<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Dharmendra,<br>
<br>
actually, it is possible to recompute users having a given role
(directly assigned!) via SOAP API.<br>
<br>
You have to execute the following bulk action (a.k.a. midPoint
script).<br>
<br>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<s:search
xmlns=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:s=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">"http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"</a>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<br>
xmlns:c=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:q=<a class="moz-txt-link-rfc2396E" href="http://prism.evolveum.com/xml/ns/public/query-3">"http://prism.evolveum.com/xml/ns/public/query-3"</a>><br>
<s:type>c:UserType</s:type><br>
<s:searchFilter><br>
<q:ref><br>
<q:path>assignment/targetRef</q:path><br>
<q:value><br>
<oid>00000000-0000-0000-0000-000000000004</oid><br>
<type>RoleType</type><br>
</q:value><br>
</q:ref><br>
</s:searchFilter><br>
<s:action><br>
<s:type>recompute</s:type><br>
</s:action><br>
</s:search><br>
<br>
(of course, replace oid with your role's OID)<br>
<br>
You can use the runScript sample
(samples\model-client-sample\src\main\java\com\evolveum\midpoint\testing\model\client\sample\RunScript.java)
to see how bulk actions can be executed via SOAP API.<br>
<br>
Note: it is quite experimental yet; however, it works.<br>
<br>
More to read:<br>
<a
href="https://wiki.evolveum.com/display/midPoint/runscript+command+line+tool">https://wiki.evolveum.com/display/midPoint/runscript+command+line+tool</a><br>
<a href="https://wiki.evolveum.com/display/midPoint/Bulk+actions">https://wiki.evolveum.com/display/midPoint/Bulk+actions</a><br>
<br>
Regards,<br>
Pavol<br>
<br>
<br>
On 26. 11. 2014 9:48, dharmendra parakh wrote:<br>
</div>
<blockquote
cite="mid:CAKvVWqzWtYxTGyj55a9orqZ-sDjR2GQ4CSPsGwqmEEhv6uzr0g@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>Thanks for the information, I will try this, between you
have mentioned that <span
style="font-family:arial,sans-serif;font-size:13px">doing
this on a role level is not i</span>mplemented yet in GUI
but is there any API which can do this?</div>
<div><br>
</div>
<div>I was thinking to write a client which can perform this
operation for specific role.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Nov 26, 2014 at 2:13 PM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Dharmendra,<br>
<br>
GUI part for doing this on a role level is planned, not
implemented yet.<br>
<br>
It is however possible with User Recomputation Task. The
task (without any query conditions) can be created from
Server Tasks - New Task menu. It will process all user and
recompute them. The task can be scheduled, e.g. to run
once a day.<br>
<br>
You can also create User Recomputation Task with
conditions/query, if you want to recompute only users with
some role assigned. Be adwised this currently works only
if the role is assigned directly, not as a subrole of
other role:<br>
<br>
<task<br>
xmlns=<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:xsi=<a moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema-instance"
target="_blank">"http://www.w3.org/2001/XMLSchema-instance"</a><br>
xmlns:xsd=<a moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema" target="_blank">"http://www.w3.org/2001/XMLSchema"</a>><br>
<br>
<name>User Recompute - having role <b>00000000-0000-0000-0000-000000000008</b></name><br>
<extension xmlns:q=<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/query-3"
target="_blank">"http://prism.evolveum.com/xml/ns/public/query-3"</a>><br>
<mext:objectQuery
xmlns:mext=<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
target="_blank">"http://midpoint.evolveum.com/xml/ns/public/model/extension-3"</a>><br>
<q:filter><br>
<q:ref>
<br>
<q:path>assignment/targetRef</q:path>
<br>
<q:value>
<br>
<oid><b>00000000-0000-0000-0000-000000000008</b></oid>
<br>
<type>RoleType</type>
<br>
</q:value>
<br>
</q:ref><br>
</q:filter><br>
</mext:objectQuery><br>
</extension><br>
<ownerRef
oid="00000000-0000-0000-0000-000000000002"/><br>
<executionStatus>runnable</executionStatus><br>
<handlerUri><a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/recompute/handler-3"
target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/recompute/handler-3</a></handlerUri><br>
<recurrence>single</recurrence><br>
<binding>tight</binding><br>
</task><br>
<br>
Replace the <oid>..</oid> with the oid of the
role you wish to recompute and import this task using
Configuration - Import object - Embedded editor - paste
this example. The task will execute immediately.<br>
<br>
NB: the ..00008 oid je End User role, I've tested if the
task is importable. It is.<br>
<br>
Regards,<br>
Ivan
<div>
<div class="h5"><br>
<br>
<div>On 11/26/2014 08:04 AM, dharmendra parakh wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan/ Pavol
<div><br>
</div>
<div>Thanks for the information, i tried it and it
works well. but rather than doing it at user
level i would like to do it at role level.</div>
<div><br>
</div>
<div>For example:</div>
<div>- I change a role definition - added an
additional group assignment </div>
<div>- Now i want to propagate this change to all
the member users.</div>
<div>- If i go and do this at user level it is not
scalable.</div>
<div><br>
</div>
<div>So is there any way where we can say
recompute all the user accounts affected by the
change in role definition?</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
<div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Nov 25, 2014 at
7:49 PM, Ivan Noris <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<span><br>
<br>
<div><br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>- How can we recompute the
account?</div>
<div>- Yes, after changing the role
newly members get correct groups.</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</span> For one single user, it should be
sufficient to:<br>
- go to Users<br>
- find your user<br>
- click the "wheel" icon in the user line
and select "Reconcile"<br>
<br>
The same should be possible for multiple
selected users, using the "wheel" icon in
the user list header (the same option
"Reconcile").<br>
<br>
Be adwised, all roles assigned to selected
user(s) will be recomputed.<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Regards</div>
<div>Dharmendra</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Nov
25, 2014 at 7:01 PM, Pavol Mederly
<span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pavol.mederly@gmail.com"
target="_blank">pavol.mederly@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>Dharmendra,<br>
<br>
after changing the role,
user accounts have to be
recomputed for the change to
be applied onto the
resource.<br>
<br>
A quick check: if you create
a new user and assign him
this modified role, is the
group membership OK for the
newly created account?<br>
<br>
Best regards,<br>
Pavol <br>
<div>
<div> <br>
On 25. 11. 2014 12:14,
dharmendra parakh wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>Thanks for the
information, I
didn't get chance to
go through these
documents but i will
look into this for
sure. </div>
<div>What i understand
is i can not modify
the groups assigned
as role inducement
from GUI.</div>
<div><br>
</div>
<div>I tried changing
the groups from xml
but then this change
is not enforced to
member users
account. I need it
for my project for
which i am
evaluating midpoint,
how can i do that?</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Dharmendra</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div
class="gmail_quote">On
Sun, Nov 23, 2014 at
2:32 AM, Pavol
Mederly <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pavol.mederly@gmail.com" target="_blank">pavol.mederly@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>Dharmendra,<br>
<br>
thank you for
the
explanation.<br>
<br>
Currently, GUI
allows only to
change
"regular"
attributes of
induced
accounts
(directly when
creating the
inducement, or
later when
editing it by
clicking on
"Show empty"
button and
changing what
you need*).<br>
<br>
If you want to
work with
associations,
you have to
write it in
XML, e.g. via
<b>Con</b><b>figuration->Repository
objects</b>
page.<br>
<br>
For an
example,
please see
e.g. <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-EntitlementAssociations"
target="_blank">https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-EntitlementAssociations</a>.<br>
<br>
But before
trying that, I
would strongly
recommend
reading about
the concept of
entitlements,
starting here:<br>
<a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Entitlements"
target="_blank">https://wiki.evolveum.com/display/midPoint/Entitlements</a><br>
and then about
assignments: <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Assignment"
target="_blank">https://wiki.evolveum.com/display/midPoint/Assignment</a><br>
and <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration"
target="_blank">https://wiki.evolveum.com/display/midPoint/Assignment+Configuration</a><br>
<br>
Anyway, if you
would have any
questions,
we're here to
help.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
(*) Due to a
bug in GUI,
attribute
changes are
applied, but
are not shown
back in GUI.
But they can
be seen via
Repository
objects page.
Hope we'll fix
that soon.<br>
---
<div>
<div><br>
On 22. 11.
2014 19:50,
dharmendra
parakh wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote
type="cite">
<div dir="ltr">Hi <span
style="font-family:arial,sans-serif;font-size:13px">Pavol</span>
<div><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px">What
i have done is
pretty
straight
forward, I
have
configured a
role to induce
an ldap
resource using
GUI (PFA).</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px">So
as per my
understanding
when i add
this resource
to role
inducement all
the role
members will
get this
resource
provisioned, I
have tested
this and it is
working very
well.</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px">Now
i want to
change the
resource data
which i
provided while
adding this
resource
inducement to
role for
example
container or
group
assignment
information. I
am not sure
how can i do
this.</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px">Thanks!</span></div>
<div><span
style="font-family:arial,sans-serif;font-size:13px">Dharmendra</span></div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Sat, Nov 22,
2014 at 10:52
PM, Pavol
Mederly <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:mederly@evolveum.com"
target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>Hello
Dharmendra,<br>
<br>
I'm not sure
what exactly
you have done
and what you
would like to
achieve.<br>
<br>
You've created
a role and
configured it
to induce an
LDAP resource.
Did you do
this using a
GUI or via
XML? <br>
If via GUI,
please send
here a
screenshot
what have you
done and what
you want to
achieve.<br>
If via XML,
please do the
same (sending
here
appropriate
pieces of your
XML
configuration).<br>
<br>
Best regards,<br>
Pavol Mederly
<div>
<div><br>
<br>
On 22. 11.
2014 11:33,
dharmendra
parakh wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">Hi
Everyone
<div><br>
</div>
<div>I just
downloaded and
started
learning
midpoint for
my personal
learning
purpose. I
really liked
it and I am
very excited
to learn using
it.</div>
<div><br>
</div>
<div>I have a
question about
inducements in
midpoint.</div>
<div><br>
</div>
<div>I have
created a role
and configured
it to induce a
ldap resource
with some ldap
groups. Now I
want to change
the configured
groups/resource
information
but i could
not find the
way to do it.</div>
<div><br>
</div>
<div>Can you
help me doing
this or there
is no such
implementation
in midpoint
currently.</div>
<div>Please
help me with
this let me
know if you
need more
information on
this.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Dharmendra
Parakh</div>
<div><a
moz-do-not-send="true"
href="tel:%2B91-9730648544" value="+919730648544" target="_blank">+91-9730648544</a></div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>
_______________________________________________<br>
midPoint
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a
moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing
list<br>
<a
moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a
moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"
target="_blank">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
<span><font color="#888888">
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"
target="_blank">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>