[midPoint] ldap account attribute filtering

Ivan Noris ivan.noris at evolveum.com
Thu Jun 18 21:00:55 CEST 2015


Hi Tim,

if you mean that in the GUI you see the attributes on the right side, then
the behaviour is OK. Mappings define only the rules of how the attribute
value is transformed from midPoint to the resource (outbound) or from the
resource to midPoint (inbound). All attributes that are in the schema are
displayed by default.

You can use <ignore>true</ignore> in the <attribute> you wish to hide.
It will not be displayed in the GUI.

https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling#ResourceSchemaHandling-AttributeDefinitions

There is also a way to disable attribute editing and display the attribute
as read-only using <limitations> (see also the page above or our samples).

And, the user/account form honors the security authorizations, so some
users can see / edit different values than others if the security
authorizations are configured and assigned to users (as roles).

Regards,
Ivan

On 06/18/2015 06:30 PM, Tim.Strong at sita.aero wrote:
> Hi Ivan,
> That is what I expected, but I have all attributes shown in my
> resource accounts.    (Still unmatched to users, haven't made it there
> yet/one step at a time.)
>
> I have one inbound mapping expression as per below, so shouldn't that
> mean all other attributes should *not* appear in the resource
> accounts?  For passing the attributes from the resource to the
> midPoint user, I can see how that works, no mapping=no attribute for
> the user.
>
> <schemaHandling>
>       <objectType>
>          <displayName>AD-LDAP Accounts</displayName>
>          <default>true</default>
>          <objectClass>ri:AccountObjectClass</objectClass>
>          <attribute>
>             <c:ref>icfs:uid</c:ref>
>             <exclusiveStrong>false</exclusiveStrong>
>             <tolerant>true</tolerant>
>             <inbound>
>                <authoritative>true</authoritative>
>                <exclusive>false</exclusive>
>                <strength>normal</strength>
>                <target>
>                   <c:path>$user/employeeNumber</c:path>
>                </target>
>             </inbound>
>          </attribute>
>          <credentials>
>             <password/>
>          </credentials>
>       </objectType>
>    </schemaHandling>
>
>
> Thanks
> Ts
>
>
>
>
>
> From:        Ivan Noris <ivan.noris at evolveum.com>
> To:        midpoint at lists.evolveum.com,
> Date:        06/18/2015 11:23 AM
> Subject:        Re: [midPoint] ldap account attribute filtering
> Sent by:        "midPoint" <midpoint-bounces at lists.evolveum.com>
> ------------------------------------------------------------------------
>
>
>
> Hi Tim,
>
> if an attribute definition has no inbound expression, the value of the
> resource attribute will not be synchronized to midPoint.
>
> Regards,
> Ivan
>
> On 06/18/2015 04:56 PM, Tim.Strong at sita.aero wrote:
> Hi folks,
> How do I restrict which attributes are synchronized from an LDAP resource?
> Is this going to be in schema handling, attributes, fetch
> strategy=>explicit  for each attribute?
>
> If so, is there a way to default explicit for attributes and then
> only specify the ones we want to synchronize to midpoint?
>
> I suspect this comes up fairly often, but I haven't been able to
> quickly find any references to it.
>
> Thanks
> Tim
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> -- 
>  Ing. Ivan Noris
>  Senior Identity Management Engineer & IDM Architect
>  evolveum.com                     evolveum.com/blog/
>  ___________________________________________________
>  "Semper Id(e)M Vix."

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
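An added configuration example (not from this thread and not one of the midPoint project's own samples) that puts the three options from the reply side by side in Tim's schemaHandling: a synchronized attribute, one hidden with <ignore>, and one shown read-only with <limitations>. The attribute names ri:description and ri:memberOf are assumed placeholders; which attributes a given user can actually see or edit is still decided by the authorizations assigned to that user.

```xml
<schemaHandling>
   <objectType>
      <displayName>AD-LDAP Accounts</displayName>
      <default>true</default>
      <objectClass>ri:AccountObjectClass</objectClass>

      <!-- synchronized to the user: the only attribute with an inbound mapping -->
      <attribute>
         <c:ref>icfs:uid</c:ref>
         <inbound>
            <strength>normal</strength>
            <target>
               <c:path>$user/employeeNumber</c:path>
            </target>
         </inbound>
      </attribute>

      <!-- assumed attribute name: no mapping, so never synchronized,
           and ignore=true also hides it from the GUI -->
      <attribute>
         <c:ref>ri:description</c:ref>
         <ignore>true</ignore>
      </attribute>

      <!-- assumed attribute name: still displayed, but read-only in the
           account form (no add, no modify) -->
      <attribute>
         <c:ref>ri:memberOf</c:ref>
         <limitations>
            <access>
               <read>true</read>
               <add>false</add>
               <modify>false</modify>
            </access>
         </limitations>
      </attribute>

      <credentials>
         <password/>
      </credentials>
   </objectType>
</schemaHandling>
```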
