[midPoint] How to unassign assignment with effectiveStatus="disabled" and propagate this change to AD

Lubomir Odlevak odlevak.lubomir at gmail.com
Thu Apr 21 11:24:04 CEST 2022


Pavol,
I have tried to apply range, but it didn't work properly. The IDM role was
successfully unassigned from the user, but the deletion was not automatically
applied to the respective objects (role membership in AD). It seems that the
effective status is set before the role unassignment, and that is the main
problem.

On Wed, 20 Apr 2022 at 12:15, Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:

> Ľubomír,
>
> what you observe is basically missing functionality in the validity
> scanning activity. I have updated the docs to make it clearer.
>
> Please see the Limitations section in
> https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 10/02/2022 16:54, Lubomir Odlevak via midPoint wrote:
>
> Hi Pavol, this problem still persists in all mP versions, 4.4 included. I
> have already created a JIRA ticket: https://jira.evolveum.com/browse/MID-7194.
> If the effective status of the assignment is changed to "disabled" and you
> try to unassign this assignment via mP, it will NOT unassign the AD role
> membership in AD (assignments with the valid-to time in the future don't work
> either).
>
> Regards
> Lubomir
>
>
> On Fri, 30 Oct 2020 at 12:21, Pavol Mederly via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Lubomir,
>>
>> this might be a side effect of changes in expression evaluation in 4.2.
>>
>> What is unclear to me is this: As far as I know, the AD role membership
>> should be removed as soon as the effective status of the assignment is
>> changed to "disabled". (Obviously, disabled assignments should not give
>> their owner any entitlements.)
>>
>> How did 3.8 and 4.1 behave in this respect?
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 30/10/2020 10:19, Lubomir Odlevak via midPoint wrote:
>>
>> Pascal, thanks for the task, but I can unassign the role in mP. The
>> problem is that the change (unassignment) is not propagated into AD for a
>> role assignment with effectiveStatus = "disabled".
>> My case:
>> The role is assigned to the user, the valid-to parameter is set on the
>> assignment, and it is propagated to AD (assigned to the user in AD). At the
>> valid-to time mP sets effectiveStatus = "disabled" for this
>> assignment automatically, and the role is still assigned in mP and AD.
>> Now if I unassign that role from mP manually or with the hook, it is
>> not propagated to AD and the user still has the AD group assigned.
>> I want to achieve that the mP valid-to role is unassigned both from mP
>> and AD after the valid-to parameter is exceeded.
>>
>> Regards
>> Lubomir
>>
>> On Fri, 16 Oct 2020 at 13:16, Pascal PÉRICHON via midPoint <
>> midpoint at lists.evolveum.com> wrote:
>>
>>> this task could be a good start :
>>>
>>>
>>>     <task>
>>>         <name>task suppress Assignement ETUDIANT-LICENCE</name>
>>>         <extension>
>>>             <scext:executeScript
>>>                 xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
>>>                 xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                 xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>>>                 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>>                 xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
>>>                 <!-- Select the users whose assignment should be removed -->
>>>                 <s:search>
>>>                     <s:type>c:UserType</s:type>
>>>                     <s:query>
>>>                         <q:filter>
>>>                             <q:and>
>>>                                 <q:equal>
>>>                                     <q:path>subtype</q:path>
>>>                                     <q:value>ETUDIANT-DOCTORAT</q:value>
>>>                                 </q:equal>
>>>                                 <q:substring>
>>>                                     <q:matching>polyStringNorm</q:matching>
>>>                                     <q:path>name</q:path>
>>>                                     <q:value>a</q:value>
>>>                                     <q:anchorStart>true</q:anchorStart>
>>>                                 </q:substring>
>>>                                 <!-- dereference targetRef and match on the role name -->
>>>                                 <q:equal>
>>>                                     <q:path>c:assignment/targetRef/@/name</q:path>
>>>                                     <q:value>etudiants-cursus-doctorat</q:value>
>>>                                 </q:equal>
>>>                                 <!-- alternative: select by org membership
>>>                                 <q:org>
>>>                                     <q:orgRef>
>>>                                         <q:oid>u75-etudiants-cursus-licence</q:oid>
>>>                                         <q:oid>u75-etudiants-cursus-master</q:oid>
>>>                                         <q:oid>u75-etudiants-cursus-doctorat</q:oid>
>>>                                     </q:orgRef>
>>>                                     <q:maxDepth>unbounded</q:maxDepth>
>>>                                 </q:org>
>>>                                 -->
>>>                             </q:and>
>>>                         </q:filter>
>>>                     </s:query>
>>>                     <!-- Delete the assignment (matched by targetRef) from each selected user -->
>>>                     <s:action>
>>>                         <s:type>modify</s:type>
>>>                         <s:parameter>
>>>                             <s:name>delta</s:name>
>>>                             <c:value xsi:type="t:ObjectDeltaType">
>>>                                 <t:changeType>modify</t:changeType>
>>>                                 <t:itemDelta>
>>>                                     <t:modificationType>delete</t:modificationType>
>>>                                     <t:path>c:assignment</t:path>
>>>                                     <t:value xsi:type="c:AssignmentType">
>>>                                         <targetRef oid="u75-etudiants-cursus-doctorat"
>>>                                                    relation="org:default" type="c:RoleType"/>
>>>                                         <!-- for an org assignment use type="c:OrgType" -->
>>>                                     </t:value>
>>>                                 </t:itemDelta>
>>>                             </c:value>
>>>                         </s:parameter>
>>>                     </s:action>
>>>                 </s:search>
>>>             </scext:executeScript>
>>>         </extension>
>>>         <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
>>>         <executionStatus>runnable</executionStatus>
>>>         <category>BulkActions</category>
>>>         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
>>>         <recurrence>single</recurrence>
>>>     </task>
>>>
>>> On 16/10/2020 at 12:46, Lubomir Odlevak via midPoint wrote:
>>>
>>> Hello all,
>>>
>>> I have assigned a role to an MP user and set Activation valid-to on this
>>> assignment. The role has been assigned in MP and AD successfully.
>>> When the valid-to time had been exceeded, I ran user reconciliation (or
>>> the validity task) and effectiveStatus was set to "disabled" for the
>>> assignment.
>>> Both the mP role and the AD role are still assigned. Now I'm trying to
>>> unassign the role assignment from the MP user (manually or with a hook),
>>> but it is not removed in AD and the user is still a member of that AD
>>> group. How can I achieve it?
>>> How to unassign an assignment with effectiveStatus="disabled" and propagate
>>> this change to AD and remove the user from the AD group?
>>>
>>> btw: Unassignments with effective status set to "enabled" are
>>> propagated properly to AD.
>>> Tested on mP 3.8 and 4.1.
>>>
>>> Regards
>>> Lubomir Odlevak
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>>
>
>
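Added illustration for readers of this thread (it is not code from midPoint, from Pavol, Pascal or Lubomir, and it was not posted to the list): a small Python helper that does offline what the bulk-action task above does server-side, namely finds the assignments on a user object whose activation/validTo has already passed and builds the ObjectDeltaType that removes them. The user object is constructed sample data, the assignment ids and role OIDs are made up, and the delta keys each deleted assignment by its container id rather than by targetRef as Pascal's task does; that id-based matching is an assumption about how midPoint resolves container values, not something the thread confirms. The namespaces are the standard common-3 and types-3 ones used in the task.

```python
"""Find expired assignments in a midPoint user object and build the delta
that deletes them by container id.

Added example, not midPoint's own code. Assumptions: the common-3 / types-3
namespaces, and that a container value given only by its `id` attribute is
enough for midPoint to match the assignment to delete.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timezone

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
T = "http://prism.evolveum.com/xml/ns/public/types-3"
NS = {"c": C}

# Constructed sample user (not a real midPoint export). Three assignments:
# one without validity, one already expired (effectiveStatus set to disabled,
# as the validity scanner would do) and one still valid in the future.
SAMPLE_USER = f"""<user xmlns="{C}" oid="11111111-1111-1111-1111-111111111111">
  <name>lodlevak</name>
  <assignment id="1">
    <targetRef oid="aaaa0000-role-permanent" type="RoleType"/>
  </assignment>
  <assignment id="2">
    <targetRef oid="bbbb0000-role-ad-group" type="RoleType"/>
    <activation>
      <validTo>2020-10-01T00:00:00+02:00</validTo>
      <effectiveStatus>disabled</effectiveStatus>
    </activation>
  </assignment>
  <assignment id="3">
    <targetRef oid="cccc0000-role-future" type="RoleType"/>
    <activation>
      <validTo>2030-01-01T00:00:00Z</validTo>
      <effectiveStatus>enabled</effectiveStatus>
    </activation>
  </assignment>
</user>"""


def parse_xsd_datetime(text: str) -> datetime:
    """Parse an xsd:dateTime; 'Z' is rewritten so older fromisoformat() accepts it."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def expired_assignments(user_xml: str, now: datetime) -> list[dict]:
    """Return [{id, targetOid, effectiveStatus}] for each assignment whose
    activation/validTo lies strictly before `now`."""
    root = ET.fromstring(user_xml)
    expired = []
    for a in root.findall("c:assignment", NS):
        valid_to = a.findtext("c:activation/c:validTo", default=None, namespaces=NS)
        if valid_to is None or parse_xsd_datetime(valid_to) >= now:
            continue
        target = a.find("c:targetRef", NS)
        expired.append({
            "id": a.get("id"),
            "targetOid": target.get("oid") if target is not None else None,
            "effectiveStatus": a.findtext("c:activation/c:effectiveStatus",
                                          default=None, namespaces=NS),
        })
    return expired


def build_delete_delta(assignment_ids: list[str]) -> str:
    """Serialise an ObjectDeltaType (types-3) with one delete itemDelta per
    assignment id; same shape as the `delta` parameter of the task's modify
    action, but keyed by container id (assumed sufficient for matching)."""
    ET.register_namespace("t", T)
    delta = ET.Element(f"{{{T}}}objectDelta")
    ET.SubElement(delta, f"{{{T}}}changeType").text = "modify"
    for aid in assignment_ids:
        item = ET.SubElement(delta, f"{{{T}}}itemDelta")
        ET.SubElement(item, f"{{{T}}}modificationType").text = "delete"
        ET.SubElement(item, f"{{{T}}}path").text = "assignment"
        ET.SubElement(item, f"{{{T}}}value", id=aid)
    return ET.tostring(delta, encoding="unicode")


def demo() -> tuple[list[dict], str]:
    """Run the check against the sample user at the date of this thread."""
    now = datetime(2022, 4, 21, 11, 24, tzinfo=timezone.utc)
    expired = expired_assignments(SAMPLE_USER, now)
    return expired, build_delete_delta([e["id"] for e in expired])


if __name__ == "__main__":
    found, delta_xml = demo()
    for e in found:
        print(f"assignment id={e['id']} target={e['targetOid']} "
              f"effectiveStatus={e['effectiveStatus']} -> delete")
    print(delta_xml)
```

Run as-is it reports only assignment id 2 (the one the validity scanner would have flagged as disabled) and prints a delta deleting that container value; the delta is what you would feed to the modify action, after which checking the user's AD group membership tells you whether the unassignment was actually propagated.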