[midPoint] Import and assignmentPolicyEnforcement=none
Yakov Revyakin
yrevyakin at gmail.com
Fri May 19 15:59:20 CEST 2023
So, the real root cause is the <existence> definition.
existence=true can break the "none" assignmentPolicyEnforcement.
If existence is true, then a resource account will be created even though
assignmentPolicyEnforcement="none".
On Fri, 19 May 2023 at 16:28, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> No, the previous post is a mistake.
> Simply each next import (reconcile, recompute) after the initial one
> results in creating a Google account.
>
>
> On Fri, 19 May 2023 at 16:19, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> I've found the root cause. I have a policy rule which triggers
>> "recompute" on a user object.
>> <policyRule>
>> <policyConstraints>
>> <modification>
>> <item>extension/profileStatus</item>
>> </modification>
>> </policyConstraints>
>> <policyActions>
>> <scriptExecution>
>> <object>
>> <currentObject/>
>> </object>
>> <executeScript>
>> <s:recompute/>
>> </executeScript>
>> </scriptExecution>
>> </policyActions>
>> </policyRule>
>>
>> It looks like this way to recompute a user turns off the "none"
>> projection policy of the Google resource. This results in creating a Google
>> account even though a Google assignmentPolicyEnforcement is "none".
>>
>> I tried different available executeOptions without success.
>>
>> Is this behavior expected?
>>
>> Thanks,
>> Yakov
>>
>>
>>
>> On Tue, 16 May 2023 at 12:05, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>>
>>> In the archetype assigned to the top org I have inducements of 2
>>> resources. They work fine when a new user comes to or goes from suborgs.
>>>
>>> <inducement>
>>> <construction>
>>> <!--Google-->
>>> <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93"
>>> relation="org:default" type="c:ResourceType"/>
>>> <kind>account</kind>
>>> <intent>default</intent>
>>> </construction>
>>> <order>3</order>
>>> <focusType>UserType</focusType>
>>> </inducement>
>>>
>>> <inducement>
>>> <construction>
>>> <!--Keycloak-->
>>> <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3"
>>> relation="org:default" type="c:ResourceType"/>
>>> <kind>account</kind>
>>> <intent>default</intent>
>>> <association>
>>> <ref>ri:group</ref>
>>> <outbound>
>>> <expression>
>>> <associationFromLink>
>>> <projectionDiscriminator
>>> xsi:type="c:ShadowDiscriminatorType">
>>> <kind>entitlement</kind>
>>> <intent>organization</intent>
>>> </projectionDiscriminator>
>>> </associationFromLink>
>>> </expression>
>>> </outbound>
>>> </association>
>>> </construction>
>>> <order>3</order>
>>> <focusType>UserType</focusType>
>>> </inducement>
>>>
>>> Before importing existing accounts I change assignmentPolicyEnforcement
>>> from full to none.
>>> 1) Importing Google accounts with the import task doesn't demonstrate the
>>> change in assignmentPolicyEnforcement. Midpoint tries to create new
>>> accounts and modify existing ones. Discovery works, but this is not what I expect.
>>> I'd like to see simply only the existing accounts linked.
>>> 2) I can see that with Keycloak assignmentPolicyEnforcement=none works
>>> as expected - Midpoint doesn't create new Keycloak accounts. But, if, for
>>> example, during Google import a user already has a Keycloak account with a
>>> group association Midpoint deletes existing group associations.
>>>
>>> Strange behavior. Any ideas?
>>> MP4.4.3
>>>
>>> Yakov
>>>
>>>
>>>
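The two resource variants behind the last message, as an added illustration that is not from the thread or from the midPoint project: the Google account object type with an existence mapping that yields true unconditionally (what the poster identifies as the root cause) beside the same object type with that mapping removed, so that existence falls back to midPoint's default of "exists if legal" and assignmentPolicyEnforcement=none only links accounts that already exist. Element names follow the midPoint 4.4 resource schema; the OID is the Google one quoted above; the resource name and the omitted connector settings are assumptions.

```xml
<!-- Added illustration, not from the thread. Both fragments are abbreviated:
     connectorRef, connectorConfiguration and attribute mappings are omitted. -->

<!-- Variant A: the configuration the thread describes as the root cause.
     The existence mapping forces true for every user, so midPoint creates the
     projection on each recompute/reconcile/import regardless of the "none"
     enforcement level. -->
<resource oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93">
    <name>Google</name> <!-- assumed name -->
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <activation>
                <existence>
                    <outbound>
                        <expression>
                            <value>true</value>
                        </expression>
                    </outbound>
                </existence>
            </activation>
        </objectType>
    </schemaHandling>
    <projection>
        <!-- Has no effect on creation while existence is forced to true -->
        <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
    </projection>
</resource>

<!-- Variant B: same resource without the forced existence mapping. With no
     existence mapping, midPoint's default is that the account exists if it is
     "legal" (granted by an assignment or inducement); under enforcement
     "none", assignments are not enforced, so import only links existing
     accounts and does not create new ones. -->
<resource oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93">
    <name>Google</name> <!-- assumed name -->
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <!-- no <activation><existence> mapping here -->
        </objectType>
    </schemaHandling>
    <projection>
        <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
    </projection>
</resource>
```

When the forced mapping is needed for other reasons, the same effect can be obtained by making the existence expression depend on the mapping's `legal` variable instead of a constant, but the simplest check for the behaviour in the thread is to remove the mapping, rerun the import, and confirm that only existing shadows get linked.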