[midPoint] AD disable account on unlink

Ivan Noris ivan.noris at evolveum.com
Thu Apr 20 11:01:10 CEST 2017


Hi Jaakko,

Yes, the best would be when you play with it a little.

One particularly important thing about roles (or assignments in general)
is that if you only add projections, midPoint knows whether the account
exists or not, but you cannot specify whether it should exist or not.
Assignments are exactly for this: if you assign a role (account) to a
midPoint user, that account should exist. If there is a projection for
that account, everything is OK. If the account is missing and midPoint
has an assignment for it, it can be recreated, because that's the
policy - it should exist. If you unassign a role, again it's the policy
which says whether the account should be deleted or disabled.

So the roles are good :-)

Best regards,

Ivan


On 04/20/2017 10:54 AM, Jaakko Leskinen wrote:
>
> Hi Ivan,
>
>  
>
> Thanks for clarifying this. I was heading to that conclusion as well
> after reading some more about assignments and projections. The
> “disable instead of delete” is applicable only when roles are used. We
> just were not quite there yet and had no roles defined ☺ I will set up
> some roles and do the tests, but I assume it will work as described.
>
>  
>
> I will have to see how your recommendations about restricting the
> administration of projections fit our scenario.
>
>  
>
> Thanks for such a clear and prompt response!
>
>  
>
> Best regards,
>
> Jaakko
>
>  
>
>  
>
>  
>
> -- 
>
> Jaakko Leskinen
> System Developer / Team Lead
> Qvantel
> Piippukatu 11
> FI-40100 Jyväskylä, Finland
> +358 44 977 3829
> jaakko.leskinen at qvantel.com <mailto:jaakko.leskinen at qvantel.com>
> www.qvantel.com <http://www.qvantel.com/>
>
>  
>
>  
>
> *From: *midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Ivan Noris <ivan.noris at evolveum.com>
> *Organization: *Evolveum, s.r.o.
> *Reply-To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Date: *Thursday, 20 April 2017 at 9.58
> *To: *"midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] AD disable account on unlink
>
>  
>
> Hi Jaakko,
>
> if you have disabled the delete capability for the AD resource, midPoint
> will never allow a delete operation for any object in AD (not just
> accounts, but anything; the setting is (for now) resource-specific).
> Any attempt to do so will result in an "Operation not supported"
> exception in midPoint.
>
> The Disable instead of Delete
> (https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete)
> works for unassignment: if you have that configured and you unassign
> all roles giving the AD account from the user, the account will not be
> deleted (which is the default) but disabled instead. But this feature
> works only for unassignment. The attempt to unassign the (last) role will
> "convert" the operation from delete to disable.
>
> If you try to delete the projection or unlink it, it will not be converted
> to a "disable" operation. I'm not aware of such a feature yet - unless my
> colleagues who work hard on the upcoming 3.6 release know better.
>
> I can suggest the following: use the "disable instead of delete"
> operation + disable the delete capability for the AD resource + set up
> authorization roles for your midPoint administrators so that they
> cannot delete the projection (delete operation on ShadowType objects).
>
> Would this cover your scenario? (This is basically what I'm proposing
> for my customer with older midPoint 3.4.x).
>
> Best regards,
>
> Ivan
>
>  
>
> On 04/20/2017 08:16 AM, Jaakko Leskinen wrote:
>
>     Hello all,
>
>      
>
>     I have tried to search high and low but, alas, my Google-fu has
>     failed me. So, please excuse me and feel free to point me to the
>     applicable documentation if I have indeed missed this one :)
>
>      
>
>     Now that being said, I am having a hard time figuring out how to
>     disable AD accounts when the projection is deleted or unlinked.
>     Should this be possible?
>
>      
>
>     The authoritative data flow is somewhat standard, I would suspect:
>     HR system > MidPoint > AD - meaning that we will never create user
>     objects from AD accounts, we enforce attributes from MidPoint to AD,
>     and user objects in MidPoint are created, and their status
>     updated, based on what we have in the HR system (unless we
>     override something in MidPoint).
>
>      
>
>     In essence, what I am trying to accomplish is to provision new
>     accounts in AD with MidPoint, but I do not want to ever delete a
>     single account from the AD resource. In all imaginable situations
>     the AD account, once provisioned, should never get deleted.
>
>      
>
>     Using MidPoint 3.5 and Active Directory with
>     com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.4.3.
>
>      
>
>     My resource definition:
>
>        <projection>
>           <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement>
>           <legalize>false</legalize>
>        </projection>
>>
>              <cap:delete>
>                 <cap:enabled>false</cap:enabled>
>              </cap:delete>
>           </configured>
>        </capabilities>
>>
>              <activation>
>                 <existence>
>                    <outbound>
>                       <strength>weak</strength>
>                       <expression>
>                          <c:path>$focusExists</c:path>
>                       </expression>
>                    </outbound>
>                 </existence>
>                 <administrativeStatus>
>                    <outbound>
>                       <strength>strong</strength>
>                       <expression>
>                          <script>
>                             <code>
>                                import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>                                if (legal) {
>                                    input;
>                                } else {
>                                    ActivationStatusType.DISABLED;
>                                }
>                             </code>
>                          </script>
>                       </expression>
>                    </outbound>
>                 </administrativeStatus>
>                 <validFrom>
>                    <outbound/>
>                 </validFrom>
>                 <validTo>
>                    <outbound/>
>                 </validTo>
>              </activation>
>
>      
>
>     From our upstream HR system we have:
>
>     <activation>
>        <existence>
>           <inbound>
>              <expression>
>                 <asIs/>
>              </expression>
>           </inbound>
>        </existence>
>        <administrativeStatus>
>           <inbound>
>              <strength>weak</strength>
>              <source>
>                 <c:path>$c:account/c:attributes/ri:ad_status</c:path>
>              </source>
>              <expression>
>                 <script>
>                    <code>
>                       import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>                       if (ad_status == 1) {
>                           null;
>                       } else {
>                           ActivationStatusType.DISABLED;
>                       }
>                    </code>
>                 </script>
>              </expression>
>           </inbound>
>        </administrativeStatus>
>        <validFrom>
>           <inbound>
>              <strength>weak</strength>
>           </inbound>
>        </validFrom>
>     </activation>
>
>      
>
>     I have tested unlinking and deleting the projection explicitly
>     from a given user in the MidPoint GUI, and the AD account never
>     gets disabled. It just sits there enabled, or if I change the
>     policy and enable the resource delete capability, the account will
>     get removed (as expected).
>
>      
>
>     Thanks!
>
>      
>
>     With best regards,
>
>     Jaakko Leskinen
>
>      
>
>      
>
>     -- 
>
>     Jaakko Leskinen
>     System Developer / Team Lead
>     Qvantel
>     Piippukatu 11
>     FI-40100 Jyväskylä, Finland
>     +358 44 977 3829
>     jaakko.leskinen at qvantel.com <mailto:jaakko.leskinen at qvantel.com>
>     www.qvantel.com <http://www.qvantel.com/>
>
>      
>
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
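As an added illustration (not taken from this thread, the midPoint wiki or the project's own samples), here are the two objects that Ivan's advice implies but nobody in the thread posts: a role whose inducement makes the AD account the consequence of an assignment, so that unassigning it (rather than unlinking or deleting the projection) is what feeds `legal` into the existence/administrativeStatus mappings quoted above, and an administrator role that explicitly denies the delete action on ShadowType. The resource OID, the role names and the remark about the admin role's other authorizations are assumptions; only the namespace, element names and the delete action URI are real midPoint identifiers.

```xml
<!-- Added example, not from the mailing-list thread. PLACEHOLDER-* values are not real OIDs. -->

<!-- 1. Business role that "owns" the AD account. Assigning it creates the
        account; unassigning it makes `legal` false, and because the resource's
        existence mapping is weak ($focusExists) while administrativeStatus is
        strong, the account is kept and set to DISABLED instead of deleted. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>AD account (assumed name)</name>
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-AD-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
        </construction>
    </inducement>
</role>

<!-- 2. Role for midPoint administrators: whatever else they may do, they
        cannot delete a shadow, i.e. remove a projection through the GUI or
        the API. Combine it with the resource's disabled delete capability
        (cap:delete/cap:enabled=false) so the guard exists on both layers. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Helpdesk administrator (assumed name)</name>
    <authorization>
        <name>no-shadow-delete</name>
        <decision>deny</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>
    <!-- The allow authorizations this role needs for day-to-day work
         (read/modify users, read shadows, ...) are assumed to go here. -->
</role>
```

The deny is written as its own authorization rather than by simply leaving delete out of the allow list, so it keeps holding if the administrator later picks up another role that grants `#delete` or `#all`. To check the combination, assign the business role to a test user, confirm the AD account is created, then unassign it and verify in AD that the account still exists but is disabled; a separate attempt to delete the projection with the helpdesk role should be refused by authorization before the resource's capability setting is even consulted.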
