• State Suggested Answer
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 98 subscribers
  • Views 685 views
  • Users 0 members are here
Options
Related

Using "Members of M:N schema types" without SCIM-Endpoint in Target System

Daniel Dornhof

Hello OIM-Community, 

I just stumbled upon an issue. 

I'm currently trying to connect a System using the SCIM-Connector. 

The system doesn't provide a Schema, so the standard Schema of

  • Users
  • Groups

are used.

There is no group-Endpoint for this system, but the group-assignments are listed in an Array on one of the user attributes. 

The groups are imported into the OIM-Database using the DataImport-Tool.

When trying to use the "Members of M:N schema types" virtual property type to create the group-memberships, the synchronization tries to call the group-endpoint (i assume for validation) and doesnt create the group-memberships in the OIM database. 


Is there any way around that? 

Kind regards, 
Daniel

  • 0

    Hi Daniel,

    you may try to define a virtual property based on string array type at UCIUser schema type (left hand side).

    Use property type "Members of M:N schema types" an check the boxes "Ignore case" and "Try to mark the object for deletion" only. Add a reference to table "UCIUserInGroup" and let the members resolve to the id field you have imported at UCIGroup table (usually "ObjectGUID", if you have imported) .

    Use this new virtual property to map the group membership property (usually "groups~value").

    Regards,

        Tino

  • 0 in reply to tlindner

    First thank you for the reply. 

    That's what i've been trying so far, but when doing so the sync tries to call the non-existent groups endpoint to check for the given ID. This causes an error. 

    So far ... 
    I've managed to import the the relations by circumventing the "Members of M:N schema types" by writing the group ids as a long string with a delimiter and then having a process on top of it which runs a script that handles the objects. But i run into the same issue when trying to provision.


    But i feel like the should be an easier solution to the issue

  • 0 in reply to Daniel Dornhof

    Hi Daniel,

    so you have a working solution for synchronizing. You are allowed to use a second property for provisionig (set the arrows for direction of use in mapping). In case of the SCIM endpoint is accepting a string array in PATCH / PUT operation this could be a simple multi valued property having the id's of new groups / all groups.

    Regards,

       Tino

  • 0

    As this were a problem in our system, here is the solution to fix it:

    1.) Disable "Enable relative complement handling" on the virtual attribute "Members of M:N schema types" (OI-side).

    With that flag a reference resolution is done and the connector tries to load the object.
    Without it, no resolution is done and no object is searched for. Just the plain value is written.

    2.) Create a new mapping rule (must be the type of a value comparison rule & not multi-reference anymore)