[midPoint] How to specify multiple object template ref in sync rules
HURTEVENT VINCENT
vincent.hurtevent at univ-lyon1.fr
Wed Oct 5 17:10:52 CEST 2016
Working with intents seems to be the perfect solution, and will also allow us to create, when needed, multiple accounts in our directories for one identity (staff account, student account, guest account, super user account, etc).
We’ll try this !
Thank you !
> Le 5 oct. 2016 à 16:58, Ivan Noris <Ivan.Noris at evolveum.com> a écrit :
>
> Hi Vincent,
>
> you could define multiple synchronization policies for the same resource if you can distinguish between the accounts and configure them as different intents. Then, for each intent you can have diferent synchronization policies including object template reference.
>
> Example (from the training) - only <synchronization> part, schemaHandling for both intents must be also defined with mappings.
> I have defined two intents. One is default, the other is "test" account. The accounts differ by username - test accounts always start with underscore (_). This is used to distinguish the intents, see the conditions in <objectSynchronization> parts.
>
>
> ...
> <synchronization>
> <objectSynchronization>
> <!--
> The synchronization for this resource is enabled.
> It means that the synchronization will react to changes detected by
> the system (live sync task, discovery or reconciliation) -->
> <name>Default account</name>
> <!--<objectClass>ri:AccountObjectClass</objectClass>-->
> <kind>account</kind>
> <intent>default</intent>
> <enabled>true</enabled>
>
> <condition>
> <script>
> <code>
> import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
> // name = basic.lc(shadow.getName().toString())
> name = basic.getAttributeValue(shadow, ICFS_NAME)
> //log.info("XXX Synchronization condition for account/default; name (getName()) = {}; name (getAttributeValue) = {}; evaluated to {}", shadow.getName(), name, !name?.startsWith('_'))
> return !name?.startsWith('_')
> </code>
> </script>
> </condition>
> <correlation>
> <q:description>
> Correlation expression is a search query.
> Following search queury will look for users that have "employeeNumber"
> equal to the "enumber" attribute of the account.
> The condition will ensure that "enumber" is not
> empty, otherwise it would match any midPoint user
> with empty "employeeNumber" attribute, such as "administrator".
> The correlation rule by default looks for users, so it will not match
> any other object type.
> </q:description>
> <q:equal>
> <q:path>c:employeeNumber</q:path>
> <expression>
> <path>$account/attributes/ri:enumber</path>
> </expression>
> </q:equal>
> <condition>
> <script>
> <code>basic.getAttributeValue(shadow, 'enumber') != null</code>
> </script>
> </condition>
> </correlation>
>
> <reaction>
> <situation>linked</situation>
> <synchronize>true</synchronize>
> </reaction>
> <reaction>
> <situation>deleted</situation>
> <synchronize>true</synchronize>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unlinked</situation>
> <synchronize>true</synchronize>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unmatched</situation>
> <synchronize>true</synchronize>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri>
> </action>
> </reaction>
> </objectSynchronization>
> <objectSynchronization>
> <!--
> The synchronization for this resource is enabled.
> It means that the synchronization will react to changes detected by
> the system (live sync task, discovery or reconciliation).
> The test account has name starting with "_". -->
> <name>Test account</name>
> <!--<objectClass>ri:AccountObjectClass</objectClass>-->
> <kind>account</kind>
> <intent>test</intent>
> <enabled>true</enabled>
> <condition>
> <script>
> <code>
> import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
> // name = basic.lc(shadow.getName().toString())
> name = basic.getAttributeValue(shadow, ICFS_NAME)
> //log.info("XXX Synchronization condition for account/test; name (getName()) = {}; name (getAttribute) = {}; evaluated to {}", shadow.getName(), name, name.startsWith('_'))
> return name?.startsWith('_')
> </code>
> </script>
> </condition>
>
> <correlation>
> <q:description>
> Correlation expression is a search query.
> Following search queury will look for users that have "name"
> equal to the account name without the first character. We assume that
> the first character is "_" because of the condition above.
> The correlation rule by default looks for users, so it will not match
> any other object type.
> </q:description>
> <q:equal>
> <q:matching>polyStringNorm</q:matching>
> <q:path>c:name</q:path>
> <expression>
> <script>
> <code>
> n = shadow.getName().toString()
> n.substring(1)
> </code>
> </script>
> </expression>
> </q:equal>
> </correlation>
>
> <reaction>
> <situation>linked</situation>
> <synchronize>true</synchronize>
> </reaction>
> <reaction>
> <situation>deleted</situation>
> <synchronize>true</synchronize>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unlinked</situation>
> <synchronize>true</synchronize>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unmatched</situation>
> <synchronize>true</synchronize>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri>
> </action>
> </reaction>
> </objectSynchronization>
> </synchronization>
> ...
>
> I'm not using object templates here, but this is from my real project:
> ...
> <reaction>
> <situation>deleted</situation>
> <synchronize>true</synchronize>
> <objectTemplateRef oid="73e2560a-fd87-11e5-839d-3c970e44b9e2"/>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus</handlerUri>
> </action>
> </reaction>
>
> ...
>
> That template was referenced everytime deleted account was discovered, midPoint would disable it and execute the template (to set some additional attributes of that user).
>
> Hope this helps.
> Regards
> Ivan
>
> From: "HURTEVENT VINCENT" <vincent.hurtevent at univ-lyon1.fr>
> To: midpoint at lists.evolveum.com
> Sent: Wednesday, October 5, 2016 3:02:49 PM
> Subject: [midPoint] How to specify multiple object template ref in sync rules
>
> Hello,
>
> We are still working on Midpoint in order to replace our current IDM solution.
>
> We have a first ressource which our main data source ressource with all our people (staff, students, etc). Actually it’s only one table.
>
> We would like to have distinct rules for each of our people category, i.e., rules for staff, different rules for student, etc.
> The object template seems to be the right solution, with one object template for each category BUT we don’t know how to use different objet templates in the same reaction (unmatched->addFocus).
>
> Is it possible ? Or do we need to split people upstream, in our database (one table per people category) ? Ressource configuration (WHERE clause) ?
>
> Have multiple ressources pointing to the same database/table without select specific category will result to bad perf IMO, each import task will have to crawl the whole database/table.
>
> Thank you !
>
>
>
> —
> Vincent Hurtevent
> Direction du Système d’Information
> Université Claude Bernard Lyon 1
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161005/359e93e7/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3520 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161005/359e93e7/attachment.bin>
More information about the midPoint
mailing list