[midPoint] How to actualize an account based on parentOrgRef

Yakov Revyakin yrevyakin at gmail.com
Tue Apr 5 14:14:14 CEST 2022


Thank you Fabian,
I will take a look at triggers.

About your second option:
A user already has an appropriate role auto-assigned. During
role assignment the role created an AD account based on the parentOrgRef set
previously. Afterwards, I reconcile the user and assign another org instead of
the one mentioned before. As a result, the user still has the same AD account
based on data from the first org. So, after this reconciliation I have an
inconsistency: parentOrgRef is updated but the AD account isn't. I could
probably check the equivalence of parentOrgRef and assignment.targetRef
somewhere in a condition, but I am afraid I can get a role or account revoked.




On Tue, 5 Apr 2022 at 14:29, Fabian Noll-Dukiewicz <
fabian.noll-dukiewicz at fndit.de> wrote:

> Hi Yakov,
>
> I think you have multiple options to handle this requirement, but it
> depends on your configuration. In my mind you can use a trigger to start a
> recomputation of the affected user. (Take a look at linked objects:
> https://docs.evolveum.com/midpoint/reference/synchronization/linked-objects/
> )
> Another possibility is to separate the two things: first set the
> parentOrgRef in resource synchronization, and second do the account creation
> (e.g. based on role assignment) in an object template or by automatic role
> assignment.
>
> Hope to give you some hints to make some progress.
>
> Kind regards,
> Fabian
>
> ------------------------------
> *From:* Yakov Revyakin <yrevyakin at gmail.com>
> *Sent:* Monday, 4 April 2022 16:42
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] How to actualize an account based on
> parentOrgRef
>
> Can someone help with my question?
> To actualize a user's AD account I run reconciliation with the user's HR
> source twice: first - to assign a parent org to the user, second - to
> create an account based on the parent org (because parentOrgRef is empty
> during first run).
> Is it possible to configure the same effect running reconciliation only
> once?
> Thanks,
> J
>
> On Sun, 3 Apr 2022 at 19:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
> Hi,
>
> AD schemaHandling recalculates the user's AD account DN based on the value of
> parentOrgRef. If I assign another org instead of the previous one, the
> recalculation doesn't happen because, as I understand, parentOrgRef gets its
> updated value after the phase when MP calculates projections. So, I need to
> reconcile the user additionally to actualize the AD account.
> Is this the right suggestion?
> Can I manage this situation to have an actual state during a single import
> excluding extra recon?
> Thanks,
> J
>
>
>