[midPoint] (sub)role unassignment issue

Markus Calmius markus.calmius at proton.ch
Wed Oct 25 10:26:41 CEST 2023


Hi,

I got some assistance that pointed out an error in my association-config. I had forgotten the <tolerant>false</tolerant> attribute.
Adding that, the association (and group membership in the resource) was removed.

The account on the resource is disabled, but not removed.

If I assign the role directly, and then unassign it, the account is also removed. So there is probably another issue somewhere, but at least the access/entitlement is removed, which is good (enough for now).


Markus Calmius
Proton AG
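
To show where the `<tolerant>false</tolerant>` element from the reply sits, here is an added illustration of the two pieces involved: the association definition in the Keycloak resource's schemaHandling, and a role whose inducement adds the group membership through that association. This is my example, not the poster's configuration and not code from the midPoint project. Element names follow the midPoint resource and role schema; the Keycloak attribute names (ri:group, ri:members, ri:name), the group name "app-users" and the resource OID are placeholders I assumed.

```xml
<!-- Fragment 1: association definition inside the Keycloak resource.
     Added illustration, not the poster's config. Attribute names are assumed. -->
<schemaHandling
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:AccountObjectClass</objectClass>
        <association>
            <ref>ri:group</ref>
            <displayName>Keycloak group membership</displayName>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:members</associationAttribute>
            <valueAttribute>ri:name</valueAttribute>
            <!-- tolerant=false: midPoint owns the full set of memberships on the
                 account. A membership no mapping produces any more (for example
                 one left behind when the inducing role or archetype goes away)
                 is removed on the next recompute/reconciliation.
                 The default, tolerant=true, leaves such values in place. -->
            <tolerant>false</tolerant>
        </association>
    </objectType>
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <objectClass>ri:GroupObjectClass</objectClass>
    </objectType>
</schemaHandling>

<!-- Fragment 2: the "Keycloak" role. It can be assigned directly or induced
     through a business role or archetype; either way the construction below
     asks for the ri:group association and midPoint looks up the group on the
     resource by name. The OID and group name are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Keycloak app-users</name>
    <inducement>
        <construction>
            <!-- placeholder OID of the Keycloak resource -->
            <resourceRef oid="00000000-0000-0000-0000-00000000aa01" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:name</q:path>
                                    <q:value>app-users</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</role>
```

Two things to check before switching an association to tolerant=false. First, midPoint then treats itself as the authority for that membership set: a group membership someone granted by hand in the Keycloak admin console, outside midPoint, is stripped at the next reconciliation. That is the right behaviour for an entitlement that must track role assignment, but take an inventory of such out-of-band memberships first. Second, the setting governs only the association values; whether the account itself is deleted or merely disabled when the last assignment goes away is decided elsewhere (projection activation and assignment policies), which is consistent with the reply seeing the membership removed while the account stays disabled.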


------- Original Message -------
On Tuesday, October 24th, 2023 at 12:00, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:


> Message: 1
> Date: Tue, 24 Oct 2023 08:12:10 +0000
> From: Markus Calmius markus.calmius at proton.ch
> To: midPoint General Discussion midpoint at lists.evolveum.com
> Subject: [midPoint] (sub)role unassignment issue
> Message-ID: clOSROJh1EbcE4vNfAxBxtsrMnHTdSOdJBriXF0NCB_KXtup-ZISoTmcxT15NLkm97WabHkU_blbTsaKPSZphSr0oIR9z91_2kYQwp4PkWs=@proton.ch
> 
> Hi,
> 
> if someone can point me in the right direction on how to solve the problem below, I will very much appreciate it.
> 
> During HR import we set some specific archetypes (thanks Pavol for guiding me to "mapping range").
> The main archetype (for active users) induces two roles: one to give access to midpoint-gui and one business role that induces other roles, one of which sets a group in a Keycloak resource.
> When the archetype is changed (lifecycle state has changed), all direct and indirect assignments are removed, but the user still has an account and an association to the group in Keycloak.
> 
> If, however, I assign the "keycloak" role manually and then deactivate the user, it is removed (thanks to the hook implementation).
> 
> So:
> 
> User->ArcheType->Business-Role->Keycloak-Role - does not work
> User->Business-Role->Keycloak-Role - does not work
> User->Keycloak-Role - works
> 
> 
> Markus Calmius
> Proton AG
> 
> 