<div dir="ltr">Hi Ivan,<div><br></div><div>From what I read, groups and users are saved in the same resource in LDAP, so associating them would be as you said. But I'm using DatabaseTableConnector, and my roles and users data are in separate tables in my database. To connect them to midPoint, I create two resources, one that connects to the users table and another that connects to the roles table. Is it possible to associate them in midPoint, or is this a limitation of the DatabaseTableConnector?</div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-05-03 13:50 GMT+07:00 Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi,<br>
    <br>
    not sure if I understand how an entitlement and an account could be on
    different resources. But the answer is: associations work only if
    the entitlements and accounts are on the SAME resource.<br>
    <br>
    If you think of entitlements as "groups" (the most common entitlement on
    resources), the association configuration is just information for
    midPoint about "how to get all of an account's groups" or "how to
    provision an account's groups". That's what direction,
    associationAttribute and valueAttribute are for.<br>
    <br>
    For example in OpenLDAP:<br>
    <br>
<pre>
<association>
    <ref>ri:group</ref>
    <displayName>LDAP Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
</association>
</pre>
    <br>
    This means:<br>
    1) midPoint will use the "virtual" attribute "ri:group" that you can use
    in mappings (e.g. in roles) to provision to OpenLDAP groups<br>
    2) direction=objectToSubject: midPoint will put accounts into groups
    (because group membership works this way in LDAP servers and also in
    most other systems)<br>
    3) midPoint will use the group's attribute "ri:member" ...<br>
    4) ... and will put the corresponding account's DN ("ri:dn") attribute
    value there<br>
    <br>
    <br>
    What are you trying to achieve..?<br>
    <br>
    Regards,<br>
    Ivan<div><div class="h5"><br>
    <br>
    <div>On 05/03/2016 07:50 AM, Harits Elfahmi
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hello Ivan,
        <div><br>
        </div>
        <div>Thanks for your suggestion, it works now. But now I want to
          associate the entitlement with the account. I use the
          association example from the midPoint GitHub:</div>
        <div><br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><pre>
<association>
    <ref>ri:role_id</ref>
    <displayName>My Role</displayName>
    <kind>entitlement</kind>
    <intent>default</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>icfs:uid</associationAttribute>
    <valueAttribute>ri:role_name</valueAttribute>
</association>
</pre></blockquote>
        <div> </div>
        <div>But it causes an error, and my guess is that it's because the
          entitlements and accounts are in different resources. Is it
          possible to do the association with another resource? </div>
        <div><br>
        </div>
        <div>Thanks</div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">2016-05-02 14:02 GMT+07:00 Ivan Noris
            <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> Hi Harits,<span><br>
                  <br>
                  <div>On 05/02/2016 08:17 AM, Harits Elfahmi wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hello all,
                      <div><br>
                      </div>
                      <div>I'm trying to sync my role data from a database
                        table to midPoint using the GUI. From the docs I
                        get the impression that the entitlements and
                        accounts originate from a single resource, but
                        since DatabaseTableConnector connects to a
                        certain table, I think I need to make another
                        resource to store entitlement data. What I don't
                        get is:</div>
                      <div><br>
                      </div>
                      <div>- In Schema Handling what's the attribute I
                        use in <b>target</b>? Is it <b>$role/name</b>?
                        I can't find the reference in the docs</div>
                    </div>
                  </blockquote>
                  <br>
                </span> Instead of $user you would use $focus. (It would
                work for users as well.)<span><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>- In Synchronization, what's the appropriate
                        reaction? I can't find <b>add role</b> reaction
                        in the dropdown list</div>
                    </div>
                  </blockquote>
                  <br>
                </span> No, that's connected to the bug you discovered
                earlier. The proper action is addFocus.<br>
                <handlerUri><a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri><br>
                <br>
                In order to synchronize resource objects to anything
                other than users, the following must be added to the
                synchronization settings (I don't know if the wizard
                supports it):<br>
                <br>
<pre>
...
<objectSynchronization>
    <name>role sync</name>
    <objectClass>ri:AccountObjectClass</objectClass><!-- DB Table connector supports only accounts -->
    <kind>account</kind>
    <intent>default</intent>
    <focusType><b>c:RoleType</b></focusType>
    <enabled>true</enabled>
    <correlation>
        ...
    </correlation>
...
</pre>
                <br>
                This means that the object will be correlated with Roles,
                not Users (which is the default). In the correlation expression
                you will search for Roles and not Users. If the
                correlation expression returns zero results, an unmatched
                situation will occur and the action (e.g. addFocus) will be
                executed. Everything is the same as for users. Just use
                $focus instead of $user in the inbound mappings.<br>
                <br>
                See some of our Generic Synchronization samples such as
                <a href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml" target="_blank">https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml</a>
                (it's OpenDJ, not DB Table, but you will see the things
                I mentioned).<br>
                <br>
                Also see <a href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization" target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
                <br>
                Regards,<br>
                Ivan<br>
                <br>
                <blockquote type="cite"><span>
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>Is it possible to do this? Or do I need to
                        manually add roles to midpoint? Please help.</div>
                      <div><br>
                      </div>
                      <div>Thanks</div>
                      <div>
                        <div><br>
                        </div>
                        -- <br>
                        <div>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div>Cheers,</div>
                                <div><b><br>
                                  </b></div>
                                <div><b>Harits</b> Elfahmi</div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </span>
                  <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
                  <span><font color="#888888"> </font></span></blockquote>
                <span><font color="#888888"> <br>
                    <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper ID(e)M Vix."
</pre>
                  </font></span></div>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
  </div></div></div>

<br></blockquote></div>
</div>
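<p>Ivan's rule above (associations work only when the entitlement and the account are on the same resource) can be checked mechanically before a resource is imported. The following is an added example, not code from the thread or from midPoint: it parses a resource definition and flags each association whose entitlement kind/intent has no object type in the same schemaHandling, plus missing direction or attribute elements. The two resource XML samples are constructed, and the parser ignores namespaces, so the xmlns value is an assumption that does not affect the result.</p>

```python
# Added example (not from the thread or from midPoint): flag any <association>
# whose entitlement kind/intent has no object type in the SAME resource.
import xml.etree.ElementTree as ET

VALID_DIRECTIONS = {"objectToSubject", "subjectToObject"}

def _text(elem, name):
    """Text of the first child with local name `name`, ignoring XML namespaces."""
    child = elem.find(f"{{*}}{name}")
    return child.text.strip() if child is not None and child.text else None

def check_associations(resource_xml):
    """Return a list of problems; an empty list means the associations are consistent."""
    handling = ET.fromstring(resource_xml).find(".//{*}schemaHandling")
    if handling is None:
        return ["no schemaHandling section"]
    object_types = handling.findall("{*}objectType")
    # (kind, intent) pairs this resource defines; midPoint defaults are account/default
    defined = {(_text(ot, "kind") or "account", _text(ot, "intent") or "default")
               for ot in object_types}
    problems = []
    for ot in object_types:
        owner = f"{_text(ot, 'kind') or 'account'}/{_text(ot, 'intent') or 'default'}"
        for assoc in ot.findall("{*}association"):
            ref = _text(assoc, "ref") or "?"
            target = (_text(assoc, "kind") or "entitlement", _text(assoc, "intent") or "default")
            if target not in defined:  # entitlement is undefined here or lives in another resource
                problems.append(f"{owner} {ref}: no {target[0]}/{target[1]} object type in this resource")
            direction = _text(assoc, "direction")
            if direction not in VALID_DIRECTIONS:
                problems.append(f"{owner} {ref}: invalid direction {direction!r}")
            for attr in ("associationAttribute", "valueAttribute"):
                if not _text(assoc, attr):
                    problems.append(f"{owner} {ref}: missing {attr}")
    return problems

# Constructed sample modelled on the DB-table resource in the thread: the account
# type carries the association, but no entitlement object type is defined.
BROKEN_RESOURCE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <schemaHandling>
    <objectType><kind>account</kind><intent>default</intent>
      <association><ref>ri:role_id</ref><kind>entitlement</kind><intent>default</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>icfs:uid</associationAttribute>
        <valueAttribute>ri:role_name</valueAttribute></association>
    </objectType>
  </schemaHandling></resource>"""
# Same resource with the entitlement object type defined alongside the account type.
FIXED_RESOURCE = BROKEN_RESOURCE.replace("</schemaHandling>",
    "<objectType><kind>entitlement</kind><intent>default</intent></objectType></schemaHandling>")
```

Running `check_associations(BROKEN_RESOURCE)` reports the missing entitlement/default object type, while the fixed resource returns no problems.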