Task #919

open

Provide a way to determine which contract is the account associated with during provisioning

Added by Vladimír Kotýnek over 6 years ago. Updated almost 6 years ago.

Status: New
Priority: Normal
Assignee: Vít Švanda
Category: Provisioning
Target version: -
Start date: 01/18/2018
Due date:
% Done: 0%
Estimated time:
Owner:

Description

In the transformation script in provisioning attributes mapping we need to be able to determine which of the user's contracts are associated with the account. In case I want to fill attributes according to which contracts the account is assigned to, I'm currently not able to determine this, especially during the CREATE action.

This is a real issue for situations where you have identities with more contracts and you want to create an account in a connected system for each of them filled with the attribute values according to which contract the account is created for. I cannot just use the primary contract for this.

The side effect (and nice-to-have) of this feature might be the ability to create and link more accounts on a system by adding one role to more of the identity's contracts. I'd like to generate the identifier of the account according to the contract to which the role is assigned.

Actions #1

Updated by Vít Švanda over 6 years ago

  • Priority changed from Immediate to Normal
  • Target version deleted (Garnet (7.7.0))
Actions #2

Updated by Vít Švanda over 6 years ago

  • Status changed from New to Needs feedback
  • Assignee changed from Vít Švanda to Vladimír Kotýnek

Every contract can have its own account now. Maybe you can rather use sync/provisioning of contracts instead of sync/provisioning of identities.

Actions #3

Updated by Vladimír Kotýnek over 6 years ago

Provisioning of contracts would also be useful and maybe in some cases helpful. However, not every piece of information I need to provision is actually a property of the contract. Usually you also need to provide some of the Identity's attributes, like given name and family name. And I am afraid that the provisioning of contracts (in its first version) would work the same way as the provisioning of roles or organization trees - every existing entity of this type you re-save in IdM would be provisioned to every system with attributes mapping for the provisioning of contracts configured. That's also a reason I prefer the improvement of an existing feature rather than the implementation of a new one.

Also, in the system I want to create a user account, not a user's contract, so IMHO provisioning of contracts to create a user account would be kind of a hack, not a proper solution. The same data shouldn't have different meanings in different systems. Just saying...

Actions #4

Updated by Vladimír Kotýnek over 6 years ago

  • Assignee changed from Vladimír Kotýnek to Vít Švanda
  • Priority changed from Normal to High
Actions #5

Updated by Vít Švanda over 6 years ago

  • It is easy to get the identity in the contract provisioning ("many to one" relation).
  • In the current version of IdM (7.6) you can use the "Basic account management". It means you can write a condition (Groovy script) on the system mapping. This condition defines whether the account will be created or not. This mechanism works for all provisioning entities (Identity, TreeNode, Role, ...). You can find more about it here: https://wiki.czechidm.com/7.6/dev/account-management#basic_account_management
Actions #6

Updated by Vladimír Kotýnek over 6 years ago

However, if the script doesn't exist, it always creates the account, is it so? In the script, I need to be able to allow creating the account only if the identity has a certain role assigned to a certain contract. If this is not possible, we are still in the same situation but with different entity provisioning and different script execution. At the moment of account create provisioning we need to know what event (~what role assignment to what contract) caused the provisioning.

Actions #7

Updated by Vít Švanda over 6 years ago

  • By default, accounts are created on all systems with correct provisioning mapping.
  • Determining which role is assigned to the contract is very easy, because the roles are assigned on the contract, not directly on the identity.
Actions #8

Updated by Vít Švanda over 6 years ago

  • Status changed from Needs feedback to New
  • Priority changed from High to Normal
Actions #9

Updated by Vladimír Kotýnek over 6 years ago

Vít Švanda wrote:

  • Determining which role is assigned to the contract is very easy, because the roles are assigned on the contract, not directly on the identity.

So the information is already present at the moment of account provisioning. It's only not accessible for the script, is it so?

Actions #10

Updated by Vladimír Kotýnek almost 6 years ago

We did some testing and it seems that this is not an option for our use case since version 8 was released.
