[midPoint] Sync Entitlements to Role Object with DatabaseTableConnector

Harits Elfahmi adilelfahmi at gmail.com
Tue May 3 07:50:07 CEST 2016


Hello Ivan,

Thanks for your suggestion, it works now. But now I want to associate the
entitlement to the account. I use the association example from midpoint
GitHub:

<association>
    <ref>ri:role_id</ref>
    <displayName>My Role</displayName>
    <kind>entitlement</kind>
    <intent>default</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>icfs:uid</associationAttribute>
    <valueAttribute>ri:role_name</valueAttribute>
</association>


But it causes an error, and my guess is that this is because the entitlements
and accounts are in different resources. Is it possible to do the association
with another resource?

Thanks

2016-05-02 14:02 GMT+07:00 Ivan Noris <ivan.noris at evolveum.com>:

> Hi Harits,
>
> On 05/02/2016 08:17 AM, Harits Elfahmi wrote:
>
> Hello all,
>
> I'm trying to sync my role data from a database table to midPoint using the
> GUI. From the docs I get the impression that the entitlements and accounts
> originate from a single resource, but since DatabaseTableConnector connects
> to a certain table, I think I need to make another resource to store
> entitlement data. What I don't get is:
>
> - In Schema Handling what's the attribute I use in *target*? Is it
> *$role/name*? I can't find the reference in the docs
>
>
> Instead of $user you would use $focus. (It would work for users as well.)
>
> - In Synchronization, what's the appropriate reaction? I can't find *add
> role* reaction in the dropdown list
>
>
> No, that's connected to the bug you discovered earlier. The proper action
> is addFocus.
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>
> In order to synchronize resource objects to anything other than users, the
> following must be added to synchronization settings (I don't know if the
> wizard supports it):
>
> ...
>     <objectSynchronization>
>         <name>role sync</name>
>         <objectClass>ri:AccountObjectClass</objectClass> <!-- DB Table connector supports only accounts -->
>         <kind>account</kind>
>         <intent>default</intent>
>         <focusType>c:RoleType</focusType>
>         <enabled>true</enabled>
>         <correlation>
> ...
>         </correlation>
> ...
>
> This means that the object will be correlated with Roles, not Users (which
> is the default). In the correlation expression you will search for Roles and
> not Users. If the correlation expression returns zero results, the unmatched
> situation will occur and the action (e.g. addFocus) will be executed.
> Everything is the same as for users. Just use $focus instead of $user in
> the inbound mappings.
>
> See some of our Generic Synchronization samples such as
> https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml
> (it's OpenDJ, not DB Table, but you will see the things I mentioned).
>
> Also see
> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>
> Regards,
> Ivan
>
>
> Is it possible to do this? Or do I need to manually add roles to midpoint?
> Please help.
>
> Thanks
>
> --
> Cheers,
>
> *Harits* Elfahmi
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper ID(e)M Vix."
>


-- 
Cheers,

*Harits* Elfahmi
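
The settings Ivan describes in the quoted reply, put together as an added example that is not part of either message or of the midPoint samples. The ri:role_name attribute is taken from the association snippet above; the correlation rule (role name equals role_name) and the $shadow variable are assumptions, and the c:, q: and ri: prefixes are assumed to be declared on the enclosing resource element.

```xml
<!-- Added example: fragments of a resource definition for the role table. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <!-- The DB Table connector exposes every row as an account -->
        <objectClass>ri:AccountObjectClass</objectClass>
        <attribute>
            <ref>ri:role_name</ref>
            <inbound>
                <target>
                    <!-- $focus instead of $user: the focus object is a role -->
                    <path>$focus/name</path>
                </target>
            </inbound>
        </attribute>
    </objectType>
</schemaHandling>
<synchronization>
    <objectSynchronization>
        <name>role sync</name>
        <objectClass>ri:AccountObjectClass</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <!-- Without focusType, correlation runs against users (the default) -->
        <focusType>c:RoleType</focusType>
        <enabled>true</enabled>
        <correlation>
            <!-- Assumed rule: an existing role whose name equals role_name -->
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <path>$shadow/attributes/ri:role_name</path>
                </expression>
            </q:equal>
        </correlation>
        <reaction>
            <!-- Zero correlation results: create the role from the row -->
            <situation>unmatched</situation>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
            </action>
        </reaction>
    </objectSynchronization>
</synchronization>
```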