Hi Mikael,
the fact that dynamic group assignment does not trigger propagation
sounds like a bug: I have created
https://issues.apache.org/jira/browse/SYNCOPE-1099
Thanks for reporting.
Regards.
On 23/05/2017 10:12, Mikael Ekblom wrote:
Hi,
I’ll ask a small question here, before I start to implement my own
action.
We have most of the basic functionality working now (automatic user
name creation and password assignments etc.) and through the template
functionality for the external resources able to assign users to basic
groups within Syncope and propagate these group memberships to AD too
while pulling users from the external HR resource etc.
My question though regards dynamic assignments of users to groups
based on an attribute for example. This works fine internally and the
users are assigned to a group dynamically based on an existing cost
center attribute value in the HR system, but those minor changes are
not propagated towards AD as a change within the memberships for that
group object. By this I mean that the group in AD is still empty,
while the console shows that the membership is there within Syncope as
a dynamic group membership.
As for a resource, you have the propagation actions for provisioning
users like the ldapmembership, ldappassword etc. and these seem to
work pretty much out of the box when you assign “regular” group
memberships during a pull. A change in the user will trigger a
propagation action towards the external AD resource.
But the dynamic assignment of groups does not seem to propagate as I
thought that it maybe could. So, I guess that assigning dynamic
memberships according to some cost center value during an initial
pull, will not trigger a group membership propagation action
automatically towards AD for that group object? Is Syncope even
designed for that?
I guess we need to assign groups through a pull action for the cost
center part during update, because the group membership will change
through time though during updates? Not a big job either, but I
decided to ask just in case. It would be cleaner to have it done as a
standard configuration change from the console or maybe added as a
feature.
Regards,
Mikael
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/