[midPoint] Modification of role hierarchy not working
Jan Vaňáček - AMI Praha a.s.
jan.vanacek at ami.cz
Tue Oct 8 10:30:40 UTC 2019
I think you are referring to Entitlement Membership Removal
*From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of *Tom
*Sent:* Monday, September 30, 2019 5:52 PM
*To:* midpoint at lists.evolveum.com
*Subject:* [midPoint] Modification of role hierarchy not working
Has anyone tried to modify an existing role yet?
It seems like changes in the role hierarchy are not distributed to the
resources correctly after Recomputation.
1) The scenario starts like this:
- The user 'Testuser' has an assignment to the empty 'Root-Role'.
2) In the second step, I edit the role 'Root-Role':
- The 'Resource-Role' has an account construction inducement for a
resource (e.g. dummy CSV).
- The 'Root-Role' has an inducement to the 'Resource-Role'.
Because of MidPoint's eventual consistency, I start a Recomputation of all
A projection for the resource is created for the 'Testuser'. So far so good.
3) In the third step, I edit the role 'Root-Role' again:
- The inducement to 'Resource-Role' is removed from the 'Root-Role'.
To regain consistency, I start a Recomputation of all 'Root-Role' members
The user 'Testuser' still has his projection for the resource (which should
Only one thing happened: The <roleMembershipRef> to 'Resource-Role' was
removed during Recomputation.
The same behaviour happened as I tried these variations:
- Deactivating the inducement ('Root-Role' -> 'Resource-Role') instead
of deleting it
- Reconciling the user 'Testuser' instead of starting the Recomputation
of all members of role 'Root-Role'
- Use different <strength> values for the construction inducement in the
Sidenote: The system behaves in the same (wrong?) way, when I replace the
construction inducement with a group projection.
In this case, the user should already have an account in the resource.
Interestingly, this operation still works:
- If I directly assign the 'Resource-Role' to the 'Testuser', the
projection is created correctly.
- If I remove the direct assignment of 'Resource-Role' from the
'Testuser', the projection is deleted correctly.
Sidenote: The Enforcement Options of the resources are set to the default
value ('relative' with no legalization).
This should create accounts after assignment and delete accounts after
Other accounts in the resource should not be touched.
The other Enforcement Options and the Legalization are not useful in my
scenario (I don't want all unassigned accounts to be wiped from the
The problem seems to be that the Reconcile/Recompute job doesn't know
that there had ever been an indirect assignment to the 'Resource-Role'.
Instead, the job behaves like the projection was created manually for the
Because of this, there seems to be nothing to recompute for MidPoint.
I tried to analyze this behavior in a primary hook and found something
When a role is assigned/unassigned directly to a user, this is visible in
the <assignment> section and there is a delta with this change.
When a role is assigned/unassigned indirectly to a user, this is visible in
the <roleMembershipRef> section, but there is no delta at all.
I assume this causes the different treatment of direct and indirect
If indirect assignments (<roleMembershipRef>) were treated like direct
assignments (<assignment>), then everything would probably work as expected.
Changes made to the role hierarchy would cause an effect during
Reconcile/Recompute, because the <roleMembershipRef> are already added and
removed correctly right now.
Is there any recommended way to make changes to the role hierarchy?
Are there any configurations with which MidPoint can process indirect
assignments EXACTLY like direct assignments?
Is there any setting or configuration with which MidPoint can process the
changes made to indirect assignments when recomputing?
Can I trigger the reconciliation of a role member with some kind of delta
(e.g. 'remove indirect assignment')?
The configuration for my problem looks like this:
<!-- CSV-System -->
<!-- Resource-Role -->
<!-- Root-Role -->
I hope anyone can help me...
Thanks in advance!
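The role hierarchy described in the thread (an empty 'Root-Role' that induces 'Resource-Role', which in turn induces an account construction on a CSV resource), written out as midPoint common-3 role objects. This is an added illustration, not the configuration from the original mail (which was stripped from the archive); the OIDs and the resource name are placeholders and the objects assume a resource of kind account / intent default already exists.

```xml
<!-- Added example: 'Resource-Role' carries the account construction.
     OIDs below are placeholders, not values from the original post. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-0000000a0001">
    <name>Resource-Role</name>
    <inducement>
        <!-- Any user who holds this role (directly or via another role's
             inducement) gets an account projection on the CSV resource. -->
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-0000000c0001"
                         type="ResourceType"/> <!-- placeholder: dummy CSV -->
            <kind>account</kind>
            <intent>default</intent>
        </construction>
    </inducement>
</role>

<!-- Added example: 'Root-Role' is the role the user is assigned to.
     Step 2 of the scenario adds this inducement; step 3 removes it. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-0000000a0002">
    <name>Root-Role</name>
    <inducement>
        <!-- Inducing 'Resource-Role' makes every 'Root-Role' member an
             indirect member of 'Resource-Role' (visible as roleMembershipRef
             on the user, as the thread observes). -->
        <targetRef oid="00000000-0000-0000-0000-0000000a0001" type="RoleType"/>
        <!-- The "deactivate instead of delete" variation from the post
             corresponds to disabling the inducement in place:
        <activation>
            <administrativeStatus>disabled</administrativeStatus>
        </activation>
        -->
    </inducement>
</role>
```

After importing both objects and assigning 'Root-Role' to a user, a recompute of that user is what evaluates the inducement chain and creates (or, once the inducement is gone, should remove) the CSV projection; the behaviour the post questions is whether that removal happens without a direct assignment delta on the user.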