<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>maybe &lt;tolerant&gt;false&lt;/tolerant&gt; for association or
your group attribute (if not using associations) could help...</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 11/10/2016 03:33 PM, Rodrigo Yanis
wrote:<br>
</div>
<blockquote
cite="mid:CADu-59EdJi+cMs_LVbhGK74GCBDa9tPD2_o7r=2qiJcmfGb7dA@mail.gmail.com"
type="cite">
<div dir="ltr">Hello everyone,
<div><br>
</div>
<div>We're having issues with our ScriptedSQL connector
mishandling group membership removals when said memberships
come from roles that are inherited from a higher level role,
that is assigned to the user.</div>
<div><br>
</div>
<div>When we remove the database role (the one that is linked to
the resource's meta-role, and represents a database group)
from the higher level role, and perform a reconciliation on
the user, this does not remove the group membership of this
user in the database. This only happens if the database role
is assigned directly to the user, and then removed.</div>
<div><br>
</div>
<div>We've also tried with a recompute task on the user, still
with no luck.</div>
<div><br>
</div>
<div>Since our role hierarchy does not support this last option,
we must find a way (either through a task or directly) to
remove memberships to roles that are no longer induced into
the high level role. </div>
<div><br>
</div>
<div>Do you have an idea on how to proceed? </div>
<div><br>
</div>
<div>Thanks for your help</div>
<div>
<div>
<div class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial,
helvetica, sans-serif"><b>Rodrigo
Yanis.</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font
face="arial, helvetica, sans-serif"><br>
<a moz-do-not-send="true"
href="mailto:ryanis@identicum.com"
target="_blank"><font
color="#0b5394">ryanis@identicum.com</font></a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com/"
target="_blank"><font
color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>