[midPoint] Modification of role hierarchy not working

Jan Vaňáček - AMI Praha a.s. jan.vanacek at ami.cz
Tue Oct 8 10:30:40 UTC 2019

I think you are referring to Entitlement Membership Removal


*From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of *Tom
*Sent:* Monday, September 30, 2019 5:52 PM
*To:* midpoint at lists.evolveum.com
*Subject:* [midPoint] Modification of role hierarchy not working

Hi everyone!

Has anyone tried to modify an existing role yet?
It seems like changes in the role hierarchy are not distributed to the
resources correctly after Recomputation.

1) The scenario starts like this:

   - The user 'Testuser' has an assignment to the empty 'Root-Role'.

2) In the second step, I edit the role 'Root-Role':

   - The 'Resource-Role' has an account construction inducement for a
   resource (e.g. dummy CSV).
   - The 'Root-Role' has an inducement to the 'Resource-Role'.

Because of MidPoint's eventual consistency, I start a Recomputation of all
'Root-Role' members.

A projection for the resource is created for the 'Testuser'. So far so good.

3) In the third step, I edit the role 'Root-Role' again:

   - The inducement to 'Resource-Role' is removed from the 'Root-Role'.

To regain consistency, I start a Recomputation of all 'Root-Role' members

Nothing happens.
The user 'Testuser' still has his projection for the resource (which should
be deleted).
Only one thing happened: The <roleMembershipRef> to 'Resource-Role' was
removed during Recomputation.

The same bahaviour happened as I tried these variations:

   - Deactivating the inducement ('Root-Role' -> 'Resource-Role') instead
   of deleting it
   - Reconciling the user 'Testuser' instead of starting the Recomputation
   of all members of role 'Root-Role'
   - Use different <strength> values for the construction inducement in the

Sidenote: The system behaves in the same (wrong?) way, when I replace the
construction inducement with a group projection.
In this case, the user should already have an account in the resource.

Interestingly, this operation still work:

   - If I directly assign the 'Resource-Role' to the 'Testuser', the
   projection is created correctly.
   - If I remove the direct assignment of 'Resource-Role' from the
   'Testuser', the projection is deleted correctly.

Sidenote: The Enforcement Options of the resources are set to the default
value ('relative' with no legalization).
This should create accounts after assignment and delete accounts after
Other accounts in the resource should not be touched.
The other Enforcement Options and the Legalization are not useful in my
scenario (I don't want all unassigned accounts to be whiped from the

The problem seems to be, that the Reconcile/Recompute job doesn't know,
that there had ever been an indirect assignment to the 'Resource-Role'.
Instead, the job behaves like the projetion was created manually for the
Because of this, there seems to be nothing to recompute for MidPoint.

I tried to analyze this behavior in a primary hook and found something
When a role is assigned/unassigned directly to a user, this is visible in
the <assignment> section and there is a delta with this change.
When a role is assigned/unassigned indirectly to a user, this is visible in
the <roleMembershipRef> section, but there is no delta at all.
I assume, this causes the different treatment of direct and indirect

If indirect assignments (<roleMembershipRef>) would be treated like direct
assignments (<assignment>), then everything would propably work as expected.
Changes made to the role hierarchy would cause an effect during
Reconcile/Recompute, because the <roleMembershipRef> are already added and
removed correctly right now.

Is there any recommended way, how to make changes to the role hierarchy?

Are there any configurations with which MidPoint can process indirect
assignments EXACTLY like direct assignments?

Is there any setting or configuration with which MidPoint can process the
changes made to indirect assignments when recomputing?

Can I trigger the reconcilation of a role member with some kind of delta
(e.g. 'remove indirect assignment')?

The configuration for my problem looks like this:

<role oid="11111111-9ac3-4c09-8bb1-c151bd8cd128">

            <resourceRef oid="33333333-9d55-4bf6-8fd3-d9c7a6f0bd03"
relation="org:default" type="c:ResourceType">
                <!-- CSV-System -->

<role oid="22222222-afa2-4a2e-9d3e-c7e8738c673d">
        <targetRef oid="11111111-9ac3-4c09-8bb1-c151bd8cd128"
relation="org:default" type="c:RoleType">
            <!-- Resource-Role -->

<user oid="00000000-d56b-4c7d-baf7-61c98afa8851">
        <targetRef oid="22222222-afa2-4a2e-9d3e-c7e8738c673d"
relation="org:default" type="c:RoleType">
            <!-- Root-Role -->

I hope anyone can help me...
Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.evolveum.com/pipermail/midpoint/attachments/20191008/2735a1d1/attachment-0001.html>

More information about the midPoint mailing list