Automate target resource account creation

At this point of your journey, your midPoint configuration can automatically generate usernames and passwords, and source HRIS accounts are automatically synchronized into midPoint. In the setup we use in this guide, every Person should have an account in Active Directory. However, there is no automation for that yet, so the new users you have added in the previous module do not have an AD account. You are going to address that in this module.

What awaits you in this module

You will configure midPoint so that every user of the Person archetype automatically gets an Active Directory account.

Typically, resource provisioning is based on the roles a user has or the organizations a user belongs to. But since you do not manage any of that in midPoint yet, you have to make use of something else: every HRIS user account is of the Person archetype. You will use the Person archetype to induce AD accounts as a birthright of every user imported from the HRIS.

To give users of the Person archetype this birthright, you will add a new inducement to the Person archetype that will cause creation and ownership of an AD account.

Learn more about inducements, how they work and how they differ from other similar concepts in midPoint: Assignment × inducement × entitlement

1. Add inducement to the Person archetype

  1. In Archetypes > All archetypes, open the Person archetype for editing.

    • You can filter archetypes by Name.

  2. In Inducements > Resource, click New.

  3. Select your target resource.

  4. Click Next: Resource object type.

  5. Keep the selected Default for kind: Account and click Next: Entitlements.

  6. Do not make any changes and click Next: Mappings to continue.

  7. Do not add any mappings.

  8. Click Save settings to save the configuration.

Figure 1. Active Directory account inducement in the Person archetype
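For review or version control, the inducement created by the steps above corresponds roughly to the following fragment of the Person archetype object. This is an added illustration, not an export from the guide's environment: both OIDs are placeholders, and the rest of the archetype's existing content is omitted.

```xml
<!-- Added illustration: Person archetype with the AD account birthright.
     Both oid values are placeholders, not values from the guide. -->
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           oid="PERSON-ARCHETYPE-OID-PLACEHOLDER">
    <name>Person</name>

    <!-- Existing archetype content is left unchanged and omitted here. -->

    <!-- An inducement applies to every object that has this archetype,
         not to the archetype object itself. -->
    <inducement>
        <construction>
            <!-- Step 3: the selected target resource (placeholder OID). -->
            <resourceRef oid="AD-RESOURCE-OID-PLACEHOLDER" type="c:ResourceType"/>
            <!-- Step 5: kind Account with the default object type,
                 so no explicit intent is set. -->
            <kind>account</kind>
            <!-- Steps 6 and 7: no entitlement associations and no
                 inducement-level mappings were added. -->
        </construction>
    </inducement>
</archetype>
```

Because the inducement carries no condition, every user who receives the Person archetype is granted the account, so who can assign that archetype determines who gets an AD account.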

2. Let scheduled HRIS reconciliation ensure provisioning

You have added an inducement to the Person archetype, ensuring that all Person-archetype users have an AD account.

Wait until the next run of the scheduled HRIS reconciliation task finishes and check the results. The new users of the 900X series you have added in the previous module should now have active AD accounts. Verify that in the AD server web UI.

Figure 2. List of AD accounts including the new accounts created in HRIS

You can also check the result by opening one of the new users in Users > Persons and viewing their Projections.

Figure 3. The new user Andreas Baker has both the HRIS and AD projections

Next steps

With the steps above completed, you have automated the provisioning of target resource accounts for all people you manage in midPoint.

The next step is to have all new accounts automatically assigned to the group that contains all users.
