<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello Philippe & Fabian,<br>
<br>
see also my notes <font color="#3366ff">inline</font> in addition
to Pavol's.<br>
<br>
<div class="moz-cite-prefix">On 03/21/2016 05:46 PM, Pavol Mederly
wrote:<br>
</div>
<blockquote cite="mid:56F0254D.6070407@evolveum.com" type="cite">Hello
Philippe and Fabian,
<br>
<br>
here are some answers (or, more precisely, pointers to relevant
information) to your questions:
<br>
<br>
<blockquote type="cite">- How can you adjust some attribute in a
connector? We tried to rename some attribute names in the XML
file but if we try to create a new user with the new attribute
names the connector says the attribute is unknown? </blockquote>
I don't understand this question. What exactly would you like to
adjust? Please be more specific about what you'd like to achieve, and
preferably give us an example.
<br>
<br>
</blockquote>
<br>
<font color="#3366ff">If you are trying to show the attribute name
in the GUI form differently from its name in the connector, e.g.
the attribute name is sAMAccountName and you wish to show it as
"Login name", this is very easy. See the &lt;displayName&gt; element
in the schemaHandling/attribute in many of our samples, e.g.:<br>
&lt;attribute&gt;<br>
&nbsp;&nbsp;&nbsp; &lt;ref&gt;ri:sAMAccountName&lt;/ref&gt;<br>
&nbsp;&nbsp;&nbsp; &lt;displayName&gt;Login name&lt;/displayName&gt;<br>
...<br>
</font><br>
<blockquote cite="mid:56F0254D.6070407@evolveum.com" type="cite">
<blockquote type="cite">- If you create a role, how can you give
this role authorities? From the start on, there is for example
just the role end user and super user with authorities.
<br>
</blockquote>
What do you mean by "authorities"? From what you say I understand
you'd like to attach some authorizations to a role - i.e. saying
like "holder of this role can see all other users' details". Is it
so? If yes, please have a look at
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Authorization+Configuration">https://wiki.evolveum.com/display/midPoint/Authorization+Configuration</a>.
It is a very elaborate and powerful mechanism, allowing you to specify
authorizations in a very, very flexible and detailed manner.
<br>
<br>
<blockquote type="cite">- Is it possible to filter Users just
through attributes? for example show every user with the name
Thomas? Or is it just possible to filter users with
organisations? </blockquote>
I'm not sure how it is in midPoint 3.3, but in 3.4-snapshot it is
possible to filter users by name, given name (e.g. Thomas), family
name, full name, additional name(s), administrative status, cost
center. If you need more, you can use e.g. Bulk actions
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Bulk+actions">https://wiki.evolveum.com/display/midPoint/Bulk+actions</a>) to
extract users you need (but that's not very interactive). Or you
can use reports. Or export all users and write a custom script to
filter what you need.
<br>
<br>
<blockquote type="cite">- Is there an option to prevent that users
don't get authorities that they should never have? for example a
customer user should never be able to get the role of a super
user?
<br>
</blockquote>
I'm not sure about this; maybe someone else on this list would
respond.
<br>
For general prevention of unwanted authorizations and role
assignments midPoint provides:
<br>
- certifications
(<a class="moz-txt-link-freetext" href="https://evolveum.com/blog/access-certification-in-midpoint/">https://evolveum.com/blog/access-certification-in-midpoint/</a>)
<br>
- approvals
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Workflows">https://wiki.evolveum.com/display/midPoint/Workflows</a>).
<br>
<br>
<blockquote type="cite">- Is it possible to set attributes from a
user through a role assignment?
<br>
</blockquote>
Certainly. See e.g.
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC">https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC</a>
<br>
<br>
<blockquote type="cite">- How can you change the password policy
in midpoint and synchronize them with Active Directory and
Exchange?
<br>
</blockquote>
You specify password policy like this:
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Password+Policy">https://wiki.evolveum.com/display/midPoint/Password+Policy</a>
<br>
Not sure what you mean by synchronization of the policy with
AD/Exchange; if you want to have compatible policies in midPoint
and AD/Exchange (i.e. so that if a user's password is accepted by
midPoint it will be accepted by AD/Exchange and vice versa), you
have to obtain the current password policy from AD/Exchange and
manually create an equivalent policy in midPoint. (Or the other way
around, take a policy from midPoint and create an equivalent one in
AD/Exchange.)
<br>
</blockquote>
<br>
<font color="#3366ff">Just to add: midPoint uses its own password
policies to validate/generate passwords. For each resource, a
different password policy can be used, or the global one will be
used (default). As we don't synchronize the policies (the
complexity definitions), you need to create the password policies
in midPoint to be at least as strong as in the resources.</font><br>
<br>
<blockquote cite="mid:56F0254D.6070407@evolveum.com" type="cite">
<br>
<blockquote type="cite">- How can an employee request authorities?
And how can his boss authorize this request?
<br>
</blockquote>
Please see the wiki page on workflows mentioned above.
<br>
In 3.3, the request is done simply by trying to assign a specific
role to himself/herself. After saving it, the workflow is started
automatically (if a role approver, approver expression or approval
schema is defined).
<br>
In 3.4 there will be a special tab for requesting roles (see
3.4-snapshot).
<br>
<br>
<blockquote type="cite">- Is it possible to create a hierarchy? If
yes, how?
<br>
</blockquote>
A hierarchy of what? E.g. for organizations (that could be
basically anything from traditional organizations to projects to
e.g. study programmes or even individual lectures), it certainly
is possible and well supported. Please have a look around our
wiki.
<br>
<br>
<blockquote type="cite">- How can you generate reports? are there
already basic templates for reports? and how can you export them
in different formats like .xls .csv .pdf ? </blockquote>
Very simply. You just need to use "Reports" menu. Please try it;
and have a look at
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Report+Configuration">https://wiki.evolveum.com/display/midPoint/Report+Configuration</a>.
<br>
<br>
<blockquote type="cite">- How can we transfer a currently existing
active directory structure as easily as possible in midpoint? We
got an XML-data for example and want to implement this user in
midpoint as well. </blockquote>
Please be more specific. Or, even better, please have a look at
the following:
<br>
- <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a>
(this one is not specific to AD but the general idea is the same)
<br>
-
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO">https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO</a><br>
-
<a class="moz-txt-link-freetext" href="https://evolveum.com/blog/practical-organization-structure-in-active-directory/">https://evolveum.com/blog/practical-organization-structure-in-active-directory/</a><br>
...and then think again and try to formulate your question more
precisely.
<br>
<br>
</blockquote>
<br>
<font color="#3366ff">Certainly it's possible to import/synchronize
the directory structures, one way, the other way, or
bi-directionally. So if you have e.g. a directory structure of
organizational units or groups in AD and wish to create the
corresponding structure in midPoint, yes, this is possible. The
real data is synchronized; you don't need to export it from AD and
preprocess it for midPoint.<br>
Please read the links Pavol shared above.</font><br>
<br>
Best regards,<br>
Ivan<br>
<br>
<blockquote cite="mid:56F0254D.6070407@evolveum.com" type="cite">Hope
this helps,
<br>
Pavol
<br>
<br>
<br>
On 19.03.2016 20:57, Fabian Mirz wrote:
<br>
<blockquote type="cite">Hello all,
<br>
<br>
we are a group of students who are currently testing MidPoint
3.3 as an Identity Manager System for a big company.
<br>
We have recently built up our test environment with 2 servers.
On the first one, we installed midPoint and on the second one we
configured Active Directory and installed Exchange.
<br>
The basic functions are already running, we are for example able
to create a user in midpoint, assign him with the exchange
connector and midpoint creates this user also on the other
server with a mailbox.
<br>
Sadly we still have some issues and we hope you can help us.
<br>
<br>
We are new to this topic, so please be forgiving if there are
some "stupid" questions.
<br>
<br>
- How can you adjust some attribute in a connector? We tried to
rename some attribute names in the XML file but if we try to
create a new user with the new attribute names the connector
says the attribute is unknown?
<br>
- If you create a role, how can you give this role authorities?
From the start on, there is for example just the role end user
and super user with authorities.
<br>
- Is it possible to filter Users just through attributes? for
example show every user with the name Thomas? Or is it just
possible to filter users with organisations?
<br>
- Is there an option to prevent that users don't get authorities
that they should never have? for example a customer user should
never be able to get the role of a super user?
<br>
- Is it possible to set attributes from a user through a role
assignment?
<br>
- How can you change the password policy in midpoint and
synchronize them with Active Directory and Exchange?
<br>
- How can an employee request authorities? And how can his boss
authorize this request?
<br>
- Is it possible to create a hierarchy? If yes, how?
<br>
- How can you generate reports? are there already basic
templates for reports? and how can you export them in different
formats like .xls .csv .pdf ?
<br>
<br>
And the last but most important question:
<br>
- How can we transfer a currently existing active directory
structure as easily as possible in midpoint? We got an XML-data
for example and want to implement this user in midpoint as well.
<br>
<br>
<br>
Best regards
<br>
<br>
Philippe Büdinger & Fabian Mirz
<br>
<br>
_______________________________________________
<br>
midPoint mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
</pre>
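Added example (not part of the original message, and not midPoint or Active Directory code): a check of the point made above that the midPoint password policy must be at least as strong as the resource's, so that any password midPoint accepts or generates is also accepted by the resource. The PasswordPolicy model, its field names and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Simplified, hypothetical model; not midPoint's or AD's real schema."""
    min_length: int
    max_length: Optional[int]  # None means no upper bound
    min_classes: int           # distinct classes required: lower/upper/digit/other


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def accepts(policy: PasswordPolicy, password: str) -> bool:
    """True if the password satisfies the policy."""
    if len(password) < policy.min_length:
        return False
    if policy.max_length is not None and len(password) > policy.max_length:
        return False
    return char_classes(password) >= policy.min_classes


def gaps(midpoint: PasswordPolicy, resource: PasswordPolicy) -> List[str]:
    """Reasons a password valid in midPoint could still be rejected by the resource."""
    found = []
    if midpoint.min_length < resource.min_length:
        found.append(f"min length {midpoint.min_length} < {resource.min_length}")
    if resource.max_length is not None and (
            midpoint.max_length is None or midpoint.max_length > resource.max_length):
        found.append(f"max length exceeds resource limit {resource.max_length}")
    if midpoint.min_classes < resource.min_classes:
        found.append(f"character classes {midpoint.min_classes} < {resource.min_classes}")
    return found


# Constructed sample values, not taken from any real deployment.
RESOURCE = PasswordPolicy(min_length=8, max_length=127, min_classes=3)
MP_WEAK = PasswordPolicy(min_length=6, max_length=None, min_classes=2)
MP_OK = PasswordPolicy(min_length=10, max_length=64, min_classes=3)

if __name__ == "__main__":
    for name, policy in (("MP_WEAK", MP_WEAK), ("MP_OK", MP_OK)):
        print(name, gaps(policy, RESOURCE) or "at least as strong as the resource")
    # A password the weak midPoint policy lets through but the resource refuses:
    print(accepts(MP_WEAK, "abc123"), accepts(RESOURCE, "abc123"))
```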
</body>
</html>