<div dir="ltr">"<span style="font-size:12.8px">I hope that the connector supports the multivalue attributes."</span><div><br></div><div>I could not get multi-value attributes to work in one of our database table resources. I checked ConnID and OpenICF for related settings and did not find any. We do, though, use database views; one of them is actually read/write, so updates are pushed back to the view.</div><div><br></div><div>If someone does know how to use multi-value attributes in a database resource, please let me know! If not, eventually I will need to migrate it to a scripted DB resource.<br><div><br></div><div>JASON</div><div class="gmail_extra"><div><div class="gmail_signature"><div dir="ltr"><br></div></div></div>
<br><div class="gmail_quote">On Tue, May 3, 2016 at 2:34 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi,<span class=""><br>
<br>
<div>On 05/03/2016 09:13 AM, Harits Elfahmi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>From what I read, groups and users are saved in the same
resource in LDAP, so associating them would be as you said. But
I'm using DatabaseTableConnector, and my roles and users data
are in separate tables in my database. To connect them to
midPoint, I create two resources, one that connects to the users
table and another that connects to the roles table. Is it
possible to associate them in midPoint, or is this a
limitation of the DatabaseTableConnector? </div>
<div><br>
</div>
</div>
</blockquote>
<br></span>
The DBTable connector is currently limited to supporting only one table
(that's also why its configuration is so simple). The other
limitations that I know of:<br>
- it supports only accounts (AccountObjectClass) - if you use
"accounts" as projection of roles, it works<br>
- it supports only simple primary keys (not complex ones)<br>
- it does not support entitlements/associations<br>
<br>
I think you have several possibilities:<br>
<br>
1) keep using DB Table connector, and on the DB side construct a
view which will contain the user attributes as well as group
membership. As DB Table does not really support anything else than
accounts (everything is "accounts") you may skip using the
association and just use some multivalue attribute of the account
(in the DB View) to provision to the groups. I don't remember if I
tried this recently, and I hope that the connector supports
multivalue attributes. If this works, it will be the simplest (but
not prettiest) solution.<br>
<br>
You may still need two resources, one for managing accounts
(including group membership using view attribute) and one for
managing roles as you originally wanted for synchronizing with
midPoint roles.<br>
<br>
2) try ScriptedSQL connector. You can twist and bend it to support
any database, any table combination. So it can be configured to
support entitlements and associations as well. This will require you
to script the behaviour of the Create/Update/Read/Delete/Search/Schema etc.
operations (Groovy or JavaScript). One resource will be enough.<br>
Some samples:
<a href="https://github.com/Evolveum/midpoint/tree/master/samples/resources/scriptedsql" target="_blank">https://github.com/Evolveum/midpoint/tree/master/samples/resources/scriptedsql</a><br>
<br>
3) create custom DB connector. That's almost the same as
ScriptedSQL, but compiled (java) and not interpreted, so it should
be faster.<br>
<a href="https://wiki.evolveum.com/display/midPoint/Connector+Development+HOWTO" target="_blank">https://wiki.evolveum.com/display/midPoint/Connector+Development+HOWTO</a><br>
<br>
[last but not least 4) the DB Table connector can be enhanced for
multiple-table / entitlement / association support, by contributing
or sponsoring such feature as documented in
<a href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature" target="_blank">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>]<br>
<br>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-05-03 13:50 GMT+07:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
not sure if I understand how entitlement and account could
be on different resources. But the answer is:
associations work only if the entitlements and accounts
are on the SAME resource.<br>
<br>
If you think of entitlements as "groups" (most common
entitlement on resources), association configuration is
just an information for midPoint about "how to get all
account's groups" or "how to provision account's groups".
That's what direction, associationAttribute and
valueAttribute are for.<br>
<br>
For example in OpenLDAP:<br>
<br>
<association><br>
<ref>ri:group</ref><br>
<displayName>LDAP
Group Membership</displayName><br>
<kind>entitlement</kind><br>
<intent>ldapGroup</intent><br>
<direction>objectToSubject</direction><br>
<associationAttribute>ri:member</associationAttribute><br>
<valueAttribute>ri:dn</valueAttribute><br>
</association><br>
<br>
This means:<br>
1) midPoint will use "virtual" attribute "ri:group" that
you can use in mappings (e.g. in roles) to provision to
OpenLDAP groups<br>
2) direction=objectToSubject: midPoint will put accounts
to groups (because group membership works this way in LDAP
servers and also most other systems)<br>
3) midPoint will use group's attribute "ri:member" ....<br>
4) ... and will put the corresponding account's DN ("ri:dn")
attribute value there<br>
<br>
<br>
What are you trying to achieve..?<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 05/03/2016 07:50 AM, Harits Elfahmi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Ivan,
<div><br>
</div>
<div>Thanks for your suggestion, it works now. But
now I want to associate the entitlement to the
account. I use the association example from
midpoint GitHub:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><association><br>
<span style="white-space:pre-wrap"> </span><ref>ri:role_id</ref><br>
<span style="white-space:pre-wrap"> </span><displayName>My
Role</displayName><br>
<span style="white-space:pre-wrap"> </span><kind>entitlement</kind><br>
<span style="white-space:pre-wrap"> </span><intent>default</intent><br>
<span style="white-space:pre-wrap"> </span><direction>objectToSubject</direction><br>
<span style="white-space:pre-wrap"> </span><associationAttribute>icfs:uid</associationAttribute><br>
<span style="white-space:pre-wrap"> </span><valueAttribute>ri:role_name</valueAttribute><br>
</association></blockquote>
<div> </div>
<div>But it causes an error, and my guess is that this is
because the entitlements and accounts are in
different resources. Is it possible to do the
association with another resource? </div>
<div><br>
</div>
<div>Thanks</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-05-02 14:02
GMT+07:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi
Harits,<span><br>
<br>
<div>On 05/02/2016 08:17 AM, Harits
Elfahmi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello all,
<div><br>
</div>
<div>I'm trying to sync my role data
from a database table to midPoint
using the GUI. From the docs I get
the impression that the
entitlements and accounts
originate from a single resource,
but since DatabaseTableConnector
connects to a certain table, I
think I need to make another
resource to store entitlement
data. What I don't get is:</div>
<div><br>
</div>
<div>- In Schema Handling what's the
attribute I use in <b>target</b>?
Is it <b>$role/name</b>? I can't
find the reference in the docs</div>
</div>
</blockquote>
<br>
</span> Instead of $user you would use
$focus. (It would work for users as well.)<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>- In Synchronization, what's
the appropriate reaction? I can't
find <b>add role</b> reaction in
the dropdown list</div>
</div>
</blockquote>
<br>
</span> No, that's connected to the bug
you discovered earlier. The proper action
is addFocus.<br>
<handlerUri><a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri><br>
<br>
In order to synchronize resource objects
to anything else than users, the following
must be added to synchronization settings
(I don't know if the wizard supports it):<br>
<br>
...<br>
<objectSynchronization><br>
<name>role
sync</name><br>
<objectClass>ri:AccountObjectClass</objectClass><!--
DB Table connector supports only accounts
--><br>
<kind>account</kind><br>
<intent>default</intent><br>
<focusType><b>c:RoleType</b></focusType><br>
<enabled>true</enabled><br>
<correlation><br>
...<br>
</correlation><br>
...<br>
<br>
This means that the object will be
correlated with Roles, not Users (which is
the default). In the correlation expression you
will search for Roles and not Users. If
the correlation expression returns zero
results, the unmatched situation will occur
and the action (e.g. addFocus) will be
executed. Everything is the same as for
users. Just use $focus instead of $user in
the inbound mappings.<br>
<br>
See some of our Generic Synchronization
samples such as <a href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml" target="_blank">https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml</a>
(it's OpenDJ, not DB Table, but you will
see the things I mentioned).<br>
<br>
Also see <a href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization" target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
<br>
Regards,<br>
Ivan<br>
<br>
<blockquote type="cite"><span>
<div dir="ltr">
<div><br>
</div>
<div>Is it possible to do this? Or
do I need to manually add roles to
midpoint? Please help.</div>
<div><br>
</div>
<div>Thanks</div>
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>Cheers,</div>
<div><b><br>
</b></div>
<div><b>Harits</b> Elfahmi</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</span>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper ID(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div></div></div>
<br>
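<div>Option 1 in Ivan's reply (a database view that folds group membership into one attribute of the account row) can be tried out without a real resource. The following is an added example written for this page; it is not code from the thread, from the DB Table connector or from midPoint. It builds constructed users/roles/user_roles tables in an in-memory SQLite database, defines a view (the view, column and function names are assumptions) with one row per account and a simple primary key, aggregates all role names of that account into a single delimited column, and then reads the view back the way a one-table connector would, splitting the column into a list. It also checks the one thing that silently breaks such a view: a role name that contains the delimiter. On another database engine the same shape applies with that engine's aggregation function (for example STRING_AGG or LISTAGG); writing back through the view, which Jason mentions, is engine-specific and not covered here.</div>

```python
import sqlite3

# Constructed sample schema (not a real deployment): users and roles live in
# separate tables joined through a membership table, the layout the thread
# describes. The view folds membership into a single column per account so a
# one-table connector with a simple primary key can read it.
SCHEMA = """
CREATE TABLE users (
    user_id   INTEGER PRIMARY KEY,
    username  TEXT NOT NULL UNIQUE,
    full_name TEXT NOT NULL
);
CREATE TABLE roles (
    role_id   INTEGER PRIMARY KEY,
    role_name TEXT NOT NULL UNIQUE
);
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    role_id INTEGER NOT NULL REFERENCES roles(role_id),
    PRIMARY KEY (user_id, role_id)
);
CREATE VIEW v_accounts AS
SELECT u.user_id,
       u.username,
       u.full_name,
       (SELECT group_concat(r.role_name, '|')
          FROM user_roles ur
          JOIN roles r ON r.role_id = ur.role_id
         WHERE ur.user_id = u.user_id) AS role_names
  FROM users u;
"""

# Constructed sample rows: alice has two roles, bob one, carol none.
SAMPLE_ROWS = """
INSERT INTO users VALUES (1, 'alice', 'Alice Example'),
                         (2, 'bob',   'Bob Example'),
                         (3, 'carol', 'Carol Example');
INSERT INTO roles VALUES (10, 'admin'), (11, 'auditor'), (12, 'operator');
INSERT INTO user_roles VALUES (1, 10), (1, 11), (2, 11);
"""

DELIM = "|"  # must match the literal separator used in the view definition


def build_demo_db():
    """Create the in-memory database with schema, view and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE_ROWS)
    return conn


def unsafe_role_names(conn):
    """Role names containing the delimiter would split into bogus values;
    return them so the view can be rejected before it feeds provisioning."""
    rows = conn.execute(
        "SELECT role_name FROM roles WHERE instr(role_name, ?) > 0", (DELIM,)
    )
    return [row[0] for row in rows]


def read_accounts(conn):
    """Read the view as a one-table connector would and split role_names
    back into a sorted list per account (empty list when the account has
    no roles, which the view reports as NULL)."""
    bad = unsafe_role_names(conn)
    if bad:
        raise ValueError(f"role names contain delimiter {DELIM!r}: {bad}")
    accounts = {}
    for user_id, username, full_name, role_names in conn.execute(
        "SELECT user_id, username, full_name, role_names FROM v_accounts"
    ):
        roles = sorted(role_names.split(DELIM)) if role_names else []
        accounts[username] = {
            "user_id": user_id,
            "full_name": full_name,
            "roles": roles,
        }
    return accounts


if __name__ == "__main__":
    db = build_demo_db()
    for name, account in read_accounts(db).items():
        print(name, account["roles"])
```

<div>The connector would see <code>role_names</code> as one string attribute of the account object class; splitting it into individual values, and joining them again on the way out, then has to happen outside the connector, and the delimiter check above is what keeps that split from producing memberships that were never granted.</div>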