Pull users from two primary sources with different UID:s

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Pull users from two primary sources with different UID:s

Mikael Ekblom

Hi,

 

We have a small challenge here that includes two primary pull sources, where the UID for these sources are not the same or cannot be set to the same value. The only common UID(National Identification Number) that could be used as a kind of primary key for users pulled from both sources (that would make this an easy case) can change to my surprise when it comes to foreign exchange students.This is when they get Finnish versions of the NIN.  It will not be possible to set any previousUID column to both sources either (for payroll particularly) and I would like to avoid having to build any separate repository only due to this case.  

 

So, what I do during provision and within beforeProvision to be precise, is that I check if I get any existing match for the pulled user based on the NIN. If I do, I like to create a new syndelta with the information from the existing user together with the fields that should be added. If no match is found, then the provisioning should continue as before.  

 

What I do is to create a new syncdelta with the UID changed to the existing UID for the account matching, set the connector object with the required fields, create an AnyTO object and an anyPatch object and send this to beforeupdate together with the new delta.

 

Everything is fine so far.  

 

Within beforeUpdate, I can see that I get all the required fields for that connector object. AbstractAnyDataBinder though claims that I have a required attribute missing: eduPersonUniqueId, that I can see that is present within both objects (AnyTO and AnyPatch ) sent to the beforeUpdate and it is also available as a field within the connector object for the sync delta.

 

What am I missing? Should I recreate the syncdelta object again within beforeUpdate together with the AnyTO and AnyPatch objects too, to be sure? What is required for beforeUpdate to function properly? Is it even possible to revert to beforeUpdate from say beforeProvision if a possible match is found? It should I think. It is a bit troublesome to check for yourself, when the API-documentation is not that detailed…J

 

Regards,

 

       Mikael

 

 

 

Mikael Ekblom

Systemutvecklare/System developer

Arcada, IT

 

Jan-Magnus Janssons plats 1,

FIN-00560 Helsingfors,

Finland

 

TFn: +358 207 699 467

Mobil: +358 207 699 467

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Pull users from two primary sources with different UID:s

ilgrosso
Administrator
Hi Mikael,
if I understand your environment, the problem can be seen as the general situation where there are two distinct external resources, each with a different unique id, matching two distinct attributes in Syncope.

In such situations, at least one of the resources  bears one or more attributes that can be used to match users on Syncope, even if the key is not (yet) available (say Firstname + Surname, even though I know I am over-simplifying).

The tool to leverage here are the Pull Policies [1], in particular the Pull Correlation Rules [2].

HTH
Regards.

[1] https://syncope.apache.org/docs/reference-guide.html#policies-pull
[2] https://syncope.apache.org/docs/reference-guide.html#pull-correlation-rules

On 14/06/2017 16:05, Mikael Ekblom wrote:

Hi,

 

We have a small challenge here that includes two primary pull sources, where the UID for these sources are not the same or cannot be set to the same value. The only common UID(National Identification Number) that could be used as a kind of primary key for users pulled from both sources (that would make this an easy case) can change to my surprise when it comes to foreign exchange students.This is when they get Finnish versions of the NIN.  It will not be possible to set any previousUID column to both sources either (for payroll particularly) and I would like to avoid having to build any separate repository only due to this case.  

 

So, what I do during provision and within beforeProvision to be precise, is that I check if I get any existing match for the pulled user based on the NIN. If I do, I like to create a new syndelta with the information from the existing user together with the fields that should be added. If no match is found, then the provisioning should continue as before.  

 

What I do is to create a new syncdelta with the UID changed to the existing UID for the account matching, set the connector object with the required fields, create an AnyTO object and an anyPatch object and send this to beforeupdate together with the new delta.

 

Everything is fine so far.  

 

Within beforeUpdate, I can see that I get all the required fields for that connector object. AbstractAnyDataBinder though claims that I have a required attribute missing: eduPersonUniqueId, that I can see that is present within both objects (AnyTO and AnyPatch ) sent to the beforeUpdate and it is also available as a field within the connector object for the sync delta.

 

What am I missing? Should I recreate the syncdelta object again within beforeUpdate together with the AnyTO and AnyPatch objects too, to be sure? What is required for beforeUpdate to function properly? Is it even possible to revert to beforeUpdate from say beforeProvision if a possible match is found? It should I think. It is a bit troublesome to check for yourself, when the API-documentation is not that detailed…J

 

Regards,

 

       Mikael

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Pull users from two primary sources with different UID:s

Mikael Ekblom

Hi,

 

Well, I totally forgot about that one…that truly simplified this case and I did not have to re-invent the wheel again! I thank thee for that!...:)

 

Even though the attributes left to correlate with are a bit ambiguous and we do have data quality problems here…

 

Regards,

 

     Mikael

 

 

From: Francesco Chicchiriccò [mailto:[hidden email]]
Sent: torstai 15. kesäkuuta 2017 18.03
To: [hidden email]
Subject: Re: Pull users from two primary sources with different UID:s

 

Hi Mikael,
if I understand your environment, the problem can be seen as the general situation where there are two distinct external resources, each with a different unique id, matching two distinct attributes in Syncope.

In such situations, at least one of the resources  bears one or more attributes that can be used to match users on Syncope, even if the key is not (yet) available (say Firstname + Surname, even though I know I am over-simplifying).

The tool to leverage here are the Pull Policies [1], in particular the Pull Correlation Rules [2].

HTH
Regards.

[1] https://syncope.apache.org/docs/reference-guide.html#policies-pull
[2] https://syncope.apache.org/docs/reference-guide.html#pull-correlation-rules

On 14/06/2017 16:05, Mikael Ekblom wrote:

Hi,

 

We have a small challenge here that includes two primary pull sources, where the UID for these sources are not the same or cannot be set to the same value. The only common UID(National Identification Number) that could be used as a kind of primary key for users pulled from both sources (that would make this an easy case) can change to my surprise when it comes to foreign exchange students.This is when they get Finnish versions of the NIN.  It will not be possible to set any previousUID column to both sources either (for payroll particularly) and I would like to avoid having to build any separate repository only due to this case.  

 

So, what I do during provision and within beforeProvision to be precise, is that I check if I get any existing match for the pulled user based on the NIN. If I do, I like to create a new syndelta with the information from the existing user together with the fields that should be added. If no match is found, then the provisioning should continue as before.  

 

What I do is to create a new syncdelta with the UID changed to the existing UID for the account matching, set the connector object with the required fields, create an AnyTO object and an anyPatch object and send this to beforeupdate together with the new delta.

 

Everything is fine so far.  

 

Within beforeUpdate, I can see that I get all the required fields for that connector object. AbstractAnyDataBinder though claims that I have a required attribute missing: eduPersonUniqueId, that I can see that is present within both objects (AnyTO and AnyPatch ) sent to the beforeUpdate and it is also available as a field within the connector object for the sync delta.

 

What am I missing? Should I recreate the syncdelta object again within beforeUpdate together with the AnyTO and AnyPatch objects too, to be sure? What is required for beforeUpdate to function properly? Is it even possible to revert to beforeUpdate from say beforeProvision if a possible match is found? It should I think. It is a bit troublesome to check for yourself, when the API-documentation is not that detailed…J

 

Regards,

 

       Mikael

-- 
Francesco Chicchiriccò
 
Tirasa - Open Source Excellence
http://www.tirasa.net/
 
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Loading...