<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi,</p>
    <p>The configuration for "disable instead of delete" works only for
      unassigning "last role" - to tell midPoint that the account should
      be disabled instead. Delete still works as usual.</p>
    <p>Activation mapping is obviously not evaluated when you delete
      a user (I think no mappings are evaluated).</p>
    <p>You can configure any resource to arbitrarily disable the delete
      operation using capabilities; in which case midPoint will throw an
      exception when you try to delete the account.</p>
    <pre>&lt;capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"&gt;
    &lt;configured&gt;
        &lt;cap:create&gt;
            &lt;cap:enabled&gt;true&lt;/cap:enabled&gt;
        &lt;/cap:create&gt;
        &lt;cap:update&gt;
            &lt;cap:enabled&gt;true&lt;/cap:enabled&gt;
        &lt;/cap:update&gt;
<b>        &lt;cap:delete&gt;
            &lt;cap:enabled&gt;false&lt;/cap:enabled&gt;
        &lt;/cap:delete&gt;</b>
    &lt;/configured&gt;
&lt;/capabilities&gt;</pre>
    <p>The drawback of disabling the delete operation using capabilities is
      that every delete operation (for account or not) will fail. You
      can also modify the permissions of the technical account the
      connector uses, to not allow deletes (it will throw an exception as
      well).</p>
    <p>A different approach is not to delete the users/accounts at
      all.<br>
    </p>
    Regards,<br>
    Ivan<br>
    <br>
    <div class="moz-cite-prefix">On 11/10/2016 06:07 PM, Ana Pereyra
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAO5EgRr=U5g+Xm4DV4nrA-G=5Or-EtbLuDiGpEwZ+HxrNesJAg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi everyone, <br clear="all">
        <div><br>
        </div>
        <div>I have an Active Directory resource with the activation
          node configured like this:</div>
        <div><i><br>
          </i></div>
        <div>
          <pre>&lt;activation&gt;
  &lt;!-- Existence mapping hardcoded to TRUE in order not to delete in the resource when deleted in MidPoint --&gt;
  &lt;existence&gt;
    &lt;outbound&gt;
      &lt;expression&gt;
        &lt;value&gt;true&lt;/value&gt;
      &lt;/expression&gt;
    &lt;/outbound&gt;
  &lt;/existence&gt;
  &lt;!-- If user exists and account is entitled --&gt;
  &lt;administrativeStatus&gt;
    &lt;outbound&gt;
      &lt;expression&gt;
        &lt;script&gt;
          &lt;code&gt;
            import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
            if (legal &amp;&amp; assigned)
            {
              input;
            }
            else
            {
              ActivationStatusType.DISABLED;
            }
          &lt;/code&gt;
        &lt;/script&gt;
      &lt;/expression&gt;
    &lt;/outbound&gt;
  &lt;/administrativeStatus&gt;
&lt;/activation&gt;</pre>
        </div>
        <div><i><br>
          </i></div>
        <div>What I need is the following:</div>
        <div>
          <ul>
            <li>When a user that is linked is <b>disabled</b>, the
              account is <b>disabled </b>in AD (Working)<br>
            </li>
            <li>When a user has the <b>association </b>to AD <b>removed
              </b>(the resource is removed from the user, or a role
              containing an inducement to the resource is removed from
              the user), the account is <b>disabled </b>in AD
              (Working)<br>
            </li>
            <li>When a user that is linked is <b>DELETED </b>from
              MidPoint, the account is <b>disabled </b>in AD (NOT
              WORKING). Currently, with this configuration, when I
              delete a user that is linked in AD I get the following
              error:</li>
          </ul>
        </div>
        <div><i>Schema violation during processing shadow: shadow:
            CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
            violation: Value of attribute '__NAME__' must be a single
            value, but it has 0values: Schema violation during
            processing shadow: shadow:
            CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
            violation: Value of attribute '__NAME__' must be a single
            value, but it has 0values: Schema violation during
            processing shadow: shadow:
            CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
            violation: Value of attribute '__NAME__' must be a single
            value, but it has 0values: Schema violation during
            processing shadow: shadow:
            CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
            violation: Value of attribute '__NAME__' must be a single
            value, but it has 0values</i><br>
        </div>
        <div><i><br>
          </i></div>
        <div>Can anyone please help me with this? Thanks in advance.</div>
        <div><br>
        </div>
        <div>Regards,</div>
        -- <br>
        <div class="gmail_signature">
          <div dir="ltr">
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <div>
                          <div dir="ltr"><b style="font-size:12.8px">Ana
                              Pereyra</b><br>
                          </div>
                          <div dir="ltr"><font style="font-size:12.8px"
                              face="verdana, sans-serif"><img
                                moz-do-not-send="true"
                                src="http://www.identicum.com/img/favicon.ico"> Identicum
                              S.A.<br>
                              <i><font color="#666666">Jorge Newbery
                                  3226, Argentina<br>
                                  Tel: +54 (11) </font></i></font><font
                              style="font-size:12.8px" color="#666666"
                              face="verdana, sans-serif"><i>4552.3050</i></font>
                            <div style="font-size:12.8px"><font
                                face="verdana, sans-serif"><i><font
                                    size="1"><a moz-do-not-send="true"
                                      href="mailto:apereyra@identicum.com"
                                      style="color:rgb(17,85,204)"
                                      target="_blank">apereyra@identicum.com</a></font></i><br>
                                <a moz-do-not-send="true"
                                  href="http://www.identicum.com/"
                                  style="color:rgb(17,85,204)"
                                  target="_blank"><font color="#000000">www.identicum.com</font></a></font></div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
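    <p>Added example, not part of the original message and not midPoint
      code: a Python check that reads a capabilities block like the one
      in the reply above and reports whether create, update and delete
      are overridden under "configured". The function names and the
      constructed sample are assumptions, as are treating a listed
      capability without an "enabled" element as enabled and treating an
      unlisted operation as left to the connector.</p>
    <pre>
```python
import xml.etree.ElementTree as ET

# Namespace copied from the capabilities block in the message above.
CAP_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
OPERATIONS = ("create", "update", "delete")


def configured_operations(xml_text):
    """Map each operation to True, False, or None (not listed under 'configured')."""
    state = dict.fromkeys(OPERATIONS)
    for element in ET.fromstring(xml_text).iter():
        # Match on the local name so any namespace on 'configured' is accepted.
        if element.tag.rsplit("}", 1)[-1] != "configured":
            continue
        for op in OPERATIONS:
            node = element.find("{%s}%s" % (CAP_NS, op))
            if node is None:
                continue
            enabled = node.findtext("{%s}enabled" % CAP_NS)
            # Assumption: a listed capability with no 'enabled' child is enabled.
            state[op] = enabled is None or enabled.strip().lower() == "true"
    return state


def audit(xml_text):
    """Return one finding about delete, the trade-off the message describes."""
    state = configured_operations(xml_text)
    if state["delete"] is False:
        return ["delete disabled: every delete on this resource will fail"]
    if state["delete"] is None:
        # Assumption: an unlisted operation is left to the connector.
        return ["delete not overridden: the connector's own capability applies"]
    return ["delete explicitly enabled: accounts can be deleted on the resource"]


def sample_capabilities(delete_enabled):
    """Constructed sample shaped like the block in the message, not a real export."""
    caps = ET.Element("capabilities")
    configured = ET.SubElement(caps, "configured")
    for op in OPERATIONS:
        node = ET.SubElement(configured, "{%s}%s" % (CAP_NS, op))
        flag = ET.SubElement(node, "{%s}enabled" % CAP_NS)
        flag.text = "true" if op != "delete" or delete_enabled else "false"
    return ET.tostring(caps, encoding="unicode")


if __name__ == "__main__":
    print(audit(sample_capabilities(delete_enabled=False)))
```
</pre>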
  </body>
</html>