<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Jason,<br>
    <br>
    the configuration for administrativeStatus that I posted was not in
    the task, but in resource schema handling. I have multiple (all)
    resources with that configuration.<br>
    <br>
    I also remember that I also get "false" positives of changing
    administrativeStatus to ENABLED even if the account is already
    enabled; but I assumed that in my case it may be caused by the fact
    that I'm using strong mappings...<br>
    <br>
    ... which is not your case...<br>
    <br>
    I'm not sure if this is error or just false positive; I hope someone
    else may be able to answer this.<br>
    <br>
    Best regards,<br>
    Ivan<br>
    <br>
    <div class="moz-cite-prefix">On 10/01/2015 03:55 PM, Jason Everling
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFkZXY6701iqDh9GpHg3szkaYGXtzBX8c+MDu1nPG2Bqn0h5_Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">No I don't have anything like that in my recon
        task, no activation at all in it. This happened again a few days
        ago when a value in my CSV resource was modified for a user,
        their last name which is "weak" so it did not update in
        midpoint, and when I ran the audit report I saw that it replaced
        ENABLED with ENABLED making it look like they were "disabled"
        but they were not, it just replaced enabled with enabled.
        <div><br>
        </div>
        <div>I went further into my CSV resource and found the below,</div>
        <div><br>
        </div>
        <div>
          <div>         <activation></div>
          <div>            <administrativeStatus></div>
          <div>               <inbound></div>
          <div>                  <expression></div>
          <div>                     <value>enabled</value></div>
          <div>                  </expression></div>
          <div>               </inbound></div>
          <div>            </administrativeStatus></div>
          <div>         </activation></div>
        </div>
        <div><br>
        </div>
        <div>So I changed it and added the highlighted,</div>
        <div><br>
        </div>
        <div>
          <div>         <activation></div>
          <div>            <administrativeStatus></div>
          <div>               <inbound></div>
          <div>                  <font color="#ff0000"><strength>weak</strength></font></div>
          <div>                  <expression></div>
          <div>                     <value>enabled</value></div>
          <div>                  </expression></div>
          <div>               </inbound></div>
          <div>            </administrativeStatus></div>
          <div>         </activation></div>
        </div>
        <div><br>
        </div>
        <div>This might have been causing the false positives as when an
          attribute was changed, even if the attribute was "weak" it
          would still replace "enabled" with "enabled" in the user
          object causing a notification to fire.</div>
        <div><br>
        </div>
        <div>So far after the change, a few days now, I have not had the
          issue again,</div>
        <div><br>
        </div>
        <div>Maybe this is not the cause? But I will keep an eye on it,
          I have notifications going to my email so I will be able to
          see if it happens again before I let the notifications go out
          to the users.</div>
        <div><br>
        </div>
        <div>JASON</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Oct 1, 2015 at 5:31 AM, Ivan
          Noris <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
              <br>
              I have encountered similar behaviour - reconciliation or
              recompute task (or reconcile checkbox) disabled accounts
              that were not provided by roles.<br>
              <br>
              This happened after migration from 3.0.x ->
              3.3-snapshot and with the following configuration in
              resource (see bold text):<br>
              <br>
                              <activation><br>
                                  <existence><br>
                                      <outbound><br>
                              <strength>weak</strength><br>
                                          <expression><br>
                                             
              <path>$focusExists</path><br>
                                          </expression><br>
                                      </outbound><br>
                              </existence><br>
                              <administrativeStatus><br>
                                  <outbound><br>
                                     
              <strength>strong</strength><br>
              <!-- XXX to allow to disable when removing roles by
              recomputing users; but<br>
              enforcement MUST be set to FULL for this to work --><br>
                                      <expression><br>
                                          <script><br>
                                              <code><br>
                                                  import
com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;<br>
              <b>                                    if (legal
                &amp;&amp; assigned) { // previously only
                "legal" was used</b><b><br>
              </b>                                        input;<br>
                                                  } else {<br>
                                                     
              ActivationStatusType.DISABLED;<br>
                                                  }<br>
                                              </code><br>
                                          </script><br>
                                      </expression><br>
                                  </outbound><br>
                              </administrativeStatus><br>
              </activation><br>
              <br>
              Are you using this config too?<br>
              <br>
              Regard,<br>
              I.
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 09/25/2015 05:58 PM, Jason Everling wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">I found out why!
                      <div><br>
                      </div>
                      <div>So if these users did not have any role
                        assigned then their GUI accounts were being
                        disabled.</div>
                      <div><br>
                      </div>
                      <div>Strange though, this did not happen in 3.1.1,
                        so maybe there was a bug in 3.1.1 related to
                        that?</div>
                      <div><br>
                      </div>
                      <div>JASON</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Fri, Sep 25, 2015 at
                        10:08 AM, Jason Everling <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:jeverling@bshp.edu"
                            target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jeverling@bshp.edu">jeverling@bshp.edu</a></a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">I have a recon task that runs
                            every night and after I updated us to 3.2
                            the task last night disabled about 30
                            accounts, only their GUI account and not all
                            their other resource accounts.
                            <div><br>
                            </div>
                            <div>It should have never disabled their
                              accounts, I cannot figure out why that
                              happened and even within the resource
                              there is nothing stated to inactivate or
                              anything, this same task/resource has been
                              running every night for about 3 weeks now
                              and this is the first time this happened,</div>
                            <div><br>
                            </div>
                            <div>Thanks!</div>
                            <span><font color="#888888">
                                <div>
                                  <div><br>
                                  </div>
                                  -- <br>
                                  <div>
                                    <div dir="ltr">JASON</div>
                                  </div>
                                </div>
                              </font></span></div>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">JASON</div>
                      </div>
                    </div>
                    <br>
                  </div>
                </div>
                <font size="2"><br>
                  <br>
                  <span class=""> CONFIDENTIALITY NOTICE:<br>
                    This e-mail together with any attachments is
                    proprietary and confidential; intended for only the
                    recipient(s) named above and may contain information
                    that is privileged. You should not retain, copy or
                    use this e-mail or any attachments for any purpose,
                    or disclose all or any part of the contents to any
                    person. Any views or opinions expressed in this
                    e-mail are those of the author and do not represent
                    those of the Baptist School of Health Professions.
                    If you have received this e-mail in error, or are
                    not the named recipient(s), you are hereby notified
                    that any review, dissemination, distribution or
                    copying of this communication is prohibited by the
                    sender and to do so might constitute a violation of
                    the Electronic Communications Privacy Act, 18 U.S.C.
                    section 2510-2521. Please immediately notify the
                    sender and delete this e-mail and any attachments
                    from your computer. </span></font><br>
                <span class=""> <br>
                  <fieldset></fieldset>
                  <br>
                  <pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                </span></blockquote>
              <span class="HOEnZb"><font color="#888888"> <br>
                  <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
                </font></span></div>
            <br>
            _______________________________________________<br>
            midPoint mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
            <a moz-do-not-send="true"
              href="http://lists.evolveum.com/mailman/listinfo/midpoint"
              rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">
          <div dir="ltr">JASON</div>
        </div>
      </div>
      <br>
      <font size="2"><br>
        <br>
        CONFIDENTIALITY NOTICE:<br>
        This e-mail together with any attachments is proprietary and
        confidential; intended for only the recipient(s) named above and
        may contain information that is privileged. You should not
        retain, copy or use this e-mail or any attachments for any
        purpose, or disclose all or any part of the contents to any
        person. Any views or opinions expressed in this e-mail are those
        of the author and do not represent those of the Baptist School
        of Health Professions. If you have received this e-mail in
        error, or are not the named recipient(s), you are hereby
        notified that any review, dissemination, distribution or copying
        of this communication is prohibited by the sender and to do so
        might constitute a violation of the Electronic Communications
        Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
        notify the sender and delete this e-mail and any attachments
        from your computer. </font><br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
  </body>
</html>