<div dir="ltr">Disregard that last email, was not caused by the shadow effectiveStatus</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 2, 2015 at 9:02 AM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yeah I read that on the jira issue BUT it seems that since the effectiveStatus for the shadow was changed even though the user object was enabled for both effectiveStatus and administrativeStatus, it still fired the below notification.<div><br></div><div><div> <expressionFilter></div><div> <script></div><div> <code></div><div><span style="white-space:pre-wrap"> </span>event.isRelatedToItem(new com.evolveum.midpoint.prism.path.ItemPath("activation", "administrativeStatus")) &&</div><div><span style="white-space:pre-wrap"> </span>basic.getExtensionPropertyValue(requestee, '<a href="http://www.bshp.edu/xml/ns/public/bshp" target="_blank">http://www.bshp.edu/xml/ns/public/bshp</a>', 'eduPersonAffiliation') == 'student'</div><div> </code></div><div> </script></div><div> </expressionFilter></div></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 2, 2015 at 8:52 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
BTW I'm not sure if effectiveStatus is even used now for shadows.<br>
<br>
In User it seems to work OK.<br>
<br>
Regards,<br>
I.<div><div><br>
<br>
<div>On 10/02/2015 03:22 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Yes I saw that yesterday as I was searching, I have
been able to manually change effectiveStatus to enabled using
the debug pages for each shadow that got disabled last week.
<div><br>
</div>
<div>I still do not know why those 30 or so users had that value
of disabled when there are other same type of users that has
enabled instead.</div>
<div><br>
</div>
<div>Thanks Again!</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 2, 2015 at 2:17 AM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
<br>
possibly related to <a href="https://jira.evolveum.com/browse/MID-2585" target="_blank">https://jira.evolveum.com/browse/MID-2585</a><span><font color="#888888"><br>
<br>
I.</font></span>
<div>
<div><br>
<br>
<div>On 10/01/2015 05:46 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Oh I meant also in my resources, not
the task directly,
<div><br>
</div>
<div>Why does this have effectiveStatus disabled
for the persons shadow? that timestamp is when
the notification fired</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div>
<administrativeStatus>enabled</administrativeStatus></div>
<div>
<effectiveStatus>disabled</effectiveStatus></div>
<div>
<enableTimestamp>2015-09-29T12:30:23.392-05:00</enableTimestamp></div>
<div>
<lockoutStatus>normal</lockoutStatus></div>
<div> </activation></div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 1, 2015 at
9:48 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi
Jason,<br>
<br>
the configuration for administrativeStatus
that I posted was not in the task, but in
resource schema handling. I have multiple
(all) resources with that configuration.<br>
<br>
I also remember that I also get "false"
positives of changing administrativeStatus
to ENABLED even if the account is already
enabled; but I assumed that in my case it
may be caused by the fact that I'm using
strong mappings...<br>
<br>
... which is not your case...<br>
<br>
I'm not sure if this is error or just false
positive; I hope someone else may be able to
answer this.<br>
<br>
Best regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 10/01/2015 03:55 PM, Jason
Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">No I don't have
anything like that in my recon task,
no activation at all in it. This
happened again a few days ago when a
value in my CSV resource was
modified for a user, their last name
which is "weak" so it did not update
in midpoint, and when I ran the
audit report I saw that it replaced
ENABLED with ENABLED making it look
like they were "disabled" but they
were not, it just replaced enabled
with enabled.
<div><br>
</div>
<div>I went further into my CSV
resource and found the below,</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div>
<administrativeStatus></div>
<div>
<inbound></div>
<div>
<expression></div>
<div>
<value>enabled</value></div>
<div>
</expression></div>
<div>
</inbound></div>
<div>
</administrativeStatus></div>
<div> </activation></div>
</div>
<div><br>
</div>
<div>So I changed it and added the
highlighted,</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div>
<administrativeStatus></div>
<div>
<inbound></div>
<div> <font color="#ff0000"><strength>weak</strength></font></div>
<div>
<expression></div>
<div>
<value>enabled</value></div>
<div>
</expression></div>
<div>
</inbound></div>
<div>
</administrativeStatus></div>
<div> </activation></div>
</div>
<div><br>
</div>
<div>This might have been causing
the false positives as when an
attribute was changed, even if the
attribute was "weak" it would
still replace "enabled" with
"enabled" in the user object
causing a notification to fire.</div>
<div><br>
</div>
<div>So far after the change, a few
days now, I have not had the issue
again,</div>
<div><br>
</div>
<div>Maybe this is not the cause?
But I will keep an eye on it, I
have notifications going to my
email so I will be able to see if
it happens again before I let the
notifications go out to the users.</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct
1, 2015 at 5:31 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
<br>
I have encountered similar
behaviour - reconciliation or
recompute task (or reconcile
checkbox) disabled accounts
that were not provided by
roles.<br>
<br>
This happened after migration
from 3.0.x -> 3.3-snapshot
and with the following
configuration in resource (see
bold text):<br>
<br>
<activation><br>
<existence><br>
<outbound><br>
<strength>weak</strength><br>
<expression><br>
<path>$focusExists</path><br>
</expression><br>
</outbound><br>
</existence><br>
<administrativeStatus><br>
<outbound><br>
<strength>strong</strength><br>
<!-- XXX to allow to
disable when removing roles by
recomputing users; but<br>
enforcement MUST be set to
FULL for this to work --><br>
<expression><br>
<script><br>
<code><br>
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;<br>
<b>
if (legal &&
assigned) { // previously
only "legal" was used</b><b><br>
</b>
input;<br>
} else {<br>
ActivationStatusType.DISABLED;<br>
}<br>
</code><br>
</script><br>
</expression><br>
</outbound><br>
</administrativeStatus><br>
</activation><br>
<br>
Are you using this config too?<br>
<br>
Regard,<br>
I.
<div>
<div><br>
<br>
<div>On 09/25/2015 05:58
PM, Jason Everling
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">I found
out why!
<div><br>
</div>
<div>So if these users
did not have any
role assigned then
their GUI accounts
were being disabled.</div>
<div><br>
</div>
<div>Strange though,
this did not happen
in 3.1.1, so maybe
there was a bug in
3.1.1 related to
that?</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Fri, Sep 25, 2015 at
10:08 AM, Jason
Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank"></a><a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I
have a recon
task that runs
every night and
after I updated
us to 3.2 the
task last night
disabled about
30 accounts,
only their GUI
account and not
all their other
resource
accounts.
<div><br>
</div>
<div>It should
have never
disabled their
accounts, I
cannot figure
out why that
happened and
even within
the resource
there is
nothing stated
to inactivate
or anything,
this same
task/resource
has been
running every
night for
about 3 weeks
now and this
is the first
time this
happened,</div>
<div><br>
</div>
<div>Thanks!</div>
<span><font color="#888888">
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</div>
</div>
<font size="2"><br>
<br>
<span> CONFIDENTIALITY
NOTICE:<br>
This e-mail together
with any attachments is
proprietary and
confidential; intended
for only the
recipient(s) named above
and may contain
information that is
privileged. You should
not retain, copy or use
this e-mail or any
attachments for any
purpose, or disclose all
or any part of the
contents to any person.
Any views or opinions
expressed in this e-mail
are those of the author
and do not represent
those of the Baptist
School of Health
Professions. If you have
received this e-mail in
error, or are not the
named recipient(s), you
are hereby notified that
any review,
dissemination,
distribution or copying
of this communication is
prohibited by the sender
and to do so might
constitute a violation
of the Electronic
Communications Privacy
Act, 18 U.S.C. section
2510-2521. Please
immediately notify the
sender and delete this
e-mail and any
attachments from your
computer. </span></font><br>
<span> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any
attachments is proprietary and
confidential; intended for only the
recipient(s) named above and may
contain information that is
privileged. You should not retain,
copy or use this e-mail or any
attachments for any purpose, or
disclose all or any part of the
contents to any person. Any views or
opinions expressed in this e-mail
are those of the author and do not
represent those of the Baptist
School of Health Professions. If you
have received this e-mail in error,
or are not the named recipient(s),
you are hereby notified that any
review, dissemination, distribution
or copying of this communication is
prohibited by the sender and to do
so might constitute a violation of
the Electronic Communications
Privacy Act, 18 U.S.C. section
2510-2521. Please immediately notify
the sender and delete this e-mail
and any attachments from your
computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">JASON</div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>