<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Aivo,</p>
<p>regarding displaying indirect assignments such as roles - we're
already tracking that new feature as
<a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3385">https://jira.evolveum.com/browse/MID-3385</a></p>
<p><br>
</p>
<p>(Also happened to me and I needed it.)</p>
<p>It's waiting for prioritization/sponsorship though.</p>
<p><br>
</p>
<p>Feel free to comment on that issue directly in JIRA.<br>
</p>
<p><br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 10/31/2016 03:41 PM, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1477924891870.86609@rmit.ee" type="cite">
<p>I answer to my own question and the answer is yes. When the
tolerance is set to false in association then all the group
memberships of linked AD users which are not controlled by
midPoint will be deleted. So if I have not imported all AD
groups (where currently linked AD users belong) to midPoint then
after setting tolerance to false and reconciliation only the
membership of the imported and assigned groups will be kept.<br>
But there is a positive side, actually even two positive
results. First is that now the "Valid to" field in assignments
works. There is still an issue (MID-3494) when the role has
approver but that is another problem.<br>
The second positive result is that now the removing of indirect
role assignment works as expected which brings it one critical
step closer to implementing automatic role assignments. I think
now the most troublesome issue for me is that users are not able
to see easily indirect roles - it would be nice to see them (for
example in different color) in "My assignments" and under
profile assignments tab without needing to browse cog menu.<br>
Regards,<br>
Aivo<br>
</p>
<div dir="ltr" style="font-size:12pt; color:#000000;
background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
color="#000000" face="Calibri, sans-serif"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a>
on behalf of Aivo Kuhlberg <a class="moz-txt-link-rfc2396E" href="mailto:aivo.kuhlberg@rmit.ee">&lt;aivo.kuhlberg@rmit.ee&gt;</a><br>
<b>Sent:</b> 31 October 2016 11:01<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Valid to role assignment
problem</font>
<div> </div>
</div>
<div>
<p>Hi Ivan,<br>
Does association + tolerant mean I have to add
&lt;tolerant&gt;false&lt;/tolerant&gt; to the association part
in the account definition in resourceSchema?</p>
<p>If so, then what will happen to all the groups which I have
excluded in my current AD group import? Will this setting
delete any existing members of these groups? For example
when midPoint user A has an AD account and this AD account has
membership in AD group B but this group B is not synced to
midPoint. Will this group membership be deleted if tolerant is
set to false?</p>
<p><br>
Best Regards,<br>
Aivo<br>
</p>
<div style="color:rgb(33,33,33)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" color="#000000" face="Calibri,
sans-serif"><b>From:</b> midPoint
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a> on behalf of Ivan
Noris <a class="moz-txt-link-rfc2396E" href="mailto:ivan.noris@evolveum.com">&lt;ivan.noris@evolveum.com&gt;</a><br>
<b>Sent:</b> 28 October 2016 22:10<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Valid to role assignment
problem</font>
<div> </div>
</div>
<div>
<p>Hi Aivo,</p>
<p>please check this issue: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://jira.evolveum.com/browse/MID-3296">
https://jira.evolveum.com/browse/MID-3296</a></p>
<p><br>
</p>
<p>If it's what you are experiencing, please check how
your association + tolerant is configured.</p>
<p><br>
</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 10/28/2016 10:14 AM, Aivo
Kuhlberg wrote:<br>
</div>
<blockquote type="cite">
<p>Hello,<br>
</p>
<p>I am testing role assignment valid from/to triggering
and have a problem with the valid to functionality. I
assigned a role to a midPoint user and before saving the
assignment I specified a valid to value. This midPoint
role is imported from an AD group so I expect that when
the valid to time is over then the AD group will be
removed from the AD user but that does not happen.
Even full reconciliation of AD users and groups did
not help. Even changing the administrative status to
"Disabled" did not help. But when I changed it to
"Enabled" and then "Disabled" then the AD user group
membership disappeared. Can it be because I am using
.NET AD connector and in LDAP connector this problem
is fixed?<br>
Before that I tested "Valid From" field triggering and
that worked as expected - after the specified time and
validity scanner run the AD group was assigned to AD
user. <br>
Regards,<br>
Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font color="Gray" face="Arial" size="2">This e-mail may contain information which is
classified for official use.</font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
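<p>Added example, not part of the original thread and not midPoint code: a pre-change check that models the behaviour described in the quoted messages, where a non-tolerant association removes every AD group membership that has no currently valid midPoint assignment. The group names, data layout and function names are hypothetical, and the sample data is constructed.</p>

```python
from datetime import datetime


def is_active(assignment, now):
    """True when `now` falls inside the assignment's optional validity window."""
    start, end = assignment.get("valid_from"), assignment.get("valid_to")
    return (start is None or start <= now) and (end is None or now < end)


def preview_non_tolerant(ad_groups, assignments, imported, now):
    """Classify one account's AD memberships for a non-tolerant reconciliation.

    Model (assumption): a membership without an active assignment is removed.
    """
    assigned = {a["group"] for a in assignments}
    active = {a["group"] for a in assignments if is_active(a, now)}
    report = {"kept": [], "removed_inactive_assignment": [],
              "removed_not_imported": [], "removed_unassigned": []}
    for group in sorted(ad_groups):
        if group in active:
            report["kept"].append(group)
        elif group in assigned:
            # "Valid to" has passed or "Valid from" is still in the future
            report["removed_inactive_assignment"].append(group)
        elif group not in imported:
            # group was never imported as a role: collateral removal
            report["removed_not_imported"].append(group)
        else:
            # imported role, but membership was granted directly in AD
            report["removed_unassigned"].append(group)
    return report


# Constructed sample: user A from the thread, with group B not imported.
NOW = datetime(2016, 10, 31, 16, 0)
IMPORTED = {"VPN-Users", "Finance", "Helpdesk"}
USER_A_AD_GROUPS = {"B", "VPN-Users", "Finance", "Helpdesk"}
USER_A_ASSIGNMENTS = [
    {"group": "VPN-Users"},
    {"group": "Finance", "valid_to": datetime(2016, 10, 30, 0, 0)},
]


def sample_report():
    return preview_non_tolerant(USER_A_AD_GROUPS, USER_A_ASSIGNMENTS, IMPORTED, NOW)


if __name__ == "__main__":
    for category, groups in sample_report().items():
        print(f"{category}: {groups}")
```

<p>Reviewing the two "removed" categories that are not tied to an expired assignment before switching tolerance off shows which memberships would be lost as a side effect.</p>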
</body>
</html>