[midPoint] How to actualize an account based on parentOrgRef

Fabian Noll-Dukiewicz fabian.noll-dukiewicz at fndit.de
Tue Apr 5 20:47:19 CEST 2022


I have one more idea: If you want the AD account to be reprovisioned to the backend, you can add parentOrgRef as a source of an outbound mapping. If the attribute is added or changed on a user having an AD account, it would change your AD data.

Maybe you can show us some sample data for a better understanding of what your use case is.

Kind regards,
Fabian
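As an added illustration of the outbound-mapping idea above (this is an example written for this page, not configuration from the thread or from the midPoint project), the following schemaHandling fragment computes the AD account DN from the user's parentOrgRef. Because parentOrgRef is declared as a source of the mapping, a change of the user's parent org makes midPoint re-evaluate the mapping and reprovision the DN on the next recompute of that user. The attribute name ri:dn, the OU layout OU=<org name>,OU=People,DC=example,DC=com, and the use of the org's name as the OU are assumptions for the example, and the script uses the midPoint function library calls midpoint.getObject and basic.stringify.

```xml
<!-- Example added for illustration; not taken from the mailing-list thread.
     Assumptions: the DN attribute is ri:dn, the AD tree is
     CN=<user name>,OU=<org name>,OU=People,DC=example,DC=com, and the
     midPoint org's name equals the OU name. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:user</objectClass>
        <attribute>
            <ref>ri:dn</ref>
            <outbound>
                <!-- strong: midPoint enforces the computed DN even if AD holds a different one -->
                <strength>strong</strength>
                <!-- parentOrgRef as a source: a change of the parent org triggers re-evaluation -->
                <source>
                    <path>parentOrgRef</path>
                </source>
                <source>
                    <path>name</path>
                </source>
                <expression>
                    <script>
                        <code>
                            // parentOrgRef is null while the user is not yet in any org
                            // (e.g. during the first synchronization run), so no DN can
                            // be computed and the mapping produces no value.
                            if (parentOrgRef == null) {
                                return null
                            }
                            // Resolve the org to read its name (assumed to be the OU name).
                            def org = midpoint.getObject(OrgType.class, parentOrgRef.oid)
                            def ou = basic.stringify(org.name)
                            return 'CN=' + basic.stringify(name) + ',OU=' + ou + ',OU=People,DC=example,DC=com'
                        </code>
                    </script>
                </expression>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
```

Two caveats for anyone adapting this: parentOrgRef can hold several values if a user belongs to more than one org, in which case the script is evaluated per value and a single-valued DN would receive more than one candidate, so restrict the source or select one org explicitly; and a strong mapping on the DN means midPoint will move (rename) the AD object whenever the org changes, so make sure the connector account has the rights to do that and that downstream systems tolerate the rename.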

From: Yakov Revyakin <yrevyakin at gmail.com>
Date: Tuesday, 5 April 2022 at 14:14
To: Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at fndit.de>
Cc: MidPoint Mailing List <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] How to actualize an account based on parentOrgRef

Thank you Fabian,
I will take a look at triggers.

About your second option:
A user already has an appropriate role auto-assigned. During role assignment the role created an AD account based on the parentOrgRef set previously. Afterwards, I reconcile the user and assign another org instead of the one mentioned before. As a result the user still has the same AD account based on data from the first org. So, after this reconciliation I have an inconsistency: parentOrgRef is updated but the AD account isn't. I could probably check the equivalence of parentOrgRef and assignment.targetRef somewhere in a condition, but I am afraid I could get a role or account revoked.

On Tue, 5 Apr 2022 at 14:29, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at fndit.de> wrote:
Hi Yakov,

I think you have multiple options to handle this requirement, but it depends on your configuration. In my mind you can use a trigger to start a recomputation of the affected user (take a look at linked objects: https://docs.evolveum.com/midpoint/reference/synchronization/linked-objects/).
Another possibility is to separate the two things: first, set the parentOrgRef in resource synchronization and, second, do the account creation (e.g. based on role assignment) in the object template or by automatic role assignment.

I hope this gives you some hints to make some progress.

Kind regards,
Fabian

________________________________
From: Yakov Revyakin <yrevyakin at gmail.com>
Sent: Monday, 4 April 2022 16:42
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] How to actualize an account based on parentOrgRef

Can someone help with my question?
To actualize a user's AD account I run reconciliation with the user's HR source twice: first - to assign a parent org to the user, second - to create an account based on the parent org (because parentOrgRef is empty during first run).
Is it possible to configure the same effect running reconciliation only once?
Thanks,
J

On Sun, 3 Apr 2022 at 19:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
Hi,

AD schemaHandling recalculates the user's AD account DN based on the value of parentOrgRef. If I assign another org instead of the previous one, the recalculation doesn't happen because, as I understand, parentOrgRef gets the updated value after the phase in which MP calculates projections. So, I need to reconcile the user additionally to actualize the AD account.
Is this the right suggestion?
Can I manage this situation to have an actual state during a single import excluding extra recon?
Thanks,
J

