[midPoint] User reconcile after applying user template

Nicolas Rossi nrossi at identicum.com
Mon Jan 23 23:58:32 CET 2017


Hi Jason, we tried with your suggestion but it didn't work. We also tried
the recommendation of @Martin setting the evaluationPhase with the same
result.

But doing these tests we found something interesting: if the role is
assigned directly by OID it works fine, but if we use a filter based on an
attribute calculated by the same user template it doesn't work.

Working assignment:

    <mapping>
       <strength>strong</strength>
       <expression>
          <assignmentTargetSearch>
             <targetType>c:RoleType</targetType>
             <oid>00000000-0000-1de4-0004-000000000003</oid>
          </assignmentTargetSearch>
       </expression>
       <target>
          <c:path>assignment</c:path>
       </target>
    </mapping>

Assignment not propagated to the resource:

    <!-- Calculate the employeeType value -->
    <mapping>
       <strength>strong</strength>
       <expression>
          <value>FUNCIONARIO</value>
       </expression>
       <target>
          <c:path>employeeType</c:path>
       </target>
    </mapping>

    <!-- Use the employeeType value to find the role -->
    <mapping>
       <strength>strong</strength>
       <source>
          <c:path>employeeType</c:path>
       </source>
       <expression>
          <assignmentTargetSearch>
             <targetType>c:RoleType</targetType>
             <filter>
                <q:equal>
                   <q:path>c:identifier</q:path>
                   <expression>
                      <c:path>$employeeType</c:path>
                   </expression>
                </q:equal>
             </filter>
          </assignmentTargetSearch>
       </expression>
       <target>
          <c:path>assignment</c:path>
       </target>
    </mapping>


If I remove the first mapping (to get the employeeType value) and create a
new user with "FUNCIONARIO" as employeeType, it works fine. So I guess
there is an issue when the user template assigns a value to a target
attribute used by the role assignment rule. Any suggestions?


Regards,



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
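The symptom described in this thread (assignments present on the user, but no roleMembershipRef until a reconcile is run) can be checked on an exported user object. The script below is an added example, not code from the thread or from the midPoint project: it parses a user XML, collects the role OIDs referenced by assignment/targetRef, compares them with roleMembershipRef, and reports the assignments that have not yet been reflected. It assumes the midPoint common-3 namespace and the assignment/targetRef and roleMembershipRef element layout; the user OID and the second role OID in the sample are constructed placeholders, the first role OID is the one quoted above.

```python
"""Compare a midPoint user's assignments with its roleMembershipRef entries.

Added example (not from the mailing-list thread or the midPoint project).
Assumptions: the user is serialised in the common-3 namespace, role
assignments carry a <targetRef oid="..." type="...RoleType"/>, and the
computed membership is recorded as <roleMembershipRef> children of <user>.
"""
import xml.etree.ElementTree as ET

# Assumed midPoint common schema namespace.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample user: two role assignments, only one of which is
# already reflected in roleMembershipRef. The first role OID is the one
# quoted in the thread; the user OID and second role OID are placeholders.
SAMPLE_USER = """<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="11111111-1111-1111-1111-111111111111">
  <name>jdoe</name>
  <employeeType>FUNCIONARIO</employeeType>
  <assignment>
    <targetRef oid="00000000-0000-1de4-0004-000000000003" type="c:RoleType"/>
  </assignment>
  <assignment>
    <targetRef oid="22222222-2222-2222-2222-222222222222" type="c:RoleType"/>
  </assignment>
  <roleMembershipRef oid="00000000-0000-1de4-0004-000000000003" type="c:RoleType"/>
</user>
"""


def assigned_role_oids(root):
    """OIDs of roles referenced by the user's assignments (other target types are ignored)."""
    oids = set()
    for ref in root.findall("c:assignment/c:targetRef", NS):
        # The type attribute is a QName such as c:RoleType; compare on the local part.
        if ref.get("type", "").split(":")[-1] == "RoleType" and ref.get("oid"):
            oids.add(ref.get("oid"))
    return oids


def membership_oids(root):
    """OIDs already recorded in roleMembershipRef, i.e. what midPoint has evaluated."""
    return {ref.get("oid") for ref in root.findall("c:roleMembershipRef", NS) if ref.get("oid")}


def missing_memberships(user_xml):
    """Assigned role OIDs that have no matching roleMembershipRef yet, sorted."""
    root = ET.fromstring(user_xml)
    return sorted(assigned_role_oids(root) - membership_oids(root))


def stale_memberships(user_xml):
    """roleMembershipRef OIDs with no matching assignment, sorted (the reverse drift)."""
    root = ET.fromstring(user_xml)
    return sorted(membership_oids(root) - assigned_role_oids(root))


def needs_reconcile(user_xml):
    """True when assignments and recorded membership disagree in either direction."""
    return bool(missing_memberships(user_xml) or stale_memberships(user_xml))


if __name__ == "__main__":
    for oid in missing_memberships(SAMPLE_USER):
        print(f"assignment to role {oid} not yet in roleMembershipRef")
    for oid in stale_memberships(SAMPLE_USER):
        print(f"roleMembershipRef {oid} has no matching assignment")
    print("reconcile needed:", needs_reconcile(SAMPLE_USER))
```

Run it against a user exported from the repository (for example via the REST or GUI export) to confirm whether the missing roleMembershipRef is the cause of the account not being provisioned; a clean result after reconcile but a non-empty one right after the template runs matches the behaviour reported in the thread.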

On Mon, Jan 23, 2017 at 6:51 PM, Jason Everling <jeverling at bshp.edu> wrote:

> http://lists.evolveum.com/pipermail/midpoint/2015-February/000883.html
>
> JASON
>
> On Mon, Jan 23, 2017 at 3:44 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> Yes, that is what the wording says BUT... in our case, we would assign
>> the role automatically from template and the user would never be created on
>> the resource until a recon was run. After changing to 'Positive' it pushes
>> to the resource once the role is assigned.
>>
>> JASON
>>
>> On Mon, Jan 23, 2017 at 3:38 PM, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>>> Hi Jason, it seems that the difference between the 'relative' and
>>> 'positive' applies only when deleting accounts. In our example we are
>>> assigning new roles to users, not removing. On the user's xml we can see the
>>> assignments but it doesn't have the roleMembershipRef until we run a
>>> reconcile on the user.
>>>
>>> Is that the expected behaviour?
>>>
>>> Regards,
>>>
>>>
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> On Mon, Jan 23, 2017 at 2:09 PM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> You can also check the 'Assignment Policy Enforcement'. The default is
>>>> 'relative' and that was our issue; changing it to 'Positive' fixed it,
>>>>
>>>> https://wiki.evolveum.com/display/midPoint/Projection+Policy
>>>>
>>>> JASON
>>>>
>>>> On Mon, Jan 23, 2017 at 10:26 AM, Martin Lízner - AMI Praha a.s. <
>>>> martin.lizner at ami.cz> wrote:
>>>>
>>>>> Try to adjust:
>>>>>
>>>>> <evaluationPhase>beforeAssignments</evaluationPhase>
>>>>>
>>>>> Martin Lízner
>>>>> solution architect
>>>>>
>>>>> gsm: [+420] 737 745 571
>>>>> e-mail: martin.lizner at ami.cz
>>>>>
>>>>>
>>>>> AMI Praha a.s.
>>>>> Pláničkova 11
>>>>> 162 00 Praha 6
>>>>> tel.: [+420] 274 783 239
>>>>> web: www.ami.cz
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> By the text of this e-mail the signatory neither promises to conclude nor
>>>>> concludes any contract on behalf of AMI Praha a.s.
>>>>> Any contract, if concluded, must be exclusively in written form.
>>>>>
>>>>>
>>>>> 2017-01-23 17:06 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:
>>>>>
>>>>>> Hi guys, we have a User Template with a few mappings that assign Roles
>>>>>> to Users based on their attributes. It's a simple model copied from
>>>>>> here
>>>>>> <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-user.xml>
>>>>>> .
>>>>>>
>>>>>> The User Template is applied and the user receives the assignments,
>>>>>> but it is not propagated to the resources until I run a reconcile process
>>>>>> on it.
>>>>>>
>>>>>> Is there any way to configure the User Template to force a reconcile
>>>>>> after running all mappings? Or is that the expected behavior?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> Ing Nicolás Rossi
>>>>>> Identicum S.A.
>>>>>> Jorge Newbery 3226
>>>>>> Tel: +54 (11) 4552-3050
>>>>>> www.identicum.com
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>