[midPoint] disabling assigned role does not remove group membership

Markus Calmius markus.calmius at proton.ch
Mon Dec 4 08:48:33 CET 2023


Hi,

What is supposed to happen if a role assignment automatically changes from enabled to disabled?

I've been testing role requests with a validity period set and find the behaviour a bit odd.

The setup is like this:
I have a requestable business role that induces three roles. These three roles each add a group membership to a different group in LDAP/FreeIPA, i.e. one business role adds/removes the user to/from three different groups.

When the request is made, I see the new role with the Activation set to enabled and the period/duration it is valid.
If I check "All direct/indirect assignments" I see the indirect roles/group memberships as expected.
When the validity is passed, the role changes to disabled as expected. Checking the "All direct/indirect assignments" I can see that the indirect assignment for this role is gone.
However, the group-membership in LDAP/FreeIPA is still there. Not good.

If I, as admin, manually change the validity period of an enabled role assignment so that it becomes disabled (i.e. change the date or time to a point in the past), then, when I save the user, the group memberships are removed.

But the automatic unassignment does not. Reconciliation does not fix it.
If I unassign the disabled role, the user's group memberships are still there (I assume because the connection to the subroles/inducements is gone).

Since a manual change works but the automatic one does not, is this a bug or a configuration I have not set?

Thanks,
Markus
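The setup described in the post, written out as an added midPoint configuration example (this is not from the post or from the midPoint project): a requestable business role that induces three roles, each of which grants one LDAP/FreeIPA group membership through an account association, plus a user assignment of the business role carrying a validity period. All OIDs, object names, the resource OID, the association name `ri:group` and the group shadow OIDs are hypothetical placeholders for whatever exists in a real deployment.

```xml
<!-- Constructed example, not taken from the mailing-list post or from midPoint
     itself. Every oid, name and the ri:group association name is an assumption. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- Three "group" roles. Each induces an account construction on the LDAP/FreeIPA
       resource whose group association points at one group shadow. -->
  <role oid="10000000-0000-0000-0000-0000000000a1">
    <name>ldap-group-a-member</name>
    <inducement>
      <construction>
        <resourceRef oid="20000000-0000-0000-0000-000000000001" type="ResourceType"/>
        <kind>account</kind>
        <association>
          <ref>ri:group</ref>
          <outbound>
            <expression>
              <value>
                <shadowRef oid="30000000-0000-0000-0000-00000000000a" type="ShadowType"/>
              </value>
            </expression>
          </outbound>
        </association>
      </construction>
    </inducement>
  </role>

  <role oid="10000000-0000-0000-0000-0000000000b1">
    <name>ldap-group-b-member</name>
    <inducement>
      <construction>
        <resourceRef oid="20000000-0000-0000-0000-000000000001" type="ResourceType"/>
        <kind>account</kind>
        <association>
          <ref>ri:group</ref>
          <outbound>
            <expression>
              <value>
                <shadowRef oid="30000000-0000-0000-0000-00000000000b" type="ShadowType"/>
              </value>
            </expression>
          </outbound>
        </association>
      </construction>
    </inducement>
  </role>

  <role oid="10000000-0000-0000-0000-0000000000c1">
    <name>ldap-group-c-member</name>
    <inducement>
      <construction>
        <resourceRef oid="20000000-0000-0000-0000-000000000001" type="ResourceType"/>
        <kind>account</kind>
        <association>
          <ref>ri:group</ref>
          <outbound>
            <expression>
              <value>
                <shadowRef oid="30000000-0000-0000-0000-00000000000c" type="ShadowType"/>
              </value>
            </expression>
          </outbound>
        </association>
      </construction>
    </inducement>
  </role>

  <!-- The requestable business role: it holds no construction of its own and only
       induces the three group roles above. -->
  <role oid="10000000-0000-0000-0000-000000000bbb">
    <name>project-x-member</name>
    <requestable>true</requestable>
    <inducement><targetRef oid="10000000-0000-0000-0000-0000000000a1" type="RoleType"/></inducement>
    <inducement><targetRef oid="10000000-0000-0000-0000-0000000000b1" type="RoleType"/></inducement>
    <inducement><targetRef oid="10000000-0000-0000-0000-0000000000c1" type="RoleType"/></inducement>
  </role>

  <!-- The user's direct assignment of the business role, limited by validFrom/validTo.
       Once validTo has passed, midPoint treats the assignment as disabled; the question
       in the post is what is then supposed to happen to the induced group memberships. -->
  <user oid="40000000-0000-0000-0000-000000000001">
    <name>jdoe</name>
    <assignment>
      <targetRef oid="10000000-0000-0000-0000-000000000bbb" type="RoleType"/>
      <activation>
        <validFrom>2023-12-01T00:00:00.000Z</validFrom>
        <validTo>2023-12-03T23:59:59.000Z</validTo>
      </activation>
    </assignment>
  </user>

</objects>
```

With objects shaped like this, the point to compare when debugging the behaviour in the post is the user's effective (evaluated) assignments as shown under "All direct/indirect assignments" against the actual `memberOf`/group entries for the account in LDAP/FreeIPA after `validTo` has passed; if the first no longer lists the three group roles but the second still lists the three groups, the two views have diverged in the way Markus describes.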