[midPoint] assignmentPolicyEnforcement=none & existence=$focusExists
Yakov Revyakin
yrevyakin at gmail.com
Fri May 19 18:56:02 CEST 2023
I decided to create a new topic to exclude noise from my previous one:
"Import and assignmentPolicyEnforcement=none".
Using things from the popular midPoint page
https://docs.evolveum.com/midpoint/reference/concepts/activation/disable-instead-of-delete/
I have found that the approach when we want to save non-legal accounts from
deletion works fine, but with one exception.
If we have a user with an active assignment of the resource and
assignmentPolicyEnforcement=none and we have the following definition for
existence:
<existence>
    <outbound>
        <strength>weak</strength>
        <expression>
            <path>$focusExists</path>
        </expression>
    </outbound>
</existence>
then any user update (import, recon) results in creating a new resource
account.
It looks like the existence definition disregards
assignmentPolicyEnforcement=none.
This behavior influences the migration phase when we want to manage the
creation of users and the linking of existing accounts of target systems to them.
I don't know if this is a bug or a feature. Probably someone can comment?
Also, there is a workaround: if we rewrite the existence definition in the
following way, the problem goes away:
<existence>
    <outbound>
        <strength>weak</strength>
        <expression>
            <path>$focusExists</path>
        </expression>
        <condition>
            <script>
                <code>
                    return shadow != null
                </code>
            </script>
        </condition>
    </outbound>
</existence>