[midPoint] Creating (!) and associating Groupmembership in AD with midpoint

Radovan Semancik radovan.semancik at evolveum.com
Tue Nov 8 16:52:27 CET 2016


Hi,

On 10/06/2016 03:18 PM, Daniel.Sommer at itconcepts.net wrote:
> Are we right that the creation on the resource (account or group) is
> always associated with the act of the assignment in midPoint (and
> therefore creating the projection at the concerned focus object)?

Yes. Accounts or groups are the "real side" of the projection. Therefore 
if you want to create an account or a group you have to create a 
projection in midPoint.

This also goes with the midPoint philosophy: we want every object to be 
accountable. In the ideal state every object (projection) must have an 
owner. Therefore the projection is always created in a "linked" state to 
some midPoint (focal) object (user, role, org, service). This applies to 
accounts, but it also applies to groups, privileges, organizational 
units ... and every resource-side object that midPoint creates.

> So what could be the solution? I would think of creating such a role 
> construction that on assignment to the user two projections are 
> created for him: the first one creates (ensures the presence of) the 
> group and the second creates the account and associates. But how will 
> the assignment (or inducement) for the group creation be defined, 
> since the name of the group should (of course) not be the name of the 
> user...?

I'm not sure that I understand that.

Do you want to create a group that is "personal" for each user? E.g. 
user "foo" will have group "foo-group", user "bar" will have group 
"bar-group", etc. If that is the case then simply create a new 
projection for the user on the same resource: add a new construction to 
the role/metarole that gives the account to the user. A user can have 
any number of projections on one resource as long as each projection has 
a different kind+intent combination.

Or are you trying to create a group that is not "personal" to a user? A 
group that is shared by several users, but is created "on demand" when 
the first user is assigned to it? If that is the case you need to have 
an object in midPoint that has the same lifecycle as the group. This can 
be a role, org or service (let's assume it is a role). And instead of 
trying to create the group directly, create the midPoint role instead. 
One elegant way to do this is to use the assignmentTargetSearch 
expression with the "create on demand" feature. See here:
https://wiki.evolveum.com/display/midPoint/Expression#Expression-AssignmentTargetSearch
... and it is used in a full example here:
https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test
Once that on-demand role is created you can easily create the group as a 
projection of this role. And you can use the associationFromLink 
expression to add users to that group.

-- 
Radovan Semancik
Software Architect
evolveum.com
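The pieces named in the reply (an on-demand role created by assignmentTargetSearch, the group as that role's own projection, users added through associationFromLink), put together as one added example. This is my illustration, not code from this thread or from the midPoint project. It assumes a resource with OID 10000000-0000-0000-0000-000000000001 whose schema handling defines an entitlement intent "group" named by ri:cn and an account intent "default" with an association ri:group, a hypothetical user extension property groupName that names the group the user should land in, and the metarole OID shown; all OIDs and attribute names are made up, and the element layout follows the common-3 schema as used in midPoint of that era.

```xml
<!-- Added example (not from the thread or midPoint itself). Assumed: resource OID
     10000000-0000-0000-0000-000000000001 with entitlement intent "group" (naming
     attribute ri:cn) and account intent "default" (association ri:group);
     user extension property "groupName"; metarole OID below. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- 1. Metarole. Order-1 inducement applies to the role that assigns this
          metarole: that role gets the AD group as its own projection, so the
          group shares the role's lifecycle and owner. Order-2 inducement applies
          to users holding such a role: they get an account and are put into
          the group via the role's linked group shadow. -->
  <role oid="2a6ef1a0-0000-0000-0000-000000000001">
    <name>Group Metarole</name>
    <inducement>
      <construction>
        <resourceRef oid="10000000-0000-0000-0000-000000000001" type="c:ResourceType"/>
        <kind>entitlement</kind>
        <intent>group</intent>
        <attribute>
          <ref>ri:cn</ref>
          <outbound>
            <!-- $focus is the on-demand role here, not the user -->
            <expression><path>$focus/name</path></expression>
          </outbound>
        </attribute>
      </construction>
      <order>1</order>
    </inducement>
    <inducement>
      <construction>
        <resourceRef oid="10000000-0000-0000-0000-000000000001" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
          <ref>ri:group</ref>
          <outbound>
            <expression>
              <!-- pick the entitlement/group shadow linked to the role on the
                   assignment path (user -> role -> metarole) -->
              <associationFromLink>
                <projectionDiscriminator>
                  <kind>entitlement</kind>
                  <intent>group</intent>
                </projectionDiscriminator>
              </associationFromLink>
            </expression>
          </outbound>
        </association>
      </construction>
      <order>2</order>
    </inducement>
  </role>

  <!-- 2. User template: look up the role named by extension/groupName; if it does
          not exist yet, create it on demand, already assigned to the metarole,
          and assign it to the user. The first user thus creates the group. -->
  <objectTemplate oid="2a6ef1a0-0000-0000-0000-000000000002">
    <name>User Template</name>
    <mapping>
      <name>group-role-on-demand</name>
      <strength>strong</strength>
      <source><path>extension/groupName</path></source>
      <expression>
        <assignmentTargetSearch>
          <targetType>RoleType</targetType>
          <filter>
            <q:equal>
              <q:path>name</q:path>
              <expression><path>$groupName</path></expression>
            </q:equal>
          </filter>
          <createOnDemand>true</createOnDemand>
          <populateObject>
            <populateItem>
              <expression><path>$groupName</path></expression>
              <target><path>name</path></target>
            </populateItem>
            <populateItem>
              <expression>
                <value>
                  <targetRef oid="2a6ef1a0-0000-0000-0000-000000000001" type="c:RoleType"/>
                </value>
              </expression>
              <target><path>assignment</path></target>
            </populateItem>
          </populateObject>
        </assignmentTargetSearch>
      </expression>
      <target><path>assignment</path></target>
    </mapping>
  </objectTemplate>
</objects>
```

Two things worth checking when adapting this. First, the group is created with the role as its owner, so deleting the role (or unassigning the metarole from it) is what removes the group; no user-level construction ever names the group directly, which is exactly the accountability the reply asks for. Second, the "personal" group variant in the reply needs none of the on-demand machinery: put the entitlement construction straight into the user's role with a distinct intent and derive ri:cn from the user's own name, and keep the kind+intent pair different from the account construction on the same resource.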
