From yrevyakin at gmail.com Wed Jul 5 22:02:36 2023
From: yrevyakin at gmail.com (Yakov Revyakin)
Date: Wed, 5 Jul 2023 23:02:36 +0300
Subject: [midPoint] notification with policyRule / policyActions
In-Reply-To: <0b425b85-bfb5-e1d7-30a3-5b342f0793f8@evolveum.com>
References: <28501a97-9955-a7b9-4f1d-03dceacaf9b5@evolveum.com> <0b425b85-bfb5-e1d7-30a3-5b342f0793f8@evolveum.com>
Message-ID:

Pavol, no problem. I implemented what I needed, but I think the approach is not ideal. I can't change runAsRef dynamically to run the expression under a tenant user, so I filter users programmatically in the script. The code below is a part of the user archetype. The policyRule is triggered by a transition of administrativeStatus from unknown to enabled/disabled.

false true activation/administrativeStatus file mail UserType

On Thu, 29 Jun 2023 at 16:15, Pavol Mederly via midPoint <midpoint at lists.evolveum.com> wrote:

> Yakov,
>
> I am sorry, but - in general - we developers do not answer questions here on the list. I try to give general answers where I can do that quickly, or where it is well-aligned with my daily development work.
>
> So, unfortunately, I cannot help you with your further questions.
>
> I hope someone from the community could do that; ... or, our professional consultancy services would welcome you :)
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 29/06/2023 15:06, Yakov Revyakin via midPoint wrote:
>
> Hi Pavol,
> I agree - looks really tricky. While I'm trying to understand what exactly happens there, could you answer another related question?
>
> I found that there is an action under policyActions/scriptExecution/executeScript which is configurable in a clear way. But I found that I can't execute this correctly under a tenant user. To execute the notify action we need full access like superuser - see the 1st runAsRef. In this case recipientExpression ignores the tenancy limitation during the user search in the script below. So, we need a 2nd runAsRef to run the script as the currently logged-in user, which is a user of the current tenant. In the case of a static oid of this user things work fine - the script returns only users from this tenant. I simply can't write the xml for the dynamic case. Could you help?
>
> oid="d94e7fdc-0935-4b51-9205-6417a598f235" /> .... file
>
> On Thu, 29 Jun 2023 at 14:01, Pavol Mederly via midPoint <midpoint at lists.evolveum.com> wrote:
>
>> Hello Yakov,
>>
>> this one is highly experimental; and the documentation is probably waiting for a sponsor (i.e., a customer needing it).
>>
>> However, as usual, I'd suggest searching through midPoint test sources. Each feature (even experimental ones, at least the majority of them) should have some tests created for it.
>>
>> This one is no exception, although trickier than usual. It seems to me that TestRbac.test870AssignRoleScreaming would provide some hints.
>>
>> Regards,
>>
>> --
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 27/06/2023 07:21, Yakov Revyakin via midPoint wrote:
>>
>> Any ideas?
>>
>> On Thu, 15 Jun 2023 at 09:54, Yakov Revyakin wrote:
>>
>>> Hi all,
>>> It's not clear whether it is currently possible to use [...] as a policy action.
>>>
>>> Is there any sample of how to deal with this?
>>>
>>> Or, maybe, an alternative way? Actually, I'd like to notify if a transition based on objectState is triggered.
>>>
>>> Thanks,
>>> Yakov
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From patrik.sidler at itconcepts.ch Thu Jul 6 11:18:59 2023
From: patrik.sidler at itconcepts.ch (Patrik Sidler)
Date: Thu, 6 Jul 2023 09:18:59 +0000
Subject: [midPoint] Active Directory Role setting Attribute on AD Account, does not Cleanup Attribute when Role is removed
Message-ID:

Hi Community,

I have created a role that sets a predefined attribute value on a user's Active Directory account when the role is assigned.

SetValue Role required to set a Value on an Attribute true true ri:extensionAttribute1 ImportantValue

The assignment works perfectly. As soon as the role is assigned, the value is available on the user's Active Directory account.

But when I remove the role, the value stays on the attribute. It will not be removed when I unassign the role.

I do not know if this is possible or not. But it would be great if anyone has an idea how to clean up the attribute when I unassign the role.

Thank you in advance for your help.

Best regards,
Patrik
From odlevak.lubomir at gmail.com Thu Jul 6 12:02:54 2023
From: odlevak.lubomir at gmail.com (Lubomir Odlevak)
Date: Thu, 6 Jul 2023 12:02:54 +0200
Subject: [midPoint] Active Directory Role setting Attribute on AD Account, does not Cleanup Attribute when Role is removed
In-Reply-To:
References:
Message-ID:

Hi Patrik,

try this:

ImportantValue all

Patrik Sidler via midPoint wrote:

> Hi Community,
>
> I have created a role that sets a predefined attribute value on a user's Active Directory account when the role is assigned.
>
> xmlns:c=http://midpoint.evolveum.com/xml/ns/public/common/common-3
> xmlns:icfs=http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3
> xmlns:org=http://midpoint.evolveum.com/xml/ns/public/common/org-3
> xmlns:q=http://prism.evolveum.com/xml/ns/public/query-3
> xmlns:ri=http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
> xmlns:t=http://prism.evolveum.com/xml/ns/public/types-3>
> SetValue
> Role required to set a Value on an Attribute
> true
> true
> relation="org:default" type="c:ResourceType"/>
> ri:extensionAttribute1
> ImportantValue
>
> The assignment works perfectly. As soon as the role is assigned, the value is available on the user's Active Directory account.
>
> But when I remove the role, the value stays on the attribute. It will not be removed when I unassign the role.
>
> I do not know if this is possible or not. But it would be great if anyone has an idea how to clean up the attribute when I unassign the role.
>
> Thank you in advance for your help.
>
> Best regards,
> Patrik
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
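What Lubomir's reply points at, written out as a complete role. This is an added example, not Lubomir's or Patrik's own object: the resource OID is a placeholder, the `strength` element is my addition, and `target/set/predefined` is my reading of the "ImportantValue all" fragment the archive kept. The point of the change is the mapping range: with range `all` the outbound mapping is authoritative for every value of `ri:extensionAttribute1`, so when the role is unassigned the value it used to produce (`ImportantValue`) is no longer in the computed set and midPoint removes it from the account instead of leaving it behind. A value that outlives its entitlement is a deprovisioning gap; if the attribute drives anything in AD (mail routing, a flag an application reads as an entitlement), the user keeps that access after the role is gone.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>SetValue</name>
    <description>Role required to set a value on an attribute</description>
    <inducement>
        <construction>
            <!-- placeholder: put the OID of your AD resource here -->
            <resourceRef oid="REPLACE-WITH-AD-RESOURCE-OID" relation="org:default" type="c:ResourceType"/>
            <attribute>
                <ref>ri:extensionAttribute1</ref>
                <outbound>
                    <!-- strong: the value is (re)applied even if the attribute was changed directly in AD -->
                    <strength>strong</strength>
                    <expression>
                        <value>ImportantValue</value>
                    </expression>
                    <!-- range "all": this mapping is authoritative for every value of the attribute.
                         On unassignment the value the mapping used to produce drops out of the
                         computed set and midPoint deletes it from the account. Values written into
                         extensionAttribute1 directly in AD are inside the range as well and will be
                         removed on the next recompute or reconciliation of that account. -->
                    <target>
                        <set>
                            <predefined>all</predefined>
                        </set>
                    </target>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

Two things to check before importing this into a production resource. First, the range makes midPoint the single source of truth for the attribute; if AD administrators legitimately hand-set other values in `extensionAttribute1`, those will be wiped, and you would rather keep the range narrow (a `condition` on the value set instead of `predefined`) or move the hand-set data to a different attribute. Second, accounts that already carry a stale value are only fixed when their user is recomputed or the resource is reconciled; unassigning the role going forward does not retroactively clean accounts that were touched before the change.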
URL: From patrik.sidler at itconcepts.ch Thu Jul 6 13:38:05 2023 From: patrik.sidler at itconcepts.ch (Patrik Sidler) Date: Thu, 6 Jul 2023 11:38:05 +0000 Subject: [midPoint] Active Directory Role setting Attribute on AD Account, does not Cleanup Attribute whe Role is removed In-Reply-To: References: Message-ID: Hi Lubo, Thank you very much for your help, it solved my problem. Best Regards, Patrik Von: Lubomir Odlevak Gesendet: Donnerstag, 6. Juli 2023 12:03 An: midPoint General Discussion Cc: Patrik Sidler Betreff: Re: [midPoint] Active Directory Role setting Attribute on AD Account, does not Cleanup Attribute whe Role is removed Hi Patrik, try this: ImportantValue all > napísal(a): Hi Commuinity, I have created a Role, that sets a predefined Attribute Value on an users Active Directory Account when the role I assigned. SetValue Role required to set a Value on an Attribute true true ri:extensionAttribute1 ImportantValue The Assignment works perfect. As soon as the Role is assigned, the Value is available on the Users Active Directory Account. But when I remove the Role, the value stays on the Attribute. It will not be removed when I unassign the Role? I do not know if this is possible or not. But It would be great if anyone is having an Idea how to clean up the Attribute when I unassign the Role. Thank you in advance for your help. Best Regards, Patrik _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com https://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From hazelton at internet2.edu Wed Jul 12 22:01:18 2023 From: hazelton at internet2.edu (Keith Hazelton) Date: Wed, 12 Jul 2023 20:01:18 +0000 Subject: [midPoint] Apply a bulk action to a specific object type and subtype Message-ID: Is it possible to use a filter to perform a bulk action on a specific object type and subtype? 
I know pt can be done, for example, for user subtypes, but we want to remove assignments for a specific subtype of group. Thanks in advance, --Keith Hazelton _________________________ hazelton at internet2.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: From martin.spanik at evolveum.com Thu Jul 13 10:17:30 2023 From: martin.spanik at evolveum.com (Martin Spanik) Date: Thu, 13 Jul 2023 10:17:30 +0200 Subject: [midPoint] Apply a bulk action to a specific object type and subtype In-Reply-To: References: Message-ID: <002301d9b562$784b17f0$68e147d0$@evolveum.com> Hello Keith Yes it is possible. I prepared example of such task – you can use and tune it. It’s tested on 4.7 and 4.4. I don’t know which version you are using. Let’s assume that your groups are represented by roles in midPoint and you have set of roles having attribute subtype with value ‘groupRole’. The role has ‘Internal’ service assigned. You want to modify these roles. Example of the role is attached too. Let’s get to the task: You filter the objects in element of task/activity/work/iteractiveScripting. RoleType subtype = 'groupRole' Then you just run action on this set of objects. This action applies defined modification delta on the objects you selected in the filter. The example task removes the assigned service. Commented part modifies just description attribute - just as an example. I hope it will help you. Best regards, Martin Spanik Senior Identity Engineer +421 905 334 507 martin.spanik at evolveum.com https://evolveum.com From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Keith Hazelton via midPoint Sent: streda 12. júla 2023 22:01 To: midpoint at lists.evolveum.com Cc: Keith Hazelton Subject: [midPoint] Apply a bulk action to a specific object type and subtype Is it possible to use a filter to perform a bulk action on a specific object type and subtype? 
I know pt can be done, for example, for user subtypes, but we want to remove assignments for a specific subtype of group. Thanks in advance, --Keith Hazelton _________________________ hazelton at internet2.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: RoleA.xml Type: text/xml Size: 1466 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: modifyGroupRoles.xml Type: text/xml Size: 2321 bytes Desc: not available URL: From pcaskey at internet2.edu Fri Jul 14 00:31:41 2023 From: pcaskey at internet2.edu (Paul Caskey) Date: Thu, 13 Jul 2023 22:31:41 +0000 Subject: [midPoint] Apply a bulk action to a specific object type and subtype In-Reply-To: <002301d9b562$784b17f0$68e147d0$@evolveum.com> References: <002301d9b562$784b17f0$68e147d0$@evolveum.com> Message-ID: Thanks, Martin! In our case, it's the assignment itself that has the subtype, not the role (or org). Like this (taken from a user object): groupRole enabled It seems like a bulk action should be able to do it. But I can't figure it out yet. :) Thanks again! -Paul From: midPoint On Behalf Of Martin Spanik via midPoint Sent: Thursday, July 13, 2023 3:18 AM To: 'midPoint General Discussion' Cc: Martin Spanik Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype Hello Keith Yes it is possible. I prepared example of such task - you can use and tune it. It's tested on 4.7 and 4.4. I don't know which version you are using. Let's assume that your groups are represented by roles in midPoint and you have set of roles having attribute subtype with value 'groupRole'. The role has 'Internal' service assigned. You want to modify these roles. Example of the role is attached too. Let's get to the task: You filter the objects in element of task/activity/work/iteractiveScripting. 
RoleType subtype = 'groupRole' Then you just run action on this set of objects. This action applies defined modification delta on the objects you selected in the filter. The example task removes the assigned service. Commented part modifies just description attribute - just as an example. I hope it will help you. Best regards, Martin Spanik Senior Identity Engineer +421 905 334 507 martin.spanik at evolveum.com https://evolveum.com From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Keith Hazelton via midPoint Sent: streda 12. júla 2023 22:01 To: midpoint at lists.evolveum.com Cc: Keith Hazelton > Subject: [midPoint] Apply a bulk action to a specific object type and subtype Is it possible to use a filter to perform a bulk action on a specific object type and subtype? I know pt can be done, for example, for user subtypes, but we want to remove assignments for a specific subtype of group. Thanks in advance, --Keith Hazelton _________________________ hazelton at internet2.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: From Eetu.Salpaharju at tietokeskus.fi Fri Jul 14 12:52:56 2023 From: Eetu.Salpaharju at tietokeskus.fi (Eetu Salpaharju) Date: Fri, 14 Jul 2023 10:52:56 +0000 Subject: [midPoint] SAML authentication return URL Message-ID: Hello, I'm deploying SAML2 authentication against Microsoft Azure AD. My network configuration is using nginx server as reverse proxy like this. Both Midpoint and nginx are running on the same server. user ---https://midpoint.example.com---> nginx ---http://localhost:8080---> Midpoint Now Midpoint sends following return URL to Azure: http://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . The problem is that return url is using http instead of https. The return url should be https://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . Where could I define base url or similar attribute so return URL would be with https protocol? 
For reference, my authenticator configuration is below. ... ... azure_auth Authentication against AzureAD tenant. UserType **ApplicationID from Azure** aad **ApplicationID from Azure** /var/midpoint/auth/azure_metadata.xml Microsoft Azure urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST emailAddress .... Thank you in advance for helping with this one. - Eetu From fabian.noll-dukiewicz at veryfy.gmbh Fri Jul 14 13:07:25 2023 From: fabian.noll-dukiewicz at veryfy.gmbh (Fabian Noll-Dukiewicz) Date: Fri, 14 Jul 2023 11:07:25 +0000 Subject: [midPoint] SAML authentication return URL In-Reply-To: References: Message-ID: Hi Eetu, I think it could be a miss configuration of your nginx. Please check this: https://community.sonarsource.com/t/saml-error-with-nginx-reverse-proxy/46324 (It is not midPoint, but covered the same problem). On midpoint site you can check, if you have set the “Default hostname” in system configuration • Infrastructure to you Reverse Proxy address (https://midpoint.example.com). Good Luck! Kind regards, Fabian -- Fabian Noll-Dukiewicz Spezialist Identity & Access Management | Geschäftsführer Tel.: +49 152 244 63 211 Email: fabian.noll-dukiewicz at veryfy.gmbh Web: https://veryfy.gmbh Von: midPoint im Auftrag von Eetu Salpaharju via midPoint Datum: Freitag, 14. Juli 2023 um 12:53 An: midpoint at lists.evolveum.com Cc: Eetu Salpaharju Betreff: [midPoint] SAML authentication return URL Hello, I'm deploying SAML2 authentication against Microsoft Azure AD. My network configuration is using nginx server as reverse proxy like this. Both Midpoint and nginx are running on the same server. user ---https://midpoint.example.com---> nginx ---http://localhost:8080---> Midpoint Now Midpoint sends following return URL to Azure: http://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . The problem is that return url is using http instead of https. The return url should be https://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . 
Where could I define base url or similar attribute so return URL would be with https protocol? For reference, my authenticator configuration is below. ... ... azure_auth Authentication against AzureAD tenant. UserType **ApplicationID from Azure** aad **ApplicationID from Azure** /var/midpoint/auth/azure_metadata.xml Microsoft Azure urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST emailAddress .... Thank you in advance for helping with this one. - Eetu _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com https://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From Eetu.Salpaharju at tietokeskus.fi Fri Jul 14 15:36:16 2023 From: Eetu.Salpaharju at tietokeskus.fi (Eetu Salpaharju) Date: Fri, 14 Jul 2023 13:36:16 +0000 Subject: [midPoint] SAML authentication return URL In-Reply-To: References: Message-ID: Thank you for the reply! I already had Default hostname setting in place. That doesn't seem to have any effect on return url. Host and protocol seems to come from Tomcat as you say. No luck this far though to get it work. This far I've tried following settings. My nginx configuration, as far as I see it should have all needed set_header -parameters: server { listen 443 ssl; server_name midpoint.example.com; ssl_certificate /etc/ssl/certs/midpoint.crt; ssl_certificate_key /etc/pki/private/midpoint.key; location / { proxy_pass http://localhost:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-Port 443; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } I've tried to use $scheme variable instead of https in X-Forwarded-Proto, but no difference. Then I read about tomcat settings from here. 
https://docs.evolveum.com/midpoint/devel/guides/environment/embedded-tomcat/ And in case Tomcat didn't read headers, I created application.yml file having these settings: server: tomcat: accesslog: directory: accesslogs enabled: true pattern: common prefix: access_log suffix: .log port-header: X-Forwarded-Port remote-ip-header: X-Forwarded-For protocol-header: X-Forwarded-Proto protocol-header-https-value: https redirect-context-root: true This configuration file is in use. I can tell because now there is accesslog -directory in Midpoint home. But still no difference. Tomcat / Midpoint reads hostname from headers as it should but protocol is still always http in return url. - Eetu ________________________________________ From: Fabian Noll-Dukiewicz Sent: 14 July 2023 14:07 To: midPoint General Discussion Cc: Eetu Salpaharju Subject: AW: SAML authentication return URL Hi Eetu, I think it could be a miss configuration of your nginx. Please check this: https://community.sonarsource.com/t/saml-error-with-nginx-reverse-proxy/46324 (It is not midPoint, but covered the same problem). On midpoint site you can check, if you have set the “Default hostname” in system configuration • Infrastructure to you Reverse Proxy address (https://midpoint.example.com). Good Luck! Kind regards, Fabian -- Fabian Noll-Dukiewicz Spezialist Identity & Access Management | Geschäftsführer Tel.: +49 152 244 63 211 Email: fabian.noll-dukiewicz at veryfy.gmbh Web: https://veryfy.gmbh Von: midPoint im Auftrag von Eetu Salpaharju via midPoint Datum: Freitag, 14. Juli 2023 um 12:53 An: midpoint at lists.evolveum.com Cc: Eetu Salpaharju Betreff: [midPoint] SAML authentication return URL Hello, I'm deploying SAML2 authentication against Microsoft Azure AD. My network configuration is using nginx server as reverse proxy like this. Both Midpoint and nginx are running on the same server. 
user ---https://midpoint.example.com---> nginx ---http://localhost:8080---> Midpoint Now Midpoint sends following return URL to Azure: http://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . The problem is that return url is using http instead of https. The return url should be https://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . Where could I define base url or similar attribute so return URL would be with https protocol? For reference, my authenticator configuration is below. ... ... azure_auth Authentication against AzureAD tenant. UserType **ApplicationID from Azure** aad **ApplicationID from Azure** /var/midpoint/auth/azure_metadata.xml Microsoft Azure urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST emailAddress .... Thank you in advance for helping with this one. - Eetu _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com https://lists.evolveum.com/mailman/listinfo/midpoint From pcaskey at internet2.edu Mon Jul 17 02:01:41 2023 From: pcaskey at internet2.edu (Paul Caskey) Date: Mon, 17 Jul 2023 00:01:41 +0000 Subject: [midPoint] Apply a bulk action to a specific object type and subtype In-Reply-To: References: <002301d9b562$784b17f0$68e147d0$@evolveum.com> Message-ID: Hi- I'm working with Keith (the OP) and our use case for this is trying to remove old assignments. These are assignments on user objects to orgs that have already been deleted. The code below selects exactly the assignments I need to remove, but I can't figure out how to remove or unassign the assignments. Does anyone know how to remove/unassign an assignment inside a bulk action of type 'execute-script'? 
Here's what selects the assignments I need to delete: c:UserType assignment/subtype test-assignment execute-script script import com.evolveum.midpoint.xml.ns._public.common.common_3.*; import com.evolveum.midpoint.model.api.*; import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType; import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType; import com.evolveum.midpoint.model.api.ModelExecuteOptions; for (a in input.assignment) { if (a.subtype[0] == "test-assignment") { OrgType org = midpoint.resolveReferenceIfExists(a.targetRef); log.info ("Found test-assignment to Org: {}", org.oid) //need to delete/unassign this assignment (a) } } Thanks in advance for any help and insight! -Paul From: midPoint On Behalf Of Paul Caskey via midPoint Sent: Thursday, July 13, 2023 5:32 PM To: martin.spanik at evolveum.com; midPoint General Discussion Cc: Paul Caskey Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype Thanks, Martin! In our case, it's the assignment itself that has the subtype, not the role (or org). Like this (taken from a user object): groupRole enabled It seems like a bulk action should be able to do it. But I can't figure it out yet. :) Thanks again! -Paul From: midPoint > On Behalf Of Martin Spanik via midPoint Sent: Thursday, July 13, 2023 3:18 AM To: 'midPoint General Discussion' > Cc: Martin Spanik > Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype Hello Keith Yes it is possible. I prepared example of such task - you can use and tune it. It's tested on 4.7 and 4.4. I don't know which version you are using. Let's assume that your groups are represented by roles in midPoint and you have set of roles having attribute subtype with value 'groupRole'. The role has 'Internal' service assigned. You want to modify these roles. Example of the role is attached too. Let's get to the task: You filter the objects in element of task/activity/work/iteractiveScripting. 
RoleType subtype = 'groupRole' Then you just run action on this set of objects. This action applies defined modification delta on the objects you selected in the filter. The example task removes the assigned service. Commented part modifies just description attribute - just as an example. I hope it will help you. Best regards, Martin Spanik Senior Identity Engineer +421 905 334 507 martin.spanik at evolveum.com https://evolveum.com From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Keith Hazelton via midPoint Sent: streda 12. júla 2023 22:01 To: midpoint at lists.evolveum.com Cc: Keith Hazelton > Subject: [midPoint] Apply a bulk action to a specific object type and subtype Is it possible to use a filter to perform a bulk action on a specific object type and subtype? I know pt can be done, for example, for user subtypes, but we want to remove assignments for a specific subtype of group. Thanks in advance, --Keith Hazelton _________________________ hazelton at internet2.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: From 3584726646 at qq.com Mon Jul 17 02:01:58 2023 From: 3584726646 at qq.com (=?utf-8?B?MzU4NDcyNjY0Ng==?=) Date: Mon, 17 Jul 2023 08:01:58 +0800 Subject: [midPoint] =?utf-8?b?6Ieq5Yqo5Zue5aSNOiBSZTogIEFwcGx5IGEgYnVs?= =?utf-8?q?k_action_to_a_specific_object_type_andsubtype?= In-Reply-To: Message-ID: An HTML attachment was scrubbed... URL: From kamil.jires at evolveum.com Wed Jul 19 13:49:30 2023 From: kamil.jires at evolveum.com (Kamil Jires) Date: Wed, 19 Jul 2023 13:49:30 +0200 (CEST) Subject: [midPoint] Apply a bulk action to a specific object type and subtype In-Reply-To: References: <002301d9b562$784b17f0$68e147d0$@evolveum.com> Message-ID: <1528014827.70591.1689767370360.JavaMail.zimbra@evolveum.com> Hi Paul, let me share the task definition doing the stuff. 
Few notes: - As you are loging just oid, the request for the object from the repository would be wasting of the performance (I have left it there as comment). - if you need to limit to Org only, you can make the condition ( a == "test-assignment" ) more complex involving other tests e.g. related to the assignment.targetRef.type . I hope it will help you with your issue... BR, Kamil ----- remove assignment by subtype runnable BulkActions loose single UserType assignment/subtype test-assignment execute-script script import com.evolveum.midpoint.prism.delta.ObjectDelta import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry import com.evolveum.midpoint.prism.path.ItemPath import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType UserType user = input as UserType List<AssignmentType> assignmentsToRemove = new ArrayList() for (AssignmentType assignment : user.getAssignment()) { if (assignment.subtype != null && assignment.subtype.size() != 0) { for (String a : assignment.subtype) { if (a == "test-assignment") { // ################### // OrgType org = midpoint.resolveReferenceIfExists(assignment.targetRef) // log.info("Found test-assignment to Org: {}",org.oid) // # Why to resolve the Org object in case you are logging just oid ? 
// ################### log.info("Found test-assignment to {}: {}", assignment.targetRef.type.localPart, assignment.targetRef.oid ) if (!assignmentsToRemove.contains(assignment)) { assignmentsToRemove.add(assignment) break } } } } } S_ItemEntry removeAssignments = midpoint.prismContext.deltaFor(UserType.class) for (AssignmentType assignmentToRemove : assignmentsToRemove) { removeAssignments = removeAssignments.item(ItemPath.create(UserType.F_ASSIGNMENT)).delete(assignmentToRemove.clone()) } ObjectDelta removeAssignmentsDelta = removeAssignments.asObjectDelta(user.oid) if (removeAssignmentsDelta) { log.info("Removing the selected assignments...") midpoint.executeChanges(Arrays.asList(removeAssignmentsDelta)) } From: "Paul Caskey via midPoint" To: "midPoint General Discussion" , "martin spanik" Cc: "Paul Caskey" Sent: Monday, July 17, 2023 2:01:41 AM Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype Hi- I’m working with Keith (the OP) and our use case for this is trying to remove old assignments. These are assignments on user objects to orgs that have already been deleted. The code below selects exactly the assignments I need to remove, but I can’t figure out how to remove or unassign the assignments. Does anyone know how to remove/unassign an assignment inside a bulk action of type ‘execute-script’? 
Here's what selects the assignments I need to delete:

    c:UserType
    assignment/subtype
    test-assignment
    execute-script
    script

    import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
    import com.evolveum.midpoint.model.api.*;
    import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
    import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
    import com.evolveum.midpoint.model.api.ModelExecuteOptions;

    // input is the focus object (the user) the bulk action is currently iterating over
    for (a in input.assignment) {
        if (a.subtype[0] == "test-assignment") {
            OrgType org = midpoint.resolveReferenceIfExists(a.targetRef);
            log.info("Found test-assignment to Org: {}", org.oid)
            // need to delete/unassign this assignment (a)
        }
    }

Thanks in advance for any help and insight!

-Paul

From: midPoint On Behalf Of Paul Caskey via midPoint
Sent: Thursday, July 13, 2023 5:32 PM
To: martin.spanik at evolveum.com; midPoint General Discussion
Cc: Paul Caskey
Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype

Thanks, Martin!

In our case, it's the assignment itself that has the subtype, not the role (or org). Like this (taken from a user object):

    groupRole
    enabled

It seems like a bulk action should be able to do it. But I can't figure it out yet. :)

Thanks again!

-Paul

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Martin Spanik via midPoint
Sent: Thursday, July 13, 2023 3:18 AM
To: 'midPoint General Discussion' <midpoint at lists.evolveum.com>
Cc: Martin Spanik <martin.spanik at evolveum.com>
Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype

Hello Keith,

Yes, it is possible. I prepared an example of such a task; you can use and tune it. It's tested on 4.7 and 4.4. I don't know which version you are using.

Let's assume that your groups are represented by roles in midPoint and you have a set of roles having the attribute subtype with value 'groupRole'. The role has the 'Internal' service assigned. You want to modify these roles. An example of the role is attached too.

Let's get to the task:

You filter the objects in the element task/activity/work/iterativeScripting:

    <objects>
        <type>RoleType</type>
        <query>
            <q:filter>
                <q:text>subtype = 'groupRole'</q:text>
            </q:filter>
        </query>
    </objects>

Then you just run the action on this set of objects. This action applies the defined modification delta on the objects you selected in the filter. The example task removes the assigned service. The commented part modifies just the description attribute, just as an example.

I hope it will help you.

Best regards,

Martin Spanik
Senior Identity Engineer
+421 905 334 507
martin.spanik at evolveum.com
https://evolveum.com

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Keith Hazelton via midPoint
Sent: Wednesday, 12 July 2023 22:01
To: midpoint at lists.evolveum.com
Cc: Keith Hazelton <hazelton at internet2.edu>
Subject: [midPoint] Apply a bulk action to a specific object type and subtype

Is it possible to use a filter to perform a bulk action on a specific object type and subtype? I know it can be done, for example, for user subtypes, but we want to remove assignments for a specific subtype of group.

Thanks in advance,

--Keith Hazelton
_________________________
hazelton at internet2.edu
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From davidgregor7 at gmail.com Wed Jul 19 15:44:14 2023
From: davidgregor7 at gmail.com (David Gregor)
Date: Wed, 19 Jul 2023 15:44:14 +0200
Subject: [midPoint] Unassign roles from users (pairs) using scripts
Message-ID:

Hi all,

I have many pairs of users and roles and I would like to unassign these roles from the users. Doing it manually would take a lot of time; is there a better way? Maybe BA/BA tasks, I am not sure if it's possible or how to do it. My version is 4.4.4.

BTW, I tried to send this mail like 2 days ago and it didn't reach or at least didn't display in the archive, idk what went wrong.. hopefully this one will reach.

Thanks!
Dave

From pcaskey at internet2.edu Wed Jul 19 15:44:38 2023
From: pcaskey at internet2.edu (Paul Caskey)
Date: Wed, 19 Jul 2023 13:44:38 +0000
Subject: [midPoint] Apply a bulk action to a specific object type and subtype
In-Reply-To: <1528014827.70591.1689767370360.JavaMail.zimbra@evolveum.com>
References: <002301d9b562$784b17f0$68e147d0$@evolveum.com> <1528014827.70591.1689767370360.JavaMail.zimbra@evolveum.com>
Message-ID:

Thank you, Kamil. That works perfectly!

And you are correct. There is no need to fetch the org object. I thought I might need it, but your solution works great without it.

Thanks again!

-Paul

From: Kamil Jires
Sent: Wednesday, July 19, 2023 6:50 AM
To: midPoint General Discussion
Cc: Paul Caskey
Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype

Hi Paul,

let me share the task definition doing the stuff. A few notes:

- As you are logging just the oid, the request for the object from the repository would be a waste of performance (I have left it there as a comment).
- If you need to limit to Org only, you can make the condition ( a == "test-assignment" ) more complex, involving other tests, e.g. related to the assignment.targetRef.type.

I hope it will help you with your issue...
BR,
Kamil

-----

    remove assignment by subtype
    runnable
    BulkActions
    loose
    single
    UserType
    assignment/subtype
    test-assignment
    execute-script
    script

    import com.evolveum.midpoint.prism.delta.ObjectDelta
    import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry
    import com.evolveum.midpoint.prism.path.ItemPath
    import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType
    import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

    // input is the user selected by the task filter (assignment/subtype = test-assignment)
    UserType user = input as UserType
    List<AssignmentType> assignmentsToRemove = new ArrayList()

    // Collect every assignment carrying the "test-assignment" subtype
    for (AssignmentType assignment : user.getAssignment()) {
        if (assignment.subtype != null && assignment.subtype.size() != 0) {
            for (String a : assignment.subtype) {
                if (a == "test-assignment") {
                    // ###################
                    // OrgType org = midpoint.resolveReferenceIfExists(assignment.targetRef)
                    // log.info("Found test-assignment to Org: {}", org.oid)
                    // # Why resolve the Org object in case you are logging just the oid?
                    // ###################
                    log.info("Found test-assignment to {}: {}",
                            assignment.targetRef.type.localPart, assignment.targetRef.oid)
                    if (!assignmentsToRemove.contains(assignment)) {
                        assignmentsToRemove.add(assignment)
                        break
                    }
                }
            }
        }
    }

    // Build a single modification delta that deletes all collected assignment values
    S_ItemEntry removeAssignments = midpoint.prismContext.deltaFor(UserType.class)
    for (AssignmentType assignmentToRemove : assignmentsToRemove) {
        removeAssignments = removeAssignments
                .item(ItemPath.create(UserType.F_ASSIGNMENT))
                .delete(assignmentToRemove.clone())
    }
    ObjectDelta removeAssignmentsDelta = removeAssignments.asObjectDelta(user.oid)

    // Apply the delta through the model API so the usual policies and mappings run
    if (removeAssignmentsDelta) {
        log.info("Removing the selected assignments...")
        midpoint.executeChanges(Arrays.asList(removeAssignmentsDelta))
    }

________________________________
From: "Paul Caskey via midPoint"
To: "midPoint General Discussion", "martin spanik"
Cc: "Paul Caskey"
Sent: Monday, July 17, 2023 2:01:41 AM
Subject: Re: [midPoint] Apply a bulk action to a specific object type and subtype

Hi-

I'm working with Keith (the OP) and our use case for this is trying to remove old assignments. These are assignments on user objects to orgs that have already been deleted. The code below selects exactly the assignments I need to remove, but I can't figure out how to remove or unassign the assignments.

Does anyone know how to remove/unassign an assignment inside a bulk action of type 'execute-script'?

From Eetu.Salpaharju at tietokeskus.fi Wed Jul 19 15:49:02 2023
From: Eetu.Salpaharju at tietokeskus.fi (Eetu Salpaharju)
Date: Wed, 19 Jul 2023 13:49:02 +0000
Subject: [midPoint] Fw: Manager info to ActiveDirectory
In-Reply-To:
References:
Message-ID:

** This is a repost of this message. For some reason the first one never ended up on the mailing list, or at least on the archive page.
Sorry if you get this message twice **

Hello,

TL;DR: If someone has a working solution to populate the AD manager field with midPoint, I'd love to see how it is done.

I have an MS Active Directory resource and I'd need to populate the manager field. I have users' manager information stored in midPoint in two different ways:

I've extended the user schema and added a field named supervisorNo which is a reference to employeeNumber in the manager's user object. I wish I could use that field somehow like this:

    ri:manager
    Manager
    $user/extension/tkuser:supervisorNo

But I cannot figure out how to get another user object as a variable in that script.

Another approach would be something suggested in https://lists.evolveum.com/pipermail/midpoint/2016-March/001702.html . I have organization units for users and they have the correct managers. BUT... I haven't found any examples of how to use the getManagers() function in Groovy and in XML definitions. And the links mentioned in that post don't work anymore.

And another problem is that I have multiple organizational structures (based on managers, cost centers, locations etc). Each of those can have manager(s) defined, so I don't know how to find the right manager for a user to use in the Active Directory context. One solution would be to use the getManagersByOrgType function, but I haven't found a way to define orgType for my organization units. According to https://docs.evolveum.com/midpoint/reference/org/organizational-structure/ -> "important properties of org objects" table there should be orgType as a property, but when I try to use it in an inbound mapping, midPoint says that such a property does not exist.

- Eetu

From Eetu.Salpaharju at tietokeskus.fi Mon Jul 24 12:58:23 2023
From: Eetu.Salpaharju at tietokeskus.fi (Eetu Salpaharju)
Date: Mon, 24 Jul 2023 10:58:23 +0000
Subject: [midPoint] Fw: Manager info to ActiveDirectory
Message-ID:

**There seems to be something wrong with this mailing list. Repost, because the previous mail is not visible in the archive and I didn't get a copy from the mailing list**

Hello,

I found a working solution for my problem. I send it here in case someone is working with a similar scenario in the future. Hopefully this saves a few hours. This one even checks if the manager has an account in AD, and if multiple managers are found with the getManager function, it uses info in the extended user properties to find out who (if any) is the right one.

    ri:manager

Eetu Salpaharju
Tietokeskus Finland Oy

From Eetu.Salpaharju at tietokeskus.fi Mon Jul 24 13:31:23 2023
From: Eetu.Salpaharju at tietokeskus.fi (Eetu Salpaharju)
Date: Mon, 24 Jul 2023 11:31:23 +0000
Subject: [midPoint] Manual permission management for a large set of access rights
Message-ID:

Hello,

I'd like to use midPoint to manage our technicians' access to customer environments. There are a few hundred customers and the actual granting of access is done manually by a dedicated team. This will be the case also in the future; it is too time consuming to build automation for each customer.

My proposal involves creating a manual resource with each customer as an entitlement. To kickstart this, I've prepared a CSV file containing the list of customers, which will help me automate the creation of entitlements. Once these entitlements are in place, we can easily assign them to users through services or roles, streamlining the access-granting process. When a user is added to or removed from a customer (entitlement), the connector will generate a case and our team makes the changes manually.

But there are a few questions I have:

* Can I create entitlements for a manual connector at all?
* Can I use a CsvConnector as a secondary connector to import entitlements? The CsvConnector seems more oriented towards handling account-related data from CSV files, rather than directly managing entitlements. Does anyone have experience using it for entitlement management as a secondary connector? I'd appreciate any insights.
* Would there be some better ways to tackle this need? Creating a separate resource for each customer isn't the optimal option from a maintenance point of view.

Thanks again,

Regards,
Eetu Salpaharju
Tietokeskus Finland oy

From martin.spanik at evolveum.com Thu Jul 27 14:57:18 2023
From: martin.spanik at evolveum.com (Martin Spanik)
Date: Thu, 27 Jul 2023 14:57:18 +0200
Subject: [midPoint] Identity Governance and Administration with midPoint - survey
Message-ID: <001001d9c089$e0445f10$a0cd1d30$@evolveum.com>

Dear midPoint community,

A few weeks ago, we sent out an email informing you about an exciting opportunity to participate in shaping the future of midPoint's Identity Governance and Administration (IGA) features. We sincerely appreciate your continued support, and today, if you haven't already done so, we would like to kindly remind you there is still an opportunity to take part in the anonymous IGA survey at https://evolveum.limequery.net/379168?lang=en .

Your participation will help us prioritize and shape our future enhancements to better align with the needs of our end users. We genuinely value your input, and your contribution to the midPoint community.

If you have already completed the survey, we extend our thanks for your time and efforts. If you have any colleagues who might benefit from contributing their insights, please feel free to share the survey link with them.

If you have any questions or need further assistance, please feel free to reach out to us.

Martin Spanik
Senior Identity Engineer
+421 905 334 507
martin.spanik at evolveum.com
https://evolveum.com

From marie.ioannou at itconcepts.ch Fri Jul 28 13:04:11 2023
From: marie.ioannou at itconcepts.ch (Marie Ioannou)
Date: Fri, 28 Jul 2023 11:04:11 +0000
Subject: [midPoint] modify userview
Message-ID:

To whom it may concern,

I restrict the user view for a manager to all its subordinates. The manager can only read.
How can I get rid of the checkbox column (outer-left column) and of the outer-right column where one can disable, delete, reconcile, unlock etc... a user? I don't get why this outer-right column exists if the manager in my settings has no right to disable, delete, reconcile, unlock etc... its subordinates. If he chooses one of those actions then he gets an error because he has not the appropriate rights. Anyway, for my needs I want to get rid of this column.

Thank you in advance for your help,

Dr. Marie Ioannou
ITConcepts Professional GmbH

From blackcm at purdue.edu Fri Jul 28 14:54:28 2023
From: blackcm at purdue.edu (Black, Carey Matthew)
Date: Fri, 28 Jul 2023 12:54:28 +0000
Subject: [midPoint] modify userview
In-Reply-To:
References:
Message-ID:

Marie,

While I am sure it can be debated as a "preference", there are some people who find dynamic User Interfaces (UIs) that "hide functions" to be more difficult than a single standard UI that is uniform for all users. (Regardless of their access in that context of the display at the moment.) However, I am also a user who has not yet seen the "perfect UI" too. (If anyone has seen such a thing, I would love to see it too.)

Not to mention the additional complexity of the application development that arises out of such "cross cutting" logic. Which is to say that the more dynamic the UI is, the harder it is to maintain as you add additional features, functions and the permutations of interactions between those things and the users' "level of access" really does get out of control really quickly.

The obvious exception is "user permissions" to data. If a UI element is only for "blob objects" and the user has no access to "blob objects" then hiding all "blob object UI elements" seems not only reasonable but "easy". (Well, until there are some interactions between "blob objects" and other objects in the UI. See the permutations of interactions comment above.)

There are always "local/odd" things that every application tries to do to make things "better". But that also leads to "application specific knowledge" that is a burden for the user and the tool. (In my opinion.)

Frankly, I would rather have all UIs be 100% accessible, to all users, and then conform to more "standard organization models" than to need to keep needing to figure out if the button I need is "at the top or bottom", "at the right or the left" or "only there some of the time".

But maybe it is just me....

--
Carey Matthew Black

From marie.ioannou at itconcepts.ch Fri Jul 28 15:00:34 2023
From: marie.ioannou at itconcepts.ch (Marie Ioannou)
Date: Fri, 28 Jul 2023 13:00:34 +0000
Subject: [midPoint] modify userview
In-Reply-To:
References:
Message-ID:

Thank you Carey, you answered my "philosophical" question. I am more interested in the technical part of my question.

How can I GET RID OF the checkbox column and the outer-right column (disable, reconcile, delete, unlock, etc)?

Thank you for your answer and best regards,

Dr. Marie Ioannou
ITConcepts Professional GmbH