Add new attribute provisioning from HRIS to AD
Test how your midPoint configuration handles revised provisioning requirements and the resulting mapping changes in both the source and target resources.
What awaits you in this module
You will import a new user attribute from the HRIS and provision it to Active Directory. You will create two new mappings: one inbound mapping to get the HRIS data to midPoint, and one outbound mapping to populate AD accounts with the data.
The attribute in question is the job title. The employees have their job titles in the HRIS, but not in Active Directory. Your goal is to propagate the job titles to AD as well and confirm that nothing in your midPoint configuration breaks with this change.
1. Create new HRIS mapping
In the HRIS resource in midPoint, create a new inbound mapping.
Follow this guide: Create inbound mappings
- Name: e.g., job-to-title
- From resource attribute: job
- Expression: As is
- Target: title
- Lifecycle state: Proposed
The mapping is in the Proposed lifecycle state, meaning the recurring HRIS reconciliation task cannot work with it yet and you can safely simulate.
2. Create new AD mapping
In the AD resource in midPoint, create a new outbound mapping.
If you use the Docker image prepared for this guide, the mapping is already there preconfigured. Just change its lifecycle state to Proposed.
Follow this guide: Create outbound mappings
- Name: e.g., mapping-title
- From resource attribute: title
- Expression: As is
- Target: title
- Lifecycle state: Proposed
3. Simulate import from HRIS
Your configuration is ready, so it is time to verify what it does. Go to the HRIS resource and run a simulated development import task. You have it ready for use from the earlier module: link.
Lifecycle states knowledge refresher
Tasks in the preview mode with the configuration set to development evaluate all active and proposed configuration items but make no permanent changes.
After the task finishes, click Show simulation result.
The result should be that a resource object has been affected for all focal objects that have a projection to the AD resource. Click More info, open an item in the list, and inspect the changes. The only change should be the title being provisioned to AD.
Note that certain users on the AD resource already have the title attribute filled in.
Since the outbound mapping is strong, midPoint overwrites the existing value in AD.
That is desired as you cannot know whether the data in the non-authoritative Active Directory server are correct.
4. Put the configuration to production
Once you have verified the configuration did not break anything and works as expected, put it to production.
- Change the lifecycle state of the HRIS inbound mapping to Active.
- Change the lifecycle state of the AD outbound mapping to Active.
- Wait for the recurring HRIS reconciliation task to pick up the changes and provision the job titles to all accounts in AD.
Once done, have a look at the Projections screen in user profiles in midPoint and look for the title attribute.
Similarly, open the AD web administration UI and see the account attributes there.
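To double-check the lifecycle states and mapping strength from steps 1 to 4 outside the GUI, you can audit an exported resource definition. The script below is an added example, not part of the original guide or of midPoint itself. It assumes the export uses the element names of midPoint's common-3 schema (inbound, outbound, lifecycleState, strength); the sample XML and the resource names in it are constructed.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
# Constructed sample export: HRIS mapping still proposed, AD mapping already active.
SAMPLE = """
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <resource><name>HRIS</name><schemaHandling><objectType>
    <attribute><ref>ri:job</ref>
      <inbound><name>job-to-title</name><lifecycleState>proposed</lifecycleState>
        <target><path>title</path></target></inbound></attribute>
  </objectType></schemaHandling></resource>
  <resource><name>AD</name><schemaHandling><objectType>
    <attribute><ref>ri:title</ref>
      <outbound><name>mapping-title</name><strength>strong</strength>
        <source><path>title</path></source></outbound></attribute>
  </objectType></schemaHandling></resource>
</objects>
"""

def list_mappings(xml_text):
    """Return one dict per inbound/outbound attribute mapping in the export."""
    found = []
    for res in ET.fromstring(xml_text).iter(C + "resource"):
        for attr in res.iter(C + "attribute"):
            for direction in ("inbound", "outbound"):
                for m in attr.findall(C + direction):
                    found.append({
                        "resource": res.findtext(C + "name"),
                        "attribute": attr.findtext(C + "ref"),
                        "direction": direction,
                        "name": m.findtext(C + "name"),
                        # Assumption: absent lifecycleState means active,
                        # absent strength means normal (midPoint defaults).
                        "lifecycle": m.findtext(C + "lifecycleState") or "active",
                        "strength": m.findtext(C + "strength") or "normal",
                    })
    return found

def not_active(mappings):
    """Mappings the recurring reconciliation task will still ignore."""
    return [m["name"] for m in mappings if m["lifecycle"] != "active"]

def strong_outbound(mappings):
    """Outbound mappings that overwrite values already present on the target."""
    return [m["name"] for m in mappings
            if m["direction"] == "outbound" and m["strength"] == "strong"]

if __name__ == "__main__":
    print(not_active(list_mappings(SAMPLE)))
```

An empty list from not_active means both mappings have reached production; any name returned by strong_outbound marks an attribute whose existing values on the target will be replaced.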
Next steps
To be fair, the job title value does not look very nice because it contains the internal numeric code from the HRIS. It is the job of the next module to fix that by amending the existing mapping to make the value more human-friendly, and to show that midPoint can cope just fine with changes made "on the fly".