[midPoint] Unlinking accounts when user is deleted / unassigned?

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Thu Aug 9 20:43:12 CEST 2018


Thanks for the info, Ivan.

In regards to unlinking, our mappings and correlation expressions work in a
way that, if a deactivated user's account were unlinked, it would not
be linked again. But I understand it would be an issue for a lot of cases.
The best practice would be to delete the user in midPoint.

The main reason behind this is that I want to keep the AD login account
intact so the Exchange mailbox is not lost when a user leaves.


On Thu, 9 Aug 2018 at 05:56, Ivan Noris <ivan.noris at evolveum.com>
wrote:

> Hi,
>
> just to inform you that we are already tracking:
>
> https://jira.evolveum.com/browse/MID-2142 (Capabilities per objectType
> (e.g. Delete capability only for some intents)
>
> and
>
> https://jira.evolveum.com/browse/MID-2144 (Configured capabilities - add
> a way to ignore instead of "Operation not supported" error)
>
> These are marked as "subscription needed", so you may want to use a
> subscription to prioritize them.
>
> Related to unlinking: I'm not aware of any way, but even if there were a
> way to unlink an account (it's probably possible using bulk tasks), the
> account would be linked back if any synchronization ran for that
> resource and an unlinked->link reaction was specified. This is because
> unlink means dropping the linkRef reference from the user object to the shadow, but the
> shadow would still remain in the repository. Even if the shadow did not
> remain, it would be recreated upon the next reconciliation with the system, as
> the account still exists.
>
> So the best option would be to avoid deletion of the accounts by using
> configured capabilities, but as you correctly stated, the current behaviour
> would apply to all objects on the resource (accounts, groups etc.). That's
> why we are tracking the features in our JIRA.
>
> Best regards,
>
> Ivan
>
> On 08.08.2018 21:57, Alcides Carlos de Moraes Neto wrote:
>
> Hello list,
>
> Quick question: Is it possible to not delete, but unlink accounts when a
> user is deleted and/or unassigned from the account?
>
> Right now I'm able to disable instead of delete, but the account remains
> linked to the user.
> I would like to either delete the user without deleting the account, or
> unlink the user from the account automatically.
>
> I have simulated this by removing the "delete" capability from the
> resource, but this is not viable, as I need to be able to delete groups,
> but not users.
>
> Thanks!
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
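The two mechanisms discussed in the thread, shown together in one resource fragment. This is an added example written for this archive page, not configuration from either poster or from the midPoint project itself; the resource OID, resource name and the sAMAccountName correlation are assumptions, and it follows the midPoint 3.x resource schema as I understand it from 2018. It demonstrates why a disabled delete capability is an all-or-nothing switch for the whole resource (the limitation tracked as MID-2142) and why an `unlinked` reaction with the `link` action is exactly what would pull a manually unlinked shadow back to its owner on the next synchronization or reconciliation run.

```xml
<!-- Added example, not part of the original thread. OID is a placeholder. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          oid="PLACEHOLDER-RESOURCE-OID">
    <name>Example AD resource (assumed name)</name>

    <!-- connectorRef and connectorConfiguration omitted; they are unchanged by this example -->

    <capabilities>
        <configured>
            <!-- Disabling the delete capability here applies to EVERY object class on
                 this resource: accounts, groups and anything else the connector exposes.
                 There is no per-intent switch at this level, which is the gap MID-2142
                 tracks. With this setting a user deletion or unassignment in midPoint
                 leaves the AD account (and thus the Exchange mailbox) in place, but a
                 group deletion will fail the same way. -->
            <cap:delete>
                <cap:enabled>false</cap:enabled>
            </cap:delete>
        </configured>
    </capabilities>

    <synchronization>
        <objectSynchronization>
            <objectClass>ri:AccountObjectClass</objectClass>
            <kind>account</kind>
            <intent>default</intent>
            <enabled>true</enabled>

            <!-- Correlation: an account with no linkRef is matched back to a user by
                 name. Assumed attribute; the real mapping depends on the deployment. -->
            <correlation>
                <q:equal>
                    <q:path>name</q:path>
                    <expression>
                        <path>$account/attributes/ri:sAMAccountName</path>
                    </expression>
                </q:equal>
            </correlation>

            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>

            <!-- This is the reaction Ivan refers to. A shadow whose linkRef was dropped
                 (by a bulk task or by hand) is in the "unlinked" situation; the link
                 action restores the linkRef on the next live sync or reconciliation,
                 so unlinking alone is not a durable way to detach an account.
                 Removing this reaction, or having correlation deliberately not match
                 deactivated users (as Alcides describes), is what keeps it detached. -->
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
```

From a lifecycle-control standpoint the safer of the two is the configured capability, because it fails closed (midPoint reports an unsupported operation rather than silently losing the mailbox); the cost, as the thread says, is that the same refusal hits group deletions until capabilities can be scoped per object type.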

