<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p>the configuration for "disable instead of delete" works only for
unassigning "last role" - to tell midPoint that the account should
be disabled instead. Delete still works as usual.</p>
<p>Activation mapping is obviously not evaluated when you delete
a user (I think no mappings are evaluated).</p>
<p>You can configure any resource to arbitrarily disable the delete
operation using capabilities; in which case midPoint will throw an
exception when you try to delete the account.</p>
<pre>&lt;capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"&gt;
    &lt;configured&gt;
        &lt;cap:create&gt;
            &lt;cap:enabled&gt;true&lt;/cap:enabled&gt;
        &lt;/cap:create&gt;
        &lt;cap:update&gt;
            &lt;cap:enabled&gt;true&lt;/cap:enabled&gt;
        &lt;/cap:update&gt;
<b>        &lt;cap:delete&gt;
            &lt;cap:enabled&gt;false&lt;/cap:enabled&gt;
        &lt;/cap:delete&gt;</b>
    &lt;/configured&gt;
&lt;/capabilities&gt;
</pre>
<p>The drawback of disabling the delete operation using capabilities is
that every delete operation (for account or not) will fail. You
can also modify the permissions of the technical account the
connector uses, to not allow deletes (it will throw an exception as
well).</p>
<p>A different approach is not to delete the users/accounts at
all.<br>
</p>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 11/10/2016 06:07 PM, Ana Pereyra
wrote:<br>
</div>
<blockquote
cite="mid:CAO5EgRr=U5g+Xm4DV4nrA-G=5Or-EtbLuDiGpEwZ+HxrNesJAg@mail.gmail.com"
type="cite">
<div dir="ltr">Hi everyone, <br clear="all">
<div><br>
</div>
<div>I have an Active Directory resource with the activation
node configured like this:</div>
<div><i><br>
</i></div>
<div>
<pre>&lt;activation&gt;
    &lt;!--Existence mapping hardcoded to TRUE in order not to delete in the resource when deleted in MidPoint --&gt;
    &lt;existence&gt;
        &lt;outbound&gt;
            &lt;expression&gt;
                &lt;value&gt;true&lt;/value&gt;
            &lt;/expression&gt;
        &lt;/outbound&gt;
    &lt;/existence&gt;
    &lt;!-- If user exists and account is entitled --&gt;
    &lt;administrativeStatus&gt;
        &lt;outbound&gt;
            &lt;expression&gt;
                &lt;script&gt;
                    &lt;code&gt;
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                        if (legal &amp;&amp; assigned)
                        {
                            input;
                        }
                        else
                        {
                            ActivationStatusType.DISABLED;
                        }
                    &lt;/code&gt;
                &lt;/script&gt;
            &lt;/expression&gt;
        &lt;/outbound&gt;
    &lt;/administrativeStatus&gt;
&lt;/activation&gt;
</pre>
</div>
<div><i><br>
</i></div>
<div>What I need is the following:</div>
<div>
<ul>
<li>When a user that is linked is <b>disabled</b>, the
account is <b>disabled </b>in AD (Working)<br>
</li>
<li>When a user has the <b>association </b>to AD <b>removed
</b>(the resource is removed from the user, or a role
containing an inducement to the resource is removed from
the user), the account is <b>disabled </b>in AD
(Working)<br>
</li>
<li>When a user that is linked is <b>DELETED </b>from
MidPoint, the account is <b>disabled </b>in AD (NOT
WORKING). Currently, with this configuration, when I
delete a user that is linked in AD I get the following
error:</li>
</ul>
</div>
<div><i>Schema violation during processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values: Schema violation during
processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values: Schema violation during
processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values: Schema violation during
processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values</i><br>
</div>
<div><i><br>
</i></div>
<div>Can anyone please help me with this? Thanks in advance.</div>
<div><br>
</div>
<div>Regards,</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr"><b>Ana Pereyra</b><br>
Identicum S.A.<br>
<i>Jorge Newbery 3226, Argentina<br>
Tel: +54 (11) 4552.3050</i><br>
<a href="mailto:apereyra@identicum.com">apereyra@identicum.com</a><br>
<a href="http://www.identicum.com/">www.identicum.com</a></div>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
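<p>An added example, not part of the original messages and not midPoint code: a small check that reads a resource definition and reports which operations its configured capabilities switch off, so a review can confirm that delete is blocked for the whole resource as the reply describes. The <code>&lt;resource&gt;</code> wrapper, the sample document and the function names are constructed for illustration, and treating a capability without <code>cap:enabled</code> as enabled is an assumption.</p>

```python
import xml.etree.ElementTree as ET

# Capabilities namespace as given in the reply above.
CAP_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"

# Constructed sample: the <capabilities> fragment from the reply, wrapped in a
# hypothetical <resource> root so that it parses on its own.
SAMPLE_RESOURCE = """
<resource xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <name>Constructed AD resource</name>
  <capabilities>
    <configured>
      <cap:create><cap:enabled>true</cap:enabled></cap:create>
      <cap:update><cap:enabled>true</cap:enabled></cap:update>
      <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
    </configured>
  </capabilities>
</resource>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def configured_capabilities(resource_xml):
    """Return {operation: enabled} for each cap:* element under <configured>."""
    root = ET.fromstring(resource_xml)
    result = {}
    for element in root.iter():
        # Match <configured> by local name: the page does not show its namespace.
        if local_name(element.tag) != "configured":
            continue
        for cap in element:
            if not cap.tag.startswith("{" + CAP_NS + "}"):
                continue
            enabled = cap.find("{%s}enabled" % CAP_NS)
            # Assumption: a capability without <cap:enabled> counts as enabled.
            value = "true" if enabled is None else (enabled.text or "").strip().lower()
            result[local_name(cap.tag)] = value == "true"
    return result


def delete_blocked(resource_xml):
    """True only when the configured capabilities explicitly disable delete."""
    return configured_capabilities(resource_xml).get("delete", True) is False
```

<p>A result of <code>False</code> from <code>delete_blocked</code> means only that the configuration does not override delete; whether the connector or its technical account allows deletes is a separate matter.</p>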
</body>
</html>