[midPoint] How to unassign assignment with effectiveStatus="disabled" and propagate this change to AD
Pavol Mederly
mederly at evolveum.com
Wed Apr 20 12:15:35 CEST 2022
Ľubomír,
what you observe is basically missing functionality in the validity
scanning activity. I have updated the docs to make it clearer.
Please see the Limitations section in
https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/.
--
Pavol Mederly
Software developer
evolveum.com
On 10/02/2022 16:54, Lubomir Odlevak via midPoint wrote:
> Hi Pavol, this problem still persists in all mP versions, 4.4
> included. I already created a JIRA ticket:
> https://jira.evolveum.com/browse/MID-7194.
> If the effective status of the assignment is changed to "disabled" and
> you try to unassign this assignment via mP, it will NOT unassign the AD
> role membership in AD (assignments with the valid-to time in the future
> don't work either).
>
> Regards
> Lubomir
>
>
> On Fri 30. 10. 2020 at 12:21 Pavol Mederly via midPoint
> <midpoint at lists.evolveum.com> wrote:
>
> Lubomir,
>
> this might be a side effect of changes in expression evaluation in
> 4.2.
>
> What is unclear to me is this: As far as I know, the AD role
> membership should be removed as soon as the effective status of
> the assignment is changed to "disabled". (Obviously, disabled
> assignments should not give their owner any entitlements.)
>
> How did 3.8 and 4.1 behave in this respect?
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 30/10/2020 10:19, Lubomir Odlevak via midPoint wrote:
>> Pascal, thanks for the task, but I can unassign the role in mP.
>> The problem is that the change (unassignment) is not propagated into
>> AD for a role assignment with effectiveStatus = "disabled".
>> My case:
>> The role is assigned to the user, the valid-to parameter is set on the
>> assignment, and it is propagated to AD (assigned to the user in AD).
>> At valid-to time mP sets effectiveStatus = "disabled" for this
>> assignment automatically, and the role is still assigned in mP
>> and AD.
>> Now if I manually or with the hook unassign that role from mP,
>> then it is not propagated to AD and the user still has the AD group
>> assigned.
>> I want to achieve that a role with valid-to in mP is unassigned both
>> from mP and AD after the valid-to parameter is exceeded.
>>
>> Regards
>> Lubomir
>>
>> On Fri 16. 10. 2020 at 13:16 Pascal PÉRICHON via midPoint
>> <midpoint at lists.evolveum.com> wrote:
>>
>> this task could be a good start:
>>
>> <task>
>>     <name>task suppress Assignement ETUDIANT-LICENCE</name>
>>     <extension>
>>         <scext:executeScript
>>             xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
>>             xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>             xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>>             xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>             xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
>>             <s:search>
>>                 <s:type>c:UserType</s:type>
>>                 <s:query>
>>                     <q:filter>
>>                         <q:and>
>>                             <q:equal>
>>                                 <q:path>subtype</q:path>
>>                                 <q:value>ETUDIANT-DOCTORAT</q:value>
>>                             </q:equal>
>>                             <q:substring>
>>                                 <q:matching>polyStringNorm</q:matching>
>>                                 <q:path>name</q:path>
>>                                 <q:value>a</q:value>
>>                                 <q:anchorStart>true</q:anchorStart>
>>                             </q:substring>
>>                             <q:equal>
>>                                 <q:path>c:assignment/targetRef/@/name</q:path>
>>                                 <q:value>etudiants-cursus-doctorat</q:value>
>>                             </q:equal>
>>                             <!--q:org>
>>                                 <q:orgRef>
>>                                     <q:oid>u75-etudiants-cursus-licence</q:oid-->
>>                             <!--q:oid>u75-etudiants-cursus-master</q:oid-->
>>                             <!--q:oid>u75-etudiants-cursus-doctorat</q:oid-->
>>                             <!--/q:orgRef>
>>                                 <q:maxDepth>unbounded</q:maxDepth>
>>                             </q:org-->
>>                         </q:and>
>>                     </q:filter>
>>                 </s:query>
>>                 <s:action>
>>                     <s:type>modify</s:type>
>>                     <s:parameter>
>>                         <s:name>delta</s:name>
>>                         <c:value xsi:type="t:ObjectDeltaType">
>>                             <t:changeType>modify</t:changeType>
>>                             <t:itemDelta>
>>                                 <t:modificationType>delete</t:modificationType>
>>                                 <t:path>c:assignment</t:path>
>>                                 <t:value xsi:type="c:AssignmentType">
>>                                     <targetRef oid="u75-etudiants-cursus-doctorat"
>>                                                relation="org:default" type="c:RoleType"/>
>>                                     <!--targetRef oid="u75-etudiants-cursus-doctorat"
>>                                                relation="org:default" type="c:OrgType"/-->
>>                                 </t:value>
>>                             </t:itemDelta>
>>                         </c:value>
>>                     </s:parameter>
>>                 </s:action>
>>             </s:search>
>>         </scext:executeScript>
>>     </extension>
>>     <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
>>     <executionStatus>runnable</executionStatus>
>>     <category>BulkActions</category>
>>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
>>     <recurrence>single</recurrence>
>> </task>
>>
>> On 16/10/2020 at 12:46, Lubomir Odlevak via midPoint wrote:
>>> Hello all,
>>>
>>> I have assigned a role to an MP user and set Activation valid-to on
>>> this assignment. The role has been assigned in MP and AD
>>> successfully.
>>> When the valid-to time has been exceeded, I have run user
>>> reconciliation (or the validity task) and effectiveStatus has
>>> been set to "disabled" for the assignment.
>>> Both the mP role and the AD role are still assigned. Now I'm trying
>>> to unassign the role assignment from the MP user (manually or with a
>>> hook), but it is not removed in AD and the user is still a member
>>> of that AD group. How can I achieve it?
>>> How to unassign an assignment with effectiveStatus="disabled"
>>> and propagate this change to AD and remove the user from the AD
>>> group?
>>>
>>> btw: Unassignments of assignments with effective status "enabled"
>>> are propagated properly to AD.
>>> Tested on mP 3.8 and 4.1.
>>>
>>> Regards
>>> Lubomir Odlevak
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
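An added example, not from this thread and not Evolveum's code, aimed at detecting the condition Lubomir describes rather than fixing it: a bulk-action task in the same executeScript form as Pascal's that lists users still carrying an assignment whose activation/validTo has already passed, so their AD group memberships can be checked against what their assignments now grant. The task name and the cut-off date are constructed; the filter uses the query-3 exists and less elements as I understand them, so verify against the schema of your midPoint version.

```xml
<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3">
    <!-- constructed task name, not part of the thread -->
    <name>Audit: users still holding expired assignments</name>
    <extension>
        <scext:executeScript>
            <s:search>
                <s:type>c:UserType</s:type>
                <s:query>
                    <q:filter>
                        <!-- exists: at least one assignment value matches the inner filter -->
                        <q:exists>
                            <q:path>assignment</q:path>
                            <q:filter>
                                <!-- validTo already in the past; the cut-off is a constructed
                                     sample value, set it to the time of the run -->
                                <q:less>
                                    <q:path>activation/validTo</q:path>
                                    <q:value>2022-04-20T00:00:00Z</q:value>
                                </q:less>
                            </q:filter>
                        </q:exists>
                    </q:filter>
                </s:query>
                <!-- log only: no modification, so nothing is pushed towards AD -->
                <s:action>
                    <s:type>log</s:type>
                    <s:parameter>
                        <s:name>message</s:name>
                        <c:value>User still holds an expired assignment: </c:value>
                    </s:parameter>
                </s:action>
            </s:search>
        </scext:executeScript>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <executionStatus>runnable</executionStatus>
    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
</task>
```

The users logged by this task are exactly the cases in which a disabled-but-not-removed assignment can leave a stale AD group membership behind, so the list is what to compare against AD after the validity scan has run.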