[midPoint] How to specify multiple object template ref in sync rules
Ivan Noris
Ivan.Noris at evolveum.com
Wed Oct 5 16:58:17 CEST 2016
Hi Vincent,
you could define multiple synchronization policies for the same resource if you can distinguish between the accounts and configure them as different intents. Then, for each intent you can have diferent synchronization policies including object template reference.
Example (from the training) - only <synchronization> part, schemaHandling for both intents must be also defined with mappings.
I have defined two intents. One is default, the other is "test" account. The accounts differ by username - test accounts always start with underscore (_). This is used to distinguish the intents, see the conditions in <objectSynchronization> parts.
...
<synchronization>
<objectSynchronization>
<!--
The synchronization for this resource is enabled.
It means that the synchronization will react to changes detected by
the system (live sync task, discovery or reconciliation) -->
<name>Default account</name>
<!--<objectClass>ri:AccountObjectClass</objectClass>-->
<kind>account</kind>
<intent>default</intent>
<enabled>true</enabled>
<condition>
<script>
<code>
import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
// name = basic.lc(shadow.getName().toString())
name = basic.getAttributeValue(shadow, ICFS_NAME)
//log.info("XXX Synchronization condition for account/default; name (getName()) = {}; name (getAttributeValue) = {}; evaluated to {}", shadow.getName(), name, !name?.startsWith('_'))
return !name?.startsWith('_')
</code>
</script>
</condition>
<correlation>
<q:description>
Correlation expression is a search query.
Following search queury will look for users that have "employeeNumber"
equal to the "enumber" attribute of the account.
The condition will ensure that "enumber" is not
empty, otherwise it would match any midPoint user
with empty "employeeNumber" attribute, such as "administrator".
The correlation rule by default looks for users, so it will not match
any other object type.
</q:description>
<q:equal>
<q:path>c:employeeNumber</q:path>
<expression>
<path>$account/attributes/ri:enumber</path>
</expression>
</q:equal>
<condition>
<script>
<code>basic.getAttributeValue(shadow, 'enumber') != null</code>
</script>
</condition>
</correlation>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
</reaction>
<reaction>
<situation>deleted</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri>
</action>
</reaction>
</objectSynchronization>
<objectSynchronization>
<!--
The synchronization for this resource is enabled.
It means that the synchronization will react to changes detected by
the system (live sync task, discovery or reconciliation).
The test account has name starting with "_". -->
<name>Test account</name>
<!--<objectClass>ri:AccountObjectClass</objectClass>-->
<kind>account</kind>
<intent>test</intent>
<enabled>true</enabled>
<condition>
<script>
<code>
import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
// name = basic.lc(shadow.getName().toString())
name = basic.getAttributeValue(shadow, ICFS_NAME)
//log.info("XXX Synchronization condition for account/test; name (getName()) = {}; name (getAttribute) = {}; evaluated to {}", shadow.getName(), name, name.startsWith('_'))
return name?.startsWith('_')
</code>
</script>
</condition>
<correlation>
<q:description>
Correlation expression is a search query.
Following search queury will look for users that have "name"
equal to the account name without the first character. We assume that
the first character is "_" because of the condition above.
The correlation rule by default looks for users, so it will not match
any other object type.
</q:description>
<q:equal>
<q:matching>polyStringNorm</q:matching>
<q:path>c:name</q:path>
<expression>
<script>
<code>
n = shadow.getName().toString()
n.substring(1)
</code>
</script>
</expression>
</q:equal>
</correlation>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
</reaction>
<reaction>
<situation>deleted</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri>
</action>
</reaction>
</objectSynchronization>
</synchronization>
...
I'm not using object templates here, but this is from my real project:
...
<reaction>
<situation>deleted</situation>
<synchronize>true</synchronize>
<objectTemplateRef oid="73e2560a-fd87-11e5-839d-3c970e44b9e2"/>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus</handlerUri>
</action>
</reaction>
...
That template was referenced everytime deleted account was discovered, midPoint would disable it and execute the template (to set some additional attributes of that user).
Hope this helps.
Regards
Ivan
----- Original Message -----
> From: "HURTEVENT VINCENT" <vincent.hurtevent at univ-lyon1.fr>
> To: midpoint at lists.evolveum.com
> Sent: Wednesday, October 5, 2016 3:02:49 PM
> Subject: [midPoint] How to specify multiple object template ref in sync rules
> Hello,
> We are still working on Midpoint in order to replace our current IDM
> solution.
> We have a first ressource which our main data source ressource with all our
> people (staff, students, etc). Actually it’s only one table.
> We would like to have distinct rules for each of our people category, i.e.,
> rules for staff, different rules for student, etc.
> The object template seems to be the right solution, with one object template
> for each category BUT we don’t know how to use different objet templates in
> the same reaction (unmatched->addFocus).
> Is it possible ? Or do we need to split people upstream, in our database (one
> table per people category) ? Ressource configuration (WHERE clause) ?
> Have multiple ressources pointing to the same database/table without select
> specific category will result to bad perf IMO, each import task will have to
> crawl the whole database/table.
> Thank you !
> —
> Vincent Hurtevent
> Direction du Système d’Information
> Université Claude Bernard Lyon 1
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161005/b0912763/attachment.htm>
More information about the midPoint
mailing list