[midPoint] creating my first connector - unable to comprehend group management
Odd Arne Beck
oddbeck at gmail.com
Sat Mar 1 01:21:27 CET 2025
Thanks Jean for your reply.
I've gotten it to work, and thanks to your reply it verified for me that I
was on the right track. I am using associations but it was quite hard to
understand how it all connects together with all the attributes.
I'm sort of in a catch22 situation, I believe that midPoint could be a very
good asset for my company, but I need to demo it for them it on order for
them to possibly see value in it, which means there is no chance I get
funding for any of the courses through Evolveum, which in turn makes it
hard for me to be able to demo it properly so they see the potential and
can fund a course for me 😵💫
This means I've got to spend my free time to do all this reading and
figuring out how to do all of it.
I really appreciate your quick response Jean, and I wish you all a
fantastic weekend 😎
tor. 27. feb. 2025, 13:36 skrev Jean Michel via midPoint <
midpoint at lists.evolveum.com>:
> Hello Beck,
>
> I hope you well.
>
> I've used two ways to achieved assign and unassign user access from a
> group using the connID framework.
>
> 1. Without association configured: Creating a multi-valued attribute on
> Account object, this attribute contains all access/groups where the user
> is member of. In your connector code, You can identify when this
> specific attribute is changed by Midpoint, and then perform the
> revoke/assign based on the type of operation, it will be defined by the
> Set of AttributeDelta parameter in the updateDelta method. This
> multi-valued attribute must contain the access/group UID and then you
> can perform insert/remove the user, using his userID
>
> 2. With association configured: In this case, you will create a
> multi-valued attribute inside the Group/Access object, this attribute
> contains all members UIDs from this group. When Midpoint send to your
> connector a new assign, it will put the user UID as value to Add, and
> will pass this inside the Set of AttributeDelta. The same way it happens
> for revoke access, however Midpoint will send the user ID as value to
> Remove.
>
> There is an snippet of a method that assign or unassign users from a
> group when you have association configured on midpoint, you can see this
> below:
>
> public void assignOrUnassignUser(Uid uid, Set<AttributeDelta> set) {
> set.forEach(delta -> {
> List<Object> valuesToAdd = delta.getValuesToAdd();
>
> if (valuesToAdd != null) {
> String attrName = delta.getName();
> for (Object value: valuesToAdd) {
> if (attrName.equals(SchemaHandler.ROLE_MEMBERS)) {
> // ROLE_MEMBERS is the name of my multi-valued attribute on my Group
> Schema, that contains all members UIDs for the group
> LOG.info("Adding value {0} to attribute {1}",
> value, attrName);
> assignRole(uid.getUidValue(),
> value.toString()); // uid is the group UID, value is the account/user UID
> }
> }
> }
> });
>
> set.forEach(delta -> {
> List<Object> valuesToRemove = delta.getValuesToRemove();
>
> if (valuesToRemove != null) {
> String attrName = delta.getName();
> for (Object value: valuesToRemove) {
> if (attrName.equals(SchemaHandler.ROLE_MEMBERS)) {
> LOG.info("Removing value {0} to attribute {1}",
> value, attrName);
> unassignRole(uid.getUidValue(),
> value.toString()); // uid is the group UID, value is the account/user UID
> }
> }
> }
> });
> }
>
> The assignOrUnassign method is called from updateDelta method from main
> Connector class, it's only for assign and revoke operations.
>
> I hope this can help you on your development.
>
> If you have any question, please let me know.
>
> My best regards
>
> --
> Jean Michel S. A. dos Santos
> +55 (51) 4042-8153 / +55 (51) 3984-2645
> https://www.ebz.tec.br/
>
> Em 27/02/2025 06:17, midpoint-request at lists.evolveum.com escreveu:
> > Send midPoint mailing list submissions to
> > midpoint at lists.evolveum.com
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> > or, via email, send a message with subject or body 'help' to
> > midpoint-request at lists.evolveum.com
> >
> > You can reach the person managing the list at
> > midpoint-owner at lists.evolveum.com
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of midPoint digest..."
> >
> >
> > Today's Topics:
> >
> > 1. Re: limiting livesync AD work (Matus Macik)
> > 2. Override default approval policy (Jussi Jokela)
> > 3. creating my first connector - unable to comprehend group
> > management (Odd Arne Beck)
> > 4. Table Layout Adjustment for Better Clarity, MidPoint 4.8
> > (Puchta Jaroslav Ing.)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Wed, 26 Feb 2025 16:04:01 +0100 (CET)
> > From: Matus Macik <matus.macik at evolveum.com>
> > To: midPoint General Discussion <midpoint at lists.evolveum.com>
> > Subject: Re: [midPoint] limiting livesync AD work
> > Message-ID:
> > <1801336681.320368.1740582241827.JavaMail.zimbra at evolveum.com>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hello,
> >
> > This behavior can be achieved as mentioned, via the Synchronization >
> Reaction configuration of the object class you wish to limit.
> > In the reaction to a synchronization situation, you can specify the
> channel to which this reaction is limited. In your case, we can use the
> "objectImport" channel in reaction to the "linked" situation.
> >
> > The configuration snipped could look somewhat like this:
> >
> > <synchronization>
> > <reaction>
> > <situation>unmatched</situation>
> > <actions>
> > <addFocus/>
> > </actions>
> > </reaction>
> > <reaction>
> > <situation>unlinked</situation>
> > <actions>
> > <link/>
> > </actions>
> > </reaction>
> > <reaction>
> > <situation>linked</situation>
> > <channel>
> http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport
> </channel>
> > <actions>
> > <synchronize/>
> > </actions>
> > </reaction>
> > </synchronization>
> >
> > With this configuration present, the execution of a reconciliation or
> LiveSync task should end up with the requested result.
> >
> > Please have a look in our documentation regarding channels:
> https://docs.evolveum.com/midpoint/reference/support-4.9/resources/resource-configuration/schema-handling/synchronization/
> >
> > Additionally, could you provide a more specific example of the use case
> you have in mind? Maybe there is an alternative solution or approach.
> >
> > Best Regards,
> >
> > Mat?? Mac?k | Identity and Access Management Engineer
> >
> > [ https://evolveum.com/ ]
> > [ mailto:matus.macik at evolveum.com | matus.macik at evolveum.com ] | [
> http://www.evolveum.com/ | www.evolveum.com ]
> > [ https://evolveum.com/upcoming-events/ | ]
> >
> > [ https://www.linkedin.com/company/evolveum ] [
> https://twitter.com/evolveum ] [ https://www.facebook.com/evolveum ]
> >
> >
> > Disclaimer: The contents of this e-mail and attachment(s) thereto are
> confidential and intended for the named recipient(s) only. It shall not
> attach any liability on the originator or Evolveum s.r.o. or its
> affiliates. Any views or opinions presented in this email are solely those
> of the author and may not necessarily reflect the opinions of Evolveum
> s.r.o. or its affiliates. Any form of reproduction, dissemination, copying,
> disclosure, modification, distribution and / or publication of this message
> without the prior written consent of the author of this e-mail is strictly
> prohibited. If you have received this email in error please delete it and
> notify the sender immediately.
> >
> > ----- Original Message -----
> > From: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> > To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> > Cc: "mikhail.nikolaenko" <mikhail.nikolaenko at proton.me>
> > Sent: Tuesday, February 25, 2025 10:29:32 AM
> > Subject: Re: [midPoint] limiting livesync AD work
> >
> > Hello,
> >
> > I am very new to the midPoint and only reading the book and playing with
> local test instance, but I guess it should be possible using just
> synchronization configuration in the object type (Resource -> Schema
> handling -> your object type -> synchronization).
> > You need situations:
> > Unmatched - means there is a new account so you define action: link
> > Deleted - unlink
> >
> > Hope I am right and it helps :-)
> >
> > With best regards,
> > Mike
> >
> >
> > Sent with Proton Mail secure email.
> >
> > On Friday, 21 February 2025 at 4:48 PM, Ashwill, Steven L via midPoint <
> midpoint at lists.evolveum.com> wrote:
> >
> >> Hello,
> >> Is there a way that we can limit the livesync task in 4.8.x to simply
> pick up create events? Once a user is created and we have them linked, we
> no longer want to react to changes in the AD. Midpoint has authority on the
> mappings we control and we ignore everything else in the AD and therefore
> we don't want to process the 1000s of updates that occur daily. We just
> want to react to a create or delete of a user in the AD and link or unlink
> the user we have in midpoint
> >>
> >>
> >> STEVEN L ASHWILL
> >> Software Engineer Coordinator
> >>
> >>
> >>
> >> Under the Illinois Freedom of Information Act any written communication
> to or from university employees regarding university business is a public
> record and may be subject to public disclosure.
> >>
> >>
> >> _______________________________________________
> >> midPoint mailing list
> >> midPoint at lists.evolveum.com
> >> https://lists.evolveum.com/mailman/listinfo/midpoint
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Wed, 26 Feb 2025 15:27:33 +0200
> > From: Jussi Jokela <jussi.jokela92 at gmail.com>
> > To: midpoint at lists.evolveum.com
> > Subject: [midPoint] Override default approval policy
> > Message-ID:
> > <CABQ2MC_s5rwJ=DhqFp97CFpoY4_pUL=
> F4GNzmV3eR3NT+uv3sw at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I'm having difficulties overriding my "default approver" policy. I have
> two
> > metaroles, one for default approver and one for "high risk systems" (for
> > example) and
> > and the default approver is inherited from another metarole which is used
> > when creating new roles and the high risk metarole is assigned when the
> > created role requires it.
> >
> > The high risk metarole has the <mergeOverwriting>true</mergeOverwriting>
> > but it does not seem to have effect. When the default approver and high
> > risk system metaroles are induced to
> > created role, both policy stages require manual approval when the desired
> > outcome is just to approve the high risk system (all must approve) as it
> > has lower order (higher priority).
> >
> > Here are the code snippets for both policy metaroles and the metarole
> that
> > includes the default approver policy:
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > * <displayName>Metarole: High risk systems</displayName>
> <inducement
> > id="1"> <policyRule> <policyConstraints>
> > <assignment> <operation>add</operation>
> > </assignment> </policyConstraints> <policyActions>
> > <approval id="3"> <compositionStrategy>
> > <order>5</order>
> > <mergeOverwriting>true</mergeOverwriting>
> > </compositionStrategy> <approvalSchema>
> > <stage id="4"> <name>Security</name>
> > <approverRef relation="org:default"
> > type="c:OrgType"> <filter>
> > <q:text>name="High_risk_systems"</q:text>
> > </filter>
> > <resolutionTime>run</resolutionTime>
> > </approverRef>
> > <evaluationStrategy>allMustApprove</evaluationStrategy>
> > <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
> > <groupExpansion>onWorkItemCreation</groupExpansion>
> > </stage> </approvalSchema>
> > </approval> </policyActions> </policyRule>
> > </inducement> <displayName>Default approver</displayName>
> <inducement
> > id="1"> <policyRule> <policyConstraints>
> > <assignment> <operation>add</operation>
> > </assignment> </policyConstraints> <policyActions>
> > <approval id="16"> <compositionStrategy>
> > <order>50</order>
> > </compositionStrategy> <approvalSchema>
> > <stage id="17"> <name>Default
> > approver</name> <approverRef
> > relation="org:default" type="c:OrgType">
> > <filter> <q:text>name="Default
> > approver"</q:text> </filter>
> > <resolutionTime>run</resolutionTime>
> > </approverRef>
> > <evaluationStrategy>firstDecides</evaluationStrategy>
> > <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
> > <groupExpansion>onWorkItemCreation</groupExpansion>
> > </stage> </approvalSchema>
> > </approval> </policyActions> </policyRule>
> > </inducement>*
> >
> >
> >
> > * <inducement id="59"> <targetRef
> > oid="7c1a3009-b456-40e6-a160-be32f70c1c7c" (default approver)
> > relation="org:default" type="c:RoleType"/> </inducement>*
> >
> >
> > Hope my goal is clear. :)
> >
> >
> > Best regards,
> > Jussi
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <
> https://lists.evolveum.com/pipermail/midpoint/attachments/20250226/81ad7911/attachment-0001.htm
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Wed, 26 Feb 2025 20:21:40 +0100
> > From: Odd Arne Beck <oddbeck at gmail.com>
> > To: midpoint at lists.evolveum.com
> > Subject: [midPoint] creating my first connector - unable to comprehend
> > group management
> > Message-ID:
> > <CAKjv1x4c1c2ozyO0ct6dEtdQ=
> 2yZeYdaY1rc2tYVzyO904x7Ww at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi!
> >
> > I am on Midpoint 4.9.1 and I am trying to figure out developing a
> connector
> > and getting to know the framework for connectors. I've studied several
> > other connectors and their source code in the process.
> >
> > I'm creating a basic connector for sqlite creating tables Users, Groups
> and
> > UsersGroups (mapping table for group membership). I use the hibernate ORM
> > for the database part.
> >
> > As of now my connector is able to create the Users, and any roles
> (groups)
> > are also created through entitlements in the 'Groups' table.
> >
> > However, when I assign a user to a group the create() / executeQuery() /
> > Update() and similar methods are triggered but I am not able to see
> > anywhere a ref to a user ID or something similar that I can use in order
> to
> > inject the UserId + GroupId into my "UsersGroups" table.
> >
> > I am pretty sure I've set up the associations accordingly to the docs for
> > 4.9.1.
> > What am I missing or not understanding?
> >
> > Thanks for any advice and help.
> >
> > Best regards,
> >
> > Odd Beck
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <
> https://lists.evolveum.com/pipermail/midpoint/attachments/20250226/69a216a7/attachment-0001.htm
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 27 Feb 2025 09:17:25 +0000
> > From: Puchta Jaroslav Ing. <puchta.jaroslav at cpost.cz>
> > To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> > Subject: [midPoint] Table Layout Adjustment for Better Clarity,
> > MidPoint 4.8
> > Message-ID:
> > <
> DB9P189MB2097249279AB53442433A3B79DCD2 at DB9P189MB2097.EURP189.PROD.OUTLOOK.COM
> >
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi everyone,
> > I would like to request your help with adjusting the layout of tables
> with roles. Currently, the description column takes up about 8/12 of the
> table's width, which causes line breaks for roles or service names. This
> line breaking makes it difficult to visually locate roles in the table.
> > I propose increasing the column width where the display names are shown
> to make it easier to find roles in the table. On the other hand, line
> breaks in the description column are not as problematic.
> > Best regards,
> > J.Puchta
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <
> https://lists.evolveum.com/pipermail/midpoint/attachments/20250227/5300b5b7/attachment.htm
> >
> > -------------- next part --------------
> > A non-text attachment was scrubbed...
> > Name: smime.p7s
> > Type: application/pkcs7-signature
> > Size: 2812 bytes
> > Desc: not available
> > URL: <
> https://lists.evolveum.com/pipermail/midpoint/attachments/20250227/5300b5b7/attachment.bin
> >
> >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> >
> >
> > ------------------------------
> >
> > End of midPoint Digest, Vol 154, Issue 17
> > *****************************************
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250301/c7ba41f5/attachment-0001.htm>
More information about the midPoint
mailing list