[midPoint] How can I synchronize users from the authoritative resource where the user is currently active?
fthul c
0xfthul at gmail.com
Thu May 4 01:31:36 CEST 2023
Hello,
I'm evaluating midpoint (I'm new to IDMs in general) and I'm having trouble
getting midpoint to work as follows:
I have two authoritative resources for users:
A trainee system (TS)
An outsourced employee system (OES)
Someone can exist and be active in the trainee system or can exist an be
active in the outsourced employee system, but cannot be active at both
systems at the same time (including begin/end dates). Some attributes can
be a little different (for example, the person's name, organizational unit,
phone, etc), and I would like to synchronize only the attributes from the
resource in which the identity is active.
Sorry if my question is too basic, but how could I configure midpoint to
work with this policy?
I've tried to create 2 "radio button" roles: trainee and outsourced and I
could make only one of them be assigned.
My problem here was with synchronization, since midpoint kept updating the
name based on the resource in which the user was disabled.
Sometimes it worked, but the history for the identity started to grow with
each synchronization execution, because resources were "competing" to
update the attributes.
I tried to use defaultAuthoritativeSource (and multisourced fields), but
I'm having difficulty with the selection of the resource in which the
identity is currently active.
My defaultAuthoritativeSource configuration (below) doesn't work properly.
<multiSource>
<defaultAuthoritativeSource>
<expression>
<script>
<code>
import com.evolveum.midpoint.util.MiscUtil
import com.evolveum.midpoint.prism.delta.*
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.util.DebugUtil
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
import com.evolveum.midpoint.util.exception.*
if(identity == null){
return null
}
def RESOURCE_TRAINEE = '466c4e70-ed4b-48f6-8842-99f8c12f9d9d'
def RESOURCE_OUTSOURCED =
'82f6b6cf-eaf2-45e1-9e27-5349279248c2'
def res = [RESOURCE_TRAINEE, RESOURCE_OUTSOURCED]
// trying to find what is the resource in which the user is
active
def sources = identity
.collect { it.source }
.findAll { source ->
res.contains(source?.resourceRef?.oid) }
.findAll { source ->
midpoint.getObject(ShadowType.class, source.shadowRef.oid)?.isExists() }
if (sources?.size() == 1) {
// found only one, return it
return sources.get(0)
}
if (sources?.size() > 1) {
throw new PolicyViolationException("The identity is
active in multiple authoritative resources")
}
return null
</code>
</script>
</expression>
</defaultAuthoritativeSource>
</multiSource>
The code above seems to work initially, but fails when I execute these
steps:
1) I manually import the user from the trainee resource
2) I delete the user in the trainee resource
3) I run reconciliation for the user, and he becomes disabled
4) I manually import the user from the outsourced employee resource
5) he is correctly updated and is not a trainee anymore
6) I create the user again in the trainee resource
7) in this moment, when I try to manually import the trainee again,
midpoint allows (shouldn't it throw the exception I programmed in the
defaultAuthoritativeSource?)
Does anyone know what I'm doing wrong?
Additionally, in the code above I tried to interrupt the execution when I
detected that the identity existed in multiple resources with an exception
(is it done this way?).
Thanks in advance and sorry if my question is too basic!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230503/27b0c8b7/attachment.htm>
More information about the midPoint
mailing list