<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Aivo,<br>
<br>
yes, that's exactly what I wanted to suggest, but I haven't had time to
answer/check your configs yet.<br>
I hope that's it.<br>
<br>
Rule of thumb #1: if you wish the reconciliation to enforce some
value, mapping strength must be strong.<br>
Rule of thumb #2: default strength=normal.<br>
<br>
A normal-strength mapping is applied whenever the source attribute(s)
change, not during reconciliation/synchronization.<br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 04/27/2016 04:24 PM, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1461767057902.91321@rmit.ee" type="cite">
<p>I think I solved the problem now. I added the strength parameter to the
groups metarole, as Ivan suggested:</p>
<pre>
<inducement id="2">
    <construction>
        <resourceRef oid="f25fd804-12ba-41e2-a961-c72eb5d9ab5b" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:group</c:ref>
            <outbound>
                <strength>strong</strength>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>
</pre>
<p>Thanks for your help!<br>
</p>
<p>Aivo Kuhlberg<br>
</p>
<div style="font-size:12pt; color:#000000;
background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
on behalf of Aivo Kuhlberg <a class="moz-txt-link-rfc2396E" href="mailto:aivo.kuhlberg@rmit.ee"><aivo.kuhlberg@rmit.ee></a><br>
<b>Sent:</b> 27 April 2016 15:49<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Assigned AD group does not
reappear when 1 of 2 groups is deleted from AD user</font>
<div> </div>
</div>
<div>
<p>Hi Gusto, Ivan,<br>
My AD sync resource is here: <a class="moz-txt-link-freetext" href="http://pastebin.com/4McckbmY">http://pastebin.com/4McckbmY</a><br>
Imported AD groups have the following metarole assignment:
<a class="moz-txt-link-freetext" href="http://pastebin.com/z4pNS3hq">http://pastebin.com/z4pNS3hq</a><br>
Regards,<br>
Aivo Kuhlberg<br>
</p>
<div style="color:rgb(33,33,33)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> midPoint
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf of Ivan
Noris <a class="moz-txt-link-rfc2396E" href="mailto:ivan.noris@evolveum.com"><ivan.noris@evolveum.com></a><br>
<b>Sent:</b> 27 April 2016 14:56<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Assigned AD group does not
reappear when 1 of 2 groups is deleted from AD user</font>
<div> </div>
</div>
<div>Hi Aivo,<br>
also please show us how associations for groups are
configured in the roles that put users into those groups.<br>
The mappings should be
<strength>strong</strength> to apply during
recon.<br>
<br>
I<br>
<br>
<div class="moz-cite-prefix">On 04/27/2016 01:45 PM, Pálos
Gustáv wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>please send me a resource config XML</div>
<div>Do you use <tolerant>false</tolerant>
in group attribute in schemaHandling?</div>
<div><br>
</div>
<div>Gusto</div>
<div><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-04-27 13:33
GMT+02:00 Aivo Kuhlberg <span dir="ltr">
<<a moz-do-not-send="true"
href="mailto:aivo.kuhlberg@rmit.ee"
target="_blank">aivo.kuhlberg@rmit.ee</a>></span>:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex; border-left-width:1px;
border-left-style:solid;
border-left-color:rgb(204,204,204);
padding-left:1ex">
<div dir="ltr" style="font-size:12pt;
color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255)">
<p>Today I noticed strange behavior in
midPoint role reassignment. I have set up
AD sync and imported users and also groups
as roles. I am testing a user who has an AD
resource assignment in midPoint and also 2
AD-group-based role assignments.<br>
At first I remove in AD one of the
assigned role-based groups from the user, but
not both groups. Then I run a recomputation
task in midPoint.<br>
Result: the previously deleted group does not
appear again on the AD user.<br>
If I remove both groups in AD, then after
recomputation both groups appear again on the
AD user.<br>
Is this a bug or am I missing something?<br>
</p>
<p>I use midPoint 3.3.1 with AD connector<br>
</p>
<p><br>
</p>
<p>Thanks,</p>
<p>Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font face="Arial" color="Gray" size="2">This e-mail may contain information which
is classified for official use.</font> </div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
</pre>
</div>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
</pre>
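<p>Added example, not part of the thread and not midPoint's own code: a Python check that applies the two rules of thumb above to a role or metarole XML and lists every outbound mapping whose strength is not strong, i.e. one that reconciliation will not enforce. The sample role is constructed for illustration, and the names SAMPLE and non_enforced_mappings are assumptions of this example.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a metarole with three outbound
# mappings, one per strength case (strong, default, weak).
SAMPLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <inducement id="1"><construction><association>
    <ref>ri:group</ref>
    <outbound><strength>strong</strength></outbound>
  </association></construction></inducement>
  <inducement id="2"><construction><association>
    <ref>ri:group</ref>
    <outbound><expression/></outbound>
  </association></construction></inducement>
  <inducement id="3"><construction><attribute>
    <ref>ri:description</ref>
    <outbound><strength>weak</strength></outbound>
  </attribute></construction></inducement>
</role>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if local(c.tag) == name), None)

def non_enforced_mappings(xml_text):
    """Return (inducement id, item ref, effective strength) for each outbound
    mapping that is not strong (rule of thumb #1: only strong is enforced)."""
    findings = []
    for ind in ET.fromstring(xml_text).iter():
        if local(ind.tag) != "inducement":
            continue
        for item in ind.iter():
            outbound = child(item, "outbound")
            if local(item.tag) not in ("association", "attribute") or outbound is None:
                continue
            s = child(outbound, "strength")
            # Rule of thumb #2: a missing or empty <strength> means normal.
            strength = ((s.text or "") if s is not None else "").strip() or "normal"
            if strength != "strong":
                ref = child(item, "ref")
                name = (ref.text or "").strip() if ref is not None else None
                findings.append((ind.get("id"), name, strength))
    return findings
```

<p>Calling non_enforced_mappings(SAMPLE) reports inducements 2 and 3; running it over exported roles before a reconciliation task shows which group memberships would not be restored after an out-of-band change on the resource.</p>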
</body>
</html>