I need a help wit a simple (I think) question about Lotus Adapter for ITIM 5.1.
When I create a Provisioning rule for Lotus Service, setting a group membership A for some roles, the selected users are assigned to A group on Notes.
When I create a second Provisioning rule for Lotus Service, setting a group membership B for the same roles of the previous provisioning, the selected users are assigned to B group and removed from group A on Notes.
How can I do to merge group membership from both provisionings?
I would like to do something like:
Provisioning Policy everyone:
- applies to all users of the company.
- assign to "everyone" email group on Notes for receive public email communications.
Provisioning policy HR
- applies only to Human Resources users.
- assign to "HR" email group on Notes for receive email directed to Human Resources department.
So, a HR user will be assigned to both email groups, receiving all public communications and HR directed email.
Already tried different combinations of Role priority and enforcement options, but always are selected membership of one provisioning or other.
Thanks a lot.
Pinned topic ITIM lotus notes adapter: merging group membership from different Prov
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-02-05T15:25:52Z at 2013-02-05T15:25:52Z by SystemAdmin
Re: ITIM lotus notes adapter: merging group membership from different Prov2013-02-02T12:17:11ZThis is the accepted answer. This is the accepted answer.This sounds very peculiar - definitely not like the default behavior...
What you need to look into are "Join Policies". (I would have included a link here - but the documentation site is down at the moment...)
The default for a multivalued attribute is normally "Union" - what you described here looks like it is set to "Priority".
So - go into the Join policy editor - find the Lotus Role attribute and change it to "Union" and it will work like you expect.
One word of warning - join directives are global - you can only have one per attribute - this is also one of the reason that you should always create new attributes for any custom profile you develop - never reuse attributes from other service profiles...
Re: ITIM lotus notes adapter: merging group membership from different Prov2013-02-05T14:33:10ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK
I double checked Join policies and it was configured as Union.
After deleted related provisionings and roles and created again, it is running ok now.
The only doubt is that attributes on both provs. must be marked as mandatory for this work as I want. Is this the expected behavior?
Re: ITIM lotus notes adapter: merging group membership from different Prov2013-02-05T14:53:33ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK
The rule is that default will ALLOW somebody to REQUEST the value - mandatory will tell the system that the MUST HAVE this value(s) - depending on your enforcement it will be react differently - normally you will have either MARK which will just flag the account as non-compliant or CORRECT which will enforce (automatically) the value(s).
This is described in the formal documentation - but for some of the details you must go back to the 4.5.1 Policy Guide...