[midPoint] How to specify multiple object template ref in sync rules
Ivan Noris
Ivan.Noris at evolveum.com
Wed Oct 5 17:19:58 CEST 2016
Hi Vincent,
the intents are exactly to support the "multiple accounts for the same user" feature. :)
Ivan
----- Original Message -----
> From: "HURTEVENT VINCENT" <vincent.hurtevent at univ-lyon1.fr>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Wednesday, October 5, 2016 5:10:52 PM
> Subject: Re: [midPoint] How to specify multiple object template ref in sync
> rules
> Working with intents seems to be the perfect solution, and will also allow us
> to create, when needed, multiple accounts in our directories for one
> identity (staff account, student account, guest account, super user account,
> etc).
> We'll try this!
> Thank you!
> > On 5 Oct 2016, at 16:58, Ivan Noris < Ivan.Noris at evolveum.com > wrote:
>
> > Hi Vincent,
>
> > you could define multiple synchronization policies for the same resource if
> > you can distinguish between the accounts and configure them as different
> > intents. Then, for each intent you can have different synchronization
> > policies including object template reference.
>
> > Example (from the training) - only <synchronization> part, schemaHandling
> > for both intents must be also defined with mappings.
>
> > I have defined two intents. One is default, the other is "test" account.
> > The accounts differ by username - test accounts always start with underscore
> > (_). This is used to distinguish the intents, see the conditions in
> > <objectSynchronization> parts.
>
> > ...
> > <synchronization>
> >   <objectSynchronization>
> >     <!--
> >       The synchronization for this resource is enabled.
> >       It means that the synchronization will react to changes detected by
> >       the system (live sync task, discovery or reconciliation) -->
> >     <name>Default account</name>
> >     <!--<objectClass>ri:AccountObjectClass</objectClass>-->
> >     <kind>account</kind>
> >     <intent>default</intent>
> >     <enabled>true</enabled>
> >     <condition>
> >       <script>
> >         <code>
> >           import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
> >           // name = basic.lc(shadow.getName().toString())
> >           name = basic.getAttributeValue(shadow, ICFS_NAME)
> >           // log.info ("XXX Synchronization condition for account/default; name (getName()) = {}; name (getAttributeValue) = {}; evaluated to {}", shadow.getName(), name, !name?.startsWith('_'))
> >           return !name?.startsWith('_')
> >         </code>
> >       </script>
> >     </condition>
> >     <correlation>
> >       <q:description>
> >         Correlation expression is a search query.
> >         Following search query will look for users that have "employeeNumber"
> >         equal to the "enumber" attribute of the account.
> >         The condition will ensure that "enumber" is not
> >         empty, otherwise it would match any midPoint user
> >         with empty "employeeNumber" attribute, such as "administrator".
> >         The correlation rule by default looks for users, so it will not match
> >         any other object type.
> >       </q:description>
> >       <q:equal>
> >         <q:path>c:employeeNumber</q:path>
> >         <expression>
> >           <path>$account/attributes/ri:enumber</path>
> >         </expression>
> >       </q:equal>
> >       <condition>
> >         <script>
> >           <code>basic.getAttributeValue(shadow, 'enumber') != null</code>
> >         </script>
> >       </condition>
> >     </correlation>
> >     <reaction>
> >       <situation>linked</situation>
> >       <synchronize>true</synchronize>
> >     </reaction>
> >     <reaction>
> >       <situation>deleted</situation>
> >       <synchronize>true</synchronize>
> >       <action>
> >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
> >       </action>
> >     </reaction>
> >     <reaction>
> >       <situation>unlinked</situation>
> >       <synchronize>true</synchronize>
> >       <action>
> >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
> >       </action>
> >     </reaction>
> >     <reaction>
> >       <situation>unmatched</situation>
> >       <synchronize>true</synchronize>
> >       <action>
> >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri>
> >       </action>
> >     </reaction>
> >   </objectSynchronization>
> >
> >   <objectSynchronization>
> >     <!--
> >       The synchronization for this resource is enabled.
> >       It means that the synchronization will react to changes detected by
> >       the system (live sync task, discovery or reconciliation).
> >       The test account has name starting with "_". -->
> >     <name>Test account</name>
> >     <!--<objectClass>ri:AccountObjectClass</objectClass>-->
> >     <kind>account</kind>
> >     <intent>test</intent>
> >     <enabled>true</enabled>
> >     <condition>
> >       <script>
> >         <code>
> >           import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
> >           // name = basic.lc(shadow.getName().toString())
> >           name = basic.getAttributeValue(shadow, ICFS_NAME)
> >           // log.info ("XXX Synchronization condition for account/test; name (getName()) = {}; name (getAttribute) = {}; evaluated to {}", shadow.getName(), name, name.startsWith('_'))
> >           return name?.startsWith('_')
> >         </code>
> >       </script>
> >     </condition>
> >     <correlation>
> >       <q:description>
> >         Correlation expression is a search query.
> >         Following search query will look for users that have "name"
> >         equal to the account name without the first character. We assume that
> >         the first character is "_" because of the condition above.
> >         The correlation rule by default looks for users, so it will not match
> >         any other object type.
> >       </q:description>
> >       <q:equal>
> >         <q:matching>polyStringNorm</q:matching>
> >         <q:path>c:name</q:path>
> >         <expression>
> >           <script>
> >             <code>
> >               n = shadow.getName().toString()
> >               n.substring(1)
> >             </code>
> >           </script>
> >         </expression>
> >       </q:equal>
> >     </correlation>
> >     <reaction>
> >       <situation>linked</situation>
> >       <synchronize>true</synchronize>
> >     </reaction>
> >     <reaction>
> >       <situation>deleted</situation>
> >       <synchronize>true</synchronize>
> >       <action>
> >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
> >       </action>
> >     </reaction>
> >     <reaction>
> >       <situation>unlinked</situation>
> >       <synchronize>true</synchronize>
> >       <action>
> >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
> >       </action>
> >     </reaction>
> >     <reaction>
> >       <situation>unmatched</situation>
> >       <synchronize>true</synchronize>
> >       <action>
> >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri>
> >       </action>
> >     </reaction>
> >   </objectSynchronization>
> > </synchronization>
> > ...
>
> > I'm not using object templates here, but this is from my real project:
>
> > ...
> > <reaction>
> >   <situation>deleted</situation>
> >   <synchronize>true</synchronize>
> >   <objectTemplateRef oid="73e2560a-fd87-11e5-839d-3c970e44b9e2"/>
> >   <action>
> >     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus</handlerUri>
> >   </action>
> > </reaction>
> > ...
>
> > That template was referenced every time a deleted account was discovered;
> > midPoint would disable it and execute the template (to set some additional
> > attributes of that user).
>
> > Hope this helps.
>
> > Regards
>
> > Ivan
>
> > ----- Original Message -----
>
> > > From: "HURTEVENT VINCENT" < vincent.hurtevent at univ-lyon1.fr >
> > > To: midpoint at lists.evolveum.com
> > > Sent: Wednesday, October 5, 2016 3:02:49 PM
> > > Subject: [midPoint] How to specify multiple object template ref in sync
> > > rules
> > >
> > > Hello,
> > >
> > > We are still working on midPoint in order to replace our current IDM
> > > solution.
> > >
> > > We have a first resource, which is our main data source resource, with all
> > > our people (staff, students, etc.). Actually it's only one table.
> > >
> > > We would like to have distinct rules for each of our people categories,
> > > i.e., rules for staff, different rules for students, etc.
> > >
> > > The object template seems to be the right solution, with one object
> > > template for each category BUT we don't know how to use different object
> > > templates in the same reaction (unmatched->addFocus).
> > >
> > > Is it possible? Or do we need to split people upstream, in our database
> > > (one table per people category)? Resource configuration (WHERE clause)?
> > >
> > > Having multiple resources pointing to the same database/table without
> > > selecting a specific category will result in bad performance IMO; each
> > > import task will have to crawl the whole database/table.
> > >
> > > Thank you!
> > >
> > > —
> > > Vincent Hurtevent
> > > Direction du Système d'Information
> > > Université Claude Bernard Lyon 1
> > >
> > > _______________________________________________
> > > midPoint mailing list
> > > midPoint at lists.evolveum.com
> > > http://lists.evolveum.com/mailman/listinfo/midpoint
>
> > --
> > Ivan Noris
> > Senior Identity Engineer
> > evolveum.com
--
Ivan Noris
Senior Identity Engineer
evolveum.com
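Putting the two pieces of the thread together for the case Vincent describes (one table, several people categories, one object template per category, all handled in the unmatched->addFocus reaction): the fragment below is an added example, not configuration from the original thread or from the midPoint project. The ri:category attribute and its 'staff'/'student' values, the ri:enumber correlation key and both template OIDs are placeholders assumed for the example; the correlation query and its non-empty check are the same pattern as in Ivan's training example.

```xml
<!-- Fragment of a resource definition: only the <synchronization> element is shown.
     Prefixes c:, q: and ri: are the ones used in the thread's example.
     ri:category, the values 'staff'/'student', ri:enumber and both OIDs are
     placeholders (assumptions of this example), not names from the thread. -->
<synchronization>
  <objectSynchronization>
    <name>Staff account</name>
    <kind>account</kind>
    <intent>staff</intent>
    <enabled>true</enabled>
    <!-- Intent selection. The conditions of all policies for this object class
         must be mutually exclusive, otherwise one row could be claimed by two intents. -->
    <condition>
      <script>
        <code>basic.getAttributeValue(shadow, 'category') == 'staff'</code>
      </script>
    </condition>
    <correlation>
      <q:equal>
        <q:path>c:employeeNumber</q:path>
        <expression>
          <path>$account/attributes/ri:enumber</path>
        </expression>
      </q:equal>
      <!-- Never correlate on an empty key: an empty value would match every user
           without employeeNumber, administrator included. -->
      <condition>
        <script>
          <code>basic.getAttributeValue(shadow, 'enumber') != null</code>
        </script>
      </condition>
    </correlation>
    <reaction>
      <situation>linked</situation>
      <synchronize>true</synchronize>
    </reaction>
    <reaction>
      <situation>unlinked</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
      </action>
    </reaction>
    <reaction>
      <situation>unmatched</situation>
      <synchronize>true</synchronize>
      <!-- Staff template, applied to the user that addFocus creates (placeholder OID). -->
      <objectTemplateRef oid="11111111-1111-4111-8111-111111111111"/>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
      </action>
    </reaction>
  </objectSynchronization>

  <objectSynchronization>
    <name>Student account</name>
    <kind>account</kind>
    <intent>student</intent>
    <enabled>true</enabled>
    <condition>
      <script>
        <code>basic.getAttributeValue(shadow, 'category') == 'student'</code>
      </script>
    </condition>
    <correlation>
      <q:equal>
        <q:path>c:employeeNumber</q:path>
        <expression>
          <path>$account/attributes/ri:enumber</path>
        </expression>
      </q:equal>
      <condition>
        <script>
          <code>basic.getAttributeValue(shadow, 'enumber') != null</code>
        </script>
      </condition>
    </correlation>
    <reaction>
      <situation>linked</situation>
      <synchronize>true</synchronize>
    </reaction>
    <reaction>
      <situation>unlinked</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
      </action>
    </reaction>
    <reaction>
      <situation>unmatched</situation>
      <synchronize>true</synchronize>
      <!-- Same situation, different template: this is the part that varies per intent (placeholder OID). -->
      <objectTemplateRef oid="22222222-2222-4222-8222-222222222222"/>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
      </action>
    </reaction>
  </objectSynchronization>
</synchronization>
```

Because both policies live on the same resource, a single import, live sync or reconciliation task walks the table once and each row is routed to one intent by the condition scripts, which addresses the performance concern about several resources crawling the same table. As Ivan notes, schemaHandling must still define an object type (with its mappings) for each intent. Two things to check before enabling this: the intent conditions must not overlap, and a row whose category matches neither condition is handled by neither policy, so the conditions should cover exactly the categories you intend to provision.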