[midPoint] Examples or explanation Tolerant Pattern

Ivan Noris ivan.noris at evolveum.com
Wed Jun 1 14:57:54 CEST 2016


Hi Dick,

I was just testing this and this is how it works:

1) if attribute is set as tolerant, it means that *during
reconciliation*, the other values of the attribute (not mandated by
midPoint mappings) will be tolerated, i.e. kept, not removed. This is
fine if you manage some group membership by midPoint and other
membership by other means, i.e. manually, and you wish to have both. If
attribute is not tolerant, midPoint would remove the values that are not
provided by mappings in resource schema handling and/or role mappings.

2) tolerantValuePattern and intolerantValuePattern work also only during
reconciliation, but you can specify regexps to match.
Sample for carLicense in LDAP resource:
         <attribute>
            <c:ref>ri:carLicense</c:ref>
            <tolerant>true</tolerant>
            <tolerantValuePattern>^Secret.*$</tolerantValuePattern>
            <intolerantValuePattern>^.*$</intolerantValuePattern>
         </attribute>

This means that during reconciliation, only values starting with Secret
will be kept and all others will be removed.
To test this silly example, I've done the following:

- put the above attribute definition to OpenLDAP sample
- added OpenLDAP account as projection / assigned role constructing the
account
- added several values of carLicense attribute manually or using
midPoint (Projections-OpenLDAP-expand-carLicense-"+"). From these
values, one is "Secret is my food", second is "XXX", third is "Too many
secrets".
- edited the user again in midPoint, checked "reconcile" checkbox and saved.

After the save (with reconcile checkbox) all values except the "Secret
is my food" are removed from the attribute carLicense, because they are
not mandated by any mapping. The value "Secret is my food" is not
removed, because it matches the "tolerantValuePattern".

The documentation for these little beasts is also in schema:
https://github.com/Evolveum/midpoint/blob/master/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

Hope this helps. I have not yet used these tolerant patterns, so if there
are further questions please ask.

Regards,
Ivan

On 05/26/2016 04:00 PM, Dick Muller wrote:
> Hi,
>
> Is there somebody that can explain how the tolerant checkbox and
> tolerant patterns work.
>
> I want to allow values with the tolerant pattern that end with
> dc=domainname, dc=com.
>
> Is that possible with this function?
>
> Kindest regards,
>
> ------------------------------------------------------------------------
>
> *Dick Muller*
>
> Senior Systems Engineer
>
> Delftechpark 37i
> 2628 XJ Delft
> *d:* +31 88 2682586
> *m:* +31 6 46477690
>
> <http://www.tahzoo.com/>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."

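Added example, not part of the original message and not midPoint code: a small Python model of the per-value decision the carLicense test above demonstrates, useful for dry-running a pattern set before a reconcile deletes values on the resource. The precedence (tolerant pattern, then intolerant pattern, then the plain flag), the whole-value match, the function names and the DN sample values are assumptions.

```python
import re

def is_tolerated(value, tolerant, tolerant_patterns=(), intolerant_patterns=()):
    # Assumed precedence, inferred from the carLicense result in the message:
    # a tolerantValuePattern match wins, then an intolerantValuePattern match,
    # and only then the plain <tolerant> flag decides.
    if any(re.fullmatch(p, value) for p in tolerant_patterns):
        return True
    if any(re.fullmatch(p, value) for p in intolerant_patterns):
        return False
    return tolerant

def reconcile(resource_values, mapped_values, **attr_def):
    """Return (kept, removed) for one attribute after a reconcile run."""
    kept, removed = [], []
    for value in resource_values:
        # Values mandated by a mapping always stay; the rest must be tolerated.
        if value in mapped_values or is_tolerated(value, **attr_def):
            kept.append(value)
        else:
            removed.append(value)
    # Values mandated by mappings but missing on the resource get added.
    kept += [v for v in mapped_values if v not in kept]
    return kept, removed

# The carLicense definition and the three test values from the message.
CAR_LICENSE = dict(tolerant=True,
                   tolerant_patterns=[r"^Secret.*$"],
                   intolerant_patterns=[r"^.*$"])
ON_RESOURCE = ["Secret is my food", "XXX", "Too many secrets"]

# Same shape for the DN-suffix question; pattern and DNs are constructed.
DN_SUFFIX = dict(tolerant=True,
                 tolerant_patterns=[r"^.*,dc=domainname,dc=com$"],
                 intolerant_patterns=[r"^.*$"])
GROUPS = ["cn=admins,ou=groups,dc=domainname,dc=com",
          "cn=legacy,ou=groups,dc=other,dc=org"]

if __name__ == "__main__":
    for label, values, definition in (("carLicense", ON_RESOURCE, CAR_LICENSE),
                                      ("group DNs", GROUPS, DN_SUFFIX)):
        kept, removed = reconcile(values, [], **definition)
        print(f"{label}: kept={kept} removed={removed}")
```

"Too many secrets" is removed because the pattern is anchored at the start and case-sensitive, so a value that merely contains the word does not match.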