Project

General

Profile

Actions

Feature #2129

open

Implement IdM-side filtering for synchronization and reconciliation

Added by Petr Fišer almost 5 years ago.

Status:
New
Priority:
Normal
Assignee:
Vít Švanda
Category:
Synchronization
Target version:
-
Start date:
03/20/2020
Due date:
% Done:

0%

Estimated time:
Owner:

Description

In synchronization settings, we can define custom filtering of accounts on the end system - creating custom IcFilter (let's call this "end-system filtering").
We already met situations (on two projects) where we would need a bit more freedom, specifically:
  • Filtering search results using regex.
  • Permanently hiding some accounts on end system from IdM. Those accounts could not be filtered out in other way (e.g. by specifying additional LDAP filter).
  • Filtering during reconciliation.
This is a feature request/proposal for a "IdM-side filtering" hook to a Groovy script / form-based filter. Supposed function (but this is free for discussion, if we find another way, we do not need to implement a hook):
  1. IdM performs listAll() as it does now.
  2. Each record of the listAll operation (=each listed account) is passed to hook as a Map<K,V>, where K is attribute name and V is its value. Processing the Map<K,V> is up to hook (that's why I propose it to be a Groovy script).
    • Hook returns "true" -> IdM will process the account in a synchronization/reconciliation.
    • Hook returns "false" -> IdM will not process the account. It would look like the account was not part of the listAll() result at all.

No data to display

Actions

Also available in: Atom PDF