[midPoint] DatabaseTableConnector organization structure sync

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Wed May 13 10:01:46 CEST 2020


Hi Merve,

Your organizations may have more than one parent? I guess not, that would
make a very unusual organization structure.

Suppose each midPoint organization has an id in extension/org_id and knows
its one and only parent id in extension/parent_id. Then a mapping like

    <mapping>
        <source>
            <path>$focus/extension/parent_id</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:OrgType</targetType>
                <filter>
                    <q:equal>
                        <q:path>extension/org_id</q:path>
                        <expression>
                            <script><code>parent_id</code></script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>$focus/assignment</path>
        </target>
    </mapping>

in the organization template assigns the organization as a member of an *existing*
parent organization. When you reconcile your organizations in a random
order and not in parent-first-child-next order (as you do), the parent
organization may not be created yet, the mapping can't find the parent and
child organizations keep dangling in the air (visible as many fake 'root'
orgs in the GUI). That's why you need to recompute all the orgs one more time
when all parent orgs are guaranteed to exist - after reconciling them
first.

I briefly checked your org template and you seem to mix parent and child
ids sometimes, e.g. the 'Add Organization' mapping tries to assign parents
(I guess) by this filter

    <filter>
        <q:equal>
            <q:path>c:identifier</q:path>
            <expression>
                <script>
                    <code>org_id</code>
                </script>
            </expression>
        </q:equal>
    </filter>

where org_id is extension/identifier. Shouldn't you be comparing *parent_id*
instead? You seem to be on the right path in the end .)

arnost

On Tue, 12 May 2020 at 21:26, mceylan <mrveceylan at gmail.com> wrote:

> Hi Arnost,
>
> Hi, do I have to define all parent ones in filter one by one? What will be
> added later? and how can I do this?
>
> On Tue, 12 May 2020 at 20:03, Arnošt Starosta - AMI Praha a.s.
> <arnost.starosta at ami.cz> wrote:
>
>> Hi Merve,
>>
>> you may load the parent org id to each organization in midPoint with
>> an ordinary resource inbound mapping to an extension attribute. Then create
>> the assignment from the organization to its parent org in the org template by
>> using the parent id in the filter, like this
>>
>> https://wiki.evolveum.com/display/midPoint/Automatic+Role+Assignment+HOWTO
>>
>> Do the same for users and their parent orgs.
>>
>> During the first organization import the parent org may not exist yet (it
>> may be processed and created after the child org), that's why you need to
>> recompute the orgs a second time to get all parent assignments working.
>>
>> good luck
>>
>> arnost
>>
>>
>>
>>
>> On Tue, 12 May 2020 at 16:33, mceylan <mrveceylan at gmail.com> wrote:
>>
>>> Hi Gustav, Thanks for your answer
>>>
>>> It did not improve when I imported twice. I didn't understand that.
>>> There are users in the database table and there is also identifier and
>>> parent information in their information. Users are sorted, for example, by
>>> employeeNumber. But unfortunately, the organization name, identifier and
>>> parent_id in their columns are not sequential. What do I have to do in this
>>> situation?
>>>
>>> On Tue, 12 May 2020 at 16:57, Pálos Gustáv <gustav.palos at gmail.com>
>>> wrote:
>>>
>>>> Hi mceylan,
>>>>
>>>> You need organizations in the right order (from bottom to top), and I
>>>> prefer not using createOnDemand, just create orgs with linked shadows
>>>> & strong assignmentTargetSearch.
>>>> If you have them in the wrong order, you need to import "twice", first just
>>>> create orgs and assign what you already have, and on the second round create
>>>> assignments to missing parents from the first run.
>>>>
>>>> best regards,
>>>>
>>>> Gustav
>>>>
>>>>
>>>> On Tue, 12 May 2020 at 15:15, mceylan <mrveceylan at gmail.com> wrote:
>>>>
>>>>> I made it as the attached source. I added the user template in the
>>>>> file. This way the organizational tree is created, but parent_id and
>>>>> identifier get mixed. So some don't occur under child parent. It occurs as
>>>>> a side tab. I couldn't figure it out.
>>>>>
>>>>> On Tue, 12 May 2020 at 15:57, Ivan Noris <ivan.noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> nothing special. Just use them as AccountObjectClass from the
>>>>>> connector and link them to corresponding objects in midPoint (e.g.
>>>>>> Organizations).
>>>>>>
>>>>>> Ivan
>>>>>> On 12. 5. 2020 14:55, mceylan wrote:
>>>>>>
>>>>>> Thanks for the answer, Ivan. So what should I do to pull the
>>>>>> organizational units from DB Table resource and create and synchronize the
>>>>>> organization tree in midpoint according to parent id and identifier?
>>>>>>
>>>>>> On Tue, 12 May 2020 at 14:30, Ivan Noris <ivan.noris at evolveum.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I think DB Table connector supports only AccountObjectClass.
>>>>>>>
>>>>>>> Ivan
>>>>>>>
>>>>>>>
>>>>>>> On 12. 5. 2020 13:06, mceylan wrote:
>>>>>>>
>>>>>>> I get the following error when I set
>>>>>>> CustomorganizationalUnitObjectClass as database resource object class. What
>>>>>>> would be the reason?
>>>>>>>
>>>>>>> Error:No objectclass specified and no default can be determined
>>>>>>>
>>>>>>> <default>true</default>
>>>>>>> When I do, I get the following error.
>>>>>>>
>>>>>>> Internal error: Got unexpected exception:
>>>>>>> java.lang.IllegalArgumentException: Operation requires an Account
>>>>>>> ObjectClass.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> <schemaHandling>
>>>>>>>       <objectType id="1">
>>>>>>>          <kind>generic</kind>
>>>>>>>          <default>false</default>
>>>>>>>          <objectClass>ri:CustomorganizationalUnitObjectClass</objectClass>
>>>>>>>          <attribute id="2">
>>>>>>>             <c:ref>icfs:uid</c:ref>
>>>>>>>             <displayName>Entry UUID</displayName>
>>>>>>>             <limitations>
>>>>>>>                <access>
>>>>>>>                   <read>true</read>
>>>>>>>                </access>
>>>>>>>             </limitations>
>>>>>>>          </attribute>
>>>>>>>          <attribute id="3">
>>>>>>>             <c:ref>icfs:name</c:ref>
>>>>>>>             <displayName>Name</displayName>
>>>>>>>             <limitations>
>>>>>>>                <minOccurs>0</minOccurs>
>>>>>>>                <access>
>>>>>>>                   <read>true</read>
>>>>>>>                   <add>true</add>
>>>>>>>                   <modify>true</modify>
>>>>>>>                </access>
>>>>>>>             </limitations>
>>>>>>>             <inbound id="24">
>>>>>>>                <target>
>>>>>>>                   <c:path>$user/employeeNumber</c:path>
>>>>>>>                </target>
>>>>>>>             </inbound>
>>>>>>>             <inbound id="43">
>>>>>>>                <target>
>>>>>>>                   <c:path>$user/name</c:path>
>>>>>>>                </target>
>>>>>>>             </inbound>
>>>>>>>          </attribute>
>>>>>>>          <attribute id="15">
>>>>>>>             <c:ref>ri:parent_id</c:ref>
>>>>>>>             <inbound id="16">
>>>>>>>                <target>
>>>>>>>                   <c:path>$user/extension/parent_id</c:path>
>>>>>>>                </target>
>>>>>>>             </inbound>
>>>>>>>          </attribute>
>>>>>>>          <attribute id="37">
>>>>>>>             <c:ref>ri:identifier</c:ref>
>>>>>>>             <inbound id="39">
>>>>>>>                <target>
>>>>>>>                   <c:path>$user/extension/identifier</c:path>
>>>>>>>                </target>
>>>>>>>             </inbound>
>>>>>>>          </attribute>
>>>>>>>          <attribute id="32">
>>>>>>>             <c:ref>ri:organization_name</c:ref>
>>>>>>>             <inbound id="33">
>>>>>>>                <target>
>>>>>>>                   <c:path>$user/extension/organizationname</c:path>
>>>>>>>                </target>
>>>>>>>             </inbound>
>>>>>>>          </attribute>
>>>>>>>          <activation>
>>>>>>>             <administrativeStatus>
>>>>>>>                <outbound id="5"/>
>>>>>>>                <inbound id="6">
>>>>>>>                   <strength>weak</strength>
>>>>>>>                </inbound>
>>>>>>>             </administrativeStatus>
>>>>>>>          </activation>
>>>>>>>       </objectType>
>>>>>>>    </schemaHandling>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>>
>>>>>>> --
>>>>>>> Ivan Noris
>>>>>>> Senior Identity Engineer
>>>>>>> evolveum.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Merve CEYLAN
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Merve CEYLAN
>>>>>
>>>>
>>>>
>>>> --
>>>> with regards
>>>>
>>>> Gustáv Pálos
>>>>
>>>
>>>
>>> --
>>> Merve CEYLAN
>>>
>>
>>
>> --
>>
>> *Arnošt Starosta*
>> solution architect
>>
>> gsm: [+420] 603 794 932
>> e‑mail: arnost.starosta at ami.cz
>>
>> *AMI Praha a.s.*
>> Pláničkova 11, 162 00 Praha 6
>>
>> tel.: [+420] 274 783 239 | web: www.ami.cz
>>
>>
>
>
> --
> Merve CEYLAN
>


-- 

*Arnošt Starosta*
solution architect

gsm: [+420] 603 794 932
e‑mail: arnost.starosta at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz

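The ordering effect described in the top message of this thread, as an added example that is not part of the original e-mails and is not midPoint code: a simplified Python model in which a child org gets its parent only if that parent already exists when the search runs. The rows, ids and function names are constructed for illustration; the model also separates orgs that a second recompute pass fixes from rows whose parent_id matches no org_id, which no number of passes will fix.

```python
# Simplified model of the ordering effect; constructed data, not midPoint code.
ROWS = [            # (org_id, parent_id) in the order the rows are processed
    ("30", "20"),   # parent 20 is created later
    ("20", "10"),   # parent 10 is created later
    ("10", None),   # the real root
    ("40", "10"),   # parent already exists
    ("50", "99"),   # parent_id matches no org_id at all
]

def link_pass(rows, created, parent_of):
    """Evaluate the parent search once per row against the orgs in `created`."""
    for org_id, parent_id in rows:
        if parent_id is not None and parent_id in created:
            parent_of[org_id] = parent_id
    return parent_of

def reconcile(rows):
    """First pass: create orgs one by one; a parent is found only if it
    was created earlier in the same run."""
    created, parent_of = set(), {}
    for row in rows:
        created.add(row[0])
        link_pass([row], created, parent_of)
    return created, parent_of

def fake_roots(rows, parent_of):
    """Orgs that carry a parent_id but ended up without a parent."""
    return sorted(o for o, p in rows if p is not None and o not in parent_of)

def parent_first(rows):
    """Return (ordered, unresolved): parents before children, plus rows whose
    parent_id is missing from the data or part of a cycle."""
    ordered, done, pending = [], set(), list(rows)
    while pending:
        ready = [r for r in pending if r[1] is None or r[1] in done]
        if not ready:
            break
        ordered += ready
        done.update(o for o, _ in ready)
        pending = [r for r in pending if r not in ready]
    return ordered, pending

if __name__ == "__main__":
    created, parent_of = reconcile(ROWS)
    print("after reconcile:", fake_roots(ROWS, parent_of))
    link_pass(ROWS, created, parent_of)          # the recompute pass
    print("after recompute:", fake_roots(ROWS, parent_of))
    print("bad parent_id rows:", parent_first(ROWS)[1])
```

Any org still listed after the second pass points at a parent_id that does not exist in the source table, so the data (or a mixed-up id column) needs fixing rather than another recompute.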