<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Martin,</p>
<p>concerning this one:</p>
<p>
<blockquote type="cite">Without doing any other assignment to the
user, we remove the Group Role. In this case, after verifying
the group and user existence (with the SearchScript), we found
out that the connector executes the DeleteScript in order to
manage User deletion. But it does not do anything with the group
membership.</blockquote>
This is the responsibility of your Groovy script in the ScriptedSQL
resource. So, when requested to delete the user, you have to
delete all of his entitlements.</p>
<p>
<blockquote type="cite">The behaviour that we are trying to
accomplish is the following: Once the user loses the last group,
remove the user from that group but leave it created (and
disabled) within the database.</blockquote>
This has to be solved at the level of midPoint, <b>not</b> in
the connector itself.</p>
Here is a related HOWTO: <a
href="https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete">https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete</a>.<br>
<br>
Best regards,<br>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 13.09.2016 16:01, Martin Marchese
wrote:<br>
</div>
<blockquote
cite="mid:CAG3rmdomCYFSF-2XCAZMsc8ASYMaO4fr56uq4WTqrfiKubmHYw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>We were running some tests with the ScriptedSQL connector
in order to manage group membership in a database.</div>
<div><br>
</div>
<div>Our DB model has the following tables:</div>
<div><br>
</div>
<div>USERS</div>
<div>GROUPS</div>
<div>USERGROUPS</div>
<div><br>
</div>
<div>Assigning the resource to a User executes the create
script and we use that to create the user in the USERS table.</div>
<div><br>
</div>
<div>Adding a Role to a user already linked (which has the
resource meta-role assigned) executes the UPDATE script with the
ADD_ATTRIBUTES_VALUE action and we use that script to add a
record into the USERGROUPS table. Similar behaviour when we
remove the role from the user, but in this case with a
REMOVE_ATTRIBUTE_VALUES action.</div>
<div><br>
</div>
<div>Finally, we tested the following case:</div>
<div><br>
</div>
<div>User not linked nor assigned the Resource. We assign the
Group Role, which creates the user in the USERS table
(CreateScript) and adds the corresponding record to the
USERGROUPS table (UpdateScript with ADD_ATTRIBUTE_VALUE
action).</div>
<div><br>
</div>
<div>Without doing any other assignment to the user, we remove
the Group Role. In this case, after verifying the group and
user existence (with the SearchScript), we found out that the
connector executes the DeleteScript in order to manage User
deletion. But it does not do anything with the group
membership.</div>
<div><br>
</div>
<div>The behaviour that we are trying to accomplish is the
following: Once the user loses the last group, remove the user
from that group but leave it created (and disabled) within the
database.</div>
<div>Yes, we could process this within the delete script, but in
a real Delete (when a user is being deleted but it has many
group assignments within the DB), we would like to disable the
user, without removing the group memberships.</div>
<div><br>
</div>
<div>Is this possible, or is this not how the connector works?</div>
<div><br>
</div>
<div>Thanks in advance</div>
<div><br>
</div>
<div>
<div>
<div class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><b><span></span><span></span>Ing.
Martín Marchese</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
Jorge Newbery 3226<br>
Tel: +54 (11) 4552-3050<br>
<a moz-do-not-send="true"
href="mailto:mmarchese@identicum.com"
target="_blank">mmarchese@identicum.com</a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com"
target="_blank">www.identicum.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
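<p>The reply above says the delete script must remove the user's entitlements itself. The following DeleteScript sketch is an added example, not part of the original thread or of the connector's own samples; the column names (USERS.ID, GROUPS.ID, USERGROUPS.USER_ID, USERGROUPS.GROUP_ID) are assumptions, since the thread only names the tables.</p>
<pre>
```groovy
// Added example: DeleteScript.groovy for a ScriptedSQL resource.
// Bindings supplied by the connector: connection, action, log, objectClass, options, uid.
// Assumed (not from the thread): columns USERS.ID, GROUPS.ID,
// USERGROUPS.USER_ID, USERGROUPS.GROUP_ID; uid carries the primary key value.
import groovy.sql.Sql
import org.identityconnectors.framework.common.exceptions.UnknownUidException

log.info("Entering " + action + " script for " + objectClass)
assert uid != null

def sql = new Sql(connection)

switch (objectClass) {
    case "__ACCOUNT__":
        // Remove entitlements first, then the account, in one transaction, so a
        // failure cannot leave membership rows that point at a deleted user.
        sql.withTransaction {
            int memberships = sql.executeUpdate(
                "DELETE FROM USERGROUPS WHERE USER_ID = ?", [uid])
            int users = sql.executeUpdate(
                "DELETE FROM USERS WHERE ID = ?", [uid])
            if (users == 0) {
                // Throwing inside the closure rolls the transaction back.
                throw new UnknownUidException("No USERS row for uid " + uid)
            }
            log.info("Deleted user " + uid + " and " + memberships + " membership row(s)")
        }
        break

    case "__GROUP__":
        // Same rule for groups: no membership row may outlive its group.
        sql.withTransaction {
            int members = sql.executeUpdate(
                "DELETE FROM USERGROUPS WHERE GROUP_ID = ?", [uid])
            int groups = sql.executeUpdate(
                "DELETE FROM GROUPS WHERE ID = ?", [uid])
            if (groups == 0) {
                throw new UnknownUidException("No GROUPS row for uid " + uid)
            }
            log.info("Deleted group " + uid + " and " + members + " membership row(s)")
        }
        break

    default:
        throw new UnsupportedOperationException(
            "Delete is not implemented for object class " + objectClass)
}
```
</pre>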
</body>
</html>