[midPoint] User reconcile after applying user template

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Thu Jan 26 19:57:09 CET 2017 

Radovan, thank you for your honest and sincere reply! Martin

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2017-01-26 11:43 GMT+01:00 Radovan Semancik <radovan.semancik at evolveum.com>:

> Hi,
>
> So, this has finally happened :-) ... Please make sure you are sitting
> comfortably. There is a story to tell.
>
> Long, long ago midPoint was young and most of the current functionality
> was still just few lines on a drawing board. Even at that very early stage
> we somehow knew that we will need some kind of expressions to customize
> midpoint behavior - and especially to compute attribute values. We have
> implemented some of that functionality in early midPoint versions. It was
> only much later that we have realized how complex all of that is. That was
> a year or two until the right moment came. And that's where the concept of
> relativity was refined and the mechanism of mappings was born ... on one
> sunny autumn Saturday ... on a whiteboard and a pile of papers in my study
> :-)
>
> However, even in the early beginning we have realized that there may be
> problem with ordering of expression evaluation. Output of one expression
> may be input to another expression. But midPoint was young, there was a
> huge pile of functionality still to implement. So we had to make
> sacrifices. But being responsible developers we at least thought about it.
> We figured out that, theoretically, if we know inputs and outputs of the
> expressions then we can arrange them into an evaluation tree. Evaluate the
> independent expressions first, the evaluate those that depend on them and
> so on. The mathematical parts of our souls rejoiced at that moment: problem
> solved!  Theoretically. ... but of course, it haven't get implemented at
> that time. Firstly, at that time we had no practical way how to figure out
> inputs of the expressions. That came only later with the mapping mechanism.
> And secondly we haven't got the resources anyway.
>
> So it remained like this for years. Curiously enough midPoint users,
> subscribers and sponsors seemed to prefer fancy features instead of these
> little improvements. Vox populi, vox dei ....
>
> And that's where we stand today. Technically the proper ordering of
> expression evaluation is perfectly feasible. Mappings have clear definition
> of source and target, so it is possible to order their evaluation properly.
> The code is not there, but it can be added. And now there are (at least)
> two strong voices that ask for this. So maybe this is the right time to get
> it done. Please let me discuss that internally with out team. I'll get back
> to you shortly.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
>
> On 01/24/2017 04:27 PM, Nicolas Rossi wrote:
>
> We already have an active subscription. I hope it would help to get the
> issue fixed !
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
> <http://www.identicum.com>www.identicum.com
>
> On Tue, Jan 24, 2017 at 12:09 PM, Martin Lízner - AMI Praha a.s. <
> <martin.lizner at ami.cz>martin.lizner at ami.cz> wrote:
>
>> I wish I could help, but I just realized I have simillar problem for
>> which I have no immediate solution. I have some default roles induced by
>> user's organization membership. But when new user is created and
>> automatically assigned to org. (via assignmentTargetSearch and
>> usertemplate), provisioning is not completed fully (e.g. AD groups not
>> assigned in the resource.). Only after I do second reconcile, all is ok.
>>
>> I guess its time to buy midPoint's subscription. But that doesnt go so
>> fast for us.
>>
>> M.
>>
>> Martin Lízner
>> solution architect
>>
>> gsm: [+420] 737 745 571 <+420%20737%20745%20571>
>> e-mail:  <martin.lizner at ami.cz>martin.lizner at ami.cz
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>> web:  <http://www.ami.cz/>www.ami.cz
>>
>>
>>
>>
>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
>> písemnou formu.
>>
>>
>> 2017-01-24 15:19 GMT+01:00 Nicolas Rossi < <nrossi at identicum.com>
>> nrossi at identicum.com>:
>>
>>> Hi Martin, we have 2 phases on the UserTemplate:
>>>
>>>    1. employeeType calculation
>>>    2. Role assignment based on employeeType
>>>
>>> We added the <evaluationPhase>beforeAssignments</evaluationPhase> to
>>> the employeeType mapping but nothing changed: the user receives the Role
>>> but the indirect roles are not assigned until reconcile it.
>>>
>>> Do you know were can I find more information about the evaluation phases
>>> on the User Template ? Have you seen the issue at JIRA
>>> <https://jira.evolveum.com/browse/MID-2149> commented by Jason ?
>>>
>>> Regards,
>>>
>>>
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>>> <http://www.identicum.com>www.identicum.com
>>>
>>> On Mon, Jan 23, 2017 at 1:26 PM, Martin Lízner - AMI Praha a.s. <
>>> <martin.lizner at ami.cz>martin.lizner at ami.cz> wrote:
>>>
>>>> Try to adjust:
>>>>
>>>> <evaluationPhase>beforeAssignments</evaluationPhase>
>>>>
>>>> Martin Lízner
>>>> solution architect
>>>>
>>>> gsm: [+420] 737 745 571 <+420%20737%20745%20571>
>>>> e-mail:  <martin.lizner at ami.cz>martin.lizner at ami.cz
>>>>
>>>>
>>>> AMI Praha a.s.
>>>> Pláničkova 11
>>>> 162 00 Praha 6
>>>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>>>> web:  <http://www.ami.cz/>www.ami.cz
>>>>
>>>>
>>>>
>>>>
>>>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>>>
>>>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>>>> společnost AMI Praha a.s.
>>>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>>>> výhradně písemnou formu.
>>>>
>>>>
>>>> 2017-01-23 17:06 GMT+01:00 Nicolas Rossi < <nrossi at identicum.com>
>>>> nrossi at identicum.com>:
>>>>
>>>>> Hi guys, we have a User Template with few mappings that assigns Roles
>>>>> to Users based on their attributes. It's a simple model copied from
>>>>> here
>>>>> <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-user.xml>
>>>>> .
>>>>>
>>>>> The User Template is applied and the user receives the assignments but
>>>>> it is not propagated to the resources until  I run a reconcile process on
>>>>> it.
>>>>>
>>>>> Is there any way to configure the User Template to force a reconcile
>>>>> after running all mappings ? Or that's the expected behavior ?
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> Ing Nicolás Rossi
>>>>> Identicum S.A.
>>>>> Jorge Newbery 3226
>>>>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>>>>> <http://www.identicum.com>www.identicum.com
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170126/2a634d12/attachment.htm>

More information about the midPoint mailing list