[midPoint] AD disable account on unlink
Jaakko Leskinen
jaakko.leskinen at qvantel.com
Thu Apr 20 10:54:43 CEST 2017
Hi Ivan,
Thanks for clarifying this. I was heading to that conclusion as well after reading some more about assignments and projections. The “disable instead of delete” is applicable only when roles are used. We just were not quite there yet and had no roles defined ☺I will setup some roles and do the tests but I assume it will work as described.
I will have to see how your recommendations about restricting the administration of projections fit to our scenario.
Thanks for such a clear and prompt response!
Best regards,
Jaakko
--
Jaakko Leskinen
System Developer / Team Lead
Qvantel
Piippukatu 11
FI-40100 Jyväskylä, Finland
+358 44 977 3829
jaakko.leskinen at qvantel.com<mailto:jaakko.leskinen at qvantel.com>
www.qvantel.com<http://www.qvantel.com/>
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Organization: Evolveum, s.r.o.
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Thursday, 20 April 2017 at 9.58
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] AD disable account on unlink
Hi Jaakko,
if you have disabled the delete capability for AD resource, midpoint will never allow delete operation for any object in AD (not just accounts, but anything, the setting is (for now) resource-specific). Any attempt to do so will result in "Operation not supported" exception in midPoint.
The Disable instead of Delete (https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete) works for unassignment: if you have that configured, and you unassign all roles giving AD account from the user, the account will be not deleted (which is default) but disabled instead. But this feature works only for unassignment. The attempt to unassign (last) role will "convert" the operation from delete to disable.
If you try to delete projection or unlink, it will be not converted to "disable" operation. I'm not aware of such feature yet - unless my coleagues who work hard on upcoming 3.6 release know better.
I can suggest the following: use the "disable instead of delete" operation + disable delete capability for AD resource + set authorization roles for your midPoint administrators so that they cannot delete the projection (delete operation on ShadowType objects).
Would this cover your scenario? (This is basically what I'm proposing for my customer with older midPoint 3.4.x).
Best regards,
Ivan
On 04/20/2017 08:16 AM, Jaakko Leskinen wrote:
Hello all,
I have tried to search high and low but, alas, my Google-fu has failed me. So, please excuse me and feel free to point me to the applicable documentation if I have indeed missed this one :)
Now that being said, I am having hard time figuring out how to disable AD accounts when the projection is deleted or unlinked? Should this be possible?
The authoritative data flow is somewhat standard I would suspect: HR system > MidPoint > AD - meaning that we will never create user objects from AD accounts, enforce attributes from MidPoint to AD and user objects in MidPoint are created, and their status updated, based on what we have in the HR system (unless we override something in MidPoint).
In essence, what I am trying accomplish, is to provision new accounts in AD with MidPoint but I do not want to ever delete a single account from the AD resource. In all imaginable situations the AD account, once provisioned, should never get deleted.
Using MidPoint 3.5 and Active Directory with com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.4.3.
My resource definition:
<projection>
<assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement>
<legalize>false</legalize>
</projection>
…
<cap:delete>
<cap:enabled>false</cap:enabled>
</cap:delete>
</configured>
</capabilities>
…
<activation>
<existence>
<outbound>
<strength>weak</strength>
<expression>
<c:path>$focusExists</c:path>
</expression>
</outbound>
</existence>
<administrativeStatus>
<outbound>
<strength>strong</strength>
<expression>
<script>
<code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
if (legal) {
input;
} else {
ActivationStatusType.DISABLED;
}
</code>
</script>
</expression>
</outbound>
</administrativeStatus>
<validFrom>
<outbound/>
</validFrom>
<validTo>
<outbound/>
</validTo>
</activation>
From our upstream HR system we have:
<activation>
<existence>
<inbound>
<expression>
<asIs/>
</expression>
</inbound>
</existence>
<administrativeStatus>
<inbound>
<strength>weak</strength>
<source>
<c:path>$c:account/c:attributes/ri:ad_status</c:path>
</source>
<expression>
<script>
<code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
if (ad_status == 1) {
null;
} else {
ActivationStatusType.DISABLED;
}
</code>
</script>
</expression>
</inbound>
</administrativeStatus>
<validFrom>
<inbound>
<strength>weak</strength>
</inbound>
</validFrom>
</activation>
I have tested unlinking and deleting the projection explicitly from a given user in the MidPoint GUI and the AD account gets never disabled. It just sits there enabled or if I change the policy and enable resource delete capability, the account will get removed (as expected).
Thanks!
With best regards,
Jaakko Leskinen
--
Jaakko Leskinen
System Developer / Team Lead
Qvantel
Piippukatu 11
FI-40100 Jyväskylä, Finland
+358 44 977 3829
jaakko.leskinen at qvantel.com<mailto:jaakko.leskinen at qvantel.com>
www.qvantel.com<http://www.qvantel.com/>
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170420/adc7a220/attachment.htm>
More information about the midPoint
mailing list