[midPoint] User reconcile after applying user template
Radovan Semancik
radovan.semancik at evolveum.com
Fri Jan 27 11:27:32 CET 2017
Hi,
So the decision is that we are going to listen to the subscribers and we
are going to implement the mapping chaining in 3.6:
https://jira.evolveum.com/browse/MID-2149
However, this is likely to come a bit later in the development cycle.
And there is still a small chance that this may be moved out if the
development plan slips too much.
--
Radovan Semancik
Software Architect
evolveum.com
On 01/26/2017 11:43 AM, Radovan Semancik wrote:
> Hi,
>
> So, this has finally happened :-) ... Please make sure you are sitting
> comfortably. There is a story to tell.
>
> Long, long ago midPoint was young and most of the current
> functionality was still just few lines on a drawing board. Even at
> that very early stage we somehow knew that we will need some kind of
> expressions to customize midpoint behavior - and especially to compute
> attribute values. We have implemented some of that functionality in
> early midPoint versions. It was only much later that we have realized
> how complex all of that is. That was a year or two until the right
> moment came. And that's where the concept of relativity was refined
> and the mechanism of mappings was born ... on one sunny autumn
> Saturday ... on a whiteboard and a pile of papers in my study :-)
>
> However, even in the early beginning we have realized that there may
> be problem with ordering of expression evaluation. Output of one
> expression may be input to another expression. But midPoint was young,
> there was a huge pile of functionality still to implement. So we had
> to make sacrifices. But being responsible developers we at least
> thought about it. We figured out that, theoretically, if we know
> inputs and outputs of the expressions then we can arrange them into an
> evaluation tree. Evaluate the independent expressions first, the
> evaluate those that depend on them and so on. The mathematical parts
> of our souls rejoiced at that moment: problem solved! Theoretically.
> ... but of course, it haven't get implemented at that time. Firstly,
> at that time we had no practical way how to figure out inputs of the
> expressions. That came only later with the mapping mechanism. And
> secondly we haven't got the resources anyway.
>
> So it remained like this for years. Curiously enough midPoint users,
> subscribers and sponsors seemed to prefer fancy features instead of
> these little improvements. Vox populi, vox dei ....
>
> And that's where we stand today. Technically the proper ordering of
> expression evaluation is perfectly feasible. Mappings have clear
> definition of source and target, so it is possible to order their
> evaluation properly. The code is not there, but it can be added. And
> now there are (at least) two strong voices that ask for this. So maybe
> this is the right time to get it done. Please let me discuss that
> internally with out team. I'll get back to you shortly.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 01/24/2017 04:27 PM, Nicolas Rossi wrote:
>> We already have an active subscription. I hope it would help to get
>> the issue fixed !
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Tue, Jan 24, 2017 at 12:09 PM, Martin Lízner - AMI Praha a.s.
>> <martin.lizner at ami.cz> wrote:
>>
>> I wish I could help, but I just realized I have simillar problem
>> for which I have no immediate solution. I have some default roles
>> induced by user's organization membership. But when new user is
>> created and automatically assigned to org. (via
>> assignmentTargetSearch and usertemplate), provisioning is not
>> completed fully (e.g. AD groups not assigned in the resource.).
>> Only after I do second reconcile, all is ok.
>>
>> I guess its time to buy midPoint's subscription. But that doesnt
>> go so fast for us.
>>
>> M.
>>
>> Martin Lízner
>> solution architect
>>
>> gsm: [+420] 737 745 571
>> e-mail: martin.lizner at ami.cz
>>
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239
>> web: www.ami.cz
>>
>>
>>
>>
>>
>> AMI Praha a.s. <http://www.skyidentity.com/>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani
>> neuzavírá za společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>> výhradně písemnou formu.
>>
>>
>>
>> 2017-01-24 15:19 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:
>>
>> Hi Martin, we have 2 phases on the UserTemplate:
>>
>> 1. employeeType calculation
>> 2. Role assignment based on employeeType
>>
>> We added the
>> <evaluationPhase>beforeAssignments</evaluationPhase> to the
>> employeeType mapping but nothing changed: the user receives
>> the Role but the indirect roles are not assigned until
>> reconcile it.
>>
>> Do you know were can I find more information about the
>> evaluation phases on the User Template ? Have you seen the
>> issue at JIRA <https://jira.evolveum.com/browse/MID-2149>
>> commented by Jason ?
>>
>> Regards,
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050 <tel:+54%2011%204552-3050>
>> www.identicum.com
>>
>> On Mon, Jan 23, 2017 at 1:26 PM, Martin Lízner - AMI Praha
>> a.s. <martin.lizner at ami.cz> wrote:
>>
>> Try to adjust:
>>
>> <evaluationPhase>beforeAssignments</evaluationPhase>
>>
>> Martin Lízner
>> solution architect
>>
>> gsm: [+420] 737 745 571 <tel:+420%20737%20745%20571>
>> e-mail: martin.lizner at ami.cz
>>
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239 <tel:+420%20274%20783%20239>
>> web: www.ami.cz
>>
>>
>>
>>
>>
>> AMI Praha a.s. <http://www.skyidentity.com/>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani
>> neuzavírá za společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena,
>> musí mít výhradně písemnou formu.
>>
>>
>>
>> 2017-01-23 17:06 GMT+01:00 Nicolas Rossi
>> <nrossi at identicum.com>:
>>
>> Hi guys, we have a User Template with few mappings
>> that assigns Roles to Users based on their
>> attributes. It's a simple model copied from here
>> <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-user.xml>.
>>
>> The User Template is applied and the user receives
>> the assignments but it is not propagated to the
>> resources until I run a reconcile process on it.
>>
>> Is there any way to configure the User Template to
>> force a reconcile after running all mappings ? Or
>> that's the expected behavior ?
>>
>> Regards,
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050 <tel:+54%2011%204552-3050>
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170127/a21e0130/attachment.htm>
More information about the midPoint
mailing list