[midPoint] User reconcile after applying user template

Radovan Semancik radovan.semancik at evolveum.com
Thu Jan 26 11:43:16 CET 2017


Hi,

So, this has finally happened :-) ... Please make sure you are sitting 
comfortably. There is a story to tell.

Long, long ago midPoint was young and most of the current functionality 
was still just a few lines on a drawing board. Even at that very early 
stage we somehow knew that we would need some kind of expressions to 
customize midPoint behavior - and especially to compute attribute 
values. We implemented some of that functionality in early midPoint 
versions. It was only much later that we realized how complex all 
of that is. That was a year or two until the right moment came. And 
that's where the concept of relativity was refined and the mechanism of 
mappings was born ... on one sunny autumn Saturday ... on a whiteboard 
and a pile of papers in my study :-)

However, even in the early beginning we realized that there may be a 
problem with ordering of expression evaluation. Output of one expression 
may be input to another expression. But midPoint was young, there was a 
huge pile of functionality still to implement. So we had to make 
sacrifices. But being responsible developers we at least thought about 
it. We figured out that, theoretically, if we know inputs and outputs of 
the expressions then we can arrange them into an evaluation tree. 
Evaluate the independent expressions first, then evaluate those that 
depend on them and so on. The mathematical parts of our souls rejoiced 
at that moment: problem solved!  Theoretically. ... but of course, it 
didn't get implemented at that time. Firstly, at that time we had no 
practical way to figure out inputs of the expressions. That came 
only later with the mapping mechanism. And secondly we didn't have the 
resources anyway.

So it remained like this for years. Curiously enough midPoint users, 
subscribers and sponsors seemed to prefer fancy features instead of 
these little improvements. Vox populi, vox dei ....

And that's where we stand today. Technically the proper ordering of 
expression evaluation is perfectly feasible. Mappings have clear 
definition of source and target, so it is possible to order their 
evaluation properly. The code is not there, but it can be added. And now 
there are (at least) two strong voices that ask for this. So maybe this 
is the right time to get it done. Please let me discuss that internally 
with our team. I'll get back to you shortly.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 01/24/2017 04:27 PM, Nicolas Rossi wrote:
> We already have an active subscription. I hope it would help to get 
> the issue fixed !
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
> On Tue, Jan 24, 2017 at 12:09 PM, Martin Lízner - AMI Praha a.s. 
> <martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>> wrote:
>
>     I wish I could help, but I just realized I have a similar problem
>     for which I have no immediate solution. I have some default roles
>     induced by user's organization membership. But when a new user is
>     created and automatically assigned to org. (via
>     assignmentTargetSearch and usertemplate), provisioning is not
>     completed fully (e.g. AD groups not assigned in the resource.).
>     Only after I do a second reconcile, all is ok.
>
>     I guess it's time to buy midPoint's subscription. But that doesn't
>     go so fast for us.
>
>     M.
>
>     Martin Lízner
>     solution architect
>
>     gsm: [+420] 737 745 571
>     e-mail: martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>
>
>     AMI Praha a.s.
>     Pláničkova 11
>     162 00 Praha 6
>     tel.: [+420] 274 783 239
>     web: www.ami.cz <http://www.ami.cz/>
>
>     By the text of this e-mail, the signatory neither promises to
>     conclude nor concludes any contract on behalf of AMI Praha a.s.
>     Any contract, if concluded, must be exclusively in written form.
>
>
>
>     2017-01-24 15:19 GMT+01:00 Nicolas Rossi <nrossi at identicum.com
>     <mailto:nrossi at identicum.com>>:
>
>         Hi Martin, we have 2 phases on the UserTemplate:
>
>          1. employeeType calculation
>          2. Role assignment based on employeeType
>
>         We added the
>         <evaluationPhase>beforeAssignments</evaluationPhase> to the
>         employeeType mapping but nothing changed: the user receives
>         the Role but the indirect roles are not assigned until
>         I reconcile it.
>
>         Do you know where I can find more information about the
>         evaluation phases on the User Template? Have you seen the
>         issue at JIRA <https://jira.evolveum.com/browse/MID-2149>
>         commented by Jason?
>
>         Regards,
>
>
>
>         Ing Nicolás Rossi
>         Identicum S.A.
>         Jorge Newbery 3226
>         Tel: +54 (11) 4552-3050
>         www.identicum.com <http://www.identicum.com>
>
>         On Mon, Jan 23, 2017 at 1:26 PM, Martin Lízner - AMI Praha
>         a.s. <martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>> wrote:
>
>             Try to adjust:
>
>             <evaluationPhase>beforeAssignments</evaluationPhase>
>
>             Martin Lízner
>             solution architect
>
>             gsm: [+420] 737 745 571
>             e-mail: martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>
>
>             AMI Praha a.s.
>             Pláničkova 11
>             162 00 Praha 6
>             tel.: [+420] 274 783 239
>             web: www.ami.cz <http://www.ami.cz/>
>
>             By the text of this e-mail, the signatory neither promises
>             to conclude nor concludes any contract on behalf of
>             AMI Praha a.s. Any contract, if concluded, must be
>             exclusively in written form.
>
>
>
>             2017-01-23 17:06 GMT+01:00 Nicolas Rossi
>             <nrossi at identicum.com <mailto:nrossi at identicum.com>>:
>
>                 Hi guys, we have a User Template with a few mappings
>                 that assign Roles to Users based on their attributes.
>                 It's a simple model copied from here
>                 <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-user.xml>.
>
>                 The User Template is applied and the user receives the
>                 assignments but it is not propagated to the resources
>                 until I run a reconcile process on it.
>
>                 Is there any way to configure the User Template to
>                 force a reconcile after running all mappings? Or
>                 is that the expected behavior?
>
>                 Regards,
>
>
>                 Ing Nicolás Rossi
>                 Identicum S.A.
>                 Jorge Newbery 3226
>                 Tel: +54 (11) 4552-3050
>                 www.identicum.com <http://www.identicum.com>
>
>                 _______________________________________________
>                 midPoint mailing list
>                 midPoint at lists.evolveum.com
>                 <mailto:midPoint at lists.evolveum.com>
>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>                 <http://lists.evolveum.com/mailman/listinfo/midpoint>

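The ordering described at the top of this message (evaluate the independent expressions first, then those that depend on them) amounts to a topological sort over mapping sources and targets. The following is an added example, not part of the original thread and not midPoint code; the mapping names, the `contract` and `roleMembership` items and the role values are constructed for illustration.

```python
from collections import deque

# Constructed mappings, declared in an order that is wrong on purpose.
# Each is (name, source items, target item, expression); all names are hypothetical.
MAPPINGS = [
    ("induced-roles", ["assignment"], "roleMembership",
     lambda u: sorted({"AD-Staff"} if "Employee" in u.get("assignment", []) else set())),
    ("role-by-type", ["employeeType"], "assignment",
     lambda u: ["Employee"] if u.get("employeeType") == "FTE" else []),
    ("employee-type", ["contract"], "employeeType",
     lambda u: "FTE" if u.get("contract") == "permanent" else "EXT"),
]

def order_by_dependency(mappings):
    """Kahn's algorithm: a mapping runs only after every mapping that writes one of its sources."""
    writers = {}
    for name, _, target, _ in mappings:
        writers.setdefault(target, []).append(name)
    by_name = {m[0]: m for m in mappings}
    blockers = {m[0]: {w for s in m[1] for w in writers.get(s, []) if w != m[0]}
                for m in mappings}
    ready = deque(n for n, b in blockers.items() if not b)
    ordered = []
    while ready:
        done = ready.popleft()
        ordered.append(by_name[done])
        for name, b in blockers.items():
            if done in b:
                b.remove(done)
                if not b:
                    ready.append(name)
    if len(ordered) != len(mappings):
        raise ValueError("circular dependency between mappings")
    return ordered

def evaluate(user, mappings):
    """One pass: each mapping reads the current state and writes its target."""
    state = dict(user)
    for _, _, target, expr in mappings:
        state[target] = expr(state)
    return state

if __name__ == "__main__":
    new_user = {"contract": "permanent"}
    print(evaluate(new_user, MAPPINGS))                       # declared order
    print(evaluate(new_user, order_by_dependency(MAPPINGS)))  # dependency order
```

In declared order a single pass leaves `roleMembership` empty, which mirrors the "only after a second reconcile" symptom reported in the thread; in dependency order one pass is enough.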
