[midPoint] Changes in role hierarchy are not distributed correctly

iam-mailing at tk.de iam-mailing at tk.de
Thu Dec 12 15:26:58 CET 2019 

Hi everyone,

has anyone experience with modifications in role hierarchies?
How do you handle changes in already assigned roles?
It seems to me that midPoint doesn't support some modifications...

The issue occurs when I remove a group focus from a role hierarchy (in any depth).
To apply this new hierarchy to the members I start a reconcile of all members.
The reconcile only adds groups to the linked accounts if they were added to the hierarchy, but it does not remove groups if they were deleted from the hierarchy.

Here is one example:
[User]  --(assign)---> [ParentRole] --(induce)--> [Role1], [Role2]
[Role1] --(project)--> [Shadow: 'group-1']
[Role2] --(project)--> [Shadow: 'group-2']

When I remove the inducement [ParentRole]-->[Role1] and start a reconcile for a user, the user account still has 'group-1' in the resource.
This happens as well in the AD as in the DummyResource.

I already tried a lot with the <tolerant> settings and the <fetchStrategy> of the <association> section in the resource.

The wiki tells: '[...] in case that the role definition is changed. There are in fact two operation: change of the role and then reconcile the user. [...] And in this case the tolerant flag is important.'
(https://wiki.evolveum.com/display/midPoint/Entitlements Chapter Entitlement Membership Removal)

But for me, the <tolerant> flag does not change the behavior...

Is there anything I missed?


Here are some extracts of the configuration with the dummy resource:

Shadow 1 (equivalent to shadow 2):
<shadow oid="shadow-001"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
            xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
      <name>group-1</name>
      <resourceRef oid="resource-001"/>
      <objectClass>ri:GroupObjectClass</objectClass>
      <kind>entitlement</kind>
      <intent>group</intent>
      <attributes>
            <icfs:uid>group-1</icfs:uid>
            <icfs:name>group-1</icfs:name>
      </attributes>
</shadow>

Role 1 (equivalent to role 2):
<role oid="role-001"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/resource-001">
      <name>Role-1</name>
      <inducement>
      <construction>
            <resourceRef oid="resource-001" type="c:ResourceType"/>
            <kind>account</kind>
            <association>
                  <ref>ri:group</ref>
                  <outbound>
                        <strength>strong</strength>
                        <expression>
                             <value>
                                   <shadowRef oid="shadow-001" type="ShadowType"/>
                             </value>
                        </expression>
                  </outbound>
            </association>
      </construction>
      </inducement>
</role>

Parent role:
<role oid="role-parent-003"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
      <name>Role-Parent</name>
      <inducement id="1">
            <targetRef oid="role-001" relation="org:default" type="c:RoleType"/>
      </inducement>
      <inducement id="2">
            <targetRef oid="role-002" relation="org:default" type="c:RoleType"/>
      </inducement>
</role>

Resource:
<resource oid="resource-001">
      ...
      <schemaHandling>
            <objectType>
                  ...
                  <association>
                        <ref>ri:group</ref>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                        <direction>objectToSubject</direction>
                        <associationAttribute>ri:members</associationAttribute>
                        <valueAttribute>icfs:name</valueAttribute>
                        <shortcutAssociationAttribute>ri:privileges</shortcutAssociationAttribute>
                        <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
                        <tolerant>false</tolerant>
                        <fetchStrategy>explicit</fetchStrategy>
                  </association>
            </objectType>
      </schemaHandling>
</resource>

The test case:
public void testReconcile() throws Exception {
      Task task = createTask("reconcileTest");
      OperationResult result = task.getResult();

      assignRole("user-001", "role-parent-003");

      uninduceRole("role-parent-003", "role-001", task, result);

      reconcileUser("user-001", task, result);

      DummyGroup group1 = dummyResource.getGroupByName("group-1");
      assertFalse(group1.containsMember("user-001"), "'group-1' should be removed but is still associated");
}

Thanks in advance,
Henrik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20191212/2187617a/attachment.htm>

More information about the midPoint mailing list