[midPoint] Synchronization: no focus deletion after account deleted on HR

Giovanni Rosavini g.rosavini at nsr.it
Mon Jul 6 13:29:51 CEST 2015


Hello Ivan,

thank you for the answer, and above all for explaining the discovery 
mechanism.

Regarding the "deleted" column on the table, that was the approach we 
used to apply in other projects; this time we are still not really sure 
about the customer needs (e.g. if users will be removed from HR or if 
they will be flagged as deleted), so we were exploring midPoint features 
to see if "deletion after synchronization" was feasible.

Best regards,

Giovanni Rosavini <g.rosavini at nsr.it>

*nova systems roma / nsr*

via della foce micina, 74
00054 Fiumicino (RM) - Italia
t. +39 06 6504 7521
f. +39 06 6504 7519

web: http://www.nsr.it

On 06/07/2015 11:51, Ivan Noris wrote:
> Hi Giovanni,
>
> thanks. As it seems, Pavol has just pointed out the real issue - the 
> inability to detect deletes in DBTable connector - as the connector is 
> watching for modifications and delete means the record just disappears.
>
> This also explains why the discovery has been when editing the user... 
> during fetching account, it was detected as deleted (situation 
> DELETED), so the synchronization has been started and the (just 
> edited) user was deleted causing the error.
>
> If you add some column for marking "deleted" accounts in DBTable, you 
> could synchronize these to midPoint as disabled and the user and all 
> corresponding accounts would be disabled (but not deleted).
>
> The other way is reconciliation as Pavol has recommended, to detect 
> the deleted accounts and react.
>
> In most deployments (regardless of the input feed being database 
> table, CSV export or other data) customers usually have flags to 
> distinguish former employees, or flags regarding the maternity leave 
> etc. on which you can react by disabling the User and all his/her 
> accounts.
>
> But of course, having the accounts deleted from DB table is OK too, 
> but the connector will not detect them using LiveSync, but 
> Reconciliation will work.
>
> Regards,
> Ivan
>
> On 07/06/2015 11:13 AM, Giovanni Rosavini wrote:
>> Hello Ivan,
>>
>> here is the task. It was mostly a copy of the one available in 
>> "samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml".
>>
>> Thanks,
>> Giovanni Rosavini <g.rosavini at nsr.it>
>>
>> On 06/07/2015 10:58, Ivan Noris wrote:
>>> Hi Giovanni,
>>>
>>> quick and stupid question: is Livesync task running? How often?
>>>
>>> Thanks,
>>> Ivan
>>>
>>> On 07/06/2015 10:55 AM, Giovanni Rosavini wrote:
>>>> Hello Pavol,
>>>>
>>>> I'm sorry, I accidentally disabled some of the loggers while 
>>>> testing another scenario. Now I have changed my settings enabling 
>>>> the logging for Model (attached is my System Configuration).
>>>> Here is the test I made:
>>>>
>>>>   * at 10:32 I deleted my user from HR;
>>>>   * at 10:33 I listed the users in the GUI: the to-be-deleted user
>>>>     was still there;
>>>>   * at 10:34 I tried to access the user details from the GUI,
>>>>     receiving the "user not found" error.
>>>>
>>>> I previously forgot to mention that I am using Midpoint version 3.1.1.
>>>>
>>>> Thank you for your help
>>>>
>>>> Best regards,
>>>>
>>>> Giovanni Rosavini <g.rosavini at nsr.it>
>>>>
>>>> On 06/07/2015 09:29, Pavol Mederly wrote:
>>>>> Hello Giovanni,
>>>>>
>>>>> I've looked at your resource configuration and your log, but so 
>>>>> far I don't see the cause of the behavior you observe.
>>>>>
>>>>> However, we could perhaps help you more if you could send us 
>>>>> complete log files. First of all, I think the current log 
>>>>> describes only the "discovery" part of the process (and shows that 
>>>>> midPoint correctly decided to delete the user). What would be more 
>>>>> useful is the log covering the situation when you delete the row 
>>>>> in DB, execute the LiveSync cycle and observe that no reaction is 
>>>>> performed. Also, currently there seems to be only logs from the 
>>>>> Projector. Could you enable the TRACE logging for the whole Model 
>>>>> component?
>>>>>
>>>>> Best regards,
>>>>> Pavol
>>>>>
>>>>> On 3. 7. 2015 17:40, Giovanni Rosavini wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have a problem with synchronization against a DB read-only 
>>>>>> resource (my "HR" resource).
>>>>>> When a new row is inserted in HR, Midpoint reacts and correctly 
>>>>>> creates the relative user (inbound mappings evaluations and 
>>>>>> object template application are OK), but when a row is deleted no 
>>>>>> reaction is performed; also, when I try to access the user in the 
>>>>>> GUI, discovery occurs and I receive the error message: "Object of 
>>>>>> type 'UserType' with oid 'ffa976d3-1700-476f-a6ba-a1d8c7f0875e' 
>>>>>> was not found".
>>>>>> In the attachments you can find the relevant log lines and the 
>>>>>> resource configuration.
>>>>>>
>>>>>> Can you please help us?
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>> -- 
>>>>>> Giovanni Rosavini <g.rosavini at nsr.it>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> -- 
>>>    Ing. Ivan Noris
>>>    Senior Identity Management Engineer & IDM Architect
>>>    evolveum.com                     evolveum.com/blog/
>>>    ___________________________________________________
>>>    "Semper Id(e)M Vix."

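The difference discussed in this thread, as an added example that is not part of the original messages and is not midPoint or DBTable connector code: a poll that only watches a change column never sees a hard-deleted row, while a full comparison (reconciliation) or a "deleted" flag does. The table `hr`, its columns and the function names are assumptions made for this sketch.

```python
import sqlite3

def make_hr():
    # Constructed sample HR table; "changed" stands in for a last-change column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hr (id TEXT PRIMARY KEY, name TEXT, "
               "deleted INTEGER DEFAULT 0, changed INTEGER)")
    db.executemany("INSERT INTO hr VALUES (?, ?, 0, ?)",
                   [("e1", "Alice", 1), ("e2", "Bob", 2), ("e3", "Carol", 3)])
    return db

def live_sync(db, token):
    """Modification watching: return rows changed since the last token."""
    rows = db.execute("SELECT id, deleted, changed FROM hr "
                      "WHERE changed > ? ORDER BY changed", (token,)).fetchall()
    new_token = rows[-1][2] if rows else token
    events = [(r[0], "disable" if r[1] else "upsert") for r in rows]
    return events, new_token

def reconcile(db, known_ids):
    """Full comparison: accounts we know about that no longer exist in HR."""
    present = {r[0] for r in db.execute("SELECT id FROM hr")}
    return sorted(set(known_ids) - present)

def demo():
    db = make_hr()
    events, token = live_sync(db, 0)            # initial import of e1..e3
    known = {acc_id for acc_id, _ in events}
    db.execute("DELETE FROM hr WHERE id = 'e2'")                        # hard delete
    db.execute("UPDATE hr SET deleted = 1, changed = 4 WHERE id = 'e3'")  # flag
    events, token = live_sync(db, token)        # sees only the flagged row
    return events, reconcile(db, known)         # reconciliation finds e2

if __name__ == "__main__":
    sync_events, orphans = demo()
    print("live sync saw:", sync_events)
    print("reconciliation found missing:", orphans)
```

An account that stays enabled after its HR record is gone is an orphaned identity, so whichever approach is chosen, the deletion path should be tested as well as the creation path.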