[midPoint] Import and assignmentPolicyEnforcement=none

Yakov Revyakin yrevyakin at gmail.com
Fri May 19 15:19:31 CEST 2023


I've found the root cause. I have a policy rule which triggers "recompute"
on a user object.
       <policyRule>
            <policyConstraints>
                <modification>
                    <item>extension/profileStatus</item>
                </modification>
            </policyConstraints>
            <policyActions>
                <scriptExecution>
                    <object>
                        <currentObject/>
                    </object>
                    <executeScript>
                        <s:recompute/>
                    </executeScript>
                </scriptExecution>
            </policyActions>
        </policyRule>

It looks like this way to recompute a user turns off the "none" projection
policy of the Google resource. This results in creating a Google account
even though a Google assignmentPolicyEnforcement is "none".

I tried different available executeOptions without success.

Is this behavior expected?

Thanks,
Yakov



On Tue, 16 May 2023 at 12:05, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> In the archetype assigned to the top org I have inducements of 2
> resources. They work fine when a new user comes to or goes from suborgs.
>
>     <inducement>
>         <construction>
>             <!--Google-->
>             <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93"
> relation="org:default" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>         </construction>
>         <order>3</order>
>         <focusType>UserType</focusType>
>     </inducement>
>
>     <inducement>
>         <construction>
>             <!--Keycloak-->
>             <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3"
> relation="org:default" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <ref>ri:group</ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator
> xsi:type="c:ShadowDiscriminatorType">
>                                 <kind>entitlement</kind>
>                                 <intent>organization</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>3</order>
>         <focusType>UserType</focusType>
>     </inducement>
>
> Before importing existing accounts I change assignmentPolicyEnforcement
> from full to none.
> 1) Importing Google accounts with import task doesn't demonstrate the
> change in assignmentPolicyEnforcement. Midpoint tries to create a new
> account and modify existing. Discovery works but this is not what I expect.
> I'd like to see simply only existing accounts linked.
> 2) I can see that with Keycloak assignmentPolicyEnforcement=none works as
> expected - Midpoint doesn't create new Keycloak accounts. But, if, for
> example, during Google import a user already has a Keycloak account with a
> group association Midpoint deletes existing group associations.
>
> Strange behavior. Any ideas?
> MP4.4.3
>
> Yakov
>
>
>
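For reference, the resource-side setting discussed in the thread, as an added example that is not taken from the original messages or from the midPoint project's own files: a fragment of a midPoint resource definition showing where the per-resource assignmentPolicyEnforcement lives. The OID and the name "Google" are taken from the quoted inducement; the connector reference, connector configuration and schemaHandling are omitted, so this is a fragment, not a complete resource.

```xml
<!-- Added example (not from the original thread or the midPoint project):
     where the per-resource assignmentPolicyEnforcement is set. The OID is the
     Google resourceRef quoted above; connectorRef, connectorConfiguration and
     schemaHandling are omitted. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93">
    <name>Google</name>
    <!-- connectorRef, connectorConfiguration, schemaHandling omitted -->

    <!-- Setting used while importing pre-existing accounts: with "none",
         midPoint does not create or delete the account because of assignments;
         imported accounts are only linked to their owners. -->
    <projection>
        <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
    </projection>

    <!-- Value to restore after the import, so assignments are enforced again:
    <projection>
        <assignmentPolicyEnforcement>full</assignmentPolicyEnforcement>
    </projection>
    -->
</resource>
```

The value set here on the resource overrides the global default in the system configuration (globalAccountSynchronizationSettings/assignmentPolicyEnforcement), so when behaviour does not match the expected policy it is worth checking both places, and checking which resource a given projection actually belongs to, since each resource carries its own setting.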