[midPoint] Synchronize multiple accounts per user?

Dick Muller dick.muller at tahzoo.com
Tue Dec 20 10:15:11 CET 2016

Hi Mikko,

I have done more or less the same thing with groups.

I had an existing Domain with users and groups.

I created a custom attribute ADRoles and imported the membership into that attribute.

In the default intent I created a little script that read the values in that attribute and assigned them to existing roles that were imported, but if the role didn't exist, it was created.

You could do the same thing with organisations.

Create Organizational Units for the organisations with the ID, where the name is the display name.

During reconciliation the users are created only once, and the organisation IDs are collected in the User attribute and assigned to the Organisational Unit it looks up.

Hope this is an interesting way?




Dick Muller
Senior Systems Engineer
P: 0031 8 82682586 | M: 0031 6 46477690
E: dick.muller at tahzoo.com | W: www.tahzoo.com
A: Delftechpark 37I, 2628 XJ Delft, Netherlands
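The approach above (collect the organisation IDs in a multivalued user attribute, then assign each one to the matching Org, creating it if missing) can be expressed declaratively in midPoint as an object template mapping using the assignmentTargetSearch evaluator with createOnDemand. This is an added example, not Dick's script or anything from the thread; the extension attribute name orgIdentifiers, the template OID and the Org name layout are assumptions.

```xml
<!-- Added example (not from the thread). Assumes an inbound mapping has already
     filled the user's extension/orgIdentifiers (assumed name) with one value per
     account, e.g. ["ORG-17", "ORG-42"]. Each value becomes one assignment. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                oid="OBJECT-TEMPLATE-OID-PLACEHOLDER">
    <name>User template: org assignments from collected organisation IDs</name>
    <mapping>
        <name>org-ids-to-assignments</name>
        <strength>strong</strength>
        <source>
            <!-- multivalued; the mapping is evaluated once per value -->
            <path>extension/orgIdentifiers</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>OrgType</targetType>
                <!-- look up the Org whose identifier equals the current ID value -->
                <filter>
                    <q:equal>
                        <q:path>identifier</q:path>
                        <expression>
                            <script>
                                <code>orgIdentifiers</code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <!-- no match: create the Org instead of failing the sync -->
                <createOnDemand>true</createOnDemand>
                <populateObject>
                    <!-- name the new Org after the ID; the display name can be
                         corrected later without breaking the identifier lookup -->
                    <populateItem>
                        <expression>
                            <script>
                                <code>orgIdentifiers</code>
                            </script>
                        </expression>
                        <target>
                            <path>name</path>
                        </target>
                    </populateItem>
                </populateObject>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```

Because the Org is keyed on identifier rather than on the resource account, the user keeps a single midPoint User object no matter how many accounts share the same (resource, kind, intent), which is the constraint the original question ran into.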

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Mikko Pekkarinen <mikko.pekkarinen at datactica.fi>
Sent: Tuesday, 20 December 2016 09:36:22
To: midpoint at lists.evolveum.com
Subject: [midPoint] Synchronize multiple accounts per user?


Use case: A resource maintains user accounts and organization information. I need to synchronize these to midPoint.
The user accounts are associated to the organizations, and one person may have an account in multiple organizations.
The accounts have an ID field that uniquely identifies the person who owns the account, and I use this ID to correlate the accounts to midPoint Users. Straightforward synchronization leads to constraint violation exceptions, as the different accounts have the same (resource, kind, intent).

I can see some possible solutions:
 - Writing a script that creates N copies of the resource configuration, with different 'intent' values.
   This is ugly, possibly inefficient, and limits the maximum number of accounts per user.
 - Create a separate User in midPoint for each account.
   Feels wrong. Seems simple in the short term, but leads at least to usability problems.
   Probably other problems as well?

Are there better choices or any best practices for this situation?
Would the new "identity merging" feature help, i.e. can it merge Users whose shadows have identical
(resource, kind, intent)?

midPoint mailing list
midPoint at lists.evolveum.com