[midPoint] Manual connector questions
Brandon Powers
brandon at exclamationlabs.com
Thu Sep 13 01:24:06 CEST 2018
Alexandre,
* - Once operators close the case, "shadow refresh task" process the
shadows, but shadows still contain the related pending operations not
closed / finished*
* - If it is a delete account operation, Shadow account is not deleted
and we have to delete the shadows manually*
You are correct assuming that there is an issue with the pending operations
being applied to the shadow attributes. This is an issue we recently
identified ourselves. We have applied a fix and submitted a Pull Request
for inclusion in a future midPoint release.
In the mean time, we currently use a custom task script to delete shadows
containing a pending delete operation.
The pull request is here for reference:
https://github.com/Evolveum/midpoint/pull/85
With these changes, the shadow refresh task correctly updates shadow
(cache) attributes as well as removes deleted shadows. Pending operations
that are completed are also removed from the shadow.
Note, we are also working on a fix to the shadow refresh task to update the
shadow *name* when a namingAttribute is modified.
Hope this helps.
Brandon
On Wed, Sep 12, 2018 at 5:27 PM Alexandre Zia <alexandre.zia at ifood.com.br>
wrote:
> Hi Brandon,
>
> Thanks for the thorough explanation about manual connector
> And double thanks about your company contribution to Midpoint regarding
> the cases UI and everything related.
>
> It took me a while to put all of this to work according to your
> instructions because we were stuck on MP 3.7.2 , I had to make Google
> connector work with MP 3.8 and upgrade our MP Prod server cluster.
>
> Now we did several tests and configuration on manual connectors, and we
> have almost everything working as expected, however still have small issues
> that I would like to check if we are doing something wrong or if this is
> how MP works.
>
> - We have created and configured manual connector resource
> - We have created a "shadow refresh task"
>
> - Users are able to request Roles
> - MP put the requests under Approval Workflow
> - Once requests are approved a case is started, email notifications are
> sent to operators asking them to execute the changes and close the case
> - Operators close the case
>
> - At this point, I would like to get advice:
> - Once operators close the case, "shadow refresh task" process the
> shadows, but shadows still contain the related pending operations not
> closed / finished
> - If it is a delete account operation, Shadow account is not deleted
> and we have to delete the shadows manually
>
> Is this behavior ok?
> MP will not delete the shadows even after operator close the delete
> account case?
> Is the same for other operations? pending operations will remain in the
> shadow?
>
> Looking at the shadows, after Operatos closes the case, the pending
> operation shows "unknown" resultStatus:
> <executionStatus>executing</executionStatus>
> <resultStatus>unknown</resultStatus>
>
> I'm trying to test now semi-manual Resource using Manual-Connector as base
> connector and Scripted-Rest-Connector as additional connector
> Because we have several systems were we have to manually create, delete
> and modify accounts, but we have REST API to list users and get users
> details
> This way MP will be able to verify if the remote system status is the way
> it should be according to MP state,
> Do you think this semi-manual resource will be able to update the shadows,
> finishing pending operations, deleting shadows, etc?
>
> Thais again,
> Alexandre
>
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Sep 5, 2018 at 10:39 AM, Brandon Powers <
> brandon at exclamationlabs.com> wrote:
>
>> Hello,
>> We have provided the following information in a similar question from
>> another contact. Hope this helps (I know its a long response, but I've
>> tried to explain the manual resource / case process well):
>>
>> The MidPoint Cases UI is a combination of pages allowing administrators
>> to view, close, and audit cases both created automatically using
>> manual/semi-manual resource connectors, and those created manually by the
>> user.
>>
>> A quick overview of cases and case work items:
>> A case is a task that needs to be completed associated with a particular
>> resource, and most often, a change to a resource account (shadow). A case
>> is assigned to users through "case work items". A case can have any number
>> of case work items. Each case work item is assigned to a single user.
>> Closing any case work item closes the entire case.
>>
>> To view the Cases UI, simply add the appropriate authorizations for the
>> user roles needing access. Here are some common authorizations:
>>
>> UI Authorization Actions
>> -
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#caseWorkItemsAll -
>> enables the "All case work items" page showing all case work items assigned
>> to any user.
>> -
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#caseWorkItemsAllocatedToMe -
>> enables the "My case work items" page showing all case work items assigned
>> to the logged in user.
>> -
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#caseWorkItem -
>> allows access to create a case page
>>
>> Model Authorization Actions
>> -
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#readAllWorkItems -
>> used in conjunction with object type `CaseWorkItemType`, allows reading all
>> case work items
>> - Standard model actions in conjunction with object type `CaseType` to
>> allow read/modify/etc access on Cases
>>
>> Once the appropriate authorizations are present, the Cases UI will be
>> accessible from the menu
>> Work Items -> All Cases - All Case objects
>> Work Items -> My Cases - All case objects assigned to logged in user
>> Work Items -> All Case Work Items - all case work items, filterable by
>> resource, actor (assignee), and case state (open/closed)
>> Work Items -> My Case Work Items - all case work items assigned to the
>> logged in user
>>
>> Clicking on the case work item "description" in the table will display a
>> page showing detailed information about the case and case work item, such
>> as assignee, timestamps, change deltas, etc. This page also offers the
>> ability to "close" the case with option to add a comment or upload a file
>> for evidence (useful for purely manual resources where midPoint has no way
>> of accurately knowing the result of a change on an external system,
>> provides evidence for auditing purposes).
>>
>> Cases are automatically generated by midPoint for manual and semi-manual
>> resources when their respective resource accounts (shadows) change (account
>> details such as first/last name, or entitlements such as permission/roles).
>>
>> For this to happen, a resource must be configured with the connector type
>> `ManualConnector`. Additionally, another connector may be specified as an
>> `additionalConnnector` for semi-manual resources (see
>> https://wiki.evolveum.com/display/midPoint/Manual+Resource+Configuration#ManualResourceConfiguration-Semi-ManualResources
>> )
>> To specify users that should be assigned to the automatically generated
>> cases, you must add business operators to the resource. See the example
>> here:
>> https://github.com/Evolveum/midpoint/blob/master/provisioning/provisioning-impl/src/test/resources/manual/resource-manual.xml
>> (Note that `operatorRef`s can include a specific user OID, or a filter
>> can be used to select a user based on attributes, such as username.
>>
>> Additionally, if you would like email notifications, the
>> `simpleCaseManagementNotifier` can be configured in the system
>> configuration. (I don't believe Evolveum has any documentation on this yet
>> either, but it operates similar to the other notifiers. Here is a link to
>> the class:
>> https://github.com/Evolveum/midpoint/blob/master/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/SimpleCaseManagementNotifier.java
>> )
>>
>> As you mentioned, there is also the option to use ITSM plugin instead of
>> the internal midPoint case management functionality.
>>
>> - Brandon
>>
>> On Wed, Sep 5, 2018 at 3:24 AM Radovan Semancik <
>> radovan.semancik at evolveum.com> wrote:
>>
>>> Hi,
>>>
>>> Manual connectors are quite an interesting functionality of midPoint.
>>> However, it was created in small parts. It was never a completely funded
>>> work. As mostly unfunded work we have focused on the code. The code is
>>> solid, and in fact it recently went over a significant consolidation and
>>> cleanup as part of Galileo development. However, the documentation leaves
>>> much to be desired. We have made significant investment to manual connector
>>> functionality during last few years. And unfortunately, we do not have any
>>> more resources to invest even more funds in the documentation.
>>>
>>> Therefore I can only recommend the options that I'm recommending all the
>>> time (with a little twist):
>>>
>>> 1) Get midPoint subscription. Ideally platform subscription. Income from
>>> the subscription can be used to improve documentation.
>>>
>>> 2) Sponsor the work on midPoint book:
>>>
>>> https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/
>>> The book was praised by many people. However, Evolveum has been the only
>>> sponsor of this effort so far. It was quite an effort already. But there is
>>> still too many things to write down. And the book is not going to write
>>> itself. I can do it. In fact, I would absolutely love to do it. But further
>>> work on the book needs funding.
>>>
>>> 3) Source code is available. You can read through the code and
>>> contribute the documentation.
>>>
>>> I know that this answer does not help much. But asking questions without
>>> contributing anything back is not going to help the project either.
>>>
>>>
>>> --
>>> Radovan Semancik
>>> Software Architectevolveum.com
>>>
>>>
>>>
>>> On 09/04/2018 04:16 AM, Alexandre Zia wrote:
>>>
>>> Hi all,
>>>
>>> I'm Having a hard time trying to understand how manual connector
>>> actually works.
>>> I've tried several approaches, but always end up with some
>>> "collateral effects"
>>> I've read all I could find about manual resources, MP Confluence,
>>> mailing list,
>>> provisioned all the examples, tried several different configs, but
>>> the fact
>>> is that there is no comprehensive explanation on how manual resources
>>> works
>>> So I'm asking for help here at least to check if I'm doing something
>>> terrible wrong
>>>
>>> 1. Pure manual connector:
>>>
>>> - Created Role to induce account creation works fine,
>>>
>>> - Upon role assignment the resulting operation it creates a shadow
>>> for the
>>> account in the connector, however the assignment operation never
>>> completes,
>>> stays in IN_PROGRESS forever and the shadows keeps pendingOperations
>>> and
>>> there is no way to get rid of them.
>>>
>>> - Upon role unassignment the role is unassigned but the projection in
>>> the
>>> resource (shadow) is not removed, stays there forever until we
>>> manually
>>> delete the shadow and run a reconciliation
>>>
>>> 2. Semi manual with CSV connector as additionalConnector:
>>>
>>> - Same as above, except:
>>>
>>> - I can see the accounts appearing in resource
>>> (Accounts tab in resource, searching in the resource side)
>>> when the accounts appears in the CSV, but seems to do nothing
>>> regarding the shadow.
>>>
>>> - when unassigning the role, same thing, when the account vanishes
>>> from CSV
>>> nothing happens to the shadow and the projection remains
>>>
>>> I have also created a Shadow Refresh Task, and it even reports that is
>>> processing the shadows, but nothing changes actually.
>>>
>>> Other thing we are trying to do here is how to notify operator when he
>>> needs
>>> to manually create or delete the accounts?
>>> We have created an extra approval named something like: "Wait for the
>>> operator to create the account" but again there is room for
>>> improvement here:
>>> - We have approvers assigned to the role and an approval stage
>>> - So we have added operators as "owners" and filtering the "wait for
>>> the
>>> operator" approval by the "owner" but this is not working properly.
>>>
>>> Can someone share a bit about the subject?
>>> What is the best approach to work with manual connectors?
>>>
>>> If we setup an ITSM plugin (we use Jira here) will it work as expected?
>>> By expected I mean will the assignments and unassignments work
>>> properly?
>>> The projections will be deleted upon unassignments?
>>> ITSM plugin is the right way to notify operators?
>>>
>>>
>>> Thanks for reading the entire email, I know it's huge ;)
>>>
>>> Regards,
>>> Alexandre
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>> --
>> Brandon Powers
>> Exclamation Labs
>> 300 Washington Street
>> Cumberland, MD 21502
>> 888.545.5008 or 301.722.5008 ext 144
>> fax 301.722.2183
>> brandon at exclamationlabs.com
>> www.exclamationlabs.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
>
> Alexandre Roberto Zia
>
> *Security*
>
> *TEL:* +55 (11) 3634-3360
>
> www.ifood.com.br
>
>
>
>
> <https://itunes.apple.com/br/app/ifood-delivery-e-entrega-comida/id483017239?mt=8>
> <https://play.google.com/store/apps/details?id=br.com.brainweb.ifood>
> <https://www.facebook.com/iFood?fref=ts> <https://twitter.com/iFood>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
--
Brandon Powers
Exclamation Labs
300 Washington Street
Cumberland, MD 21502
888.545.5008 or 301.722.5008 ext 144
fax 301.722.2183
brandon at exclamationlabs.com
www.exclamationlabs.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180912/8a9cad00/attachment.htm>
More information about the midPoint
mailing list