[midPoint] R: Re: Reevaluate entitlement association

Pavol Mederly mederly at evolveum.com
Fri Sep 8 22:44:16 CEST 2017 

Hello Marco,

I assume your entitlements are created using account constructions 
containing mappings. The behavior on recompute/reconcile depends on the 
strength of those mappings and on the tolerance level set on target 
associations (and attributes).

Generally, strength=normal (read "relative") means the mappings are put 
into action on a value change. Recompute/reconcile does *not* trigger them.

If you want to be sure your mapping is employed on recompute/reconcile, 
you have to mark it as strength=strong.

See 
https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingStrength.

Also you can enable logging and see what mappings are triggered, and, 
generally, what's going on when you run recompute.

See https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 08.09.2017 19:56, Marco Benucci wrote:
> Sorry for not have specified this before, but recompute seems not to 
> work. Neither the checkbox on the user page neither a bulk with the 
> recompute action...
>
> No errors are showed by the way.
>
> We have planned the update asap, but before doing that we have a bunch 
> of more urgent requests...
>
> Anyway, should be this the expected behavior?
>
> If an account on AD is not in a given group, but his/her virtual 
> identity have the role/entitlement associated (and the account is 
> correctly linked), should a recomputation fix this?
>
> Maybe we have a wrong resource configuration?
> Il 08 set 2017 7:44 PM, Martin Lízner - AMI Praha a.s. 
> <martin.lizner at ami.cz> ha scritto:
>
>     Hi, simple user recompute should do it. E.g. open user in GUI,
>     check the reconcile checbox and hit save. Anyway I also recommend
>     upgrading to the latest (3.6, soon 3.6.1) mp version. M.
>
>     Martin Lízner
>     solution architect
>
>     gsm: [+420] 737 745 571
>     e-mail: martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>
>
>     			
>
>     AMI Praha a.s.
>     Pláničkova 11
>     162 00 Praha 6
>     tel.: [+420] 274 783 239
>     web: www.ami.cz <http://www.ami.cz/>
>
>     			
>
>
>
>     AMI Praha a.s. <http://www.skyidentity.com/>
>
>     Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá
>     za společnost AMI Praha a.s.
>     jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>     výhradně písemnou formu.
>
>
>
>     2017-09-08 18:43 GMT+02:00 Marco Benucci <m.benucci at nsr.it
>     <mailto:m.benucci at nsr.it>>:
>
>         Hi,
>
>         we have midpoint 3.4 and an AD resource with configured
>         entitlements.
>
>         Now, I still do not know why, but on AD many users have lost
>         their membership of a role. Fortunately in midPoint we still
>         have the role/entitlement associated to all the right users.
>
>         Is there a way to force midPoint to reevaluate the entitlement
>         association to add again users to theri group?
>
>         Thank you.
>
>
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170908/a4d98726/attachment.htm>

More information about the midPoint mailing list