Add new attribute provisioning from HRIS to AD
In this module, you will test how your configuration copes with importing new user attributes from the source and provisioning them to the target.
What awaits you in this module
You will import another user attribute from the HRIS and provision it to the AD resource. You will create two new mappings: one inbound mapping to get the HRIS data to midPoint, and one outbound mapping to populate the AD resource account with the data.
The attribute in question is the job title. The employees have their job titles in the HRIS, but not in the AD resource. Your goal is to propagate the job titles to AD as well.
1. Create new mapping in HRIS
In the HRIS resource in midPoint, create a new inbound mapping:
- Name: e.g., job-to-title
- From resource attribute: job
- Expression: As is
- Target: title
- Lifecycle state: Proposed
The mapping is in the Proposed lifecycle state, meaning the recurring HRIS reconciliation task cannot work with it yet and you can safely simulate.
2. Create new mapping in AD
In the AD resource in midPoint, create a new outbound mapping:
- Name: e.g., mapping-title
- From resource attribute: title
- Expression: As is
- Target: title
- Lifecycle state: Proposed
If you use the Docker image prepared for this guide, the mapping is already there pre-configured. Just change its lifecycle state to Proposed.
3. Simulate import from HRIS
Your configuration is ready; it is time to verify what it does. Go to the HRIS resource and run the simulated development import task.
Lifecycle states reminder: Tasks in the preview mode with the configuration set to development evaluate all active and proposed configuration items but make no permanent changes.
After the task finishes, click Show simulation result.
The result should be that a resource object has been affected for all focal objects with projection to the AD resource. Click More info, open an item in the list, and inspect the changes made to the item. The only change should be the title being provisioned to the AD resource.
Note that certain users on the AD resource already have the title attribute filled in.
Since the outbound mapping is strong by default, the existing value in the AD is overwritten (which is desired as you cannot know whether data in the non-authoritative resource are correct).
Namely, in the example data used for this guide, these accounts already have the job title filled in in AD:
- cn=Brad Carpenter,ou=users,dc=example,dc=com
- cn=Jimmy Taylor,ou=users,dc=example,dc=com
- cn=Peter Hunter,ou=users,dc=example,dc=com
- cn=Diane Davis,ou=users,dc=example,dc=com
- cn=Patrick Anderson,ou=users,dc=example,dc=com
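The lifecycle gating and the strong-mapping overwrite described above, as an added Python model that is not midPoint code or part of the original guide. The function names, the title values and the third DN are assumptions constructed for illustration; the model covers only the Active and Proposed states and a strong "As is" mapping.

```python
# Simplified model of the behaviour described above (assumption); not midPoint code.
ACTIVE, PROPOSED = "active", "proposed"

def mapping_is_evaluated(lifecycle_state, development_config):
    """Active items always run; proposed items run only under the
    development configuration used by the simulated import."""
    if lifecycle_state == ACTIVE:
        return True
    return lifecycle_state == PROPOSED and development_config

def plan_title_changes(focus_titles, ad_titles, lifecycle_state, development_config):
    """Return {dn: (action, old, new)} for a strong "As is" outbound mapping.

    focus_titles: DN -> title on the midPoint user (fed from HRIS "job")
    ad_titles:    DN -> title currently on the AD account (absent if unset)
    """
    if not mapping_is_evaluated(lifecycle_state, development_config):
        return {}
    plan = {}
    for dn, new in focus_titles.items():
        if not new:
            continue  # users without a title are outside this model
        old = ad_titles.get(dn)
        if old is None:
            plan[dn] = ("add", None, new)
        elif old != new:
            plan[dn] = ("overwrite", old, new)  # strong mapping replaces the AD value
    return plan

def overwritten(plan):
    """DNs whose existing AD value would be replaced; record these before go-live."""
    return sorted(dn for dn, (action, _, _) in plan.items() if action == "overwrite")

# Constructed sample data: the first two DNs come from the guide, the title
# values and the third DN are made up for this example.
BRAD = "cn=Brad Carpenter,ou=users,dc=example,dc=com"
JIMMY = "cn=Jimmy Taylor,ou=users,dc=example,dc=com"
NEW = "cn=Sample User,ou=users,dc=example,dc=com"
FOCUS = {BRAD: "HRIS-001 Engineer", JIMMY: "HRIS-002 Analyst", NEW: "HRIS-003 Clerk"}
AD = {BRAD: "Senior Engineer", JIMMY: "HRIS-002 Analyst"}

if __name__ == "__main__":
    for dev in (False, True):
        plan = plan_title_changes(FOCUS, AD, PROPOSED, development_config=dev)
        print("development" if dev else "production", "->", plan)
        print("  overwritten:", overwritten(plan))
```

Keeping the list returned by `overwritten` alongside the simulation result gives you a record of the AD values that existed before the mappings went Active.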
4. Put the configuration to production
Once you have verified the configuration did not break anything and works as expected, you can put it to production.
- Change the lifecycle state of the HRIS inbound mapping to Active.
- Change the lifecycle state of the AD outbound mapping to Active.
- Wait for the recurring HRIS reconciliation task to pick up the changes and provision the job titles to all accounts on LDAP.
Once done, have a look at the Projections screen in user profiles in midPoint and search for the title attribute.
Similarly, open the AD web administration interface and see the account attributes there.
Next steps
To be fair, the job title value does not look very nice because it contains the internal code from HRIS. It is the job for the next module to fix that by amending an existing mapping to make the value more human friendly, and to show that midPoint can cope just fine with changes made "on the fly".