<p dir="ltr">Hello Ivan, thanks for your response.</p>
<p dir="ltr">Unfortunately this didn't work. All our association attributes are set to tolerance=false by default.</p>
<p dir="ltr">Strange thing is, this only happens when reconciling on already assigned high level roles, not on assignment time.</p>
<p dir="ltr">Any other suggestion?<br>
Thanks again,</p>
<div class="gmail_extra"><br clear="all"><div><div class="m_8908444601929514937gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><b>Rodrigo Yanis.</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br></font>Jorge Newbery 3226<br>Tel: +54 (11) 4824-9971<font face="arial, helvetica, sans-serif"><br><a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br><a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2016-11-10 9:48 GMT-05:00 Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Hi Rodrigo,</p>
    <p>maybe &lt;tolerant&gt;false&lt;/tolerant&gt; for association or
      your group attribute (if not using associations) could help...</p>
    <p>Ivan<br>
    </p><div><div class="m_8908444601929514937h5">
    <br>
    <div class="m_8908444601929514937m_2600798162479677229moz-cite-prefix">On 11/10/2016 03:33 PM, Rodrigo Yanis
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="m_8908444601929514937h5">
      <div dir="ltr">Hello everyone,
        <div><br>
        </div>
        <div>We're having issues with our ScriptedSQL connector
          mishandling group membership removals when said memberships
          come from roles that are inherited from a higher level role,
          that is assigned to the user.</div>
        <div><br>
        </div>
        <div>When we remove the database role (the one that is linked to
          the resource's meta-role, and represents a database group)
          from the higher level role, and perform a reconciliation on
          the user, this does not remove the group membership of this
          user in the database. This only happens if the database role
          is assigned directly to the user, and then removed.</div>
        <div><br>
        </div>
        <div>We've also tried with a recompute task on the user, still
          with no luck.</div>
        <div><br>
        </div>
        <div>Since our role hierarchy does not support this last option,
          we must find a way (either through a task or directly) to
          remove memberships to roles that are no longer induced into
          the high level role. </div>
        <div><br>
        </div>
        <div>Do you have an idea on how to proceed? </div>
        <div><br>
        </div>
        <div>Thanks for your help</div>
      </div>
      <br>
      <br>
      </div></div><pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_8908444601929514937HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="m_8908444601929514937HOEnZb"><font color="#888888">
    <br>
    <pre class="m_8908444601929514937m_2600798162479677229moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>

<br></blockquote></div><br></div>