[midPoint] Populating parentOrgRef in an Org from a database resource

Ivan Noris ivan.noris at evolveum.com
Fri Jul 29 10:10:09 CEST 2016


Hi Andrew,

now I'm a little confused.
You are doing synchronization, where, using inbound, you populate *user*
extension attribute parentIdentifier.
Then you have object template for *OrgType*, where you use this.

You are probably mixing things.

What I'd suppose you wish to create is:
1) synchronize users from your source
2) have external attribute for user, which should be used to
automatically assign the organization to user (based on the query
org/identifier == user/extension/parentId)

This means that the mapping should be in the user template, not org
template. Provided that the organizations already exist in midPoint.

I'm not sure if your source contains only users with org reference, or
only organizations with their parent reference or both...

If your source contains the organizations, you probably wish to have
inbounds to populate attributes of organizations, not users. Then the
object template which you have configured, will be executed.

Regards,
Ivan

On 07/29/2016 07:19 AM, Andrew Brock wrote:
> Ok, so I've added an extension attribute to the OrgType that I map through like this:
>
>          <attribute>
>             <c:ref>ri:parent_id</c:ref>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <inbound>
>                <authoritative>true</authoritative>
>                <exclusive>true</exclusive>
>                <strength>strong</strength>
>                <target>
>                   <c:path>$user/extension/parentIdentifier</c:path>
>                </target>
>             </inbound>
>          </attribute>
>
>
> This works fine. I've then added an object template as suggested:
>
> <objectTemplate oid="10000000-0000-0000-0000-000000000231"
>    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
>    xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
>    xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
>    xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
>    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>    xmlns:ext="xmlns:tns=http://sahmri.com/xml/ns/organisation">
>     <name>Org Template</name>
>     
>     <mapping>
>     	<name>Org-org mapping</name>
>     	<authoritative>true</authoritative>
> 		<strength>strong</strength>
>     	<source>
>     		<path>extension/ext:parentIdentifier</path>
>     	</source>
> 		<expression>
> 			<assignmentTargetSearch>
> 				<targetType>c:OrgType</targetType>
> 				<filter>
> 					<q:equal>
> 						<q:path>c:identifier</q:path>
> 						<expression>
> 							<path>$parentIdentifier</path>
> 						</expression>
> 					</q:equal>
> 				</filter>
> 			</assignmentTargetSearch>
> 		</expression> 
>     	<target>
>     		<path>assignment</path>
>     	</target>
>     </mapping>
> </objectTemplate>
>
>
>
> ...and I've added it to the system configuration like so:
>
>  
>    <defaultObjectPolicyConfiguration>
>       <type>c:OrgType</type>
>       <objectTemplateRef oid="10000000-0000-0000-0000-000000000231" type="c:ObjectTemplateType"><!-- Org Template --></objectTemplateRef>
>    </defaultObjectPolicyConfiguration>
>
>
> ...but the template doesn't seem to be triggered when a new Organisation is created - i.e. I don't see an error message but the assignment isn't created either.
>
>
> Thoughts?
>
> Thanks,
> Andrew
>
>
> -----Original Message-----
>
> Hello Andrew,
>
>> My understanding is that an org-to-org relationship shouldn't be an 
>> assignment, but a population of the parentOrgRef (see
>> https://wiki.evolveum.com/display/midPoint/Organizational+Structure)
>> and then midpoint handles the rest.
> Actually, that wiki article is a bit out-of-date in this respect. 
> Currently, the preferred way of linking any focal objects (users, roles, orgs, services) to organization structure is via assignments.
>
> One possibility is to map parent_id column to an extension attribute of the org object, and then use an object template to create appropriate assignment for a given Org object. Something like this: 
> https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml. 
>
> (But maybe someone would propose a better solution.)
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
>
> On 28.07.2016 8:38, Andrew Brock wrote:
>> Hi,
>>
>> I have a database resource that gives me the following organisation 
>> info in its columns:
>>
>> 1.) An ID (an integer)
>>
>> 2.) A Name (a string)
>>
>> 3.) The ID of the parent organisation in a column called parent_id (an 
>> integer). This value is present for all organisations except for the 
>> top parent one.
>>
>> This resource can be considered the definitive authority for this data 
>> (i.e. it's not present in LDAP).
>>
>> I currently have a schemaHandling like so:
>>
>>    <schemaHandling>
>>       <objectType>
>>          <kind>account</kind>
>>          <intent>HRM</intent>
>>          <default>true</default>
>>          <objectClass>ri:AccountObjectClass</objectClass>
>>          <attribute>
>>             <c:ref>icfs:uid</c:ref>
>>             <tolerant>true</tolerant>
>>             <exclusiveStrong>false</exclusiveStrong>
>>             <inbound>
>>                <authoritative>true</authoritative>
>>                <exclusive>false</exclusive>
>>                <strength>normal</strength>
>>                <target>
>>                   <c:path>identifier</c:path>
>>                </target>
>>             </inbound>
>>          </attribute>
>>          <attribute>
>>             <c:ref>ri:name</c:ref>
>>             <tolerant>true</tolerant>
>>             <exclusiveStrong>false</exclusiveStrong>
>>             <inbound>
>>                <authoritative>true</authoritative>
>>                <exclusive>false</exclusive>
>>                <strength>normal</strength>
>>                <target>
>>                   <c:path>name</c:path>
>>                </target>
>>             </inbound>
>>          </attribute>
>>       </objectType>
>>    </schemaHandling>
>>
>> The current behaviour when I sync from this resource is all the 
>> Organisations are being created with the correct name and unique ID 
>> that is copied to the OrgType "Identifier" field, but they are all at 
>> the same (top) level in the Org. structure.
>>
>> I now want to put them into their proper hierarchy!
>>
>> My understanding is that an org-to-org relationship shouldn't be an 
>> assignment, but a population of the parentOrgRef (see 
>> https://wiki.evolveum.com/display/midPoint/Organizational+Structure) 
>> and then midpoint handles the rest. What do I need to do to my current 
>> configuration to populate the parentOrgRef property using the value of 
>> the parent_id column from my database? I can't assign the parent_id 
>> value directly to parentOrgRef as it's an integer, so I need to get a 
>> reference to the parent organisation.
>>
>> I've seen some references to a referenceSearch expression on Github, 
>> which I think may be what I need, but I haven't seen an example of 
>> this in action. This is what I've got so far (which goes just above 
>> the </objectType> tag in my first example), but it doesn't appear to 
>> do anything when I sync:
>>
>>          <attribute>
>>             <c:ref>ri:parent_id</c:ref>
>>             <matchingRule xmlns:gen426="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen426:default</matchingRule>
>>             <tolerant>true</tolerant>
>>             <exclusiveStrong>false</exclusiveStrong>
>>             <fetchStrategy>implicit</fetchStrategy>
>>             <inbound>
>>                <authoritative>true</authoritative>
>>                <exclusive>false</exclusive>
>>                <strength>normal</strength>
>>                <expression>
>>                   <referenceSearch>
>>                      <targetType>c:OrgType</targetType>
>>                      <filter>
>>                         <q:equal>
>>                            <!-- Property from OrgType -->
>>                            <q:path>identifier</q:path>
>>                            <expression>
>>                               <!-- database column -->
>>                               <c:path>$c:account/c:attributes/parent_id</c:path>
>>                            </expression>
>>                         </q:equal>
>>                      </filter>
>>                   </referenceSearch>
>>                </expression>
>>                <target>
>>                   <!-- Field on the organisation that is being created -->
>>                   <c:path>parentOrgRef</c:path>
>>                </target>
>>             </inbound>
>>          </attribute>
>>
>> The database table is sorted in such a way that the organisations at 
>> level 1 are first, then level 2, then level 3, etc. so I don't think 
>> it's trying to create or update organisations before their parent 
>> organisation has already been created.
>>
>> Any clues?
>>
>> Thanks,
>>
>> Andrew
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
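
The last suggestion in the reply above (inbounds that populate attributes of the organisation rather than the user), as an added configuration example that is not part of the original thread and is not Evolveum sample code. It assumes the resource's synchronization is configured with OrgType as the focus type and that the `$focus` variable is available in inbound mappings of the midPoint version in use; attribute, kind and intent names are taken from the quoted configuration.

```xml
<!-- As posted in the thread: the inbound target is written as a *user*
     path, although the objects being synchronized are organisations. -->
<attribute>
   <c:ref>ri:parent_id</c:ref>
   <inbound>
      <strength>strong</strength>
      <target>
         <c:path>$user/extension/parentIdentifier</c:path>
      </target>
   </inbound>
</attribute>

<!-- Adjusted (assumption: $focus resolves to the focal object, here the Org):
     the parent_id column lands in the Org's own extension attribute, which
     is the source the OrgType object template reads. -->
<attribute>
   <c:ref>ri:parent_id</c:ref>
   <inbound>
      <strength>strong</strength>
      <target>
         <c:path>$focus/extension/parentIdentifier</c:path>
      </target>
   </inbound>
</attribute>

<!-- Assumed synchronization entry for the same object type: focusType tells
     midPoint that these resource objects correspond to OrgType objects.
     Correlation and reactions stay as already configured for the resource. -->
<objectSynchronization>
   <objectClass>ri:AccountObjectClass</objectClass>
   <kind>account</kind>
   <intent>HRM</intent>
   <focusType>c:OrgType</focusType>
   <enabled>true</enabled>
</objectSynchronization>
```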
