[midPoint] How to unassign assignment with effectiveStatus="disabled" and propagate this change to AD
Pavol Mederly
mederly at evolveum.com
Thu Apr 21 11:32:05 CEST 2022
Ľubomír,
you may be right, but you may not be. I am not sure. I would try to apply the
same principle to the association (by making it non-tolerant). Then
there will be no place for keeping "unauthorized" values there. :)
Unfortunately, the usual disclaimer applies here: this is the most I can
do for you without a subscription. Maybe someone from the community?
--
Pavol Mederly
Software developer
evolveum.com
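The non-tolerant association Pavol suggests above, written out as an added example that is not part of this thread and not taken from midPoint's own samples: a fragment of the AD resource's schemaHandling in which the group association is marked tolerant=false, so that on reconciliation or recompute midPoint removes every group membership that no currently enabled assignment produces. The object class and attribute names (ri:user, ri:group, ri:member, ri:memberOf, ri:dn) and the intent names are assumptions following the usual midPoint LDAP/AD connector conventions; adjust them to the real resource. The role's construction that adds the user to the group stays as it is.

```xml
<!-- Added example: schemaHandling fragment of an AD resource (names assumed, see lead-in) -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:user</objectClass>
        <association>
            <ref>ri:group</ref>
            <displayName>AD group membership</displayName>
            <!-- tolerant=false: midPoint owns this value set. Any membership that is not
                 produced by an enabled assignment's construction is removed on
                 reconciliation/recompute, including one left behind by an assignment
                 whose effectiveStatus has become "disabled". -->
            <tolerant>false</tolerant>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <!-- membership is stored on the group (member) and points to the account (dn) -->
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <!-- read memberships via the account's memberOf instead of scanning all groups -->
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>
    </objectType>
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <objectClass>ri:group</objectClass>
    </objectType>
</schemaHandling>
```

With tolerant=false the set of memberships midPoint computes from the user's assignments (only enabled assignments contribute constructions) is treated as the complete expected set, so the stale membership is deleted during the next reconciliation of the AD resource or recompute of the user, regardless of whether the validity scanner ever unassigns the role. The caveat is the same one that makes this effective: every membership in the mapped group object type that midPoint did not produce is removed too, so groups administered outside midPoint must either live in a separate object type that stays tolerant or be exempted with tolerantValuePattern on the association (check that your midPoint version accepts it there). Preview the changes for one affected user before running a full reconciliation.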
On 21/04/2022 11:24, Lubomir Odlevak wrote:
> Pavol,
> I have tried to apply range, but it didn't work properly. The IDM role was
> successfully unassigned from the user, but the deletion was not automatically
> applied to the respective objects (role membership in AD). It seems
> that the effective status is set before the role unassignment and that is
> the main problem.
>
> On Wed 20. 4. 2022 at 12:15, Pavol Mederly via midPoint
> <midpoint at lists.evolveum.com> wrote:
>
> Ľubomír,
>
> what you observe is basically a missing functionality in the
> validation scanning activity. I have updated the docs to make it
> more clear.
>
> Please see the Limitations section in
> https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/.
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 10/02/2022 16:54, Lubomir Odlevak via midPoint wrote:
>> Hi Pavol, this problem still persists in all mP versions, 4.4
>> included. I already created a JIRA ticket:
>> https://jira.evolveum.com/browse/MID-7194.
>> If the effective status of the assignment is changed to
>> "disabled" and you try to unassign this assignment via mP, it
>> will NOT unassign AD role membership in AD (assignments with
>> the valid-to time in the future don't work either).
>>
>> Regards
>> Lubomir
>>
>>
>> On Fri 30. 10. 2020 at 12:21, Pavol Mederly via midPoint
>> <midpoint at lists.evolveum.com> wrote:
>>
>> Lubomir,
>>
>> this might be a side effect of changes in expression
>> evaluation in 4.2.
>>
>> What is unclear to me is this: As far as I know, the AD role
>> membership should be removed as soon as the effective status
>> of the assignment is changed to "disabled". (Obviously,
>> disabled assignments should not give their owner any
>> entitlements.)
>>
>> How did 3.8 and 4.1 behave in this respect?
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 30/10/2020 10:19, Lubomir Odlevak via midPoint wrote:
>>> Pascal, thanks for the task, but I can unassign the role in
>>> mP. The problem is that the change (unassignment) is not
>>> propagated into AD for a role assignment with effectiveStatus
>>> = "disabled".
>>> My case:
>>> The role is assigned to the user, the valid-to parameter is
>>> set on the assignment and is propagated to AD (assigned to the
>>> user in AD). At the valid-to time mP sets effectiveStatus =
>>> "disabled" for this assignment automatically, and the role
>>> is still assigned in mP and AD.
>>> Now if I manually or with the hook unassign that role from
>>> mP, then it is not propagated to AD and the user still has
>>> the AD group assigned.
>>> I want to achieve that the mP valid-to role is unassigned
>>> both from mP and AD after the valid-to parameter is exceeded.
>>>
>>> Regards
>>> Lubomir
>>>
>>> On Fri 16. 10. 2020 at 13:16, Pascal PÉRICHON via midPoint
>>> <midpoint at lists.evolveum.com> wrote:
>>>
>>> this task could be a good start:
>>>
>>> <task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>>     <name>task suppress Assignement ETUDIANT-LICENCE</name>
>>>     <extension>
>>>         <scext:executeScript
>>>                 xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
>>>                 xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                 xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>>>                 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>>                 xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
>>>             <!-- select the users whose assignment should be removed -->
>>>             <s:search>
>>>                 <s:type>c:UserType</s:type>
>>>                 <s:query>
>>>                     <q:filter>
>>>                         <q:and>
>>>                             <q:equal>
>>>                                 <q:path>subtype</q:path>
>>>                                 <q:value>ETUDIANT-DOCTORAT</q:value>
>>>                             </q:equal>
>>>                             <q:substring>
>>>                                 <q:matching>polyStringNorm</q:matching>
>>>                                 <q:path>name</q:path>
>>>                                 <q:value>a</q:value>
>>>                                 <q:anchorStart>true</q:anchorStart>
>>>                             </q:substring>
>>>                             <!-- dereference the assignment target and match on its name -->
>>>                             <q:equal>
>>>                                 <q:path>c:assignment/targetRef/@/name</q:path>
>>>                                 <q:value>etudiants-cursus-doctorat</q:value>
>>>                             </q:equal>
>>>                             <!-- <q:org>
>>>                                 <q:orgRef>
>>>                                     <q:oid>u75-etudiants-cursus-licence</q:oid>
>>>                                     <q:oid>u75-etudiants-cursus-master</q:oid>
>>>                                     <q:oid>u75-etudiants-cursus-doctorat</q:oid>
>>>                                 </q:orgRef>
>>>                                 <q:maxDepth>unbounded</q:maxDepth>
>>>                             </q:org> -->
>>>                         </q:and>
>>>                     </q:filter>
>>>                 </s:query>
>>>                 <!-- for each matched user, delete the assignment by its targetRef -->
>>>                 <s:action>
>>>                     <s:type>modify</s:type>
>>>                     <s:parameter>
>>>                         <s:name>delta</s:name>
>>>                         <c:value xsi:type="t:ObjectDeltaType">
>>>                             <t:changeType>modify</t:changeType>
>>>                             <t:itemDelta>
>>>                                 <t:modificationType>delete</t:modificationType>
>>>                                 <t:path>c:assignment</t:path>
>>>                                 <t:value xsi:type="c:AssignmentType">
>>>                                     <targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:RoleType"/>
>>>                                     <!-- <targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:OrgType"/> -->
>>>                                 </t:value>
>>>                             </t:itemDelta>
>>>                         </c:value>
>>>                     </s:parameter>
>>>                 </s:action>
>>>             </s:search>
>>>         </scext:executeScript>
>>>     </extension>
>>>     <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
>>>     <executionStatus>runnable</executionStatus>
>>>     <category>BulkActions</category>
>>>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
>>>     <recurrence>single</recurrence>
>>> </task>
>>>
>>> On 16/10/2020 at 12:46, Lubomir Odlevak via midPoint
>>> wrote:
>>>> Hello all,
>>>>
>>>> I have assigned a role to an MP user and set activation
>>>> valid-to on this assignment. The role has been assigned in MP
>>>> and AD successfully.
>>>> When the valid-to time has been exceeded, I have run user
>>>> reconciliation (or the validity task) and effectiveStatus
>>>> has been set to "disabled" for the assignment.
>>>> Both the mP role and the AD role are still assigned. Now I'm
>>>> trying to unassign the role assignment from the MP user (manually
>>>> or with a hook), but it is not removed in AD and the user is
>>>> still a member of that AD group. How can I achieve it?
>>>> How to unassign an assignment with
>>>> effectiveStatus="disabled" and propagate this change to
>>>> AD and remove the user from the AD group?
>>>>
>>>> btw: Unassignments with the effective status set to
>>>> "enabled" are unassigned properly in AD.
>>>> Tested on mP 3.8 and 4.1.
>>>>
>>>> Regards
>>>> Lubomir Odlevak
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> https://lists.evolveum.com/mailman/listinfo/midpoint