[midPoint] User reconcile after applying user template

Jason Everling jeverling at bshp.edu
Tue Jan 24 01:10:06 CET 2017


Yes, that was also an issue within the same email thread,

https://jira.evolveum.com/browse/MID-2149






JASON

On Mon, Jan 23, 2017 at 4:58 PM, Nicolas Rossi <nrossi at identicum.com> wrote:

> Hi Jason, we tried with your suggestion but it didn't work. We also tried
> the recommendation of @Martin setting the evaluationPhase with the same
> result.
>
> But doing these tests we found something interesting: if the role is
> assigned directly by OID it works fine, but if we use a filter based on an
> attribute calculated by the same user template it doesn't work.
>
> Working assignment:
>
>    <mapping>
>       <strength>strong</strength>
>       <expression>
>          <assignmentTargetSearch>
>             <targetType>c:RoleType</targetType>
>             <oid>00000000-0000-1de4-0004-000000000003</oid>
>          </assignmentTargetSearch>
>       </expression>
>       <target>
>          <c:path>assignment</c:path>
>       </target>
>    </mapping>
>
> Assignment not propagated to the resource:
>
>    <!-- Calculate the employeeType value -->
>    <mapping>
>       <strength>strong</strength>
>       <expression>
>          <value>FUNCIONARIO</value>
>       </expression>
>       <target>
>          <c:path>employeeType</c:path>
>       </target>
>    </mapping>
>
>    <!-- Use the employeeType value to find the role -->
>    <mapping>
>       <strength>strong</strength>
>       <source>
>          <c:path>employeeType</c:path>
>       </source>
>       <expression>
>          <assignmentTargetSearch>
>             <targetType>c:RoleType</targetType>
>             <filter>
>                <q:equal>
>                   <q:path>c:identifier</q:path>
>                   <expression>
>                      <c:path>$employeeType</c:path>
>                   </expression>
>                </q:equal>
>             </filter>
>          </assignmentTargetSearch>
>       </expression>
>       <target>
>          <c:path>assignment</c:path>
>       </target>
>    </mapping>
>
>
> If I remove the first mapping (to get the employeeType value) and create a
> new user with "FUNCIONARIO" as employeeType, it works fine. So I guess
> there is an issue when the user template assigns a value to a target
> attribute used by the role assignment rule. Any suggestions?
>
>
> Regards,
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Mon, Jan 23, 2017 at 6:51 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> http://lists.evolveum.com/pipermail/midpoint/2015-February/000883.html
>>
>> JASON
>>
>> On Mon, Jan 23, 2017 at 3:44 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> Yes, that is what the wording says BUT... in our case, we would assign
>>> the role automatically from template and the user would never be created on
>>> the resource until a recon was run. After changing to 'Positive' it pushes
>>> to the resource once the role is assigned.
>>>
>>> JASON
>>>
>>> On Mon, Jan 23, 2017 at 3:38 PM, Nicolas Rossi <nrossi at identicum.com>
>>> wrote:
>>>
>>>> Hi Jason, it seems that the difference between the 'relative' and
>>>> 'positive' applies only when deleting accounts. In our example we are
>>>> assigning new roles to users, not removing them. In the user's XML we can see the
>>>> assignments but it doesn't have the roleMembershipRef until we run a
>>>> reconcile on the user.
>>>>
>>>> Is that the expected behaviour?
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>> Ing Nicolás Rossi
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4552-3050
>>>> www.identicum.com
>>>>
>>>> On Mon, Jan 23, 2017 at 2:09 PM, Jason Everling <jeverling at bshp.edu>
>>>> wrote:
>>>>
>>>>> You can also check the 'Assignment Policy Enforcement'. The default
>>>>> is 'relative' and that was our issue; changing it to 'Positive' fixed it,
>>>>>
>>>>> https://wiki.evolveum.com/display/midPoint/Projection+Policy
>>>>>
>>>>> JASON
>>>>>
>>>>> On Mon, Jan 23, 2017 at 10:26 AM, Martin Lízner - AMI Praha a.s. <
>>>>> martin.lizner at ami.cz> wrote:
>>>>>
>>>>>> Try to adjust:
>>>>>>
>>>>>> <evaluationPhase>beforeAssignments</evaluationPhase>
>>>>>>
>>>>>> Martin Lízner
>>>>>> solution architect
>>>>>>
>>>>>> gsm: [+420] 737 745 571
>>>>>> e-mail: martin.lizner at ami.cz
>>>>>>
>>>>>>
>>>>>> AMI Praha a.s.
>>>>>> Pláničkova 11
>>>>>> 162 00 Praha 6
>>>>>> tel.: [+420] 274 783 239
>>>>>> web: www.ami.cz
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> By the text of this e-mail, the signatory neither promises to conclude
>>>>>> nor concludes any contract on behalf of AMI Praha a.s.
>>>>>> Any contract, if concluded, must be exclusively in written form.
>>>>>>
>>>>>>
>>>>>> 2017-01-23 17:06 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:
>>>>>>
>>>>>>> Hi guys, we have a User Template with a few mappings that assign
>>>>>>> Roles to Users based on their attributes. It's a simple model copied from
>>>>>>> here
>>>>>>> <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-user.xml>
>>>>>>> .
>>>>>>>
>>>>>>> The User Template is applied and the user receives the assignments
>>>>>>> but they are not propagated to the resources until I run a reconcile process
>>>>>>> on it.
>>>>>>>
>>>>>>> Is there any way to configure the User Template to force a reconcile
>>>>>>> after running all mappings? Or is that the expected behavior?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>> Ing Nicolás Rossi
>>>>>>> Identicum S.A.
>>>>>>> Jorge Newbery 3226
>>>>>>> Tel: +54 (11) 4552-3050
>>>>>>> www.identicum.com
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>>
>>>>>>>
>