[midPoint] approve provisioning from LiveSync
Radovan Semancik
radovan.semancik at evolveum.com
Fri May 6 10:19:07 CEST 2016
Hi,
I would like to clarify: There is usually not much sense in approving or
rejecting a change that was detected by livesync in the way that
approval process usually works. The change detected by livesync has
already happened. So there is no option to "reject" it. That's the main
reason it is not implemented.
A similar matter is the changes to focus (e.g. User) objects that are
mapped from the livesync using the inbound mappings. Current midPoint
philosophy considers mappings to be always authoritative. So again,
there is no point in approving any changes that have originated from the
mappings. It is not easy to "reject" such changes. Well, in livesync it
might be a possibility, as the sync event that caused them is not likely
to be processed again. But when it comes to reconciliation there is a
problem: if you reject a change originated from a mapping then the same
change will re-appear on another reconciliation run and you will have to
reject it again. And as no livesync is ever 100% reliable, a good
midPoint deployment always has a secondary synchronization mechanism to
pick up changes that livesync missed. This is usually reconciliation. So
in the end even the livesync method is likely to fail because the next
recon run will ruin all the previous decisions.
The approval process was designed for a use-case where midPoint is the
primary "manager" of what is legal and what is not. This is the
principle that all IDM systems that I know follow. While midPoint goes
to (really) great lengths to be flexible in how reality is aligned with
the policy, there still needs to be one place that authoritatively
decides about the data that are input to the policy. That does not
necessarily need to be midPoint. MidPoint can take that information
from another source (or several sources). There just needs to be an
algorithm how to determine the policy data. The approval process is
currently only viable for the system which is the authoritative source
of the policy data.
But, I'm still quite curious about your use case. Can you perhaps
describe what you are trying to achieve? I mean from a user point of
view. Why exactly do you want to approve changes coming from a livesync?
What is the motivation?
--
Radovan Semancik
Software Architect
evolveum.com
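The reasoning in the reply above (an authoritative mapping is recomputed on every reconciliation run, so a rejected mapping-derived change simply reappears, while a livesync event that was missed is picked up by the next reconciliation) can be seen in a small simulation. This is an added illustration, not midPoint code and not from any of the list posts; HR_SOURCE, cn_mapping, livesync_run and reconcile_run are constructed stand-ins for the HR resource, the object template mapping that fills extension/CN, and the two midPoint task types.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Delta:
    """One proposed attribute change on a focus (user) object."""
    user: str
    attribute: str
    value: str

# Constructed HR data; plays the role of the authoritative HR resource.
HR_SOURCE: Dict[str, Dict[str, str]] = {
    "alice": {"givenName": "Alice", "familyName": "Smith"},
    "bob": {"givenName": "Bob", "familyName": "Jones"},
}

def cn_mapping(record: Dict[str, str]) -> str:
    """Stand-in for the object template mapping that computes extension/CN."""
    return f"{record['givenName']} {record['familyName']}"

def proposed_deltas(source: Dict, target: Dict, users: Iterable[str]) -> List[Delta]:
    """Recompute the mapping for the given users; return what differs from target."""
    deltas = []
    for uid in users:
        wanted = cn_mapping(source[uid])
        if target.get(uid, {}).get("CN") != wanted:
            deltas.append(Delta(uid, "CN", wanted))
    return deltas

def apply_with_approval(deltas: List[Delta], target: Dict,
                        approve: Callable[[Delta], bool], audit: List[Tuple[str, Delta]]) -> None:
    """Route each delta through an approver; apply approved ones, record rejections."""
    for d in deltas:
        if approve(d):
            target.setdefault(d.user, {})[d.attribute] = d.value
            audit.append(("applied", d))
        else:
            audit.append(("rejected", d))

def livesync_run(source: Dict, target: Dict, changed_users: Iterable[str],
                 approve: Callable[[Delta], bool], audit: List[Tuple[str, Delta]]) -> None:
    """Livesync only sees users whose change events actually arrived."""
    apply_with_approval(proposed_deltas(source, target, changed_users), target, approve, audit)

def reconcile_run(source: Dict, target: Dict,
                  approve: Callable[[Delta], bool], audit: List[Tuple[str, Delta]]) -> None:
    """Reconciliation compares every user against the mapping output."""
    apply_with_approval(proposed_deltas(source, target, source.keys()), target, approve, audit)

def simulate(changed_users: Iterable[str], approve: Callable[[Delta], bool],
             recon_runs: int) -> Tuple[Dict, List[Tuple[str, Delta]]]:
    """One livesync pass followed by recon_runs reconciliation passes."""
    target: Dict[str, Dict[str, str]] = {}
    audit: List[Tuple[str, Delta]] = []
    livesync_run(HR_SOURCE, target, changed_users, approve, audit)
    for _ in range(recon_runs):
        reconcile_run(HR_SOURCE, target, approve, audit)
    return target, audit

def count(audit: List[Tuple[str, Delta]], kind: str, user: str) -> int:
    return sum(1 for k, d in audit if k == kind and d.user == user)

if __name__ == "__main__":
    # Scenario 1: approver rejects Bob's CN. Every recon run proposes it again.
    target, audit = simulate(["alice", "bob"], lambda d: d.user != "bob", recon_runs=3)
    print(target, "bob rejected", count(audit, "rejected", "bob"), "times")
    # Scenario 2: livesync missed Bob's event; reconciliation catches it.
    target, audit = simulate(["alice"], lambda d: True, recon_runs=1)
    print(target)
```

Scenario 1 is the "ruin all the previous decisions" case: the target never gets Bob's CN, but the same delta is rejected once per livesync and once more on every reconciliation run. Scenario 2 is why a deployment keeps reconciliation at all: Bob's event never reached livesync, and the first recon run applies the mapping result anyway.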
On 05/05/2016 10:55 PM, Pavol Mederly wrote:
>
> Hello Ramiji,
>
>
> the feature you're trying to use, i.e. approving changes that were
> detected by LiveSync, has not been implemented yet.
>
>
> We first implemented the most common scenario: approving explicitly
> requested changes (submitted via GUI, Java, SOAP or REST API).
>
>
> What you need is probably not that hard to implement. What needs to be
> clarified is the exact expected behavior - for example, should we consider
> changes detected only by LiveSync, or by reconciliation as well?
>
> a) If by LiveSync only: what about changes that would get lost
> (somehow - it might happen for reasons internal or external to
> midPoint). Normally, such changes are covered by reconciliation. If we
> would forbid reconciliation, we would have to have another mechanism
> for recovering such forgotten/lost changes.
>
> b) If by reconciliation as well: what about changes that would be
> rejected? They would trigger a new approval process at each
> reconciliation task run.
>
>
> Best regards,
>
> Pavol
>
>
> On 05.05.2016 15:07, Rijndaal Ramiji wrote:
>>
>> Hi.
>>
>> I'm currently studying workflows, and my admin project would like to
>> use it in the LiveSync provisioning process.
>>
>> We currently have an HR resource that has a livesync task.
>> An object template for the sync event of HR can create the CN for AD
>> and store it in $user/extension/CN.
>>
>> Finally, my ActiveDirectory resource has an outbound mapping of
>> $user/extension/CN in icfs:name.
>>
>> It works like a charm! (this product is quite amazing ;) )
>>
>>
>> Btw, I'm reading about workflows of approval and we would like to
>> make the liveSync process of provisioning to be overlooked by a workflow.
>>
>> I have configured the workflow process, and it works, for example, for
>> creation of a user from MidPoint "new user".
>>
>> Before the effective provisioning on AD, it asks the admin to
>> reject or approve the request of creation.
>>
>> This workflow sadly, seems to not work with the automatic creation of
>> the account from the "unmatched" reaction...
>>
>> Is this a known bug, should this be the exact flow or maybe I have
>> made something wrong?
>>
>> Thank you all!
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint