[midPoint] User to Role assignment activation date not working for AD group

Ivan Noris ivan.noris at evolveum.com
Wed Apr 17 10:49:22 CEST 2019


Hi Alcides,

It behaves like that because when the time comes (the time of assignment
deactivation), midPoint does not process a "change" but issues a user
recomputation. The mappings behave as they do during reconciliation: there
are no deltas.

One possible workaround: instead of tolerant=false you can use
tolerantValuePattern:

    <!-- tolerates Secret1234, Secret-4-1 but not AAA-Secret-123 -->
    <tolerantValuePattern>^Secret.*$</tolerantValuePattern>

I was not able to find the documentation in a minute, but it should be
documented in the common schema for sure.

It should play well with tolerant=true/false, so you can set tolerant=false
and tolerantValuePattern to a regexp matching the groups which should
always be kept by midPoint even when they are not provisioned by midPoint.

Of course, test the behaviour in a non-prod environment before actually using it.

Best regards,

Ivan

On 16. 4. 2019 19:39, Alcides Carlos de Moraes Neto wrote:
> Hi Ivan, thank you.
>
> We can't have it tolerant=false, we have many associations in AD
> outside midPoint control.
>
> Assignment and unassignment work, shouldn't assignment activation
> work just like an unassignment? Why is tolerant needed to remove
> membership in this case?
>
> Isn't that exception related? We're pretty sure this worked in 3.8,
> and it stopped now in 3.9.
>
> On Tue, 16 Apr 2019 at 05:36, Ivan Noris
> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Alcides,
>
>     I think the removal of group(s) will work in this scenario if the
>     AD attribute/association in the resource schema handling is set to
>     be tolerant=false.
>
>     Be sure this is what you want as tolerant=false means midPoint
>     will remove all values not given by midPoint.
>
>     Best regards,
>
>     Ivan
>
>     On 16. 4. 2019 0:26, Alcides Carlos de Moraes Neto wrote:
>>     Hello list,
>>
>>     We have working user and role association to AD users and groups.
>>     However, if we give users an assignment with activation
>>     expiration date in midpoint, they are not removed from the AD
>>     group when the date comes. The assignment shows as expired, but
>>     they are not removed from the AD group that the role projects to,
>>     even when recomputing.
>>
>>     Even removing the expired assignment will not remove the user
>>     from the list.
>>
>>     Also, when trying to modify any of the activation parameters from
>>     these assignments, we're getting a NPE:
>>     java.lang.NullPointerException: null
>>     com.evolveum.midpoint.prism.util.ItemDeltaItem.findIdi(ItemDeltaItem.java:218)
>>     com.evolveum.midpoint.repo.common.expression.ExpressionUtil.resolvePath(ExpressionUtil.java:232)
>>     com.evolveum.midpoint.model.common.mapping.MappingImpl.parseSource(MappingImpl.java:874)
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
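To make the trade-off discussed in this thread concrete, here is an added Python simulation of how a non-tolerant association with a tolerantValuePattern decides which existing group memberships survive a recompute. It is not midPoint code and not Ivan's or Alcides's configuration; it assumes the pattern is matched against the whole group name (Python re.fullmatch) and uses constructed group names, with AAA-Secret-123 standing in for the group an expired assignment used to provision and Sales-Admins for a membership maintained outside midPoint.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AssociationPolicy:
    """Tolerance settings of one association (simulated, not the midPoint schema)."""
    tolerant: bool
    # Regular expressions for values that are kept even though midPoint did not provision them.
    tolerant_value_patterns: Tuple[str, ...] = ()


def is_tolerated(value: str, policy: AssociationPolicy) -> bool:
    """A value survives if the association is tolerant or if it matches a tolerated pattern.

    Assumption: the pattern must match the whole value (re.fullmatch). The page's own
    pattern ^Secret.*$ is anchored, so search() would give the same result for it.
    """
    if policy.tolerant:
        return True
    return any(re.fullmatch(p, value) for p in policy.tolerant_value_patterns)


def recompute(current: Iterable[str], provisioned: Iterable[str],
              policy: AssociationPolicy) -> Dict[str, List[str]]:
    """Simulate a recompute (no delta, reconciliation-style comparison of states).

    current:     group memberships the account has in AD right now
    provisioned: memberships midPoint still computes from active assignments
    Returns the memberships to add, keep and remove.
    """
    current_set, provisioned_set = set(current), set(provisioned)
    keep, remove = [], []
    for value in sorted(current_set):
        if value in provisioned_set or is_tolerated(value, policy):
            keep.append(value)
        else:
            remove.append(value)
    return {"add": sorted(provisioned_set - current_set), "keep": keep, "remove": remove}


# Constructed sample state after the role assignment has expired: the account still
# holds all four groups, but midPoint no longer provisions AAA-Secret-123.
AD_GROUPS_NOW = ["Secret1234", "Secret-4-1", "AAA-Secret-123", "Sales-Admins"]
PROVISIONED_AFTER_EXPIRY: List[str] = []

TOLERANT = AssociationPolicy(tolerant=True)
NON_TOLERANT_WITH_PATTERN = AssociationPolicy(tolerant=False,
                                              tolerant_value_patterns=("^Secret.*$",))


def expired_assignment_outcomes() -> Dict[str, Dict[str, List[str]]]:
    """Compare the two settings from the thread on the same post-expiry state."""
    return {
        "tolerant=true": recompute(AD_GROUPS_NOW, PROVISIONED_AFTER_EXPIRY, TOLERANT),
        "tolerant=false+pattern": recompute(AD_GROUPS_NOW, PROVISIONED_AFTER_EXPIRY,
                                            NON_TOLERANT_WITH_PATTERN),
    }


if __name__ == "__main__":
    for name, outcome in expired_assignment_outcomes().items():
        print(f"{name}: keep={outcome['keep']} remove={outcome['remove']}")
```

Running it shows both sides of the thread: with tolerant=true nothing is removed on recompute, which is the behaviour Alcides reported, while tolerant=false with the pattern removes the expired AAA-Secret-123 but also removes Sales-Admins, which is exactly why Ivan suggests covering every externally managed group with the pattern and testing outside production first.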
