[midPoint] How to actualize an account based on parentOrgRef

Yakov Revyakin yrevyakin at gmail.com
Tue Apr 5 22:32:43 CEST 2022


Below my mapping for AD user's DN:

<attribute>
    <ref>ri:dn</ref>
    <outbound>
        <strength>strong</strength>
        <!-- sources: the user's parent org reference and full name -->
        <source>
            <path>parentOrgRef</path>
        </source>
        <source>
            <path>fullName</path>
        </source>
        <expression>
            <script>
                <code>
                    // resolve the org object the reference points to
                    OrgType link = midpoint.getOrgByOid(parentOrgRef.oid);
                    return basic.composeDn( . . .);
                </code>
            </script>
        </expression>
        <!-- the mapping is only applied when the user has a parent org -->
        <condition>
            <script>
                <code>
                    return parentOrgRef != null;
                </code>
            </script>
        </condition>
    </outbound>
</attribute>

And a simple role with the user's AD account:

<role>
    <name>User IT Role</name>
    <inducement>
        <construction>
            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
        </construction>
    </inducement>
</role>

I am expecting that if I import an updated user with a new org:
1) the new org will be assigned instead of the old one (this works; I use
assignmentTargetSearch and createOnDemand with populateObject in the
UserObjectTemplate);
2) the AD account will be updated based on the new org's attributes (this
doesn't work; I need to run an extra recon to actualize the AD account).


On Tue, 5 Apr 2022 at 21:47, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at fndit.de> wrote:

> I have one more idea: If you want the AD account to be reprovisioned to
> the backend, you can add parentOrgRef as an outbound mapping. If the attribute
> is added or changed on a user having an AD account, it would change your
> AD data.
>
> Maybe you can show us some sample data for a better understanding of what
> is your use case.
>
> Kind regards,
>
> Fabian
>
> *From: *Yakov Revyakin <yrevyakin at gmail.com>
> *Date: *Tuesday, 5 April 2022 at 14:14
> *To: *Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at fndit.de>
> *Cc: *MidPoint Mailing List <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] How to actualize an account based on parentOrgRef
>
> Thank you Fabian,
>
> I will take a look at triggers.
>
> About your second option:
>
> A user already has an appropriate role auto-assigned. During
> role assignment the role created an AD account based on the parentOrgRef set
> previously. Afterwards, I reconcile the user and assign another org instead of
> the one mentioned before. As a result, the user still has the same AD account
> based on data from the first org. So, after this reconciliation I have an
> inconsistency: parentOrgRef is updated but the AD account isn't. I could
> probably check the equivalence of parentOrgRef and assignment.targetRef
> somewhere in a condition, but I am afraid I could get a role or account revoked.
>
> On Tue, 5 Apr 2022 at 14:29, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at fndit.de> wrote:
>
> Hi Yakov,
>
>
> I think you have multiple options to handle this requirement, but it
> depends on your configuration. In my mind you can use a trigger to start a
> recomputation of the affected user (take a look at linked objects:
> https://docs.evolveum.com/midpoint/reference/synchronization/linked-objects/).
>
> Another possibility is to separate the two things: first, set the
> parentOrgRef in resource synchronization, and second, do the account creation
> (e.g. based on role assignment) in the object template or by automatic role
> assignment.
>
> Hope this gives you some hints to make some progress.
>
> Kind regards,
>
> Fabian
>
> ------------------------------
>
> *From:* Yakov Revyakin <yrevyakin at gmail.com>
> *Sent:* Monday, 4 April 2022 16:42
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] How to actualize an account based on parentOrgRef
>
> Can someone help with my question?
>
> To actualize a user's AD account I run reconciliation with the user's HR
> source twice: first, to assign a parent org to the user; second, to
> create an account based on the parent org (because parentOrgRef is empty
> during the first run).
>
> Is it possible to configure the same effect running reconciliation only
> once?
>
> Thanks,
>
> J
>
> On Sun, 3 Apr 2022 at 19:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
> Hi,
>
> The AD schemaHandling recalculates the user's AD account DN based on the value of
> parentOrgRef. If I assign another org instead of the previous one, the
> recalculation doesn't happen because, as I understand, parentOrgRef gets its
> updated value after the phase in which MP calculates projections. So, I need to
> reconcile the user additionally to actualize the AD account.
>
> Is this the right suggestion?
>
> Can I manage this situation to have an actual state during a single import
> excluding extra recon?
>
> Thanks,
>
> J
>
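A fuller version of the ri:dn outbound mapping discussed in this thread, added here as an illustration; it is not code from the original posts or from the midPoint project. It assumes (my assumptions, not the poster's) an AD suffix of dc=example,dc=com, that users are placed in an OU named after their parent org, and that cn is the user's fullName. `midpoint.getOrgByOid`, `basic.composeDn` and `basic.stringify` are midPoint's own expression-library functions. The point of building the DN with composeDn from attribute/value pairs, rather than concatenating strings, is that RDN values are escaped, so an org or user name containing characters such as `,` or `+` cannot change the structure of the resulting DN; the expression also returns null for a dangling parentOrgRef instead of producing a broken DN.

```xml
<!-- Added illustration, not the original poster's configuration.
     Assumed: suffix dc=example,dc=com, ou = parent org name, cn = fullName. -->
<attribute>
    <ref>ri:dn</ref>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>parentOrgRef</path>
        </source>
        <source>
            <path>fullName</path>
        </source>
        <expression>
            <script>
                <code>
                    // resolve the org object the reference points to
                    OrgType org = midpoint.getOrgByOid(parentOrgRef.oid)
                    if (org == null) {
                        // dangling reference: yield no DN rather than a malformed one
                        return null
                    }
                    // composeDn takes attribute/value pairs; values are escaped,
                    // so a name containing ',' or '+' cannot alter the DN structure
                    return basic.composeDn(
                        'cn', basic.stringify(fullName),
                        'ou', basic.stringify(org.name),
                        'dc', 'example',
                        'dc', 'com')
                </code>
            </script>
        </expression>
        <condition>
            <script>
                <code>
                    // both sources must be present for the DN to be computed
                    if (parentOrgRef == null) {
                        return false
                    }
                    return fullName != null
                </code>
            </script>
        </condition>
    </outbound>
</attribute>
```

This only hardens the DN computation itself; it does not change the ordering issue described in the thread (parentOrgRef being updated after projections are computed in the same run), which is what the trigger and linked-objects suggestions above address.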