<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi Rodrigo,</p>
    <p>unfortunately no other idea yet. I was running recompute ca. two
      weeks ago to remove some application groups that were not added by
      midPoint, the goal was to have association configuration with
      tolerant=false and it worked (this was custom connector, not
      ScriptedSQL):</p>
    <pre><association>
    <ref>ri:wsEntitlements</ref>
    <tolerant>false</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>ws-entitlement</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:accountId</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association></pre>
    <p>In all roles where association is used,
      <strength>strong</strength> is used as well (but the
      tolerant=false is a must). The recompute then worked as supposed
      and removed all non-midpoint groups from the accounts. The
      accounts were constructed by hierarchical roles (User - assign -
      Business role - inducement - Application role) and the association
      was in the Application role.</p>
    <p>Best regards,</p>
    <p>Ivan<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 11/10/2016 06:21 PM, Rodrigo Yanis
      wrote:<br>
    </div>
    <blockquote
cite="mid:CADu-59H6PJy9ynYeX3v8MKKvNcvan-gwn-eDEEiukdvH4gL1KQ@mail.gmail.com"
      type="cite">
      <p dir="ltr">Hello Ivan, thanks for your response.</p>
      <p dir="ltr">Unfortunately this didn't work. All our association
        attributes are set to tolerance=false by default.</p>
      <p dir="ltr">Strange thing is, this only happens when reconciling
        on already assigned high level roles, not on assignment time.</p>
      <p dir="ltr">Any other suggestion?<br>
        Thanks again,</p>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="m_8908444601929514937gmail_signature"
            data-smartmail="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr"><br>
                            </div>
                            <div dir="ltr"><font face="arial, helvetica,
                                sans-serif"><b>Rodrigo Yanis.</b><br>
                                <img moz-do-not-send="true"
                                  src="http://www.identicum.com/img/favicon.ico">Identicum
                                S.A.<br>
                              </font>Jorge Newbery 3226<br>
                              Tel: +54 (11) 4824-9971<font face="arial,
                                helvetica, sans-serif"><br>
                                <a moz-do-not-send="true"
                                  href="mailto:ryanis@identicum.com"
                                  target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
                                <a moz-do-not-send="true"
                                  href="http://www.identicum.com/"
                                  target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">2016-11-10 9:48 GMT-05:00 Ivan Noris <span
            dir="ltr"><<a moz-do-not-send="true"
              href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Hi Rodrigo,</p>
              <p>maybe <tolerant>false</tolerant> for
                association or your group attribute (if not using
                associations) could help...</p>
              <p>Ivan<br>
              </p>
              <div>
                <div class="m_8908444601929514937h5"> <br>
                  <div
                    class="m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
                    11/10/2016 03:33 PM, Rodrigo Yanis wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="m_8908444601929514937h5">
                    <div dir="ltr">Hello everyone,
                      <div><br>
                      </div>
                      <div>We're having issues with our ScriptedSQL
                        connector mishandling group membership removals
                        when said memberships come from roles that are
                        inherited from a higher level role, that is
                        assigned to the user.</div>
                      <div><br>
                      </div>
                      <div>When we remove the database role (the one
                        that is linked to the resource's meta-role, and
                        represents a database group) from the higher
                        level role, and perform a reconciliation on the
                        user, this does not remove the group membership
                        of this user in the database. This only happens
                        if the database role is assigned directly to the
                        user, and then removed.</div>
                      <div><br>
                      </div>
                      <div>We've also tried with a recompute task on the
                        user, still with no luck.</div>
                      <div><br>
                      </div>
                      <div>Since our role hierarchy does not support
                        this last option, we must find a way (either
                        through a task or directly) to remove
                        memberships to roles that are no longer induced
                        into the high level role. </div>
                      <div><br>
                      </div>
                      <div>Do you have an idea on how to proceed? </div>
                      <div><br>
                      </div>
                      <div>Thanks for your help</div>
                      <div>
                        <div>
                          <div
                            class="m_8908444601929514937m_2600798162479677229gmail_signature"
                            data-smartmail="gmail_signature">
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div>
                                        <div dir="ltr">
                                          <div dir="ltr">
                                            <div dir="ltr"><br>
                                            </div>
                                            <div dir="ltr"><font
                                                face="arial, helvetica,
                                                sans-serif"><b>Rodrigo
                                                  Yanis.</b><br>
                                                <img
                                                  moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>
                                              </font>Jorge Newbery 3226<br>
                                              Tel: +54 (11) 4824-9971<font
                                                face="arial, helvetica,
                                                sans-serif"><br>
                                                <a
                                                  moz-do-not-send="true"
href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
                                                <a
                                                  moz-do-not-send="true"
href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <fieldset
                      class="m_8908444601929514937m_2600798162479677229mimeAttachmentHeader"></fieldset>
                    <br>
                  </div>
                </div>
                <pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_8908444601929514937HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="m_8908444601929514937HOEnZb"><font color="#888888">
    

    <pre class="m_8908444601929514937m_2600798162479677229moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>




</blockquote></div>
</div>



</blockquote>
<pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre></body></html>