[midPoint] R: R: Re: Reevaluate entitlement association

Pavol Mederly mederly at evolveum.com
Fri Sep 8 23:20:47 CEST 2017 

I'd try this one:

https://pastebin.com/MUYd9xBz

<outbound>
*<strength>strong</strength>*
<expression>
<associationFromLink>
<projectionDiscriminator>
<kind>entitlement</kind>
<intent>group</intent>
</projectionDiscriminator>
</associationFromLink>
</expression>
</outbound>

But it's a bit of guess.

Pavol Mederly
Software developer
evolveum.com

On 08.09.2017 23:15, Marco Benucci wrote:
>
> Hi,
>
> I have created my entitlements using this schema object in my resource
>
> https://pastebin.com/zkJkwS73
>
> and an object synchronization like this
>
> https://pastebin.com/axrzXbc2
>
> the template used in sync is the following
>
> https://pastebin.com/MUYd9xBz
>
> Moreover, I have an association in the account schemaHandling
>
> https://pastebin.com/bDsHu38V
>
> This is basically what is described in 
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
>
> Where should I put the mapping’s strenght?
>
> Thank you,
> Marco
>
> *Da: *Pavol Mederly <mailto:mederly at evolveum.com>
> *Inviato: *venerdì 8 settembre 2017 22:50
> *A: *midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>
> *Oggetto: *Re: [midPoint] R: Re: Reevaluate entitlement association
>
> Hello Marco,
>
> I assume your entitlements are created using account constructions 
> containing mappings. The behavior on recompute/reconcile depends on 
> the strength of those mappings and on the tolerance level set on 
> target associations (and attributes).
>
> Generally, strength=normal (read "relative") means the mappings are 
> put into action on a value change. Recompute/reconcile does *not* 
> trigger them.
>
> If you want to be sure your mapping is employed on 
> recompute/reconcile, you have to mark it as strength=strong.
>
> See 
> https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingStrength.
>
> Also you can enable logging and see what mappings are triggered, and, 
> generally, what's going on when you run recompute.
>
> See https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings.
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 08.09.2017 19:56, Marco Benucci wrote:
>
>     Sorry for not have specified this before, but recompute seems not
>     to work. Neither the checkbox on the user page neither a bulk with
>     the recompute action...
>
>     No errors are showed by the way.
>
>     We have planned the update asap, but before doing that we have a
>     bunch of more urgent requests...
>
>     Anyway, should be this the expected behavior?
>
>     If an account on AD is not in a given group, but his/her virtual
>     identity have the role/entitlement associated (and the account is
>     correctly linked), should a recomputation fix this?
>
>     Maybe we have a wrong resource configuration?
>
>     Il 08 set 2017 7:44 PM, Martin Lízner - AMI Praha a.s.
>     <martin.lizner at ami.cz> <mailto:martin.lizner at ami.cz> ha scritto:
>
>         Hi, simple user recompute should do it. E.g. open user in GUI,
>         check the reconcile checbox and hit save. Anyway I also
>         recommend upgrading to the latest (3.6, soon 3.6.1) mp version. M.
>
>
>         *Martin Lízner*
>         solution architect
>
>         gsm: [+420] 737 745 571
>         e-mail: martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>
>
>         	
>
>         	
>
>         	
>
>         AMI Praha a.s.
>         Pláničkova 11
>         162 00 Praha 6
>         tel.: [+420] 274 783 239
>         web: www.ami.cz <http://www.ami.cz/>
>
>         	
>
>         	
>
>         	
>
>         http://www.ami.cz/images/podpis/ami_logo.gif
>
>
>
>         AMI Praha a.s. <http://www.skyidentity.com/>
>
>
>         Textem tohoto e-mailu podepisující neslibuje uzavřít ani
>         neuzavírá za společnost AMI Praha a.s.
>         jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí
>         mít výhradně písemnou formu.
>
>         2017-09-08 18:43 GMT+02:00 Marco Benucci <m.benucci at nsr.it
>         <mailto:m.benucci at nsr.it>>:
>
>             Hi,
>
>             we have midpoint 3.4 and an AD resource with configured
>             entitlements.
>
>             Now, I still do not know why, but on AD many users have
>             lost their membership of a role. Fortunately in midPoint
>             we still have the role/entitlement associated to all the
>             right users.
>
>             Is there a way to force midPoint to reevaluate the
>             entitlement association to add again users to theri group?
>
>             Thank you.
>
>
>             _______________________________________________
>             midPoint mailing list
>             midPoint at lists.evolveum.com
>             <mailto:midPoint at lists.evolveum.com>
>             http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170908/36e93dc6/attachment.htm>

More information about the midPoint mailing list