[midPoint] Import and assignmentPolicyEnforcement=none
Yakov Revyakin
yrevyakin at gmail.com
Tue May 16 11:05:12 CEST 2023
In the archetype assigned to the top org I have inducements of 2 resources.
They work fine when a new user comes to or goes from suborgs.
<inducement>
    <construction>
        <!--Google-->
        <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93"
                     relation="org:default" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
    </construction>
    <order>3</order>
    <focusType>UserType</focusType>
</inducement>
<inducement>
    <construction>
        <!--Keycloak-->
        <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3"
                     relation="org:default" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>organization</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>3</order>
    <focusType>UserType</focusType>
</inducement>
Before importing existing accounts I change assignmentPolicyEnforcement
from full to none.
1) Importing Google accounts with an import task doesn't demonstrate the
change in assignmentPolicyEnforcement. midPoint tries to create a new
account and modify the existing one. Discovery works, but this is not what
I expect. I'd like to see only the existing accounts linked.
2) I can see that with Keycloak assignmentPolicyEnforcement=none works as
expected - midPoint doesn't create new Keycloak accounts. But if, for
example, during Google import a user already has a Keycloak account with a
group association, midPoint deletes the existing group associations.
Strange behavior. Any ideas?
MP4.4.3
Yakov