Task #1130
closed
Create accounts when resaving identity
Added by Alena Peterová almost 6 years ago.
Updated about 5 years ago.
Category:
Account management
Description
If an identity has an existing account and the identity is resaved (individually or by a bulk action), the accounts are provisioned according to currently assigned roles.
However, if the account doesn't exist, then resaving the identity doesn't create the account which should be created according to the roles.
From the administrator's point of view, this is unexpected and confusing.
Use case (it's usually needed when connecting a new system):
- Role doesn't assign any resource.
- The role is assigned to identities (automatically or manually).
- I assign some system to the role.
- I want to create accounts according to the role assignment.
This is useful for gradual deployment of production.
I would like to use it in a standard use case:
- I start production with Active Directory in read-only mode.
- I will run processes and give all roles to users (including AD roles).
- Then I want to gradually create user accounts in AD by bulk resaving.
In your case ACM is already called in the second step.
I think you are speaking about the provisioning, not ACM.
Petr Michal wrote:
This is useful for gradual deployment of production.
I would like to use it in a standard use case:
- I start production with Active Directory in read-only mode.
- I will run processes and give all roles to users (including AD roles).
- Then I want to gradually create user accounts in AD by bulk resaving.
I think you missed one point between 2 and 3 in which you check the provisioning queue and clean some (or all) operations.
Even with four steps I do not see any issue, because saving the identity calls the provisioning. So the 'resave' operation is fully sufficient for that use case.
Thinking of it again, I guess we (me and Petr Hanák) came across a similar use case yesterday on another project.
Use case (in a test environment):
- assign AD roles to users (automatic usually)
- check provisioning queue operations and clear it
- improve transformation scripts, attribute mapping etc.
- resave a user and check the change, clear the queue
Cycle through steps 3 and 4 until everything is set up, then resave all users, do a last check, switch AD to RW and push the queue.
Would this work? I think we had some issues with this yesterday.
Before starting step 4, do you have all AccAccounts correctly created in the IdM (I think yes)? Then yes, provisioning will be called when using the resave operation.
If you (after the first step) for example add a new system (to an already assigned role), then you will not have AccAccounts created for this new system, because ACM is not called automatically after a role change. Then you have to invoke ACM manually, but for this you cannot use the resave operation, because that does not call the ACM.
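The distinction drawn above (resave runs provisioning over existing AccAccounts, while only ACM creates missing ones) as an added, runnable model; this is illustrative code written for this thread, not CzechIdM's own API, and the Role/Identity/acm/provisioning names and the "alice"/"AD" scenario are constructed assumptions:

```python
# Added example (not CzechIdM code): a minimal model of the behaviour described
# in this thread. Names mirror the discussion (AccAccount, ACM, provisioning),
# but the implementation is an illustrative assumption, not the product's API.
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    systems: set = field(default_factory=set)    # systems this role assigns


@dataclass
class Identity:
    username: str
    roles: list = field(default_factory=list)
    accounts: set = field(default_factory=set)   # existing AccAccounts (system names)


def acm(identity):
    """Account management: derive the accounts the identity should have from
    its currently assigned roles and create the missing AccAccounts."""
    wanted = {s for r in identity.roles for s in r.systems}
    created = wanted - identity.accounts
    identity.accounts |= wanted
    return created


def provisioning(identity):
    """Provisioning pushes attributes only to accounts that already exist;
    it never creates a new AccAccount. Returns the queued operations."""
    return [(identity.username, s, "UPDATE") for s in sorted(identity.accounts)]


def resave(identity):
    """'Re-save identity' as described in the thread: provisioning only, no ACM."""
    return provisioning(identity)


def recalculate_accounts_and_provision(identity):
    """ACM first, then provisioning: creates the missing accounts and updates the rest."""
    created = acm(identity)
    ops = [(identity.username, s, "CREATE") for s in sorted(created)]
    ops += [(u, s, op) for (u, s, op) in provisioning(identity) if s not in created]
    return ops


def scenario():
    # Constructed scenario from the use case: a role without systems is assigned,
    # then the AD system is added to the role afterwards.
    ad_role = Role("ad-users")
    alice = Identity("alice", roles=[ad_role])
    acm(alice)                   # ACM ran at role assignment: nothing to create yet
    ad_role.systems.add("AD")    # system added to the already assigned role
    after_resave = resave(alice)                         # no account, so no CREATE
    after_recalc = recalculate_accounts_and_provision(alice)
    return after_resave, after_recalc
```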
Vít Švanda wrote:
Before starting step 4, do you have all AccAccounts correctly created in the IdM (I think yes)? Then yes, provisioning will be called when using the resave operation.
If you (after the first step) for example add a new system (to an already assigned role), then you will not have AccAccounts created for this new system, because ACM is not called automatically after a role change. Then you have to invoke ACM manually, but for this you cannot use the resave operation, because that does not call the ACM.
Not sure about the existence of AccAccounts, we will check it out. thx
- Priority changed from Normal to High
- Priority changed from High to Normal
On the AK project it behaves strangely: once the resave did not trigger Create, the second time it did.
- Do you have the account created (AccAccount and IdentityAccount) for both identities?
- Maybe some exception occurred during provisioning ... is the event queue empty (for this identity)?
Vít Švanda wrote:
On the AK project it behaves strangely: once the resave did not trigger Create, the second time it did.
- Do you have the account created (AccAccount and IdentityAccount) for both identities?
I tried to read the audit logs and I believe both existed.
- Maybe some exception occurred during provisioning ... is the event queue empty (for this identity)?
Not at that time, but it's possible that in the past there were some errors.
OK, I guess we need the "Invoke ACM" bulk action, which should create the account in all cases and wouldn't slow down the usual processes. This could be added to the existing "Re-save" identity bulk action, because that's how we expected it to work already (at least some of us).
The bulk action for role is great, I didn't know about that. Still, we need it per-user.
I think that this ticket is solved by the bulk action "Recalculate accounts and provision" which is new in 9.4. So it could be closed.
- Status changed from New to Closed