<div dir="ltr"><div>I kind of solved this problem with archetypes.</div><div><br></div><div>Dropping all configuration that I've used in my previous configuration (roles, multisource etc), I've created two archetypes:</div><div>- trainee</div><div>- outsourced</div><div><br></div><div>In my resources, I try to associate the focus with one of the archetypes, in the schema handling/objectType tag:</div><div>...<br></div><div><focus><br> <type>c:UserType</type><br> <archetypeRef oid="fefefefe-ffff-aaaa-0000-00000000000c" relation="org:default" type="c:ArchetypeType" /></div><div> <!-- trainee archetype --><br></div><div></focus></div><div>...</div><div><br></div><div>When there is a conflict (the same person exists in both systems), MIDPOINT fails to synchronize the resource associated with the different archetype (that is one thing that I wanted).</div><div>If the identity should be synchronized with that resource, the administrator corrects the situation by manually changing the archetype of the identity.</div><div></div><div><br></div><div>The problem I'm having now is that there are unending stacktraces complaining about the fact that MP cannot set a different archetype to the existing identity.</div><div>For example:</div><div>1) The system is working fine and User_A is a trainee and working every day<br></div><div>2) User_A contract ends and he is not a trainee anymore<br></div><div>3) User_A starts working as an outsourced employee<br></div><div><br></div><div>Now we have a conflict because User_A exists in MP as an identity with the trainee archetype, but he appeared as an
outsourced employee
(his new position in the company).</div><div>The administrator changed the archetype to
outsourced and MP starts correctly to synchronize User_A with the
outsourced employee system.</div><div><br></div><div>But the logs starts to grow with stacktraces, reporting that MP cannot synchronize the disabled User_A (exists in the trainee system), because the identity have a different archetype.<br></div><div>Also, when the conflict happens, the live synchronization recurring tasks are automatically suspended.</div><div><br></div><div>How could I deal with these problems? Do anybody have any hints?</div><div>In the example above, I would like to avoid synchronizing the the identity with the resource associated with the different archetype.<br></div><div><br></div><div><div>Thanks in advance!</div><div>Fthul<br></div><div><br></div><div><br></div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em qua., 3 de mai. de 2023 às 20:31, fthul c <<a href="mailto:0xfthul@gmail.com">0xfthul@gmail.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello,</div><div><br></div><div></div><div>I'm evaluating midpoint (I'm new to IDMs in general) and I'm having trouble getting midpoint to work as follows:</div><div><br></div><div>I have two authoritative resources for users:</div><div>A trainee
system (TS)<br></div><div>An
<span lang="en"><span><span>outsourced employee</span></span></span> system (OES) <br></div><div><br></div><div>Someone can exist and be active in the trainee system or can exist an be active in the outsourced employee system, but cannot be active at both systems at the same time (including begin/end dates). Some attributes can be a little different (for example, the person's name, organizational unit, phone, etc), and I would like to synchronize only the attributes from the resource in which the identity is active.<br></div><div><br></div><div>Sorry if my question is too basic, but how could I configure midpoint to work with this policy?</div><div></div><div><br></div><div></div><div>I've tried to create 2 "radio button" roles: trainee and outsourced and I could make only one of them be assigned.</div><div>My problem here was with synchronization, since midpoint kept updating the name based on the resource in which the user was disabled.</div><div>Sometimes it worked, but the history for the identity started to grow with each synchronization execution, because resources were "competing" to update the attributes.</div><div></div><div><br></div><div>I tried to use defaultAuthoritativeSource (and multisourced fields), but I'm having difficulty with the selection of the resource in which the identity is currently active.</div><div>My defaultAuthoritativeSource configuration (below) doesn't work properly.</div><div></div><div></div><div><br></div><div><multiSource><br> <defaultAuthoritativeSource><br> <expression><br> <script><br> <code><br> import com.evolveum.midpoint.util.MiscUtil<br> import com.evolveum.midpoint.prism.delta.*<br> import com.evolveum.midpoint.xml.ns._public.common.common_3.*<br> import com.evolveum.midpoint.util.DebugUtil<br> import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType<br> import com.evolveum.midpoint.util.exception.*<br><br> if(identity == null){<br> return null<br> }<br><br> def RESOURCE_TRAINEE = '466c4e70-ed4b-48f6-8842-99f8c12f9d9d'<br> def RESOURCE_OUTSOURCED = '82f6b6cf-eaf2-45e1-9e27-5349279248c2'<br> def res = [RESOURCE_TRAINEE, RESOURCE_OUTSOURCED]<br></div><div> <br></div><div> // trying to find what is the resource in which the user is active<br></div><div> def sources = identity<br> .collect { it.source }<br> .findAll { source -> res.contains(source?.resourceRef?.oid) }<br> .findAll { source -> midpoint.getObject(ShadowType.class, source.shadowRef.oid)?.isExists() }<br><br> if (sources?.size() == 1) {<br> // found only one, return it<br> return sources.get(0)<br> }<br><br> if (sources?.size() > 1) {<br> throw new PolicyViolationException("The identity is active in multiple authoritative resources")<br> }<br><br> return null<br> </code><br> </script><br> </expression><br> </defaultAuthoritativeSource><br></multiSource></div><div><br></div><div>The code above seems to work initially, but fails when I execute these steps:</div><div>1) I manually import the user from the trainee resource</div><div>2) I delete the user in the trainee resource</div><div>3) I run reconciliation for the user, and he becomes disabled</div><div>4) I manually import the user from the outsourced employee resource</div><div>5) he is correctly updated and is not a trainee anymore</div><div>6) I create the user again in the trainee resource</div><div>7) in this moment, when I try to manually import the trainee again, midpoint allows (shouldn't it throw the exception I programmed in the defaultAuthoritativeSource?)</div><div><br></div><div>Does anyone know what I'm doing wrong?<br></div><div><br></div><div>Additionally, in the code above I tried to interrupt the execution when I detected
that the identity existed in multiple resources with an exception (is it
done this way?).</div><div><br></div><div>Thanks in advance and sorry if my question is too basic!</div><div><br></div><div><br>
</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><br></div>
</blockquote></div>