You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@syncope.apache.org by Mikael Ekblom <mi...@arcada.fi> on 2017/06/14 14:05:30 UTC
Pull users from two primary sources with different UID:s
Hi,
We have a small challenge here that includes two primary pull sources, where the UID for these sources are not the same or cannot be set to the same value. The only common UID(National Identification Number) that could be used as a kind of primary key for users pulled from both sources (that would make this an easy case) can change to my surprise when it comes to foreign exchange students.This is when they get Finnish versions of the NIN. It will not be possible to set any previousUID column to both sources either (for payroll particularly) and I would like to avoid having to build any separate repository only due to this case.
So, what I do during provision and within beforeProvision to be precise, is that I check if I get any existing match for the pulled user based on the NIN. If I do, I like to create a new syndelta with the information from the existing user together with the fields that should be added. If no match is found, then the provisioning should continue as before.
What I do is to create a new syncdelta with the UID changed to the existing UID for the account matching, set the connector object with the required fields, create an AnyTO object and an anyPatch object and send this to beforeupdate together with the new delta.
Everything is fine so far.
Within beforeUpdate, I can see that I get all the required fields for that connector object. AbstractAnyDataBinder though claims that I have a required attribute missing: eduPersonUniqueId, that I can see that is present within both objects (AnyTO and AnyPatch ) sent to the beforeUpdate and it is also available as a field within the connector object for the sync delta.
What am I missing? Should I recreate the syncdelta object again within beforeUpdate together with the AnyTO and AnyPatch objects too, to be sure? What is required for beforeUpdate to function properly? Is it even possible to revert to beforeUpdate from say beforeProvision if a possible match is found? It should I think. It is a bit troublesome to check for yourself, when the API-documentation is not that detailed...:)
Regards,
Mikael
Mikael Ekblom
Systemutvecklare/System developer
Arcada, IT
Jan-Magnus Janssons plats 1,
FIN-00560 Helsingfors,
Finland
TFn: +358 207 699 467
Mobil: +358 207 699 467
RE: Pull users from two primary sources with different UID:s
Posted by Mikael Ekblom <mi...@arcada.fi>.
Hi,
Well, I totally forgot about that one…that truly simplified this case and I did not have to re-invent the wheel again! I thank thee for that!...:)
Even though the attributes left to correlate with are a bit ambiguous and we do have data quality problems here…
Regards,
Mikael
From: Francesco Chicchiriccò [mailto:ilgrosso@apache.org]
Sent: torstai 15. kesäkuuta 2017 18.03
To: user@syncope.apache.org
Subject: Re: Pull users from two primary sources with different UID:s
Hi Mikael,
if I understand your environment, the problem can be seen as the general situation where there are two distinct external resources, each with a different unique id, matching two distinct attributes in Syncope.
In such situations, at least one of the resources bears one or more attributes that can be used to match users on Syncope, even if the key is not (yet) available (say Firstname + Surname, even though I know I am over-simplifying).
The tool to leverage here are the Pull Policies [1], in particular the Pull Correlation Rules [2].
HTH
Regards.
[1] https://syncope.apache.org/docs/reference-guide.html#policies-pull
[2] https://syncope.apache.org/docs/reference-guide.html#pull-correlation-rules
On 14/06/2017 16:05, Mikael Ekblom wrote:
Hi,
We have a small challenge here that includes two primary pull sources, where the UID for these sources are not the same or cannot be set to the same value. The only common UID(National Identification Number) that could be used as a kind of primary key for users pulled from both sources (that would make this an easy case) can change to my surprise when it comes to foreign exchange students.This is when they get Finnish versions of the NIN. It will not be possible to set any previousUID column to both sources either (for payroll particularly) and I would like to avoid having to build any separate repository only due to this case.
So, what I do during provision and within beforeProvision to be precise, is that I check if I get any existing match for the pulled user based on the NIN. If I do, I like to create a new syndelta with the information from the existing user together with the fields that should be added. If no match is found, then the provisioning should continue as before.
What I do is to create a new syncdelta with the UID changed to the existing UID for the account matching, set the connector object with the required fields, create an AnyTO object and an anyPatch object and send this to beforeupdate together with the new delta.
Everything is fine so far.
Within beforeUpdate, I can see that I get all the required fields for that connector object. AbstractAnyDataBinder though claims that I have a required attribute missing: eduPersonUniqueId, that I can see that is present within both objects (AnyTO and AnyPatch ) sent to the beforeUpdate and it is also available as a field within the connector object for the sync delta.
What am I missing? Should I recreate the syncdelta object again within beforeUpdate together with the AnyTO and AnyPatch objects too, to be sure? What is required for beforeUpdate to function properly? Is it even possible to revert to beforeUpdate from say beforeProvision if a possible match is found? It should I think. It is a bit troublesome to check for yourself, when the API-documentation is not that detailed…☺
Regards,
Mikael
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Pull users from two primary sources with different UID:s
Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Mikael,
if I understand your environment, the problem can be seen as the general
situation where there are two distinct external resources, each with a
different unique id, matching two distinct attributes in Syncope.
In such situations, at least one of the resources bears one or more
attributes that can be used to match users on Syncope, even if the key
is not (yet) available (say Firstname + Surname, even though I know I am
over-simplifying).
The tool to leverage here are the Pull Policies [1], in particular the
Pull Correlation Rules [2].
HTH
Regards.
[1] https://syncope.apache.org/docs/reference-guide.html#policies-pull
[2]
https://syncope.apache.org/docs/reference-guide.html#pull-correlation-rules
On 14/06/2017 16:05, Mikael Ekblom wrote:
>
> Hi,
>
> We have a small challenge here that includes two primary pull sources,
> where the UID for these sources are not the same or cannot be set to
> the same value. The only common UID(National Identification Number)
> that could be used as a kind of primary key for users pulled from both
> sources (that would make this an easy case) can change to my surprise
> when it comes to foreign exchange students.This is when they get
> Finnish versions of the NIN. It will not be possible to set any
> previousUID column to both sources either (for payroll particularly)
> and I would like to avoid having to build any separate repository only
> due to this case.
>
> So, what I do during provision and within beforeProvision to be
> precise, is that I check if I get any existing match for the pulled
> user based on the NIN. If I do, I like to create a new syndelta with
> the information from the existing user together with the fields that
> should be added. If no match is found, then the provisioning should
> continue as before.
>
> What I do is to create a new syncdelta with the UID changed to the
> existing UID for the account matching, set the connector object with
> the required fields, create an AnyTO object and an anyPatch object and
> send this to beforeupdate together with the new delta.
>
> Everything is fine so far.
>
> Within beforeUpdate, I can see that I get all the required fields for
> that connector object. AbstractAnyDataBinder though claims that I have
> a required attribute missing: eduPersonUniqueId, that I can see that
> is present within both objects (AnyTO and AnyPatch ) sent to the
> beforeUpdate and it is also available as a field within the connector
> object for the sync delta.
>
> What am I missing? Should I recreate the syncdelta object again within
> beforeUpdate together with the AnyTO and AnyPatch objects too, to be
> sure? What is required for beforeUpdate to function properly? Is it
> even possible to revert to beforeUpdate from say beforeProvision if a
> possible match is found? It should I think. It is a bit troublesome to
> check for yourself, when the API-documentation is not that detailed…J
>
> Regards,
>
> Mikael
>
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/