<div dir="ltr">Ivan,<div><br></div><div>Just tried configuring the meta-role just like that. Unfortunately no progress. We'll continue analyzing this and keep you posted if we find anything.</div><div><br></div><div>Thanks a lot.</div><div><br></div><div>Regards,</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><b>Rodrigo Yanis.</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br></font>Jorge Newbery 3226<br>Tel: +54 (11) 4824-9971<font face="arial, helvetica, sans-serif"><br><a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br><a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2016-11-11 2:46 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Hi Rodrigo,</p>
    <p>I meant this:</p>
    <p>...</p>
    <p>    <inducement><br>
              <construction><br>
                      <resourceRef
      oid="00000000-dc00-dc00-0001-000000000021"
      type="c:ResourceType"/><!-- Portal intranet --><span class=""><br>
              <kind>account</kind><br>
              <intent>default</intent><br>
              <association><br></span>
                  <ref>ri:wsEntitlements</ref><br>
                  <outbound><br>
      <b>                <strength>strong</strength></b><b><br>
      </b>                <source><br>
                          ...<br>
                      </source><br>
                      <expression><br>
                      ...</p>
    <p>But I think your problem should be resolved by tolerance (set to
      false) - strong mapping strength is to allow midPoint to enforce
      the group assignment when reconciling. Still I don't have any
      other idea. I hope that's not a problem with that specific
      connector because I wouldn't be able to help with Java.</p>
    <p>Best regards,</p>
    <p>Ivan<br>
    </p><div><div class="h5">
    <br>
    <div class="m_8345065841854202878moz-cite-prefix">On 11/10/2016 09:36 PM, Rodrigo Yanis
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Ivan,
        <div><br>
        </div>
        <div>I've compared your XML to my association attribute's
          definition on the resource and it looks the same. Can you
          please explain further what you mean by defining strength on
          the role itself? We've got a Meta-role -> Application role
          -> High level role architecture going (I believe it's just
          the same as yours except for the meta-role), and the group
          association is defined on the meta-role. Do you mean we should
          somehow define strength there? Because it isn't explicitly
          set.</div>
        <div><br>
        </div>
        <div>This is the inducement for the group association on the
          meta-role definition:</div>
        <div><br>
        </div>
        <font size="1"><inducement id="2"><br>
                <construction><br>
                   <resourceRef
          oid="00000000-0000-1de4-0002-000000000003"
          type="c:ResourceType"><!-- BANNER_USUARIOS
          --></resourceRef><br>
                   <kind>account</kind><br>
                   <intent>default</intent><br>
                   <association><br>
                      <c:ref>ri:GroupObjectClass</c:ref><br>
                      <outbound><br>
                         <expression><br>
                            <associationFromLink><br>
                               <projectionDiscriminator><br>
                                  <kind>entitlement</kind><br>
                                  <intent>default</intent><br>
                               </projectionDiscriminator><br>
                            </associationFromLink><br>
                         </expression><br>
                      </outbound><br>
                   </association><br>
                </construction><br>
                <order>2</order><br>
             </inducement></font>
        <div><br>
        </div>
        <div>Don't mind me if I sound a bit confused.</div>
        <div><br>
        </div>
        <div>Thanks for your help.</div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <br>
        <div class="gmail_quote">2016-11-10 13:51 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Hi Rodrigo,</p>
              <p>unfortunately no other idea yet. I was running
                recompute ca. two weeks ago to remove some application
                groups that were not added by midPoint, the goal was to
                have association configuration with tolerant=false and
                it worked (this was custom connector, not ScriptedSQL):</p>
              <p>                <association><br>
                                    <ref>ri:wsEntitlements</ref><br>
                                    <tolerant>false</tolerant><br>
                                    <matchingRule>mr:stringIgnoreCase</matchingRule><br>
                                    <kind>entitlement</kind><br>
                                    <intent>ws-entitlement</intent><br>
                                    <direction>objectToSubject</direction><br>
                                    <associationAttribute>ri:accountId</associationAttribute><br>
                                    <valueAttribute>icfs:uid</valueAttribute><br>
                                </association><br>
                 <br>
              </p>
              <p>In all roles where association is used,
                <strength>strong</strength> is used as well
                (but the tolerant=false is a must). The recompute then
                worked as supposed and removed all non-midpoint groups
                from the accounts. The accounts were constructed by
                hierarchical roles (User - assign - Business role -
                inducement - Application role) and the association was
                in the Application role.</p>
              <p>Best regards,</p>
              <p>Ivan<br>
              </p>
              <div>
                <div class="m_8345065841854202878h5"> <br>
                  <div class="m_8345065841854202878m_8205048116372680684moz-cite-prefix">On
                    11/10/2016 06:21 PM, Rodrigo Yanis wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <p dir="ltr">Hello Ivan, thanks for your response.</p>
                    <p dir="ltr">Unfortunately this didn't work. All
                      our association attributes are set to
                      tolerance=false by default.</p>
                    <p dir="ltr">Strange thing is, this only happens
                      when reconciling on already assigned high level
                      roles, not on assignment time.</p>
                    <p dir="ltr">Any other suggestion?<br>
                      Thanks again,</p>
                    <div class="gmail_extra"><br clear="all">
                      <br>
                      <div class="gmail_quote">2016-11-10 9:48 GMT-05:00
                        Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <p>Hi Rodrigo,</p>
                            <p>maybe
                              <tolerant>false</tolerant> for
                              association or your group attribute (if
                              not using associations) could help...</p>
                            <p>Ivan<br>
                            </p>
                            <div>
                              <div class="m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
                                <br>
                                <div class="m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
                                  11/10/2016 03:33 PM, Rodrigo Yanis
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div class="m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
                                  <div dir="ltr">Hello everyone,
                                    <div><br>
                                    </div>
                                    <div>We're having issues with our
                                      ScriptedSQL connector mishandling
                                      group membership removals when
                                      said memberships come from roles
                                      that are inherited from a higher
                                      level role, that is assigned to
                                      the user.</div>
                                    <div><br>
                                    </div>
                                    <div>When we remove the database
                                      role (the one that is linked to
                                      the resource's meta-role, and
                                      represents a database group) from
                                      the higher level role, and perform
                                      a reconciliation on the user, this
                                      does not remove the group
                                      membership of this user in the
                                      database. This only happens if the
                                      database role is assigned directly
                                      to the user, and then removed.</div>
                                    <div><br>
                                    </div>
                                    <div>We've also tried with a
                                      recompute task on the user, still
                                      with no luck.</div>
                                    <div><br>
                                    </div>
                                    <div>Since our role hierarchy does
                                      not support this last option, we
                                      must find a way (either through a
                                      task or directly) to remove
                                      memberships to roles that are no
                                      longer induced into the high level
                                      role. </div>
                                    <div><br>
                                    </div>
                                    <div>Do you have an idea on how to
                                      proceed? </div>
                                    <div><br>
                                    </div>
                                    <div>Thanks for your help</div>
                                  </div>
                                  <br>
                                  <br>
                                </div>
                              </div>
                              <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
    

    <pre class="m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>




</blockquote></div>
</div>



</blockquote>
</div></div></div>


</blockquote></div>
</div>



</blockquote>
</div></div></div><br>
<br></blockquote></div><br></div>
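<p>Added example (not part of the original thread and not midPoint tooling): a small Python check for the two settings discussed in the replies above, tolerant set to false on the resource association and strength set to strong on the outbound mapping of a role's association. The sample XML is constructed, ri:legacyGroups is a made-up name, and treating a missing tolerant element as tolerant and a missing strength element as normal are assumptions about the defaults.</p>

```python
import xml.etree.ElementTree as ET

# midPoint common and resource-instance namespaces
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
RI = "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"


def local(elem):
    """Element name without its namespace, so <c:ref> and <ref> compare equal."""
    return elem.tag.rsplit("}", 1)[-1]


def child_text(elem, name, default=None):
    """Text of the first direct child called `name`, or `default` if absent."""
    for c in elem:
        if local(c) == name:
            return (c.text or "").strip()
    return default


def associations(xml_text):
    return [e for e in ET.fromstring(xml_text).iter() if local(e) == "association"]


def audit_resource(xml_text):
    """Refs of resource associations that would tolerate groups midPoint did not add."""
    # Assumption: a missing <tolerant> behaves like <tolerant>true</tolerant>.
    return [child_text(a, "ref", "?") for a in associations(xml_text)
            if child_text(a, "tolerant", "true") != "false"]


def audit_role(xml_text):
    """(ref, strength) for role associations whose outbound mapping is not strong."""
    findings = []
    for a in associations(xml_text):
        outbound = next((c for c in a if local(c) == "outbound"), None)
        # Assumption: a missing <strength> means the default, "normal".
        strength = "normal" if outbound is None else child_text(outbound, "strength", "normal")
        if strength != "strong":
            findings.append((child_text(a, "ref", "?"), strength))
    return findings


# Constructed sample input, modelled on the fragments quoted in the thread.
RESOURCE = f"""<resource xmlns="{C}" xmlns:ri="{RI}">
  <schemaHandling><objectType>
    <association>
      <ref>ri:wsEntitlements</ref>
      <tolerant>false</tolerant>
      <kind>entitlement</kind>
    </association>
    <association>
      <ref>ri:legacyGroups</ref>
      <kind>entitlement</kind>
    </association>
  </objectType></schemaHandling>
</resource>"""

ROLE = f"""<role xmlns="{C}" xmlns:c="{C}" xmlns:ri="{RI}">
  <inducement><construction><association>
    <c:ref>ri:GroupObjectClass</c:ref>
    <outbound><expression><associationFromLink/></expression></outbound>
  </association></construction></inducement>
  <inducement><construction><association>
    <ref>ri:wsEntitlements</ref>
    <outbound><strength>strong</strength></outbound>
  </association></construction></inducement>
</role>"""

if __name__ == "__main__":
    print("resource associations not set to tolerant=false:", audit_resource(RESOURCE))
    print("role associations without strong outbound:", audit_role(ROLE))
```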