Task #1130

closed

Create accounts when resaving identity

Added by Alena Peterová almost 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Vít Švanda
Category:
Account managment
Target version:
-
Start date:
06/11/2018
Due date:
% Done:

0%

Estimated time:
Owner:

Description

If an identity has an existing account and the identity is resaved (individually or by a bulk action), the accounts are provisioned according to currently assigned roles.
However, if the account doesn't exist, then resaving the identity doesn't create the account which should be created according to the roles.
From the administrator's point of view, this is unexpected and confusing.

Use-case (it's usually needed during connecting a new system):
  • Role doesn't assign any resource.
  • The role is assigned to identities (automatically or manually)
  • I assign some system to the role
  • I want to create accounts according to the role assignment.
Actions #1

Updated by Petr Michal almost 6 years ago

This is useful for gradual deployment of production.

I would like to use it in a standard use case:
  • I start production with Active Directory in read-only mode.
  • I will run processes and give all roles to users (including AD roles).
  • Then I want to gradually create user accounts in AD by bulk resaving.
Actions #2

Updated by Vít Švanda almost 6 years ago

In your case, ACM is already called in the second step.

I think you are speaking about provisioning, not ACM.

Actions #3

Updated by Marcel Poul almost 6 years ago

Petr Michal wrote:

This is useful for gradual deployment of production.

I would like to use it in a standard use case:
  • I start production with Active Directory in read-only mode.
  • I will run processes and give all roles to users (including AD roles).
  • Then I want to gradually create user accounts in AD by bulk resaving.

I think you missed one point between 2 and 3 in which you check the provisioning queue and clean some (or all) operations.

Actions #4

Updated by Vít Švanda almost 6 years ago

Even with four steps I do not see any issue, because saving the identity calls the provisioning. So the 'resave' operation is fully sufficient for that use case.

Actions #5

Updated by Marcel Poul almost 6 years ago

Thinking of it again, I guess we (me and Pert Hanák) came across a similar use case yesterday on another project.

Use case (in test environment):

  • assign AD roles to users (automatic usually)
  • check provisioning queue operations and clear it
  • improve transformation scripts, attribute mapping etc...
  • resave a user and check the change, clear queue

Cycle 3 and 4 until all is set up and then resave all users, last check, switch AD to RW and push the queue.

Would this work? I think we had some issues with this yesterday.

Actions #6

Updated by Vít Švanda almost 6 years ago

Before starting step 4, do you have all AccAccounts correctly created in the IdM (I think yes)? Then yes, provisioning will be called when using the resave operation.
If you (after the first step), for example, add a new system (on an already assigned role), then you will not have AccAccounts created for this new system, because ACM is not called automatically after a role change. Then you have to invoke ACM manually, but for this you cannot use the resave operation, because that does not call the ACM.

Actions #7

Updated by Marcel Poul almost 6 years ago

Vít Švanda wrote:

Before starting step 4, do you have all AccAccounts correctly created in the IdM (I think yes)? Then yes, provisioning will be called when using the resave operation.
If you (after the first step), for example, add a new system (on an already assigned role), then you will not have AccAccounts created for this new system, because ACM is not called automatically after a role change. Then you have to invoke ACM manually, but for this you cannot use the resave operation, because that does not call the ACM.

Not sure about the existence of ACCAccounts, we will check it out. thx

Actions #8

Updated by Petr Michal over 5 years ago

  • Priority changed from Normal to High
Actions #11

Updated by Vít Švanda over 5 years ago

  • Priority changed from High to Normal
Actions #12

Updated by Vít Švanda over 5 years ago

On the AK project it behaves strangely - once the re-save did not trigger Create, the second time it did.
  • Do you have the account (AccAccount and IdentityAccount) created in both identities?
  • Maybe some exception occurred during provisioning ... is the event queue empty (for this identity)?
Actions #13

Updated by Alena Peterová over 5 years ago

Vít Švanda wrote:

On the AK project it behaves strangely - once the re-save did not trigger Create, the second time it did.
  • Do you have the account (AccAccount and IdentityAccount) created in both identities?

I try to read audit logs and I believe both existed.

  • Maybe some exception occurred during provisioning ... is the event queue empty (for this identity)?

Not at that time, but it's possible that in the past there were some errors.

OK, I guess we need the "Invoke ACM" bulk action, which should create the account in all cases and wouldn't slow usual processes. This could be added to existing "Re-save" identity bulk action, because that's how we expected it already works (at least some of us).
The bulk action for role is great, I didn't know about that. Still, we need it per-user.

Actions #14

Updated by Alena Peterová about 5 years ago

I think that this ticket is solved by the bulk action "Recalculate accounts and provision" which is new in 9.4. So it could be closed.

Actions #15

Updated by Vít Švanda about 5 years ago

  • Status changed from New to Closed