[midPoint] objectTemplate account create base on account fail
Ivan Noris
ivan.noris at evolveum.com
Tue Nov 21 12:40:41 CET 2017
You defined mapping, that all users should have that assignment.
Midpoint did it. Now you try to break the rule.
As the mapping is strong, the value must always be there (i.e. you
cannot remove the assignment using GUI).
See
https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingStrength
It would help if you describe what you want to achieve. One thing is to
understand how the mechanism works, the other thing is to know what
exactly you want. You should not mix something that should be done
automatically with manual actions. The object template mappings for
assignment should cover whatever can be done and enforced automatic.
Best regards,
Ivan
On 21.11.2017 11:23, HAQUET Serge wrote:
>
> What i don’t understand why this behavior different from the behavior
> of the user interface
>
>
>
> I can’t remove the assignment created
>
>
>
> *Operation*
>
> *Save (GUI)*
>
> *Message*
>
> Attempt to delete value
> PCV(null):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}construction):[PCV(null):[PrismReference({.../common/common-3}resourceRef):[PRV(oid=0e70c40e-d952-45ee-9780-10845afdc126,
> targetType={.../common/common-3}ResourceType)]]]] from item assignment
> but that value is mandated by a strong mapping (in object template
> objectTemplate:10000000-0000-0000-0000-000000000222(Complex User
> Template) for focus user:54faf55b-c588-4ab0-9892-5ff6d3181577(Test2))
>
>
> *Error*
>
> Attempt to delete value
> PCV(null):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}construction):[PCV(null):[PrismReference({.../common/common-3}resourceRef):[PRV(oid=0e70c40e-d952-45ee-9780-10845afdc126,
> targetType={.../common/common-3}ResourceType)]]]] from item assignment
> but that value is mandated by a strong mapping (in object template
> objectTemplate:10000000-0000-0000-0000-000000000222(Complex User
> Template) for focus user:54faf55b-c588-4ab0-9892-5ff6d3181577(Test2))
>
> show <javascript:;>
>
>
>
>
>
> So it is hard to me to believe that everything is working correctly
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* mardi 21 novembre 2017 10:43
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] objectTemplate account create base on
> account fail
>
>
>
> Hi Serge,
>
> once again; you are NOT creating a role. You are assigning a resource
> account. That's the relation meaning "I wish the account on the
> resource to be created and exist". That is the assignment.
>
> As a result, MidPoint will create the resource account. That's the
> relation meaning "There is the account on that resource currently".
> That's the projection.
>
> The role icon and resource assignment icon differ. See the attached
> screenshots:
>
> - my user has assigned role Employee and also resource account on
> CSV-1 resource (Assignment tab; notice the icons)
>
> - my user has three accounts (CSV-1, CSV-2, CSV-3) (Projections tab)
>
> The existence of CSV-1 account in projection is the result of that
> resource account being assigned. The name of the resource assignment
> is the same as the name of the resource.
>
> No role is created. The resource account is assigned and midPoint
> creates it. This is one of the main midPoint concepts. If there is an
> assignment, midPoint will create the account(s) and keep them until
> you unassign the assignment.
>
> I personally use roles (also through object template mappings) and not
> resource assignments.
>
> In your case, as the name of the resource assignment has always the
> same as the name of the resource, everything is working correctly.
>
> Best regards,
>
> Ivan
>
>
>
> On 16.11.2017 08:03, HAQUET Serge wrote:
>
> Ok so how can I fix the issue of the role created when I assign
> the account?
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* mercredi 15 novembre 2017 17:53
> *To:* midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] objectTemplate account create base on
> account fail
>
>
>
> Hi,
>
> I don't know if that's entirely possible, but it's not a good idea
> to "assign" resource account just by linking. As stated in the
> wiki page I referenced, link is just a relationship between
> midPoint user and resource account, and that link can be deleted
> if the account is deleted directly on the resource. Assignment is
> able to re-create that account even in this situation.
>
> Ivan
>
>
>
> On 15.11.2017 08:32, HAQUET Serge wrote:
>
> What target I should use to avoid to create this role.
>
> I try linkref but nothing happend
>
>
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com]
> *On Behalf Of *Ivan Noris
> *Sent:* mardi 14 novembre 2017 15:54
> *To:* midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] objectTemplate account create base
> on account fail
>
>
>
> Serge,
>
> what you have in assignments is the resource account
> assignment, for which the projection has been created. If you
> assign resource account (as you do), this is the expected state.
>
> See
> https://wiki.evolveum.com/display/midPoint/Assigning+vs+Linking
>
> Best regards,
>
> Ivan
>
>
>
> On 09.11.2017 15:19, HAQUET Serge wrote:
>
> When i look via the gui I have the projection but in
> assignment I have also a “role” with the same name of my
> resource
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:*midPoint
> [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf Of
> *Ivan Noris
> *Sent:* jeudi 9 novembre 2017 13:12
> *To:* midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] objectTemplate account create
> base on account fail
>
>
>
> Hi Serge,
>
> can you specify exact file/sample where this was?
>
> I have not used direct account assignment, but just roles,
> in the object template, but I can see this:
>
> samples/demo/user-template.xml
>
> <mapping>
> <description>A hack to avoid feedback to HR feed -
> deleting accounts because they are not assigned</description>
> <strength>strong</strength>
> <source>
> <path>employeeType</path>
> </source>
> <expression>
> <value>
> <!--<assignment>-->
> <construction>
>
> <resourceRef oid="8844dcca-775d-11e2-a0ac-001e8c717e5b"
> type="c:ResourceType"/>
> </construction>
> <!--</assignment>-->
> </value>
> </expression>
> <target>
> <path>assignment</path>
> </target>
> <condition>
> <script>
> <code>employeeType != null</code>
> </script>
> </condition>
> </mapping>
>
> See how the <assignment> element is commented out; hope
> this is the problem.
>
> If you specify the sample from which you have seen the
> original construction, we can have a look at it.
>
> Best regards,
>
> Ivan
>
>
>
> On 08.11.2017 12:43, HAQUET Serge wrote:
>
> I get this example from midpoint git and it didn’t
> work , look like missing something to validate the xml
>
>
>
> <mapping>
>
> <strength>strong</strength>
>
> <expression>
>
> <value>
>
> <assignment>
>
> <construction>
>
> <resourceRef
> oid="0e70c40e-d952-45ee-9780-10845afdc126"
> type="ResourceType"/>
>
> </construction>
>
> </assignment>
>
> </value>
>
> </expression>
>
> <target>
>
> <path>assignment</path>
>
> </target>
>
> </mapping>
>
> * *
>
> *Midpoint version :*3.6
>
>
>
> *Goal :*when create new user , create a new account an
> link it base on the some resources
>
>
>
> *Actions:*
>
> * using the Complex User Template , from the
> midpoint git.
> * only use the account create part.
> * import the file in midpoint
> * create new user
>
>
>
> *Error (see file)*: Message
>
> Item
> {http://midpoint.evolveum.com/xml/ns/public/common/common-3}assignment
> has no definition (in container value CTD
> ({.../common/common-3}AssignmentType))while parsing (
> {...common/common-3}assignment => (
> {...common/common-3}construction => (
> {...common/common-3}resourceRef => ( oid => parser
> ValueParser(DOMa, oid:
> 0e70c40e-d952-45ee-9780-10845afdc126) type => parser
> ValueParser(DOMa, type: ResourceType) ) ) ) )
>
>
>
> *When *: trying to create user
>
>
>
>
>
>
>
>
>
> imap://vix@mail.evolveum.com:993/fetch%3EUID%3E/INBOX/Lists/midPoint%3E1540915?header=quotebody&part=1.1.2&filename=image001.png
>
>
>
> *Serge HAQUET*
> Project Analyst
> Operations - Project Analyst
> Avenue des Arts 21, 1000 Bruxelles - cirb.brussels
> <http://cirb.brussels/>- disclaimer
> <http://cirb.brussels/disclaimer-1>
> T +32 2 801 12 41 | G +32 497 44 44 99 | Helpdesk +32
> 2 801 00 00
> Be green, leave it on the screen
> ! imap://vix@mail.evolveum.com:993/fetch%3EUID%3E/INBOX/Lists/midPoint%3E1540915?header=quotebody&part=1.1.3&filename=image002.png
> <https://www.linkedin.com/company/cirb_cibg> imap://vix@mail.evolveum.com:993/fetch%3EUID%3E/INBOX/Lists/midPoint%3E1540915?header=quotebody&part=1.1.4&filename=image003.png
> <https://twitter.com/CIRB_CIBG> imap://vix@mail.evolveum.com:993/fetch%3EUID%3E/INBOX/Lists/midPoint%3E1540915?header=quotebody&part=1.1.5&filename=image004.jpg
> <http://www.environnement.brussels/thematiques/ville-durable/le-label-entreprise-ecodynamique>
>
>
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
> --
>
> Ivan Noris
>
> Senior Identity Engineer
>
> evolveum.com
>
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> --
>
> Ivan Noris
>
> Senior Identity Engineer
>
> evolveum.com
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>
> Ivan Noris
>
> Senior Identity Engineer
>
> evolveum.com
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20171121/2f667b87/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 17152 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20171121/2f667b87/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 537 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20171121/2f667b87/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 658 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20171121/2f667b87/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 1336 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20171121/2f667b87/attachment.jpg>
More information about the midPoint
mailing list