[midPoint] User to Role assignment activation date not working for AD group

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Tue Apr 16 19:39:38 CEST 2019


Hi Ivan, thank you.

We can't have it tolerant=false; we have many associations in AD outside midPoint control.

Assignment and unassignment work; shouldn't assignment activation work just like an unassignment? Why is tolerant needed to remove membership in this case?

Isn't that exception related? We're pretty sure this worked in 3.8, and it stopped now in 3.9.

> On Tue, Apr 16, 2019 at 05:36, Ivan Noris <ivan.noris at evolveum.com> wrote:
> Hi Alcides,
> 
> I think the removal of group(s) will work in this scenario if the AD attribute/association in the resource schema handling is set to be tolerant=false.
> 
> Be sure this is what you want as tolerant=false means midPoint will remove all values not given by midPoint.
> 
> Best regards,
> 
> Ivan
> 
>> On 16. 4. 2019 0:26, Alcides Carlos de Moraes Neto wrote:
>> Hello list,
>> 
>> We have working user and role association to AD users and groups. However, if we give users an assignment with activation expiration date in midPoint, they are not removed from the AD group when the date comes. The assignment shows as expired, but they are not removed from the AD group that the role projects to, even when recomputing.
>> 
>> Even removing the expired assignment will not remove the user from the list.
>> 
>> Also, when trying to modify any of the activation parameters from these assignments, we're getting a NPE:
>> java.lang.NullPointerException: null
>> com.evolveum.midpoint.prism.util.ItemDeltaItem.findIdi(ItemDeltaItem.java:218)
>> com.evolveum.midpoint.repo.common.expression.ExpressionUtil.resolvePath(ExpressionUtil.java:232)
>> com.evolveum.midpoint.model.common.mapping.MappingImpl.parseSource(MappingImpl.java:874)
>> 
>> 
>> 
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com