[midPoint] Synchronization: no focus deletion after account deleted on HR

Ivan Noris ivan.noris at evolveum.com
Mon Jul 6 13:42:55 CEST 2015


Hi Giovanni,

On 07/06/2015 01:29 PM, Giovanni Rosavini wrote:
> Hello Ivan,
>
> thank you for the answer, and above all for explaining the discovery
> mechanism.
>
> Regarding the "deleted" column on the table, that was the approach we
> used to apply in other projects; this time we are still not really
> sure about the customer needs (e.g. if users will be removed from HR
> or if they will be flagged as deleted), so we were exploring midPoint
> features to see if "deletion after synchronization" was feasible.
>

OK, understood. This is the (obvious) feature of the DB Table / CSV
connectors. For example, with the OpenDJ changelog mechanism you can react
to the events applied to OpenDJ objects, including delete.

Regards,
Ivan

> On 06/07/2015 11:51, Ivan Noris wrote:
>> Hi Giovanni,
>>
>> thanks. As it seems, Pavol has just pointed out the real issue - the
>> inability to detect deletes in DBTable connector - as the connector
>> is watching for modifications and delete means the record just
>> disappears.
>>
>> This also explains why the discovery has been when editing the
>> user... during fetching account, it was detected as deleted
>> (situation DELETED), so the synchronization has been started and the
>> (just edited) user was deleted causing the error.
>>
>> If you add some column for marking "deleted" accounts in DBTable, you
>> could synchronize these to midPoint as disabled and the user and all
>> corresponding accounts would be disabled (but not deleted).
>>
>> The other way is reconciliation as Pavol has recommended, to detect
>> the deleted accounts and react.
>>
>> In most deployments (regardless of the input feed being database
>> table, CSV export or other data) customers usually have flags to
>> distinguish former employees, or flags regarding the maternity leave
>> etc. on which you can react by disabling the User and all his/her
>> accounts.
>>
>> But of course, having the accounts deleted from DB table is OK too,
>> but the connector will not detect them using LiveSync, but
>> Reconciliation will work.
>>
>> Regards,
>> Ivan
>>
>> On 07/06/2015 11:13 AM, Giovanni Rosavini wrote:
>>> Hello Ivan,
>>>
>>> here is the task. It was mostly a copy of the one available in
>>> "samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml".
>>>
>>> Thanks,
>>> Giovanni Rosavini <g.rosavini at nsr.it>
>>>
>>> *nova systems roma / nsr*
>>>
>>> via della foce micina, 74
>>> 00054 Fiumicino (RM) - Italia
>>> t. +39 06 6504 7521
>>> f. +39 06 6504 7519
>>>
>>> web: http://www.nsr.it
>>> On 06/07/2015 10:58, Ivan Noris wrote:
>>>> Hi Giovanni,
>>>>
>>>> quick and stupid question: is Livesync task running? How often?
>>>>
>>>> Thanks,
>>>> Ivan
>>>>
>>>> On 07/06/2015 10:55 AM, Giovanni Rosavini wrote:
>>>>> Hello Pavol,
>>>>>
>>>>> I'm sorry, I accidentally disabled some of the loggers while
>>>>> testing another scenario. Now I have changed my settings enabling
>>>>> the logging for Model (attached is my System Configuration).
>>>>> Here is the test I made:
>>>>>
>>>>>   * at 10:32 I deleted my user from HR;
>>>>>   * at 10:33 I listed the users in the GUI: the to-be-deleted user
>>>>>     was still there;
>>>>>   * at 10:34 I tried to access the user details from the GUI,
>>>>>     receiving the "user not found" error.
>>>>>
>>>>> I previously forgot to mention that I am using Midpoint version 3.1.1.
>>>>>
>>>>> Thank you for your help
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Giovanni Rosavini <g.rosavini at nsr.it>
>>>>> On 06/07/2015 09:29, Pavol Mederly wrote:
>>>>>> Hello Giovanni,
>>>>>>
>>>>>> I've looked at your resource configuration and your log, but so
>>>>>> far I don't see the cause of the behavior you observe.
>>>>>>
>>>>>> However, we could perhaps help you more if you could send us
>>>>>> complete log files. First of all, I think the current log
>>>>>> describes only the "discovery" part of the process (and shows
>>>>>> that midPoint correctly decided to delete the user). What would
>>>>>> be more useful is the log covering the situation when you delete
>>>>>> the row in DB, execute the LiveSync cycle and observe that no
>>>>>> reaction is performed. Also, currently there seems to be only
>>>>>> logs from the Projector. Could you enable the TRACE logging for
>>>>>> the whole Model component?
>>>>>>
>>>>>> Best regards,
>>>>>> Pavol
>>>>>>
>>>>>> On 3. 7. 2015 17:40, Giovanni Rosavini wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a problem with synchronization against a DB read-only
>>>>>>> resource (my "HR" resource).
>>>>>>> When a new row is inserted in HR, Midpoint reacts and correctly
>>>>>>> creates the relative user (inbound mappings evaluations and
>>>>>>> object template application are OK), but when a row is deleted
>>>>>>> no reaction is performed; also, when I try to access the user in
>>>>>>> the GUI, discovery occurs and I receive the error message:
>>>>>>> "Object of type 'UserType' with oid
>>>>>>> 'ffa976d3-1700-476f-a6ba-a1d8c7f0875e' was not found".
>>>>>>> In the attachments you can find the relevant log lines and the
>>>>>>> resource configuration.
>>>>>>>
>>>>>>> Can you please help us?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>> -- 
>>>>>>> Giovanni Rosavini <g.rosavini at nsr.it>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>> -- 
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer & IDM Architect
>>>>   evolveum.com                     evolveum.com/blog/
>>>>   ___________________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>
>> -- 
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer & IDM Architect
>>   evolveum.com                     evolveum.com/blog/
>>   ___________________________________________________
>>   "Semper Id(e)M Vix."
>>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
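
Added example, not part of the thread and not midPoint or connector code: a constructed SQLite table showing why polling a change column (the LiveSync behaviour described above) never sees a hard-deleted row, while a flagged row and a full reconciliation both surface the leaver. The table name hr and the columns changed and deleted are assumptions made for this sketch.

```python
import sqlite3

def make_hr():
    """Constructed sample HR table with a change-timestamp column and a 'deleted' flag."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hr (emp_id TEXT PRIMARY KEY, name TEXT, "
               "changed INTEGER, deleted INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO hr (emp_id, name, changed) VALUES (?, ?, ?)",
                   [("e1", "alice", 1), ("e2", "bob", 1), ("e3", "carol", 1)])
    return db

def live_sync(db, token):
    """Change-column polling: rows modified since token, plus the new token.
    A row that no longer exists can never match, so a hard delete is invisible."""
    rows = db.execute("SELECT emp_id, deleted, changed FROM hr "
                      "WHERE changed > ? ORDER BY changed", (token,)).fetchall()
    new_token = max([token] + [r[2] for r in rows])
    return [(r[0], "disable" if r[1] else "upsert") for r in rows], new_token

def reconcile(db, known_ids):
    """Full comparison: linked accounts with no row left in the source were deleted."""
    present = {r[0] for r in db.execute("SELECT emp_id FROM hr")}
    return sorted(set(known_ids) - present)

def demo():
    db = make_hr()
    events, token = live_sync(db, 0)           # initial import of all three rows
    known = {emp_id for emp_id, _ in events}   # accounts now linked to users
    db.execute("DELETE FROM hr WHERE emp_id = 'e2'")  # hard delete in HR
    db.execute("UPDATE hr SET deleted = 1, changed = 2 "
               "WHERE emp_id = 'e3'")                  # leaver flagged instead
    events, token = live_sync(db, token)
    return events, reconcile(db, known)

if __name__ == "__main__":
    sync_events, missing = demo()
    print("live sync saw:", sync_events)       # only the flagged row
    print("reconciliation found deleted:", missing)
```

Until a reconciliation runs, the account for e2 stays linked and its user stays active, which is the gap the thread describes.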
