[midPoint] User reconcile after applying user template

Nicolas Rossi nrossi at identicum.com
Tue Jan 24 02:28:55 CET 2017


Thank you Jason, that explains everything! We will try to move chained
rules to the resource's mappings and keep the User Template as clean as we
could.

Kind regards,



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Mon, Jan 23, 2017 at 9:10 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Yes, that was also an issue within the same email thread,
>
> https://jira.evolveum.com/browse/MID-2149
>
> JASON
>
> On Mon, Jan 23, 2017 at 4:58 PM, Nicolas Rossi <nrossi at identicum.com>
> wrote:
>
>> Hi Jason, we tried with your suggestion but it didn't work. We also tried
>> the recommendation of @Martin setting the evaluationPhase with the same
>> result.
>>
>> But doing these tests we found something interesting: if the role is
>> assigned directly by OID it works fine, but if we use a filter based on an
>> attribute calculated by the same user template it doesn't work.
>>
>> Working assignment:
>>
>>    <mapping>
>>       <strength>strong</strength>
>>       <expression>
>>          <assignmentTargetSearch>
>>             <targetType>c:RoleType</targetType>
>>             <oid>00000000-0000-1de4-0004-000000000003</oid>
>>          </assignmentTargetSearch>
>>       </expression>
>>       <target>
>>          <c:path>assignment</c:path>
>>       </target>
>>    </mapping>
>>
>> Assignment not propagated to the resource:
>>
>>    <!-- Calculate the employeeType value -->
>>    <mapping>
>>       <strength>strong</strength>
>>       <expression>
>>          <value>FUNCIONARIO</value>
>>       </expression>
>>       <target>
>>          <c:path>employeeType</c:path>
>>       </target>
>>    </mapping>
>>
>>    <!-- Use the employeeType value to find the role -->
>>    <mapping>
>>       <strength>strong</strength>
>>       <source>
>>          <c:path>employeeType</c:path>
>>       </source>
>>       <expression>
>>          <assignmentTargetSearch>
>>             <targetType>c:RoleType</targetType>
>>             <filter>
>>                <q:equal>
>>                   <q:path>c:identifier</q:path>
>>                   <expression>
>>                      <c:path>$employeeType</c:path>
>>                   </expression>
>>                </q:equal>
>>             </filter>
>>          </assignmentTargetSearch>
>>       </expression>
>>       <target>
>>          <c:path>assignment</c:path>
>>       </target>
>>    </mapping>
>>
>>
>> If I remove the first mapping (to get the employeeType value) and create
>> a new user with "FUNCIONARIO" as employeeType, it works fine. So I guess
>> there is an issue when the user template assigns a value to a target
>> attribute used by the role assignment rule. Any suggestions?
>>
>>
>> Regards,
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Mon, Jan 23, 2017 at 6:51 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> http://lists.evolveum.com/pipermail/midpoint/2015-February/000883.html
>>>
>>> JASON
>>>
>>> On Mon, Jan 23, 2017 at 3:44 PM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> Yes, that is what the wording says BUT... in our case, we would assign
>>>> the role automatically from template and the user would never be created on
>>>> the resource until a recon was run. After changing to 'Positive' it pushes
>>>> to the resource once the role is assigned.
>>>>
>>>> JASON
>>>>
>>>> On Mon, Jan 23, 2017 at 3:38 PM, Nicolas Rossi <nrossi at identicum.com>
>>>> wrote:
>>>>
>>>>> Hi Jason, it seems that the difference between 'relative' and
>>>>> 'positive' applies only when deleting accounts. In our example we are
>>>>> assigning new roles to users, not removing them. In the user's XML we can
>>>>> see the assignments but it doesn't have the roleMembershipRef until we run
>>>>> a reconcile on the user.
>>>>>
>>>>> Is that the expected behaviour?
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>>
>>>>> Ing Nicolás Rossi
>>>>> Identicum S.A.
>>>>> Jorge Newbery 3226
>>>>> Tel: +54 (11) 4552-3050
>>>>> www.identicum.com
>>>>>
>>>>> On Mon, Jan 23, 2017 at 2:09 PM, Jason Everling <jeverling at bshp.edu>
>>>>> wrote:
>>>>>
>>>>>> You can also check the 'Assignment Policy Enforcement'. The default
>>>>>> is 'relative' and that was our issue; changing it to 'Positive' fixed it,
>>>>>>
>>>>>> https://wiki.evolveum.com/display/midPoint/Projection+Policy
>>>>>>
>>>>>> JASON
>>>>>>
>>>>>> On Mon, Jan 23, 2017 at 10:26 AM, Martin Lízner - AMI Praha a.s. <
>>>>>> martin.lizner at ami.cz> wrote:
>>>>>>
>>>>>>> Try to adjust:
>>>>>>>
>>>>>>> <evaluationPhase>beforeAssignments</evaluationPhase>
>>>>>>>
>>>>>>> Martin Lízner
>>>>>>> solution architect
>>>>>>>
>>>>>>> gsm: [+420] 737 745 571
>>>>>>> e-mail: martin.lizner at ami.cz
>>>>>>>
>>>>>>>
>>>>>>> AMI Praha a.s.
>>>>>>> Pláničkova 11
>>>>>>> 162 00 Praha 6
>>>>>>> tel.: [+420] 274 783 239
>>>>>>> web: www.ami.cz
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> By the text of this e-mail the signatory neither promises to conclude
>>>>>>> nor concludes any contract on behalf of AMI Praha a.s.
>>>>>>> Any contract, if concluded, must be made exclusively in written
>>>>>>> form.
>>>>>>>
>>>>>>>
>>>>>>> 2017-01-23 17:06 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:
>>>>>>>
>>>>>>>> Hi guys, we have a User Template with a few mappings that assign
>>>>>>>> Roles to Users based on their attributes. It's a simple model copied from
>>>>>>>> here
>>>>>>>> <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-user.xml>
>>>>>>>> .
>>>>>>>>
>>>>>>>> The User Template is applied and the user receives the assignments,
>>>>>>>> but they are not propagated to the resources until I run a reconcile
>>>>>>>> process on it.
>>>>>>>>
>>>>>>>> Is there any way to configure the User Template to force a
>>>>>>>> reconcile after running all mappings? Or is that the expected behavior?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>>
>>>>>>>> Ing Nicolás Rossi
>>>>>>>> Identicum S.A.
>>>>>>>> Jorge Newbery 3226
>>>>>>>> Tel: +54 (11) 4552-3050
>>>>>>>> www.identicum.com
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> midPoint mailing list
>>>>>>>> midPoint at lists.evolveum.com
>>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
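
Added example, not part of the original thread and not midPoint code: a small check that flags the pattern reported above, where an assignment mapping in a user template reads an item that another mapping in the same template writes. The `objectTemplate` wrapper around the two mappings and the function names are assumptions made so the fragment parses and can be tested.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two chained mappings quoted in the thread, wrapped
# in an assumed objectTemplate root so the fragment is well-formed XML.
TEMPLATE = """<objectTemplate
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <mapping><strength>strong</strength>
    <expression><value>FUNCIONARIO</value></expression>
    <target><c:path>employeeType</c:path></target></mapping>
  <mapping><strength>strong</strength>
    <source><c:path>employeeType</c:path></source>
    <expression><assignmentTargetSearch><targetType>c:RoleType</targetType>
      <filter><q:equal><q:path>c:identifier</q:path>
        <expression><c:path>$employeeType</c:path></expression>
      </q:equal></filter></assignmentTargetSearch></expression>
    <target><c:path>assignment</c:path></target></mapping>
</objectTemplate>"""

def local(tag):
    # Strip the "{namespace}" part ElementTree puts in front of tag names.
    return tag.rsplit("}", 1)[-1]

def paths(mapping, section):
    """Item names under <source> or <target>, without '$' or ns prefix."""
    return {el.text.strip().lstrip("$").split(":")[-1]
            for child in mapping if local(child.tag) == section
            for el in child.iter() if local(el.tag) == "path" and el.text}

def chained_assignment_mappings(xml_text):
    """Return (mapping index, item) pairs for assignment mappings whose
    source item is the target of another mapping in the same template."""
    mappings = [e for e in ET.fromstring(xml_text) if local(e.tag) == "mapping"]
    written = {}
    for i, m in enumerate(mappings):
        for item in paths(m, "target"):
            written.setdefault(item, set()).add(i)
    findings = []
    for i, m in enumerate(mappings):
        if "assignment" not in paths(m, "target"):
            continue
        for item in sorted(paths(m, "source")):
            if written.get(item, set()) - {i}:
                findings.append((i, item))
    return findings

if __name__ == "__main__":
    print(chained_assignment_mappings(TEMPLATE))
```

Mappings flagged this way are the candidates for moving out of the template, as the thread concludes.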

