<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Jason,<br>
<br>
some more questions to understand.<br>
<br>
What is the "lifecycle" of the user?<br>
<br>
Assigning the role will cause icfs:name generation for the correct OU.<br>
<br>
Are such roles assigned manually?<br>
<br>
Is the role for "DISABLED" users also assigned manually when the user
leaves?<br>
<br>
Does the user we are speaking of still have that
"DISABLED" role assigned?<br>
<br>
Thanks,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 10/16/2015 10:47 PM, Jason Everling
wrote:<br>
</div>
<blockquote
cite="mid:CAFkZXY7FdpL8t5M3Txs5KzUe8w-T7GRjGLu_cLtYJEffY4aOwQ@mail.gmail.com"
type="cite">
<div dir="ltr">Ok so that makes a little more sense,
<div><br>
</div>
<div>The meta role is used so that when a user is created in the
"GUI" and is assigned an Org, they will then be created in AD
in the same Org. This is so that we do not have to manually type out
the entire OU Path.</div>
<div><br>
</div>
<div>Here is the role,</div>
<div><br>
</div>
<div>
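<div>&nbsp;&nbsp;&lt;name&gt;Metarole for Orgs&lt;/name&gt;</div>
<div>&nbsp;&nbsp;&lt;description&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;This MetaRole will add the current assigned
organization to the organization attribute.</div>
<div>&nbsp;&nbsp;&lt;/description&gt;</div>
<div>&nbsp;&nbsp;&lt;metadata&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;createTimestamp&gt;2015-02-16T13:26:01.203-06:00&lt;/createTimestamp&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"&gt;&lt;!-- administrator --&gt;&lt;/creatorRef&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;createChannel&gt;<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</a>&lt;/createChannel&gt;</div>
<div>&nbsp;&nbsp;&lt;/metadata&gt;</div>
<div>&nbsp;&nbsp;&lt;inducement id="1"&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;focusMappings&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;mapping&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;source&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;c:path&gt;$immediateRole/name&lt;/c:path&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/source&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;target&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;c:path&gt;$focus/organization&lt;/c:path&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/target&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/mapping&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;/focusMappings&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;order&gt;2&lt;/order&gt;</div>
<div>&nbsp;&nbsp;&lt;/inducement&gt;</div>
<div>&lt;/role&gt;</div>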
</div>
<div><br>
</div>
<div>What would you recommend I try?</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 16, 2015 at 3:39 PM, Ivan
Noris <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
<br>
Pavol and I are looking into the logs.<br>
<br>
It seems that the user has assigned organization
OU=_DISABLED,OU=SHP Students,DC=TEST,DC=LOCAL, oid
cce5ec38-5246-4368-9e7b-6b049e01ef4d, which sets the
attribute "organization" (using the metarole).<br>
<br>
Additionally, the user template you posted also sets the
attribute "organization", so after processing, the user has
TWO values of the organization attribute and this eventually
fails in the mapping for (AD) icfs:name.<br>
<br>
How is the first role assigned and why is it kept
assigned?<br>
<br>
Regards,<br>
Ivan
<div>
<div class="h5"><br>
<br>
<div>On 10/16/2015 09:55 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">But the users do not have 2
"organizations" in their profile, they end up with
only 1,
<div><br>
</div>
<div>doesn't the "authoritative" flag ensure that
only one value exists for any multi value
attribute?</div>
<div><br>
</div>
<div>I attached the template that kicks off when a
user is added back to CSV</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 16, 2015 at
2:52 PM, Jason Everling <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:jeverling@bshp.edu"
target="_blank">jeverling@bshp.edu</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">So yes, during the re-adding of
the user, a template kicks off, which all it
does, is add back their original
organization based on costCenter, which then
causes them to be enabled and moved into
another AD container.</div>
<div class="gmail_extra">
<div>
<div><br>
<div class="gmail_quote">On Fri, Oct 16,
2015 at 2:50 PM, Ivan Noris <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF"> This is
strange.<br>
<br>
The two values have the same
initial, so I start to believe
that the two values are produced
by "organization" attribute.<br>
<br>
Can you please check if this user
has one or two values of
user/organization? One seems to be
"OU=DISABLED..."<span><font
color="#888888"><br>
<br>
I.</font></span><span><br>
<br>
<div>On 10/16/2015 09:02 PM,
Jason Everling wrote:<br>
</div>
</span>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Here is the
situation,
<div><br>
</div>
<div>I am running into an
issue, if the user in
the CSV has a middle
initial that was not
there before and does
not have that value in
AD then I get an error,<br
clear="all">
<div><br>
</div>
<div><span>Attempt to
replace 2 values to
a single-valued item
attributes/name;
values:
[PPV(String:cn=Charlie
K.
Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL),
PPV(String:cn=Charlie
K. Brown,</span><span>OU=Dept,OU=Users,OU=Students,</span><span>DC=TEST,DC=LOCAL)]</span><br>
</div>
<div><span><br>
</span></div>
<div><span>The above
user's original
"name" in AD is</span></div>
<div><span>cn=Charlie
Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL</span><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span>So when they
are added to CSV
with a middle
initial it is trying
to build the new
name like in the
first example and
fails.</span></div>
<div><br>
</div>
<div>My AD DN code is,</div>
<div><br>
</div>
<div>
<div><span style="white-space:pre-wrap"> </span>if
(additionalName ==
null) {</div>
<div><span style="white-space:pre-wrap"> </span>return
'cn='+givenName+'
'+familyName+iterationToken+','+organization+'';</div>
<div><span style="white-space:pre-wrap"> </span>}
else {</div>
<div><span style="white-space:pre-wrap"> </span>return
'cn='+givenName+'
'+additionalName+'.
'+familyName+iterationToken+','+organization+'';</div>
<div><span style="white-space:pre-wrap"> </span>}</div>
</div>
<div><br>
</div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
</div>
<br>
</div>
</div>
<font size="2"><br>
<br>
<span> CONFIDENTIALITY NOTICE:<br>
This e-mail together with
any attachments is
proprietary and
confidential; intended for
only the recipient(s) named
above and may contain
information that is
privileged. You should not
retain, copy or use this
e-mail or any attachments
for any purpose, or disclose
all or any part of the
contents to any person. Any
views or opinions expressed
in this e-mail are those of
the author and do not
represent those of the
Baptist School of Health
Professions. If you have
received this e-mail in
error, or are not the named
recipient(s), you are hereby
notified that any review,
dissemination, distribution
or copying of this
communication is prohibited
by the sender and to do so
might constitute a violation
of the Electronic
Communications Privacy Act,
18 U.S.C. section 2510-2521.
Please immediately notify
the sender and delete this
e-mail and any attachments
from your computer. </span></font><br>
<span> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</span></blockquote>
<span> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</span></div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
</div>
</div>
<span><font color="#888888">
<div>
<div dir="ltr">JASON</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
</pre>
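<br>
Added example, not part of the original thread and not midPoint code: a simplified Python model of the diagnosis given in the thread, where the metarole and the user template each contribute a value to the multi-valued "organization" and the quoted DN script therefore yields two values for the single-valued name. The function names, the contributor labels and the per-value evaluation model are assumptions made for this illustration; the sample values are constructed from those quoted in the thread.<br>
<br>

```python
# Added illustration (not midPoint code): a simplified model of the failure
# diagnosed in the thread. Function names and the "contributors" dict are
# assumptions made for this example.

def build_dn(given, family, additional, organization, iteration_token=""):
    """Same logic as the AD DN script quoted in the thread, for ONE organization."""
    if additional is None:
        return "cn=" + given + " " + family + iteration_token + "," + organization
    return ("cn=" + given + " " + additional + ". " + family
            + iteration_token + "," + organization)

def merge_organization(contributors):
    """Union the values each mapping adds to the multi-valued 'organization',
    keeping track of which contributor produced each value."""
    merged = {}
    for source, values in contributors.items():
        for value in values:
            merged.setdefault(value, []).append(source)
    return merged

def outbound_names(user, organizations):
    """Assumed per-value evaluation: the script runs once per organization."""
    return [build_dn(user["givenName"], user["familyName"],
                     user.get("additionalName"), org) for org in organizations]

def single_valued_name(user, contributors):
    """Return the one DN, or raise naming the mappings that conflict."""
    merged = merge_organization(contributors)
    names = outbound_names(user, list(merged))
    if len(names) != 1:
        raise ValueError("%d values for single-valued name: %s; organization set by %s"
                         % (len(names), names, merged))
    return names[0]

# Constructed sample data, taken from the values quoted in the thread.
USER = {"givenName": "Charlie", "additionalName": "K", "familyName": "Brown"}
DISABLED_OU = "OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL"
DEPT_OU = "OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL"
CONFLICT = {"metarole (assigned org)": [DISABLED_OU], "user template": [DEPT_OU]}
RESOLVED = {"user template": [DEPT_OU]}

if __name__ == "__main__":
    print(single_valued_name(USER, RESOLVED))
    try:
        single_valued_name(USER, CONFLICT)
    except ValueError as err:
        print("rejected:", err)
```

The error raised for the conflicting case lists which contributor produced each organization value, which is the information needed to decide whether the lingering "DISABLED" assignment or the template mapping should be removed.<br>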
</body>
</html>