[midPoint] Shadow Object update issue

Martin Herbert martinh at tahzoo.com
Mon Sep 5 17:04:49 CEST 2016


Hi Ivan,

So this is the main meta role we use to determine which Domain an account belongs to.

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="aef77645-a406-4598-be2e-6c7217944fe1"
      version="74">
   <name>Metarole for groups</name>
   <metadata>
      <createTimestamp>2016-07-01T13:16:03.549Z</createTimestamp>
      <creatorRef oid="a507b312-69a5-422a-852a-3d1d5f1f02b9" type="c:UserType"><!-- admin.dm --></creatorRef>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
   </metadata>
   <inducement id="1">
      <construction>
         <resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa" type="c:ResourceType"><!-- Active Directory eu1.tahzooint.com (LDAP) --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
      <condition>
         <source>
            <c:path>$immediateRole/roleType</c:path>
         </source>
         <expression>
            <script>
               <code>roleType != "system"</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="2">
      <construction>
         <resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa" type="c:ResourceType"><!-- Active Directory eu1.tahzooint.com (LDAP) --></resourceRef>
         <kind>account</kind>
         <intent>user</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <source>
            <c:path>$user/organizationalUnit</c:path>
         </source>
         <expression>
            <script>
               <code>organizationalUnit.toString() == 'Employees Delft' || organizationalUnit.toString() ==  'Employees Milton Keynes' || organizationalUnit.toString() ==  'Employees Maarssen' || organizationalUnit.toString() ==  'Employees Borlange' || organizationalUnit.toString() ==  'Contractors EXLRT' || organizationalUnit.toString() ==  'Contractors EU' || organizationalUnit.toString() ==  'Customers EU'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="4">
      <construction>
         <resourceRef oid="f8939b78-2bd6-4eb4-b886-548b414ae9ff" type="c:ResourceType"><!-- Active Directory NA1.tahzooint.com (LDAP) --></resourceRef>
         <kind>account</kind>
         <intent>user</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <source>
            <c:path>$user/organizationalUnit</c:path>
         </source>
         <expression>
            <script>
               <code>organizationalUnit.toString() == 'Employees DC' || organizationalUnit.toString() ==  'Employees Richmond' || organizationalUnit.toString() ==  'Contractors USEast' || organizationalUnit.toString() == 'Customers USEast'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="6">
      <construction>
         <resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f" type="c:ResourceType"><!-- Active Directory NA2.tahzooint.com (LDAP) --></resourceRef>
         <kind>account</kind>
         <intent>user</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <source>
            <c:path>$immediateRole/organizationalUnit</c:path>
         </source>
         <expression>
            <script>
               <code>organizationalUnit.toString() == 'Employees Seattle' || organizationalUnit.toString() ==  'Contractors USWest' || organizationalUnit.toString() ==  'Customers USWest'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="3">
      <construction>
         <resourceRef oid="f8939b78-2bd6-4eb4-b886-548b414ae9ff" type="c:ResourceType"><!-- Active Directory NA1.tahzooint.com (LDAP) --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
      <condition>
         <source>
            <c:path>$immediateRole/roleType</c:path>
         </source>
         <expression>
            <script>
               <code>roleType != 'system'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="5">
      <construction>
         <resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f" type="c:ResourceType"><!-- Active Directory NA2.tahzooint.com (LDAP) --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
      <condition>
         <source>
            <c:path>$immediateRole/roleType</c:path>
         </source>
         <expression>
            <script>
               <code>roleType != 'system'</code>
            </script>
         </expression>
      </condition>
   </inducement>
</role>
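
As an added example (not part of the thread, and not midPoint's own tooling), a small Python check that reads a role like the one above and lists, per inducement, what it constructs and which variable its condition reads; it also flags where parallel account inducements disagree on that variable, as inducements 2 and 4 ($user/organizationalUnit) and 6 ($immediateRole/organizationalUnit) do in the posted role. The embedded XML is a constructed, shortened copy of that role, and the function names are mine.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"  # common-3; "c:" maps here too

# Constructed, shortened copy of the posted metarole: two of its account inducements.
ROLE_XML = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Metarole for groups</name>
  <inducement id="2">
    <construction><resourceRef oid="58535b46-2326-4b4e-9d9c-67c8cfa8fdfa" type="c:ResourceType"/>
      <kind>account</kind><intent>user</intent></construction>
    <order>2</order>
    <condition><source><c:path>$user/organizationalUnit</c:path></source>
      <expression><script><code>organizationalUnit.toString() == 'Employees Delft'</code></script></expression>
    </condition>
  </inducement>
  <inducement id="6">
    <construction><resourceRef oid="9ebeffc4-d1ce-4e6e-8077-4a77883cb04f" type="c:ResourceType"/>
      <kind>account</kind><intent>user</intent></construction>
    <order>2</order>
    <condition><source><c:path>$immediateRole/organizationalUnit</c:path></source>
      <expression><script><code>organizationalUnit.toString() == 'Employees Seattle'</code></script></expression>
    </condition>
  </inducement>
</role>"""

def summarize(role_xml):
    """One dict per inducement: what it constructs and which variable its condition reads."""
    rows = []
    for ind in ET.fromstring(role_xml).findall(f"{C}inducement"):
        con = ind.find(f"{C}construction")
        rows.append({
            "id": ind.get("id"),
            "resource": con.find(f"{C}resourceRef").get("oid"),
            "kind": con.findtext(f"{C}kind"),
            "intent": con.findtext(f"{C}intent"),
            "order": ind.findtext(f"{C}order"),  # None when the element is absent
            "source": ind.findtext(f"{C}condition/{C}source/{C}path"),
        })
    return rows

def mixed_condition_sources(rows):
    """Inducement id -> condition variable ($user, $immediateRole, ...) for account
    constructions, returned only when they disagree; an empty dict means consistent."""
    by_id = {r["id"]: r["source"].split("/")[0]
             for r in rows if r["kind"] == "account" and r["source"]}
    return by_id if len(set(by_id.values())) > 1 else {}
```

Run against the full role to get one row per inducement; a non-empty result from the second function is a prompt to review which variable the conditions were meant to read, not a verdict on the configuration.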

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Organization: Evolveum, s.r.o.
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Monday, 5 September 2016 at 15:57
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Shadow Object update issue


Hi Martin,

could you please share one of the roles which you assign for AD? Or at least mappings to show how you compute associations (associationTargetSearch)?
Thanks,
Ivan
On 09/05/2016 04:43 PM, Martin Herbert wrote:
Hi Guys,

We’ve successfully implemented midPoint into our production environment with multiple Active Directory domains.  However, when user accounts are updated for any piece of information (password, assignment or otherwise) midPoint automatically appears to update all shadow object associations on the AD environment.

This is causing us a fair amount of issues, as a number of our users have in excess of 30 assignments with various AD groups and any level of change takes a number of minutes.  Even a password change takes a long time to complete.  Is there a way to stop this update of all assignments/projections with every change and just handle that during a re-synchronise task say at the end of each day?

Thanks

Martin Herbert
Hosting Manager / Head of IT & Hosting Services
M: +44 7862 993 003
E: martinh at tahzoo.com | W: www.tahzoo.com
A: 399 Silbury Blvd, Milton Keynes, MK9 2AH

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint



--
Ivan Noris
Senior Identity Engineer
evolveum.com