[midPoint] Import and assignmentPolicyEnforcement=none
Yakov Revyakin
yrevyakin at gmail.com
Fri May 19 15:28:58 CEST 2023
No, the previous post is a mistake.
Simply put, each subsequent import (reconcile, recompute) after the initial one
results in a Google account being created.
On Fri, 19 May 2023 at 16:19, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> I've found the root cause. I have a policy rule which triggers "recompute"
> on a user object.
> <policyRule>
>   <policyConstraints>
>     <modification>
>       <item>extension/profileStatus</item>
>     </modification>
>   </policyConstraints>
>   <policyActions>
>     <scriptExecution>
>       <object>
>         <currentObject/>
>       </object>
>       <executeScript>
>         <s:recompute/>
>       </executeScript>
>     </scriptExecution>
>   </policyActions>
> </policyRule>
>
> It looks like recomputing a user this way overrides the "none" projection
> policy of the Google resource. This results in creating a Google account
> even though the Google assignmentPolicyEnforcement is "none".
>
> I tried different available executeOptions without success.
>
> Is this behavior expected?
>
> Thanks,
> Yakov
>
>
>
> On Tue, 16 May 2023 at 12:05, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> In the archetype assigned to the top org I have inducements of 2
>> resources. They work fine when a new user comes to or goes from suborgs.
>>
>> <inducement>
>>   <construction>
>>     <!--Google-->
>>     <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93"
>>                  relation="org:default" type="c:ResourceType"/>
>>     <kind>account</kind>
>>     <intent>default</intent>
>>   </construction>
>>   <order>3</order>
>>   <focusType>UserType</focusType>
>> </inducement>
>>
>> <inducement>
>>   <construction>
>>     <!--Keycloak-->
>>     <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3"
>>                  relation="org:default" type="c:ResourceType"/>
>>     <kind>account</kind>
>>     <intent>default</intent>
>>     <association>
>>       <ref>ri:group</ref>
>>       <outbound>
>>         <expression>
>>           <associationFromLink>
>>             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>>               <kind>entitlement</kind>
>>               <intent>organization</intent>
>>             </projectionDiscriminator>
>>           </associationFromLink>
>>         </expression>
>>       </outbound>
>>     </association>
>>   </construction>
>>   <order>3</order>
>>   <focusType>UserType</focusType>
>> </inducement>
>>
>> Before importing existing accounts I change assignmentPolicyEnforcement
>> from full to none.
>> 1) Importing Google accounts with the import task doesn't reflect the
>> change in assignmentPolicyEnforcement. midPoint tries to create new
>> accounts and modify existing ones. Discovery works, but this is not what I
>> expect. I'd like to see only the existing accounts linked.
>> 2) I can see that with Keycloak assignmentPolicyEnforcement=none works as
>> expected: midPoint doesn't create new Keycloak accounts. But if, for
>> example, during the Google import a user already has a Keycloak account with
>> a group association, midPoint deletes the existing group associations.
>>
>> Strange behavior. Any ideas?
>> midPoint 4.4.3
>>
>> Yakov
>>
>>
>>