[midPoint] R: R: Re: Reevaluate entitlement association

Marco Benucci m.benucci at nsr.it
Fri Sep 8 23:15:20 CEST 2017


Hi,
I have created my entitlements using this schema object in my resource
https://pastebin.com/zkJkwS73

and an object synchronization like this
https://pastebin.com/axrzXbc2

the template used in sync is the following
https://pastebin.com/MUYd9xBz

Moreover, I have an association in the account schemaHandling
https://pastebin.com/bDsHu38V

This is basically what is described in https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO

Where should I put the mapping’s strength?

Thank you,
Marco

From: Pavol Mederly
Sent: Friday, 8 September 2017 22:50
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] R: Re: Reevaluate entitlement association

Hello Marco,
I assume your entitlements are created using account constructions containing mappings. The behavior on recompute/reconcile depends on the strength of those mappings and on the tolerance level set on target associations (and attributes).
Generally, strength=normal (read "relative") means the mappings are put into action on a value change. Recompute/reconcile does not trigger them.
If you want to be sure your mapping is employed on recompute/reconcile, you have to mark it as strength=strong.
See https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingStrength.
Also you can enable logging and see what mappings are triggered, and, generally, what's going on when you run recompute.
See https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings.
Best regards,
Pavol Mederly
Software developer
evolveum.com
On 08.09.2017 19:56, Marco Benucci wrote:
Sorry for not having specified this before, but recompute seems not to work. Neither the checkbox on the user page nor a bulk with the recompute action...

No errors are shown, by the way.

We have planned the update asap, but before doing that we have a bunch of more urgent requests...

Anyway, should this be the expected behavior?

If an account on AD is not in a given group, but his/her virtual identity has the role/entitlement associated (and the account is correctly linked), should a recomputation fix this?

Maybe we have a wrong resource configuration? 
On 08 Sep 2017 7:44 PM, Martin Lízner - AMI Praha a.s. <martin.lizner at ami.cz> wrote:
Hi, simple user recompute should do it. E.g. open user in GUI, check the reconcile checkbox and hit save. Anyway I also recommend upgrading to the latest (3.6, soon 3.6.1) mp version. M.


Martin Lízner
solution architect

2017-09-08 18:43 GMT+02:00 Marco Benucci <m.benucci at nsr.it>:
Hi,
we have midpoint 3.4 and an AD resource with configured entitlements.

Now, I still do not know why, but on AD many users have lost their membership of a role. Fortunately in midPoint we still have the role/entitlement associated to all the right users.

Is there a way to force midPoint to reevaluate the entitlement association to add again users to their group?

Thank you.

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint



