Can someone please explain to me how AdHoc Provisioning works for Account-Group Memberships? I can’t find any documentation on this anywhere … aside from discussions about XDateSubItem on the “hosting” object.
With an ‘ordinary’ object provisioning operation, you create a Job-Chain that responds to the insert/update/delete/handleoutstanding event on the object being effected. Then you call a Sync-Project’s workflow that contains a mapping to handle this component. Simple.
For account-group memberships that work via a multi-valued property on a group, this works differently. You place in the Sync-Project an M:N component on the group. Then you’d expect to need a Job-Chain to respond to assign/remove on the AccountGroup assignment table, which calls the workflow with the a Group mapping containing your M:N component. But there is never such a process flow. Somehow, the object-layer understands that assignments are handled via an M:N component on the Group, and just triggers an Update Group. No assign/remove AccountGroup process ever appears. Only an Update Group. How? Why?
You would not expect this to work, because you’d think no properties on the Group have changed, so the Patch sent to the Sync-Project’s workflow would be empty and nothing would happen. But it all just works. How?
My problem is this… I have a target system that stores most account-group memberships as a multi-valued property on the Group [like most systems]. However, for certain groups, I need to store the assignment in a multi-valued property on the Account. So I think… this is easy. I create two schema-classes for AccountInGroup. I place an M:N on the Group that uses the one schema-class, and I place another M:N on the Account that handles the ‘strange’ AccountInGroup schema class.
When reading from the target system, this works just fine. But when a ‘special’ assignment is inserted in AccountInGroup, the results is one big mess.
You think… ok I’ll create a special provisioning workflow with only my special mapping, and then I… I what? There is no AccountInGroup Job-Chain where I can call the special provisioning workflow. Calling it from the existing Group-update is not going to work … because no group is getting updated.
I’ve been struggling with this for weeks, but clearly my IQ is simply too low to be able to figure this out.
How the heck does Ad Hoc provisioning for Memberships work, and how do I get it to work for certain ‘special’ assignments where the multi-valued attribute on the Account and not on the Group needs to be updated?
The only thing I can think of is Customizers. I’m guessing that most systems that use the ‘normal’ mechanism possibly have a Customizer on the AccountInGroup that transforms the assign/remove into an Update on the “hosting” object. If true, then perhaps I need a Customizer that sends an Update to the Account? [I tried responding to the AccountInGroup assign from a Job-Chan, and sending an Update event to the Account, but this doesn't work either]
To make all of this extra fun, my target-system uses SCIM, so this entire party needs to take place via CSM-UCI. Yes!