[midPoint] - SciptedSQL connector misshandling inherited roles deletion
Ana Pereyra
apereyra at identicum.com
Wed Nov 23 21:58:49 CET 2016
Hi Radovan,
Despite it is now synchronizing correctly the user groups assignments
between the application and MidPoint, we are facing the following issue:
As we said before, an account in the resource may have groups that have
been granted from outside MidPoint. For example, we can have user 1 with
groups 1 and 2 in MidPoint and groups 1, 2, 3 and 4 in the resource (groups
3 and 4 have been assigned directly in the resource).
When we force a reconcile on the user, since MidPoint has no record of
groups 3 and 4, the groups are deleted in the resource too, based on a
REMOVE_ATTRIBUTE_VALUES operation on the Update script.
What we would need, is for those groups that have not been assigned by
MidPoint (in this case, groups 3 and 4) *not to be removed* from the user
in the resource.
Is this MidPoint's default behaviour, to unassign groups that have not been
assigned by MidPoint?
Is there a way to only unassign the groups (on a reconcile after a remove
inducement operation) that have been granted by MidPoint?
Best Regards,
--
*Ana Pereyra*
Identicum S.A.
*Jorge Newbery 3226, ArgentinaTel: +54 (11) **4552.3050*
*apereyra at identicum.com <apereyra at identicum.com>*
www.identicum.com
2016-11-22 14:05 GMT-03:00 Radovan Semancik <radovan.semancik at evolveum.com>:
> On 11/21/2016 08:33 PM, Nicolas Rossi wrote:
>
> Is that the only way to make it work ?
>
>
> No, definitely not. That solution is more like a hack. Not a real
> solution. The point is that midPoint should correctly use the delete
> attribute operation. It is designed to do that and it works for all
> correctly configured resources that we have tried. So the point here is to
> figure out why it does not work for this specific case.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161123/dcfbf36b/attachment.htm>
More information about the midPoint
mailing list