Sync with Roles and Assignment are not working

This topic has 1 reply, 2 voices, and was last updated 3 weeks, 4 days ago by vliefooghe.

  • #28463
     joellaa3
    Participant

    I’m following the documentation[1] and trying to create new users from a CSV file and create some of these users in MS AD.
    What I did:
    – Create a Connector to read the CSV file (CSVUsers)
    – Create a Connector to write to Active Directory (AD1)
    – Create a Mapping CSV_to_Local (Source: CSVUsers; Target: Managed/User)
    – Create a Mapping Local_to_AD (Source: Managed/User; Target: AD1)
    – Create an Assignment (AD), mapped to Local_to_AD
    – Create a new Role (AD), linked with Assignment “AD”

    What I expected: only the users that I added manually to the “AD” Role would be created in Active Directory through the Mapping Local_to_AD.
    What happens: all users created using the CSV_to_Local Mapping are created in Managed/User and in Active Directory, ignoring my Role’s list of users.

    If I add an attribute in the Assignment using some field to test, it works. But I would like to use the Role to group the users to be added to AD.

    Can someone help me?

    I’m using OpenIDM 7.0.1 (revision: 9be45fd)

    Thanks!

    [1] https://backstage.forgerock.com/docs/idm/7/samples-guide/provisioning-with-roles.html

    • This topic was modified 1 month, 3 weeks ago by joellaa3. Reason: Add the version of software
    #28506
     vliefooghe
    Participant

    Hello,

    Assignments and roles can only be used – from what I understand – to populate specific attributes / values.

    If you want to restrict the creation of accounts in your AD, you should use the validSource in your sync.json.

    For example, I use this in my User_AD mapping:

                "validSource" : {
                    "type" : "text/javascript",
                    "source" : "source.physicalDeliveryOfficeName != null"
                },

    In your case, you should probably find the effectiveRole which is OK for AD account creation.
    You can also use a javascript file, like this example:

                "validSource" : {
                    "type" : "text/javascript",
                    "file" : "script/AD/isUserValidForAD.js"
                },
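As an added illustration of the file-based validSource approach described in the reply above (example code written here, not from the thread or from ForgeRock): a script that returns true only when the managed user effectively holds the “AD” role. It assumes that `source` is the managed user with its `effectiveRoles` relationship array available, and that the `managed/role` `_id` of the AD role is known and placed in the hypothetical `AD_ROLE_ID` constant.

```javascript
// Added example of a validSource script (assumed path: script/AD/isUserValidForAD.js).
// Assumption: the "AD" role's managed/role _id is known; the value below is a placeholder.
var AD_ROLE_ID = "REPLACE-WITH-AD-ROLE-ID";

// Return true only when the user effectively holds the given role.
// Any user without effectiveRoles (or with a malformed entry) is not provisioned.
function isUserValidForAD(user, adRoleId) {
  if (!user || !Array.isArray(user.effectiveRoles)) {
    return false;
  }
  return user.effectiveRoles.some(function (ref) {
    if (!ref) {
      return false;
    }
    // Relationship references look like
    // { "_ref": "managed/role/<id>", "_refResourceCollection": "managed/role", "_refResourceId": "<id>" }
    var id = ref._refResourceId;
    if (!id && typeof ref._ref === "string") {
      id = ref._ref.split("/").pop(); // fall back to the trailing id of the _ref path
    }
    return id === adRoleId;
  });
}

// In sync.json the script runs with the global `source` bound to the managed user, and the
// value of the last expression is what IDM uses as the validSource result. The typeof guard
// only keeps the file loadable outside IDM, where `source` does not exist.
typeof source !== "undefined" ? isUserValidForAD(source, AD_ROLE_ID) : false;
```

Because validSource only gates which source objects are synced, a user who loses the role is no longer a valid source, and the mapping's onUnlink / target-unlink policy then decides what happens to the existing AD account.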