<html>

  <head>

    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    Hi Lucie,<br>

    <br>

    can you please check your setting in System config - Assignment

    Policy Enforcement?<br>

    I've just test your issue:<br>

    <br>

    1) when <b>Relative</b> (default) assignment policy is used: the

    behaviour is as you have specified. Unassigning the role (or

    account) will disable it because of your configuration.

    Disabling/enabling User in midPoint will disable/enable the account

    (even if it is unassigned)<br>

    <br>

    2) when <b>Full</b> assignment policy is used: unassigning the role

    (or account) will disable it because of your configuration.

    Disabling User in midPoint will disable the User+account (although

    it is disabled, so no change will be provisioned). BUT, when you try

    to Enable User, the User will be enabled, but the account will be

    DISABLED.<br>

    <br>

    As I understand the behaviour is caused by<br>

    <br>

                                        import

com.evolveum.midpoint.xml.ns._public.common.common_2a.ActivationStatusType;<br>

                                        if (legal) {

    <br>

                                            input;

    <br>

                                        } else {

    <br>

    ActivationStatusType.DISABLED;

    <br>

    <br>

    the "legal" variable will be false after the account/role is

    unassigned and the assignment enforcement policy is FULL.<br>

    <br>

    Please refer to

    <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Projection+Policy">https://wiki.evolveum.com/display/midPoint/Projection+Policy</a> page

    for the enforcement policy modes. In the short, unassigned accounts

    are prohibited in FULL enforcement policy, they would be deleted,

    but in your configuration you've replaced delete with disable.<br>

    <br>

    Hope this helps.<br>

    <br>

    Regards,<br>

    IVan<br>

    <br>

    <div class="moz-cite-prefix">On 03/20/2014 03:06 PM, Lucie Rút

      Bittnerová wrote:<br>

    </div>

    <blockquote cite="mid:532AF5E6.5050706@ami.cz" type="cite">Hello,

      <br>

      <br>

      I have some issues which I cannot solve.

      <br>

      <br>

      I have configured activation of resource exactly as it is written

      on wiki:

      <br>

      <br>

                 <activation>

      <br>

                      <existence>

      <br>

                          <outbound>

      <br>

                              <expression>

      <br>

                                  <path>$focusExists</path>

      <br>

                              </expression>

      <br>

                          </outbound>

      <br>

                      </existence>

      <br>

                      <administrativeStatus>

      <br>

                          <outbound>

      <br>

                              <expression>

      <br>

                                  <script>

      <br>

                                      <code>

      <br>

                                          import

com.evolveum.midpoint.xml.ns._public.common.common_2a.ActivationStatusType;<br>

                                          if (legal) {

      <br>

                                              input;

      <br>

                                          } else {

      <br>

      ActivationStatusType.DISABLED;

      <br>

                                          }

      <br>

                                      </code>

      <br>

                                  </script>

      <br>

                              </expression>

      <br>

                          </outbound>

      <br>

                      </administrativeStatus>

      <br>

                  </activation>

      <br>

      <br>

      But the behaviour is not such as it should be. When I unassign

      role which assigns this resource to the user, the account stays in

      the list of accounts and is disabled, that is ok. When I change

      some attribute of the user, it is synchronized to the account,

      which stays disabled, thats also ok. But when I change state of

      the user to disabled and then back to enabled, the account, which

      should stay disabled, changes its state to enabled, which I think

      is wrong. Can you please help me how to change the configuration

      that the account would be on unassignment not only disabled but

      also unlinked?

      <br>

      <br>

      I have also problem how to configure resource to achieve this

      behaviour: When resource is assigned to the user and the user

      account already exists on that resource I'd like to have linked

      this account to the user without any errors  but now I get only

      error message and no account is linked.

      <br>

      <br>

      Is it possible to configure Midpoint in the way that when user

      with some accounts is deleted the accounts are only disabled and

      unlinked and not deleted?

      <br>

      <br>

      Thank you for any help.

      <br>

      Lucie

      <br>

      <br>

      _______________________________________________

      <br>

      midPoint mailing list

      <br>

      <a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>

      <br>

      <a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>

      <br>

    </blockquote>

    <br>

    <pre class="moz-signature" cols="72">-- 

  Ing. Ivan Noris

  Senior Identity Management Engineer

  evolveum.com

  ___________________________________________________

  "Semper cautus - semper paratus - semper idem Vix."

</pre>

  </body>

</html>