[midPoint] linking an existing account on a resource on midpoint 4.4.8

iam-mailing at tk.de iam-mailing at tk.de
Fri Nov 29 12:31:37 CET 2024 

Hello,

in your construction inducement you can set the strength for the actual construction to "weak". The association would only be created if the account is already there, so you would need to reconcile the accounts regularly or configure a live sync if possible.

Example:

<construction>
            <strength>weak</strength>
            <resourceRef oid="..." relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>account-intent</intent>
            <association>
                <c:ref>ri:GroupObjectClass</c:ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>

To prevent midpoint from trying to delete the account if the last role gets removed or the user gets deleted you could add an existence mapping: https://docs.evolveum.com/midpoint/reference/support-4.9/resources/resource-configuration/schema-handling/activation/#existence-mapping


Kind Regards
Emil Militzer 
__________________________ 
Techniker Krankenkasse 
Unternehmenszentrale 

emil.militzer at tk.de <mailto:emil.militzer at tk.de> 







Am 15.11.24, 18:38 schrieb "midPoint im Auftrag von Ashwill, Steven L via midPoint" <midpoint-bounces at lists.evolveum.com <mailto:midpoint-bounces at lists.evolveum.com> im Auftrag von midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>>:




------------------------------------------------------------------------------


I have a resource that we do not have create or delete capabilities, only update.
The issue I'm having is when we are informed that there is a new account on the resource and I add the role that induces the projection midpoint is trying to create the account instead of just linking it to the existing account. What am I missing.
Below is my xml for sync on the resource.




<synchronization>
<objectSynchronization>
<name>default sync</name>
<objectClass>ri:AccountObjectClass</objectClass>
<kind>account</kind>
<focusType>c:UserType</focusType>
<enabled>true</enabled>
<correlation>
<q:equal xmlns="">
<q:path>c:employeeNumber</q:path>
<expression>
<script>
<code>
String empNo = basic.getAttributeValue(account, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3' <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'>, 'uin');
return empNo;
</code>
</script>
</expression>
</q:equal>
</correlation>
<reconcile>true</reconcile>
<opportunistic>true</opportunistic>
<reaction>
<situation>linked</situation>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-2#modifyUser</handlerUri> <http://midpoint.evolveum.com/xml/ns/public/model/action-2#modifyUser</handlerUri>>
</action>
</reaction>
<reaction>
<situation>deleted</situation>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-2#unlinkAccount</handlerUri> <http://midpoint.evolveum.com/xml/ns/public/model/action-2#unlinkAccount</handlerUri>>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-2#linkAccount</handlerUri> <http://midpoint.evolveum.com/xml/ns/public/model/action-2#linkAccount</handlerUri>>
</action>
</reaction>
</objectSynchronization>
</synchronization>
















STEVEN L ASHWILL
Software Engineer Coordinator
Administrative Information Technology Services
University of Illinois at Urbana-Champaign
50 Gerty Drive | M/C 673
Champaign, IL 61820
217.265.6337 | sashwill at uillinois.edu <mailto:sashwill at uillinois.edu>
www.aits.uillinois.edu
Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure. 












_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint <https://lists.evolveum.com/mailman/listinfo/midpoint>

More information about the midPoint mailing list