[midPoint] User to Role assignment activation date not working for AD group

Ivan Noris ivan.noris at evolveum.com
Tue Apr 16 10:35:41 CEST 2019


Hi Alcides,

I think the removal of group(s) will work in this scenario if the AD
attribute/association in the resource schema handling is set to be
tolerant=false.

Be sure this is what you want as tolerant=false means midPoint will
remove all values not given by midPoint.

Best regards,

Ivan

On 16. 4. 2019 0:26, Alcides Carlos de Moraes Neto wrote:
> Hello list,
>
> We have working user and role association to AD users and groups.
> However, if we give users an assignment with activation expiration
> date in midPoint, they are not removed from the AD group when the date
> comes. The assignment shows as expired, but they are not removed from
> the AD group that the role projects to, even when recomputing.
>
> Even removing the expired assignment will not remove the user from the
> list.
>
> Also, when trying to modify any of the activation parameters from
> these assignments, we're getting a NPE:
> java.lang.NullPointerException: null
> com.evolveum.midpoint.prism.util.ItemDeltaItem.findIdi(ItemDeltaItem.java:218)
> com.evolveum.midpoint.repo.common.expression.ExpressionUtil.resolvePath(ExpressionUtil.java:232)
> com.evolveum.midpoint.model.common.mapping.MappingImpl.parseSource(MappingImpl.java:874)
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
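
As an illustration of the setting discussed in the reply above, here is a resource `schemaHandling` fragment with a non-tolerant group association. This is an added example, not configuration posted in this thread. The object class, the intents and the `ri:group` / `ri:member` / `ri:dn` names are assumptions modelled on a typical AD/LDAP resource and must be adapted to the actual resource definition.

```xml
<!-- Added example: fragment of a midPoint resource definition.
     All names below (ri:user, ri:group, ri:member, ri:dn, intents)
     are assumptions for illustration, not values from this thread. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:user</objectClass>

        <association>
            <ref>ri:group</ref>
            <displayName>AD Group Membership</displayName>
            <!-- tolerant=false: midPoint removes every group membership
                 that it did not compute itself. Memberships coming from an
                 expired or deleted assignment are therefore dropped on the
                 next recompute/reconciliation, and so are memberships that
                 were added directly in AD outside of midPoint. -->
            <tolerant>false</tolerant>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
        </association>
    </objectType>
</schemaHandling>
```

Before switching an existing association to non-tolerant, compare current AD group membership with what midPoint assigns, because every membership midPoint does not manage will be removed.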
