<div dir="ltr">I did a reconcile already from that last time I figured out how to do it from one of the previous discussions. I just didn't know if it were a standard to do a daily recon on a resource.<div><br></div><div>It took 27 minutes to do a full Recon, I only have 6 attributes which 3 are outbound and 3 is both in/out. Name, Last, Phone, Email, Department, Profile (extension). This is a VMware VM on my workstation also, so surprisingly fast because the virtual disk is on the same disk as 10 other running VMs.</div><div><br></div><div>I have almost 6 different resources now, various types, 2 of which are this type where the resource already has the accounts.</div><div><br></div><div>I also upgraded to 3.1 Snapshot, just so I am creating all the objects on the latest version.</div><div><br></div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Jason,<br>
<br>
40.000 accounts is not an issue itself. Just be adwised that
performance strongly depends not only the number of users, but also
on configuration of mappings, logging, tracing etc. In other words,
linking the account is one thing, provisioning changes during the
recon takes more time.<br>
<br>
Anyway we appreciate any information about the performance in your
case when it's finished.<br>
<br>
And don't forget to run the dry-run recon first to be sure about
your correlation rules.<br>
<br>
Thanks,<br>
Ivan<div><div class="h5"><br>
<br>
<div>On 12/08/2014 06:45 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Ok thanks, that is what I figured so I just wanted
to make sure that was the case. I am going to remove that
configuration, it should never create anyways, users will always
be listed on that resource first way before midpoint would ever
even create the midpoint user account.
<div><br>
</div>
<div>I could also just leave that and run Reconcile on the
resource nightly, it has 40,000 objects, that should not be an
issue right?<br>
<div><br>
</div>
<div>JASON</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at 11:42 AM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
<br>
as the error states, and based on what you've written
earlier about disabling creates, it's because the create
capability is disabled (deliberately). midPoint tries to
create (add) account and the decision that it should be
converted to an update comes just after the collision is
detected.<span><font color="#888888"><br>
<br>
I.</font></span>
<div>
<div><br>
<br>
<div>On 12/08/2014 06:26 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I figured that this was the case and
I read on the wiki..
<div><br>
<div>"<span style="font-size:13px">Technically,
when midPoint user is assigned a role that
should provision account on target system
and the account already exists (= can be
correlated), it will be updated. But the
decision is made upon the provisioning
request."</span></div>
</div>
<div><span style="font-size:13px"><br>
</span></div>
<div><span style="font-size:13px">But it does not
work, it errors out. Maybe because my resource
has create and delete disabled? Midpoint will
never create or delete accounts in this
resource.</span></div>
<div><br>
</div>
<div>
<div><span style="white-space:pre-wrap"> </span><cap:create></div>
<div>
<cap:enabled>false</cap:enabled></div>
<div> </cap:create></div>
<div> <cap:delete></div>
<div><span style="white-space:pre-wrap"> </span><cap:enabled>false</cap:enabled></div>
<div> </cap:delete></div>
</div>
<div><br>
</div>
<div>Starting error,</div>
<div><br>
</div>
<div>com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.SystemException:
java.lang.UnsupportedOperationException:
Resource does not support 'create' operation<br>
</div>
<div><br>
</div>
<div>This is when I have a role that has an
inducement for this resource which I would have
thought would just link since it already exists,
the correlation is employeeNumber like all of my
other resources.</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at
10:52 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi
Jason,<br>
<br>
in general, the deployment is as follows:<br>
<br>
1. import/reconcile from source system(s) to
create identities (users) in midPoint. This
may also create additional accounts in other
systems (i.e. that were not provisioned
before).<br>
2. create reconciliation tasks for all other
systems, where the accounts already exists
and should be linked to midpoint identities.<br>
<br>
Based on the mappings in your resources, the
reconciliations may modify the data on the
reconciled resources (outbound mappings).<br>
<br>
Technically, when midPoint user is assigned
a role that should provision account on
target system and the account already exists
(= can be correlated), it will be updated.
But the decision is made upon the
provisioning request.<br>
<br>
So I'd recommend to setup the reconciliation
tasks, and start them first with the
"dry-run" flag to see how many accounts can
be correlated to midPoint users.<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 12/08/2014 04:51 PM, Jason
Everling wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">So here is the
scenario,
<div><br>
</div>
<div>There is a DBTable resource
that already has all the accounts,
midpoint will not create or delete
from this resource.</div>
<div><br>
</div>
<div>The user does not exist yet in
Midpoint, The users are created in
midpoint using another DBTable
resource.</div>
<div><br>
</div>
<div>How can I link the newly
created user in Midpoint to their
account in the other resource,</div>
<div><br>
</div>
<div>I can do this by running a
reconcile task on the resource but
is there any other way to link
users to accounts on other
resources since they already exist
without having to run reconcile on
the resource everytime?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>JASON</div>
</div>
<br>
</div>
</div>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any
attachments is proprietary and
confidential; intended for only the
recipient(s) named above and may contain
information that is privileged. You
should not retain, copy or use this
e-mail or any attachments for any
purpose, or disclose all or any part of
the contents to any person. Any views or
opinions expressed in this e-mail are
those of the author and do not represent
those of the Baptist School of Health
Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified
that any review, dissemination,
distribution or copying of this
communication is prohibited by the
sender and to do so might constitute a
violation of the Electronic
Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately
notify the sender and delete this e-mail
and any attachments from your computer.
</font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>