[midPoint] Sync Entitlements to Role Object with DatabaseTableConnector

Ivan Noris ivan.noris at evolveum.com
Mon May 2 09:02:38 CEST 2016


Hi Harits,

On 05/02/2016 08:17 AM, Harits Elfahmi wrote:
> Hello all,
>
> I'm trying to sync my role data from database table to midpoint using
> the GUI. From the docs I get the impression that the entitlements and
> accounts originated from single resource, but since
> DatabaseTableConnector connect to a certain table, I think I need to
> make another resource to store entitlement data. What I don't get is:
>
> - In Schema Handling what's the attribute I use in *target*? Is it
> *$role/name*? I can't find the reference in the docs

Instead of $user you would use $focus. (It would work for users as well.)

> - In Synchronization, what's the appropriate reaction? I can't find
> *add role* reaction in the dropdown list

No, that's connected to the bug you discovered earlier. The proper
action is addFocus.
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>

In order to synchronize resource objects to anything other than users,
the following must be added to the synchronization settings (I don't know if
the wizard supports it):

...
                <objectSynchronization>
                        <name>role sync</name>
                        <!-- DB Table connector supports only accounts -->
                        <objectClass>ri:AccountObjectClass</objectClass>
                        <kind>account</kind>
                        <intent>default</intent>
                        <focusType>c:RoleType</focusType>
                        <enabled>true</enabled>
                        <correlation>
...
                        </correlation>
...

This means that the object will be correlated with Roles, not Users
(which is the default). In the correlation expression you will search for Roles
and not Users. If the correlation expression returns zero results, the
unmatched situation will occur and the action (e.g. addFocus) will be
executed. Everything is the same as for users. Just use $focus instead
of $user in the inbound mappings.

See some of our Generic Synchronization samples such as
https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml
(it's OpenDJ, not DB Table, but you will see the things I mentioned).

Also see https://wiki.evolveum.com/display/midPoint/Generic+Synchronization

Regards,
Ivan

>
> Is it possible to do this? Or do I need to manually add roles to
> midpoint? Please help.
>
> Thanks
>
> -- 
> Cheers,
> *Harits* Elfahmi
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
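
The pieces named in the reply above (focusType, a correlation that searches roles, the addFocus reaction on the unmatched situation, and an inbound mapping to $focus), put together as one resource fragment. This is an added example, not part of the original message or of the Evolveum samples. It assumes a role table with a hypothetical column role_name, that the c:, q: and ri: prefixes are declared on the enclosing resource element, and that the correlation expression reads the row through the $shadow variable.

```xml
<!-- Added example. role_name is a hypothetical column of the role table. -->
<!-- Assumes prefixes c:, q: and ri: are declared on the enclosing <resource>. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:AccountObjectClass</objectClass>
        <attribute>
            <ref>ri:role_name</ref>
            <inbound>
                <target>
                    <!-- $focus is the RoleType object here, not a user -->
                    <path>$focus/name</path>
                </target>
            </inbound>
        </attribute>
    </objectType>
</schemaHandling>
<synchronization>
    <objectSynchronization>
        <name>role sync</name>
        <!-- DB Table connector exposes every row as an account object -->
        <objectClass>ri:AccountObjectClass</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <!-- Correlate and create roles instead of the default users -->
        <focusType>c:RoleType</focusType>
        <enabled>true</enabled>
        <correlation>
            <!-- Find an existing role whose name equals the row's role_name -->
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <!-- $shadow as the row variable is an assumption -->
                    <path>$shadow/attributes/ri:role_name</path>
                </expression>
            </q:equal>
        </correlation>
        <reaction>
            <!-- No role matched: create one from the inbound mappings -->
            <situation>unmatched</situation>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
            </action>
        </reaction>
    </objectSynchronization>
</synchronization>
```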
