<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hi Vincent,<br></div><div><br></div><div>the intents are exactly to support the "multiple accounts for the same user" feature. :)<br></div><div>Ivan<br></div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"HURTEVENT VINCENT" <vincent.hurtevent@univ-lyon1.fr><br><b>To: </b>"midPoint General Discussion" <midpoint@lists.evolveum.com><br><b>Sent: </b>Wednesday, October 5, 2016 5:10:52 PM<br><b>Subject: </b>Re: [midPoint] How to specify multiple object template ref in sync rules<br><div><br></div><div class="">Working with intents seems to be the perfect solution, and will also allow us to create, when needed, multiple accounts in our directories for one identity (staff account, student account, guest account, super user account, etc).</div><div class=""><br class=""></div><div class="">We’ll try this!</div><div class=""><br class=""></div><div class="">Thank you!</div><div class=""><br class=""></div>
<br class=""><div><blockquote class=""><div class="">On 5 Oct 2016, at 16:58, Ivan Noris <<a href="mailto:Ivan.Noris@evolveum.com" class="" target="_blank">Ivan.Noris@evolveum.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">


<div class=""><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;" class=""><div class="">Hi Vincent,<br class=""></div><div class=""><br class=""></div><div class="">you could define multiple synchronization policies for the same resource if you can distinguish between the accounts and configure them as different intents. Then, for each intent you can have different synchronization policies including object template reference.<br class=""></div><div class=""><br class=""></div><div class="">Example (from the training) - only <synchronization> part, schemaHandling for both intents must also be defined with mappings.<br class=""></div><div class="">I have defined two intents. One is default, the other is "test" account. The accounts differ by username - test accounts always start with underscore (_). This is used to distinguish the intents, see the conditions in <objectSynchronization> parts.<br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">...<br class=""></div><div class="">        <synchronization><br class="">            <objectSynchronization><br class="">                <!--<br class="">                    The synchronization for this resource is enabled.<br class="">                    It means that the synchronization will react to changes detected by<br class="">                    the system (live sync task, discovery or reconciliation) --><br class="">                    <name>Default account</name><br class=""><!--<objectClass>ri:AccountObjectClass</objectClass>--><br class="">                    <kind>account</kind><br class="">                    <intent>default</intent><br class="">                <enabled>true</enabled><br class="">    <br class="">                    <condition><br class="">                        <script><br class="">                           <code><br class="">                              import static 
com.evolveum.midpoint.schema.constants.SchemaConstants.*<br class="">//                            name = basic.lc(shadow.getName().toString())<br class="">                              name = basic.getAttributeValue(shadow, ICFS_NAME)<br class="">                              //log.info("XXX Synchronization condition for account/default; name (getName()) = {}; name (getAttributeValue) = {}; evaluated to {}", shadow.getName(), name, !name?.startsWith('_'))<br class="">                              return !name?.startsWith('_')<br class="">                           </code><br class="">                        </script><br class="">                    </condition><br class="">                <correlation><br class="">                    <q:description><br class="">                        Correlation expression is a search query.<br class="">                        Following search query will look for users that have "employeeNumber"<br class="">                        equal to the "enumber" attribute of the account.<br class="">                            The condition will ensure that "enumber" is not<br class="">                            empty, otherwise it would match any midPoint user<br class="">                            with empty "employeeNumber" attribute, such as "administrator".<br class="">                        The correlation rule by default looks for users, so it will not match<br class="">                        any other object type.<br class="">                    </q:description><br class="">                    <q:equal><br class="">                        <q:path>c:employeeNumber</q:path><br class="">                              <expression><br class="">                                <path>$account/attributes/ri:enumber</path><br class="">                              </expression><br class="">                    </q:equal><br class="">                        <condition><br class="">    
                        <script><br class="">                                <code>basic.getAttributeValue(shadow, 'enumber') != null</code><br class="">                            </script><br class="">                        </condition><br class="">                </correlation><br class="">    <br class="">                <reaction><br class="">                    <situation>linked</situation><br class="">                        <synchronize>true</synchronize><br class="">                </reaction><br class="">                <reaction><br class="">                    <situation>deleted</situation><br class="">                    <synchronize>true</synchronize><br class="">                        <action><br class="">                            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri><br class="">                        </action><br class="">                </reaction><br class="">                <reaction><br class="">                    <situation>unlinked</situation><br class="">                    <synchronize>true</synchronize><br class="">                        <action><br class="">                            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri><br class="">                        </action><br class="">                </reaction><br class="">                <reaction><br class="">                    <situation>unmatched</situation><br class="">                    <synchronize>true</synchronize><br class="">                        <action><br class="">                            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri><br class="">
                        </action><br class="">                </reaction><br class="">        </objectSynchronization><br class="">            <objectSynchronization><br class="">                <!--<br class="">                    The synchronization for this resource is enabled.<br class="">                    It means that the synchronization will react to changes detected by<br class="">                    the system (live sync task, discovery or reconciliation).<br class="">                        The test account has name starting with "_". --><br class="">                    <name>Test account</name><br class=""><!--<objectClass>ri:AccountObjectClass</objectClass>--><br class="">                    <kind>account</kind><br class="">                    <intent>test</intent><br class="">                <enabled>true</enabled><br class="">                    <condition><br class="">                        <script><br class="">                           <code><br class="">                              import static com.evolveum.midpoint.schema.constants.SchemaConstants.*<br class="">//                            name = basic.lc(shadow.getName().toString())<br class="">                              name = basic.getAttributeValue(shadow, ICFS_NAME)<br class="">                              //log.info("XXX Synchronization condition for account/test; name (getName()) = {}; name (getAttribute) = {}; evaluated to {}", shadow.getName(), name, name.startsWith('_'))<br class="">                              return name?.startsWith('_')<br class="">                           </code><br class="">                        </script><br class="">                    </condition><br class="">    <br class="">                <correlation><br class="">                    <q:description><br class="">             
           Correlation expression is a search query.<br class="">                        Following search query will look for users that have "name"<br class="">                        equal to the account name without the first character. We assume that<br class="">                            the first character is "_" because of the condition above.<br class="">                        The correlation rule by default looks for users, so it will not match<br class="">                        any other object type.<br class="">                    </q:description><br class="">                    <q:equal><br class="">                            <q:matching>polyStringNorm</q:matching><br class="">                            <q:path>c:name</q:path><br class="">                                <expression><br class="">                                    <script><br class="">                                        <code><br class="">                                        n = shadow.getName().toString()<br class="">                                        n.substring(1)<br class="">                                        </code><br class="">                                    </script><br class="">                                </expression><br class="">                    </q:equal><br class="">                </correlation><br class="">    <br class="">                <reaction><br class="">                    <situation>linked</situation><br class="">                        <synchronize>true</synchronize><br class="">                </reaction><br class="">                <reaction><br class="">                    <situation>deleted</situation><br class="">                    <synchronize>true</synchronize><br class="">                        <action><br class="">                            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri><br class="">
                        </action><br class="">                </reaction><br class="">                <reaction><br class="">                    <situation>unlinked</situation><br class="">                    <synchronize>true</synchronize><br class="">                        <action><br class="">                            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri><br class="">                        </action><br class="">                </reaction><br class="">                <reaction><br class="">                    <situation>unmatched</situation><br class="">                    <synchronize>true</synchronize><br class="">                        <action><br class="">                            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateShadow</handlerUri><br class="">                        </action><br class="">                </reaction><br class="">        </objectSynchronization><br class="">        </synchronization><br class="">...<br class=""></div><div class=""><br class=""></div><div class="">I'm not using object templates here, but this is from my real project:<br class=""></div><div class="">...<br class=""></div><div class="">          <reaction><br class="">              <situation>deleted</situation><br class="">              <synchronize>true</synchronize><br class="">            <objectTemplateRef oid="73e2560a-fd87-11e5-839d-3c970e44b9e2"/><br class="">              <action><br class="">               <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus</handlerUri><br class="">
             </action><br class="">          </reaction><br class=""><br class=""></div><div class="">...<br class=""></div><div class=""><br class=""></div><div class="">That template was referenced every time a deleted account was discovered, midPoint would disable it and execute the template (to set some additional attributes of that user).<br class=""></div><div class=""><br class=""></div><div class="">Hope this helps.<br class=""></div><div class="">Regards<br class=""></div><div class="">Ivan<br class=""></div><div class=""><br class=""></div><hr id="zwchr" class=""><blockquote style="border-left-width: 2px; border-left-style: solid; border-left-color: rgb(16, 16, 255); margin-left: 5px; padding-left: 5px; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica, Arial, sans-serif; font-size: 12pt;" class=""><b class="">From: </b>"HURTEVENT VINCENT" <<a href="mailto:vincent.hurtevent@univ-lyon1.fr" class="" target="_blank">vincent.hurtevent@univ-lyon1.fr</a>><br class=""><b class="">To: </b><a href="mailto:midpoint@lists.evolveum.com" class="" target="_blank">midpoint@lists.evolveum.com</a><br class=""><b class="">Sent: </b>Wednesday, October 5, 2016 3:02:49 PM<br class=""><b class="">Subject: </b>[midPoint] How to specify multiple object template ref in sync rules<br class=""><div class=""><br class=""></div><div class="">Hello,</div><div class=""><br class=""></div><div class="">We are still working on Midpoint in order to replace our current IDM solution.</div><div class=""><br class=""></div><div class="">We have a first resource which is our main data source resource with all our people (staff, students, etc). 
Actually it’s only one table.</div><div class=""><br class=""></div><div class="">We would like to have distinct rules for each of our people categories, i.e., rules for staff, different rules for students, etc.</div><div class="">The object template seems to be the right solution, with one object template for each category BUT we don’t know how to use different object templates in the same reaction (unmatched->addFocus).</div><div class=""><br class=""></div><div class="">Is it possible? Or do we need to split people upstream, in our database (one table per people category)? Resource configuration (WHERE clause)? </div><div class=""><br class=""></div><div class="">Having multiple resources pointing to the same database/table without selecting a specific category will result in bad perf IMO, each import task will have to crawl the whole database/table.</div><div class=""><br class=""></div><div class="">Thank you!</div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div class="">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">— <br class="">Vincent Hurtevent<br class="">Direction du Système d’Information<br class="">Université Claude Bernard Lyon 1</div>
</div>
<br class=""><br class="">_______________________________________________<br class="">midPoint mailing list<br class="">midPoint@lists.evolveum.com<br class="">http://lists.evolveum.com/mailman/listinfo/midpoint<br class=""></blockquote><div class=""><br class=""><br class=""></div><div class=""><br class=""></div><div class="">-- <br class=""></div><div class=""><span class=""></span>Ivan Noris<br class="">Senior Identity Engineer<br class=""><a href="http://evolveum.com" class="" target="_blank">evolveum.com</a><span class=""></span><br class=""></div></div></div></div></blockquote></div><br class=""><br></blockquote><div><br><br></div><div><br></div><div>-- <br></div><div><span name="x"></span>Ivan Noris<br>Senior Identity Engineer<br>evolveum.com<span name="x"></span><br></div></div></body></html>