[midPoint] Valid to role assignment problem

Aivo Kuhlberg aivo.kuhlberg at rmit.ee
Mon Oct 31 10:01:11 CET 2016


Hi Ivan,
Does association + tolerant mean I have to add <tolerant>false</tolerant> to the association part in the account definition in resourceSchema?

If so, then what will happen to all the groups which I have excluded in my current AD group import? Will this setting delete any existing members of these groups? For example, when midPoint user A has an AD account and this AD account has membership in AD group B, but this group B is not synced to midPoint. Will this group membership be deleted if tolerant is set to false?

Best Regards,
Aivo

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Sent: 28 October 2016 22:10
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Valid to role assignment problem


Hi Aivo,

please check this issue: https://jira.evolveum.com/browse/MID-3296


If it's what you are experiencing, please check how your association + tolerant is configured.


Ivan

On 10/28/2016 10:14 AM, Aivo Kuhlberg wrote:

Hello,

I am testing role assignment valid from/to triggering and have a problem with the valid to functionality. I assigned a role to a midPoint user and, before saving the assignment, I specified the valid to value. This midPoint role is imported from an AD group, so I expect that when the valid to time is over, the AD group will be removed from the AD user, but that does not happen. Even full reconciliation of AD users and groups did not help. Even changing the administrative status to "Disabled" did not help. But when I changed it to "Enabled" and then "Disabled", the AD user group membership disappeared. Can it be because I am using the .NET AD connector and in the LDAP connector this problem is fixed?
Before that I tested "Valid From" field triggering and that worked as expected - after the specified time and the validity scanner run, the AD group was assigned to the AD user.
Regards,
Aivo Kuhlberg

________________________________
This e-mail may contain information which is classified for official use.


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint



--
Ivan Noris
Senior Identity Engineer
evolveum.com

