[midPoint] ldap account attribute filtering
Tim.Strong at sita.aero
Fri Jun 19 15:57:46 CEST 2015
That's what I was looking for. Thanks!
Tim
Tim Strong, CISSP, GSEC, G2700, GSNA
Sr. Security Manager
Global Operations
SITA Global Services
Montreal - Canada
Tel: +1 514 982 4318 | CVS: 225 4318
From: Ivan Noris <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com,
Date: 06/18/2015 03:01 PM
Subject: Re: [midPoint] ldap account attribute filtering
Sent by: "midPoint" <midpoint-bounces at lists.evolveum.com>
Hi Tim,
if you mean that in the GUI you see the attributes on the right side, then the
behaviour is OK. Mappings define only the rules of how the attribute value
is transformed from midPoint to resource (outbound) or from the resource
to midPoint (inbound). All attributes that are in the schema are displayed by
default.
You can use <ignore>true</ignore> in the <attribute> you wish to hide. It
will not be displayed in the GUI.
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling#ResourceSchemaHandling-AttributeDefinitions
There is also a way to disable attribute editing and display it as
read only using <limitations> (see also the above or our samples).
And the user/account form honors the security authorizations, so some
users can see / edit different values than others if the security
authorizations are configured and assigned to the user (as roles).
Regards,
Ivan
On 06/18/2015 06:30 PM, Tim.Strong at sita.aero wrote:
Hi Ivan,
That is what I expected, but I have all attributes shown in my resource
accounts. (Still unmatched to users, haven't made it there yet/one step
at a time.)
I have one inbound mapping expression as per below, so shouldn't that mean
all other attributes should *not* appear in the resource accounts? For
passing the attributes from the resource to the midPoint user, I can see
how that works, no mapping=no attribute for the user.
<schemaHandling>
    <objectType>
        <displayName>AD-LDAP Accounts</displayName>
        <default>true</default>
        <objectClass>ri:AccountObjectClass</objectClass>
        <attribute>
            <c:ref>icfs:uid</c:ref>
            <exclusiveStrong>false</exclusiveStrong>
            <tolerant>true</tolerant>
            <inbound>
                <authoritative>true</authoritative>
                <exclusive>false</exclusive>
                <strength>normal</strength>
                <target>
                    <c:path>$user/employeeNumber</c:path>
                </target>
            </inbound>
        </attribute>
        <credentials>
            <password/>
        </credentials>
    </objectType>
</schemaHandling>
Thanks
Ts
From: Ivan Noris <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com,
Date: 06/18/2015 11:23 AM
Subject: Re: [midPoint] ldap account attribute filtering
Sent by: "midPoint" <midpoint-bounces at lists.evolveum.com>
Hi Tim,
if an attribute definition has no inbound expression, the value of the
resource attribute will not be synchronized to midPoint.
Regards,
Ivan
On 06/18/2015 04:56 PM, Tim.Strong at sita.aero wrote:
Hi folks,
How do I restrict which attributes are synchronized from an LDAP resource?
Is this going to be in schema handling, attributes, fetch
strategy=>explicit for each attribute?
If so, is there a way to default explicit for attributes and then only
specify the ones we want to synchronize to midPoint?
I suspect this comes up fairly often, but I haven't been able to
quickly find any references to it.
Thanks
Tim
See you at the 2015 Air Transport IT Summit, Brussels, 16-18 June Click
here to register your place now.. http://www.sitasummit.aero/ This
document is strictly confidential and intended only for use by the
addressee unless otherwise stated. If you are not the intended recipient,
please notify the sender immediately and delete it from your system.
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
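
The distinction drawn in the thread (an inbound mapping controls what is synchronized to the midPoint user, while <ignore> controls what is displayed) can be checked mechanically. The script below is an added example, not part of the original thread or of midPoint: the sample XML is constructed from Tim's fragment, and the namespace URI, the extra attribute names and the SCHEMA_ATTRS list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Tim's mapping plus two hypothetical attributes.
# The namespace URI is a placeholder; matching below uses local names only.
SAMPLE = """
<schemaHandling xmlns="urn:example:common" xmlns:c="urn:example:common">
  <objectType>
    <objectClass>ri:AccountObjectClass</objectClass>
    <attribute>
      <c:ref>icfs:uid</c:ref>
      <inbound><target><c:path>$user/employeeNumber</c:path></target></inbound>
    </attribute>
    <attribute>
      <c:ref>ri:telephoneNumber</c:ref>
      <ignore>true</ignore>
    </attribute>
    <attribute>
      <c:ref>ri:description</c:ref>
    </attribute>
  </objectType>
</schemaHandling>
"""
# Constructed list of attributes present in the resource schema.
SCHEMA_ATTRS = ["icfs:uid", "ri:telephoneNumber", "ri:description", "ri:mail"]

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit(xml_text, schema_attrs):
    """Map each schema attribute to (has_inbound_mapping, shown_in_gui)."""
    # Per the thread: everything in the schema is displayed by default.
    report = {name: (False, True) for name in schema_attrs}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "attribute":
            continue
        ref = child_text(elem, "ref")
        has_inbound = any(local(c.tag) == "inbound" for c in elem)
        ignored = child_text(elem, "ignore") == "true"
        report[ref] = (has_inbound, not ignored)
    return report

if __name__ == "__main__":
    for ref, (sync, shown) in audit(SAMPLE, SCHEMA_ATTRS).items():
        print(f"{ref:22} inbound={sync!s:5} shown_in_gui={shown}")
```

Attributes reported as shown but without an inbound mapping are the ones Tim was seeing on the account: visible in the form, yet not synchronized to the user.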