working very well.
>>>>>
>>>>> Now I want to change the resource data which I
>>>>> provided while adding this resource inducement to
>>>>> role for example container or group assignment
>>>>> information. I am not sure how can I do this.
>>>>>
>>>>>
>>>>> Thanks!
>>>>> Dharmendra
>>>>>
>>>>> On Sat, Nov 22, 2014 at 10:52 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>>>>>
>>>>> Hello Dharmendra,
>>>>>
>>>>> I'm not sure what exactly you have done and
>>>>> what you would like to achieve.
>>>>>
>>>>> You've created a role and configured it to
>>>>> induce an LDAP resource. Did you do this using
>>>>> a GUI or via XML?
>>>>> If via GUI, please send here a screenshot what
>>>>> have you done and what you want to achieve.
>>>>> If via XML, please do the same (sending here
>>>>> appropriate pieces of your XML configuration).
>>>>>
>>>>> Best regards,
>>>>> Pavol Mederly
>>>>>
>>>>>
>>>>> On 22. 11. 2014 11:33, dharmendra parakh wrote:
>>>>>> Hi Everyone
>>>>>>
>>>>>> I just downloaded and started learning
>>>>>> midpoint for my personal learning purpose. I
>>>>>> really liked it and I am very excited to
>>>>>> learn using it.
>>>>>>
>>>>>> I have a question about inducements in midpoint.
>>>>>>
>>>>>> I have created a role and configured it to
>>>>>> induce a ldap resource with some ldap groups.
>>>>>> Now I want to change the configured
>>>>>> groups/resource information but I could not
>>>>>> find the way to do it.
>>>>>>
>>>>>> Can you help me doing this or there is no
>>>>>> such implementation in midpoint currently.
>>>>>> Please help me with this let me know if you
>>>>>> need more information on this.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Dharmendra Parakh
>>>>>> +91-9730648544
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer
>> evolveum.com evolveum.com/blog/
>> _____________________________________________
>> "Semper Id(e)M Vix."
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com evolveum.com/blog/
> _____________________________________________
> "Semper Id(e)M Vix."
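Added example (not part of the original thread and not midPoint code): the thread notes that the `assignment/targetRef` filter only matches users who hold the role directly, so this sketch works out which role OIDs the search would have to be run for after a role change, and renders the filter only for well-formed OIDs. The role graph, user names and function names are constructed for illustration, and it assumes a subrole relationship is an inducement from the parent role to the subrole.

```python
import uuid

# Constructed sample data: parent role OID -> OIDs of the roles it induces.
INDUCES = {
    "11111111-0000-0000-0000-000000000001": ["00000000-0000-0000-0000-000000000008"],
    "11111111-0000-0000-0000-000000000002": ["11111111-0000-0000-0000-000000000001"],
    "11111111-0000-0000-0000-000000000003": [],
}
# Constructed sample data: user name -> directly assigned role OIDs.
ASSIGNMENTS = {
    "alice": ["00000000-0000-0000-0000-000000000008"],
    "bob": ["11111111-0000-0000-0000-000000000002"],
    "carol": ["11111111-0000-0000-0000-000000000003"],
}


def roles_to_search(changed_oid, induces):
    """Return the changed role plus every role that reaches it via inducements."""
    found, frontier = {changed_oid}, [changed_oid]
    while frontier:
        current = frontier.pop()
        for parent, children in induces.items():
            if current in children and parent not in found:  # 'found' also stops cycles
                found.add(parent)
                frontier.append(parent)
    return found


def direct_holders(role_oids, assignments):
    """Users a direct-assignment filter would match for any of role_oids."""
    wanted = set(role_oids)
    return sorted(user for user, roles in assignments.items() if wanted & set(roles))


def ref_filter(role_oid):
    """Render the thread's <q:ref> filter for one OID; non-UUID input is rejected."""
    oid = str(uuid.UUID(role_oid))  # ValueError on malformed input, canonical form otherwise
    return ("<q:ref><q:path>assignment/targetRef</q:path>"
            f"<q:value><oid>{oid}</oid><type>RoleType</type></q:value></q:ref>")


if __name__ == "__main__":
    changed = "00000000-0000-0000-0000-000000000008"
    print("filter on changed role only:", direct_holders([changed], ASSIGNMENTS))
    for oid in sorted(roles_to_search(changed, INDUCES)):
        print(ref_filter(oid))
```

Parsing the OID with `uuid.UUID` before placing it in the filter keeps a client that takes the role OID as input from emitting anything other than a canonical UUID into the query.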