<div dir="ltr">Yes I saw that yesterday as I was searching, I have been able to manually change effectiveStatus to enabled using the debug pages for each shadow that got disabled last week.<div><br></div><div>I still do not know why those 30 or so users had that value of disabled when there are other same type of users that has enabled instead.</div><div><br></div><div>Thanks Again!</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 2, 2015 at 2:17 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Jason,<br>
<br>
possibly related to <a href="https://jira.evolveum.com/browse/MID-2585" target="_blank">https://jira.evolveum.com/browse/MID-2585</a><span class="HOEnZb"><font color="#888888"><br>
<br>
I.</font></span><div><div class="h5"><br>
<br>
<div>On 10/01/2015 05:46 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Oh I meant also in my resources, not the task
directly,
<div><br>
</div>
<div>Why does this have effectiveStatus disabled for the persons
shadow? that timestamp is when the notification fired</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div>
<administrativeStatus>enabled</administrativeStatus></div>
<div>
<effectiveStatus>disabled</effectiveStatus></div>
<div>
<enableTimestamp>2015-09-29T12:30:23.392-05:00</enableTimestamp></div>
<div> <lockoutStatus>normal</lockoutStatus></div>
<div> </activation></div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 1, 2015 at 9:48 AM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
<br>
the configuration for administrativeStatus that I posted
was not in the task, but in resource schema handling. I
have multiple (all) resources with that configuration.<br>
<br>
I also remember that I also get "false" positives of
changing administrativeStatus to ENABLED even if the
account is already enabled; but I assumed that in my case
it may be caused by the fact that I'm using strong
mappings...<br>
<br>
... which is not your case...<br>
<br>
I'm not sure if this is error or just false positive; I
hope someone else may be able to answer this.<br>
<br>
Best regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 10/01/2015 03:55 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">No I don't have anything like that in
my recon task, no activation at all in it. This
happened again a few days ago when a value in my
CSV resource was modified for a user, their last
name which is "weak" so it did not update in
midpoint, and when I ran the audit report I saw
that it replaced ENABLED with ENABLED making it
look like they were "disabled" but they were not,
it just replaced enabled with enabled.
<div><br>
</div>
<div>I went further into my CSV resource and found
the below,</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div> <administrativeStatus></div>
<div> <inbound></div>
<div> <expression></div>
<div>
<value>enabled</value></div>
<div> </expression></div>
<div> </inbound></div>
<div> </administrativeStatus></div>
<div> </activation></div>
</div>
<div><br>
</div>
<div>So I changed it and added the highlighted,</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div> <administrativeStatus></div>
<div> <inbound></div>
<div> <font color="#ff0000"><strength>weak</strength></font></div>
<div> <expression></div>
<div>
<value>enabled</value></div>
<div> </expression></div>
<div> </inbound></div>
<div> </administrativeStatus></div>
<div> </activation></div>
</div>
<div><br>
</div>
<div>This might have been causing the false
positives as when an attribute was changed, even
if the attribute was "weak" it would still
replace "enabled" with "enabled" in the user
object causing a notification to fire.</div>
<div><br>
</div>
<div>So far after the change, a few days now, I
have not had the issue again,</div>
<div><br>
</div>
<div>Maybe this is not the cause? But I will keep
an eye on it, I have notifications going to my
email so I will be able to see if it happens
again before I let the notifications go out to
the users.</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 1, 2015 at
5:31 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi
Jason,<br>
<br>
I have encountered similar behaviour -
reconciliation or recompute task (or
reconcile checkbox) disabled accounts that
were not provided by roles.<br>
<br>
This happened after migration from 3.0.x
-> 3.3-snapshot and with the following
configuration in resource (see bold text):<br>
<br>
<activation><br>
<existence><br>
<outbound><br>
<strength>weak</strength><br>
<expression><br>
<path>$focusExists</path><br>
</expression><br>
</outbound><br>
</existence><br>
<administrativeStatus><br>
<outbound><br>
<strength>strong</strength><br>
<!-- XXX to allow to disable when
removing roles by recomputing users; but<br>
enforcement MUST be set to FULL for this to
work --><br>
<expression><br>
<script><br>
<code><br>
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;<br>
<b> if
(legal && assigned) { //
previously only "legal" was used</b><b><br>
</b>
input;<br>
} else {<br>
ActivationStatusType.DISABLED;<br>
}<br>
</code><br>
</script><br>
</expression><br>
</outbound><br>
</administrativeStatus><br>
</activation><br>
<br>
Are you using this config too?<br>
<br>
Regard,<br>
I.
<div>
<div><br>
<br>
<div>On 09/25/2015 05:58 PM, Jason
Everling wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">I found out why!
<div><br>
</div>
<div>So if these users did not have
any role assigned then their GUI
accounts were being disabled.</div>
<div><br>
</div>
<div>Strange though, this did not
happen in 3.1.1, so maybe there
was a bug in 3.1.1 related to
that?</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Sep
25, 2015 at 10:08 AM, Jason
Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank"></a><a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I have a recon
task that runs every night and
after I updated us to 3.2 the
task last night disabled about
30 accounts, only their GUI
account and not all their
other resource accounts.
<div><br>
</div>
<div>It should have never
disabled their accounts, I
cannot figure out why that
happened and even within the
resource there is nothing
stated to inactivate or
anything, this same
task/resource has been
running every night for
about 3 weeks now and this
is the first time this
happened,</div>
<div><br>
</div>
<div>Thanks!</div>
<span><font color="#888888">
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</div>
</div>
<font size="2"><br>
<br>
<span> CONFIDENTIALITY NOTICE:<br>
This e-mail together with any
attachments is proprietary and
confidential; intended for only the
recipient(s) named above and may
contain information that is
privileged. You should not retain,
copy or use this e-mail or any
attachments for any purpose, or
disclose all or any part of the
contents to any person. Any views or
opinions expressed in this e-mail are
those of the author and do not
represent those of the Baptist School
of Health Professions. If you have
received this e-mail in error, or are
not the named recipient(s), you are
hereby notified that any review,
dissemination, distribution or copying
of this communication is prohibited by
the sender and to do so might
constitute a violation of the
Electronic Communications Privacy Act,
18 U.S.C. section 2510-2521. Please
immediately notify the sender and
delete this e-mail and any attachments
from your computer. </span></font><br>
<span> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>