[midPoint] - ScriptedSQL connector mishandling inherited roles deletion
Ivan Noris
ivan.noris at evolveum.com
Thu Nov 10 19:51:45 CET 2016
Hi Rodrigo,
unfortunately no other idea yet. I was running recompute ca. two weeks
ago to remove some application groups that were not added by midPoint;
the goal was to have an association configuration with tolerant=false and
it worked (this was a custom connector, not ScriptedSQL):
<association>
    <ref>ri:wsEntitlements</ref>
    <tolerant>false</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>ws-entitlement</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:accountId</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>
In all roles where the association is used, <strength>strong</strength> is
used as well (but the tolerant=false is a must). The recompute then
worked as expected and removed all non-midPoint groups from the
accounts. The accounts were constructed by hierarchical roles (User -
assign - Business role - inducement - Application role) and the
association was in the Application role.
Best regards,
Ivan
On 11/10/2016 06:21 PM, Rodrigo Yanis wrote:
>
> Hello Ivan, thanks for your response.
>
> Unfortunately this didn't work. All our association attributes are
> set to tolerant=false by default.
>
> Strange thing is, this only happens when reconciling on already
> assigned high level roles, not on assignment time.
>
> Any other suggestion?
> Thanks again,
>
>
>
> *Rodrigo Yanis.*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4824-9971
> ryanis at identicum.com
> www.identicum.com
>
> 2016-11-10 9:48 GMT-05:00 Ivan Noris <ivan.noris at evolveum.com>:
>
> Hi Rodrigo,
>
> maybe <tolerant>false</tolerant> for association or your group
> attribute (if not using associations) could help...
>
> Ivan
>
>
> On 11/10/2016 03:33 PM, Rodrigo Yanis wrote:
>> Hello everyone,
>>
>> We're having issues with our ScriptedSQL connector mishandling
>> group membership removals when said memberships come from roles
>> that are inherited from a higher level role that is assigned to
>> the user.
>>
>> When we remove the database role (the one that is linked to the
>> resource's meta-role, and represents a database group) from the
>> higher level role, and perform a reconciliation on the user, this
>> does not remove the group membership of this user in the
>> database. This only happens if the database role is assigned
>> directly to the user, and then removed.
>>
>> We've also tried with a recompute task on the user, still with no
>> luck.
>>
>> Since our role hierarchy does not support this last option, we
>> must find a way (either through a task or directly) to remove
>> memberships to roles that are no longer induced into the high
>> level role.
>>
>> Do you have an idea on how to proceed?
>>
>> Thanks for your help
>>
>> *Rodrigo Yanis.*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4824-9971
>> ryanis at identicum.com
>> www.identicum.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
--
Ivan Noris
Senior Identity Engineer
evolveum.com
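The thread above describes a role hierarchy (User - assign - Business role - inducement - Application role) where a group provisioned through an induced application role is not removed once the inducement is taken away, and Ivan's reply says that tolerant=false on the association made recompute remove such groups. The following toy model is an added illustration, not midPoint's or the ScriptedSQL connector's own code: it walks a constructed hierarchy, computes the groups a user should hold, and reconciles them against constructed resource state under tolerant=true and tolerant=false. The role walk, the delta rules (foreign values kept when tolerant, removed when not) and the case-insensitive comparison standing in for mr:stringIgnoreCase are simplifying assumptions, and every role, group and account name is sample data.

```python
"""Toy model of reconciling an association (group membership) through a
role hierarchy under tolerant=true vs tolerant=false.

Added illustration, not midPoint's code.  Assumptions: the expected values
are the union of groups over every role reachable by inducement from the
user's direct assignments; with tolerant=True a value on the resource that
is not expected is left alone, with tolerant=False it is removed.
All names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    inducements: set = field(default_factory=set)  # roles this role induces
    groups: set = field(default_factory=set)       # entitlement values it provisions


def induced_roles(role_name, roles, seen=None):
    """Transitive closure over inducements, starting at an assigned role."""
    if seen is None:
        seen = set()
    if role_name in seen:  # guard against cycles in the hierarchy
        return seen
    seen.add(role_name)
    for child in roles[role_name].inducements:
        induced_roles(child, roles, seen)
    return seen


def expected_groups(assigned, roles):
    """Groups the user should hold: union over every role reachable from
    the directly assigned roles."""
    expected = set()
    for top in assigned:
        for name in induced_roles(top, roles):
            expected |= roles[name].groups
    return expected


def reconcile(expected, actual, tolerant, ignore_case=True):
    """Return (to_add, to_remove), both sorted.  ignore_case stands in for
    <matchingRule>mr:stringIgnoreCase</matchingRule>: values are compared
    case-insensitively but reported as stored on the resource."""
    norm = str.lower if ignore_case else (lambda v: v)
    exp = {norm(v): v for v in expected}
    act = {norm(v): v for v in actual}
    to_add = sorted(v for k, v in exp.items() if k not in act)
    if tolerant:
        to_remove = []  # foreign values are left alone
    else:
        to_remove = sorted(v for k, v in act.items() if k not in exp)
    return to_add, to_remove


def build_roles():
    """Constructed hierarchy: one business role inducing one application
    role, plus a second application role that nobody induces."""
    return {
        "Business: Analyst": Role("Business: Analyst",
                                  inducements={"App: Reporting DB"}),
        "App: Reporting DB": Role("App: Reporting DB", groups={"REPORT_READERS"}),
        "App: Finance DB": Role("App: Finance DB", groups={"FIN_WRITERS"}),
    }


def scenario(tolerant, drop_inducement):
    """Run one recompute.  drop_inducement=True models removing the
    application role from the business role before the recompute."""
    roles = build_roles()
    if drop_inducement:
        roles["Business: Analyst"].inducements.discard("App: Reporting DB")
    assigned = {"Business: Analyst"}  # the user's direct assignment
    # Constructed resource state: one group provisioned earlier (stored in
    # lower case on the database) and one added directly in the database.
    actual_on_resource = {"report_readers", "fin_writers"}
    return reconcile(expected_groups(assigned, roles), actual_on_resource, tolerant)


if __name__ == "__main__":
    for tol in (True, False):
        for drop in (False, True):
            print(f"tolerant={tol!s:5} inducement_removed={drop!s:5} ->",
                  scenario(tol, drop))
```

In this model only the tolerant=false run after the inducement is dropped removes both the stale "report_readers" membership and the foreign "fin_writers" group; with tolerant=true the resource keeps everything it already has, which is the lingering-membership symptom the thread describes.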