[midPoint] Import VS Recon for Initial Accounts

Jason Everling jeverling at bshp.edu
Thu Jun 25 15:37:15 CEST 2015


Ok thanks for the info, I too was thinking about just removing the
outbounds temporarily then adding them back afterwards. Our AD is our main
directory, I do want two-way sync after the initial import but I just don't
want to modify during the initial import.

After I get the accounts imported I will then add our CSV resource from our
SIS system which will be authoritative on who gets assigned what, who gets
disabled/enabled, update out of date attributes, and where accounts are
placed in orgs, so I plan on doing a reconcile after I add it which I am
expecting to make a lot of changes to users since I know there are plenty
of accounts that need to be updated.

After those two are done I can add my other DB resources which are mainly
outbound.

I have done extensive testing so I am pretty sure that even without
removing the outbounds it would be very little that gets modified but I
want to be 100% sure it goes as smoothly as possible.

Thanks!
JASON

On Thu, Jun 25, 2015 at 2:07 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Jason,
>
> yes, if there are inbound mappings, they will be evaluated and attributes
> can be modified back in the "source" resource according to the mappings.
>
> As a "hack" you can temporarily modify your resource settings by
> commenting out all the outbounds and keep only inbounds. I usually create a
> copy of the resource XML file and modify according to my needs. After the
> import is done, you can reimport your original XML resource which will have
> the outbounds. Sometimes I also change the name (not oid) of the resource
> e.g. "AD - recon only" in the second XML file to be sure what I'm using
> when I'm in GUI.
>
> If this resource will be used for import, and then it becomes a target
> resource, then *probably* you need only inbounds during import and only
> outbounds afterwards...
>
> I'm doing a lot of reconciliations these days (connecting more target
> systems) and I keep watching the email notifications during recon - because
> the data ARE changing back on the reconciled resource (e.g. the email
> address is copied from midPoint there replacing the original one), or
> accounts are being disabled if users in midPoint are disabled etc. In my
> case it's ok, because policy from midPoint is applied to these target
> systems. During the initial import it's probably safer to have only
> inbounds unless you need to modify some attribute back.
>
> Take care especially for your <credentials> mapping.
>
> Regards,
> Ivan
>
>
> On 06/24/2015 08:03 PM, Pavol Mederly wrote:
>
> Hello Jason,
>
> I would recommend import as the first step. However, concerning your last
> question, beware:
>
> The import *can* modify your AD accounts, if there are any outbound
> mappings.
>
> (Maybe Ivan could provide you with more detailed explanation.)
>
> Regards,
> Pavol
>
>
> On 24. 6. 2015 19:36, Jason Everling wrote:
>
> Should I do the import task or a recon task to add all the initial
> accounts from AD? Currently, there are not any accounts in midpoint, AD is
> the main repo for accounts that will be used to create all the accounts in
> midpoint.
>
> Should it be an import task to import all the accounts or recon? I am
> thinking that import sounds better and then recon after I add my other
> resources?
>
> Does import modify the accounts in AD as they are getting imported into
> midpoint?
>
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper Id(e)M Vix."
>
>
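
A pre-flight check for the import-only copy of the resource XML that Ivan describes in the quoted reply, as an added example that is not from the thread or from the midPoint project. The function names and the simplified sample resource are constructed for illustration; the check reports outbound mappings that are still active (including under <credentials>) and confirms the oid was kept while the name was changed.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"  # midPoint 3.x common namespace

def active_outbounds(resource_xml):
    """Locations of <outbound> mappings still active (commented-out ones are dropped by the parser)."""
    root = ET.fromstring(resource_xml)
    parent = {child: p for p in root.iter() for child in p}
    hits = []
    for ob in root.iter(C + "outbound"):
        holder = parent[ob]  # e.g. <attribute> or <password>
        ref = holder.findtext(C + "ref")
        label = ref.strip() if ref else holder.tag.replace(C, "")
        node = holder  # walk up to see whether the mapping sits under <credentials>
        while node is not None and node.tag != C + "credentials":
            node = parent.get(node)
        hits.append(("credentials/" if node is not None else "") + label)
    return hits

def preflight(original_xml, import_copy_xml):
    """Problems to resolve before loading the import-only copy (hypothetical helper)."""
    orig, cpy = ET.fromstring(original_xml), ET.fromstring(import_copy_xml)
    problems = ["outbound still active: " + h for h in active_outbounds(import_copy_xml)]
    if orig.get("oid") != cpy.get("oid"):
        problems.append("oid differs from the original (the thread says to keep it)")
    if orig.findtext(C + "name") == cpy.findtext(C + "name"):
        problems.append("name unchanged: GUI will not show which variant is loaded")
    return problems

# Constructed, simplified sample (not a real resource): one attribute and a password mapping.
ORIGINAL = """<resource oid="00000000-0000-0000-0000-0000000000ad"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>AD</name>
  <schemaHandling><objectType>
    <attribute><ref>ri:mail</ref>
      <outbound><source><path>emailAddress</path></source></outbound>
      <inbound><target><path>emailAddress</path></target></inbound>
    </attribute>
    <credentials><password><outbound/></password></credentials>
  </objectType></schemaHandling>
</resource>"""

# Import-only copy: renamed, attribute outbound commented out, password outbound overlooked.
IMPORT_COPY = (ORIGINAL.replace("<name>AD</name>", "<name>AD - recon only</name>")
               .replace("<outbound><source>", "<!-- <outbound><source>")
               .replace("</source></outbound>", "</source></outbound> -->"))

if __name__ == "__main__":
    print(preflight(ORIGINAL, IMPORT_COPY))
```

An empty result means the copy carries no active outbound mappings; the same function run against the original file lists what comes back when it is reimported after the initial import.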
