Task #1130
closed
Create accounts when resaving identity
0%
Description
If an identity has an existing account and the identity is resaved (individually or by a bulk action), the accounts are provisioned according to currently assigned roles.
However, if the account doesn't exist, then resaving the identity doesn't create the account which should be created according to the roles.
From the administrator's point of view, this is unexpected and confusing.
- Role doesn't assign any resource.
- The role is assigned to identities (automatically or manually)
- I assign some system to the role
- I want to create accounts according to the role assignment.
Updated by Petr Michal almost 6 years ago
This is useful for gradual deployment of production.
I would like to use it in a standard use case:
- I start production with Active Directory in read-only mode.
- I will run processes and give all roles to users (including AD roles).
- Then I want to gradually create user accounts in AD by bulk resaving.
Updated by Vít Švanda almost 6 years ago
In your case, ACM is already called in the second step.
I think you are speaking about provisioning, not ACM.
Updated by Marcel Poul almost 6 years ago
Petr Michal wrote:
This is useful for gradual deployment of production.
I would like to use it in a standard use case:
- I start production with Active Directory in read-only mode.
- I will run processes and give all roles to users (including AD roles).
- Then I want to gradually create user accounts in AD by bulk resaving.
I think you missed one point between 2 and 3 in which you check the provisioning queue and clean some (or all) operations.
Updated by Vít Švanda almost 6 years ago
Even with four steps I do not see any issue, because saving an identity calls the provisioning. So the 'resave' operation is fully sufficient for that use case.
Updated by Marcel Poul almost 6 years ago
Thinking of it again, I guess we (me and Petr Hanák) came across a similar use case yesterday on another project.
Use case (in test environment):
- assign AD roles to users (automatic usually)
- check provisioning queue operations and clear it
- improve transformation scripts, attribute mapping etc...
- resave a user and check the change, clear queue
Cycle 3 and 4 until all is set up and then resave all users, last check, switch AD to RW and push the queue.
Would this work? I think we had some issues with this yesterday.
Updated by Vít Švanda almost 6 years ago
Before starting step 4, do you have all AccAccounts correctly created in the IdM (I think yes)? Then yes, provisioning will be called when using the resave operation.
If you (after the first step), for example, add a new system (on an already assigned role), then you will not have AccAccounts created for this new system, because ACM is not called automatically after a role change. Then you have to invoke ACM manually, but for this you cannot use the resave operation, because that does not call the ACM.
Updated by Marcel Poul almost 6 years ago
Vít Švanda wrote:
Before starting step 4, do you have all AccAccounts correctly created in the IdM (I think yes)? Then yes, provisioning will be called when using the resave operation.
If you (after the first step), for example, add a new system (on an already assigned role), then you will not have AccAccounts created for this new system, because ACM is not called automatically after a role change. Then you have to invoke ACM manually, but for this you cannot use the resave operation, because that does not call the ACM.
Not sure about the existence of ACCAccounts, we will check it out. thx
Updated by Vít Švanda over 5 years ago
- Priority changed from High to Normal
- First, please write your comments publicly and in English (the ticket is losing continuity).
- What do you want exactly? Do you need to invoke provisioning or ACM (account management)? If you need only provisioning, then that is invoked on identity save now.
- As I wrote above, the goal isn't to invoke ACM during identity save (performance reasons).
- In version 8.2.0, a bulk operation for roles was created, where you can invoke ACM for all connected identities (https://wiki.czechidm.com/tutorial/adm/roles_bulk_actions#invoke_account_management).
- If you need to invoke ACM only for selected identities, the new operation "Invoke ACM" can be created as a bulk operation for identities. If you need this ASAP, you can create this bulk operation in your project (it can be merged into the product later) (https://wiki.czechidm.com/devel/documentation/bulk_actions/dev/bulk_actions#how_can_i_add_new_bulk_action).
Updated by Vít Švanda over 5 years ago
- Do you have the account created (AccAccount and IdentityAccount) in both identities?
- Maybe some exception occurred during provisioning ... is the event queue empty (for this identity)?
Updated by Alena Peterová over 5 years ago
Vít Švanda wrote:
On the AK project it behaves strangely - once the resave did not trigger Create, the second time it did.
- Do you have the account created (AccAccount and IdentityAccount) in both identities?
I try to read audit logs and I believe both existed.
- Maybe some exception occurred during provisioning ... is the event queue empty (for this identity)?
Not at that time, but it's possible that in the past there were some errors.
OK, I guess we need the "Invoke ACM" bulk action, which should create the account in all cases and wouldn't slow usual processes. This could be added to existing "Re-save" identity bulk action, because that's how we expected it already works (at least some of us).
The bulk action for role is great, I didn't know about that. Still, we need it per-user.
Updated by Alena Peterová about 5 years ago
I think that this ticket is solved by the bulk action "Recalculate accounts and provision" which is new in 9.4. So it could be closed.