<div dir="ltr">Ivan,<div><br></div><div>I've compared your XML to my association attribute's definition on the resource and it looks the same. Can you please explain further what you mean by defining strength on the role itself? We've got a Meta-role -> Application role -> High level role architecture going (I believe it's just the same as yours except for the meta-role), and the group association is defined on the meta-role. Do you mean we should somehow define strength there? Because it isn't explicitly set.</div><div><br></div><div>This is the inducement for the group association on the meta-role definition:</div><div><br></div><pre><inducement id="2">
    <construction>
        <resourceRef oid="00000000-0000-1de4-0002-000000000003" type="c:ResourceType"><!-- BANNER_USUARIOS --></resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:GroupObjectClass</c:ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>default</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement></pre><div><br></div><div>Don't mind me if I sound a bit confused.</div><div><br></div><div>Thanks for your help.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><b>Rodrigo Yanis.</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br></font>Jorge Newbery 3226<br>Tel: +54 (11) 4824-9971<font face="arial, helvetica, sans-serif"><br><a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br><a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div>
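Added example, not from the thread or from midPoint's own samples: one way to put the two settings Ivan mentions next to each other, <tolerant>false</tolerant> on the resource-side association definition and <strength>strong</strength> on the outbound mapping of the meta-role inducement quoted above. The resource OID and ri:GroupObjectClass ref come from the thread; the association/value attribute names are placeholders, and placing strength inside outbound is an assumption about midPoint's mapping syntax.

```xml
<!-- Resource side (schemaHandling, account object type). With tolerant=false,
     reconciliation may remove group memberships that no current construction
     produces (this is what Ivan reports working with a recompute).
     ri:GroupObjectClass is taken from the thread; the attribute names below
     are placeholders for the real ScriptedSQL group attributes. -->
<association>
    <ref>ri:GroupObjectClass</ref>
    <tolerant>false</tolerant>
    <kind>entitlement</kind>
    <intent>default</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:members</associationAttribute>   <!-- placeholder -->
    <valueAttribute>icfs:name</valueAttribute>                <!-- placeholder -->
</association>

<!-- Role side: the meta-role inducement from the thread, with the outbound
     mapping marked strong as in Ivan's roles. Placing <strength> inside
     <outbound> is an assumption about midPoint mapping syntax. -->
<inducement id="2">
    <construction>
        <resourceRef oid="00000000-0000-1de4-0002-000000000003" type="c:ResourceType"/> <!-- BANNER_USUARIOS -->
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:GroupObjectClass</c:ref>
            <outbound>
                <strength>strong</strength>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>default</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>
```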
<br><div class="gmail_quote">2016-11-10 13:51 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>unfortunately no other idea yet. I was running recompute ca. two
weeks ago to remove some application groups that were not added by
midPoint; the goal was to have an association configuration with
tolerant=false, and it worked (this was a custom connector, not
ScriptedSQL):</p>
<pre><association>
    <ref>ri:wsEntitlements</ref>
    <tolerant>false</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>ws-entitlement</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:accountId</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association></pre>
<p>In all roles where association is used,
<strength>strong</strength> is used as well (but the
tolerant=false is a must). The recompute then worked as expected
and removed all non-midPoint groups from the accounts. The
accounts were constructed by hierarchical roles (User - assign -
Business role - inducement - Application role) and the association
was in the Application role.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p><div><div class="h5">
<br>
<div class="m_8205048116372680684moz-cite-prefix">On 11/10/2016 06:21 PM, Rodrigo Yanis
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Hello Ivan, thanks for your response.</p>
<p dir="ltr">Unfortunately this didn't work. All our association
attributes are set to tolerance=false by default.</p>
<p dir="ltr">Strange thing is, this only happens when reconciling
on already assigned high-level roles, not at assignment time.</p>
<p dir="ltr">Any other suggestion?<br>
Thanks again,</p>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_8205048116372680684m_8908444601929514937gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo Yanis.</b><br>
<img src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif"><br>
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">2016-11-10 9:48 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>maybe <tolerant>false</tolerant> for
association or your group attribute (if not using
associations) could help...</p>
<p>Ivan<br>
</p>
<div>
<div class="m_8205048116372680684m_8908444601929514937h5"> <br>
<div class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
11/10/2016 03:33 PM, Rodrigo Yanis wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_8205048116372680684m_8908444601929514937h5">
<div dir="ltr">Hello everyone,
<div><br>
</div>
<div>We're having issues with our ScriptedSQL
connector mishandling group membership removals
when said memberships come from roles that are
inherited from a higher-level role that is
assigned to the user.</div>
<div><br>
</div>
<div>When we remove the database role (the one
that is linked to the resource's meta-role and
represents a database group) from the higher-level
role, and perform a reconciliation on the
user, this does not remove the group membership
of this user in the database. This only happens
if the database role is assigned directly to the
user and then removed.</div>
<div><br>
</div>
<div>We've also tried with a recompute task on the
user, still with no luck.</div>
<div><br>
</div>
<div>Since our role hierarchy does not support
this last option, we must find a way (either
through a task or directly) to remove
memberships to roles that are no longer induced
into the high-level role.</div>
<div><br>
</div>
<div>Do you have an idea on how to proceed?</div>
<div><br>
</div>
<div>Thanks for your help</div>
<div>
<div>
<div class="m_8205048116372680684m_8908444601929514937m_2600798162479677229gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo
Yanis.</b><br>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial, helvetica,
sans-serif"><br>
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span class="m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></blockquote><span class="m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
<pre class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
</blockquote></div>
</div>
</blockquote>
<pre class="m_8205048116372680684moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></div></div></div>
<br></blockquote></div><br></div>