<div dir="ltr">Thank you very much, Ivan, for this information. I understand the behaviour better now. <div><br></div><div>Regards,</div><div>Ana</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-10 15:45 GMT-03:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p>The configuration for "disable instead of delete" works only for
unassigning the "last role", to tell midPoint that the account should
be disabled instead. Delete still works as usual.</p>
<p>Activation mapping is obviously not evaluated when you delete a
user (I think no mappings are evaluated).</p>
<p>You can configure any resource to arbitrarily disable the delete
operation using capabilities, in which case midPoint will throw an
exception when you try to delete the account.</p>
<pre><capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
    <configured>
        <cap:create>
            <cap:enabled>true</cap:enabled>
        </cap:create>
        <cap:update>
            <cap:enabled>true</cap:enabled>
        </cap:update>
<b>        <cap:delete>
            <cap:enabled>false</cap:enabled>
        </cap:delete></b>
    </configured>
</capabilities></pre>
<p>The drawback of disabling the delete operation using capabilities is
that every delete operation (for account or not) will fail. You
can also modify the permissions of the technical account the
connector uses so that deletes are not allowed (it will throw an
exception as well).</p>
<p>A different approach is not to delete the users/accounts at
all.<br>
</p>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div class="m_-5194500174983860442moz-cite-prefix">On 11/10/2016 06:07 PM, Ana Pereyra
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi everyone, <br clear="all">
<div><br>
</div>
<div>I have an Active Directory resource with the activation
node configured like this:</div>
<div><i><br>
</i></div>
<div>
<div><i><activation></i></div>
<div><i> <!--Existence mapping hardcoded to TRUE
in order not to delete in the resource when deleted in
MidPoint --></i></div>
<div><i> <existence></i></div>
<div><i> <outbound></i></div>
<div><i> <expression></i></div>
<div><i> <value>true</value></i></div>
<div><i> </expression></i></div>
<div><i> </outbound></i></div>
<div><i> </existence></i></div>
<div><i> <!-- If user exists and account is
entitled --></i></div>
<div><i> <administrativeStatus></i></div>
<div><i> <outbound></i></div>
<div><i> <expression></i></div>
<div><i> <script></i></div>
<div><i> <code></i></div>
<div><i> import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;</i></div>
<div><i> if (legal && assigned)</i></div>
<div><i> {</i></div>
<div><i> input;</i></div>
<div><i> }</i></div>
<div><i> else</i></div>
<div><i> {</i></div>
<div><i> ActivationStatusType.DISABLED;</i></div>
<div><i> }</i></div>
<div><i> </code></i></div>
<div><i> </script></i></div>
<div><i> </expression></i></div>
<div><i> </outbound></i></div>
<div><i> </administrativeStatus></i></div>
<div><i> </activation></i></div>
</div>
<div><i><br>
</i></div>
<div>What I need is the following:</div>
<div>
<ul>
<li>When a user that is linked is <b>disabled</b>, the
account is <b>disabled </b>in AD (Working)<br>
</li>
<li>When a user has the <b>association </b>to AD <b>removed
</b>(the resource is removed from the user, or a role
containing an inducement to the resource is removed from
the user), the account is <b>disabled </b>in AD
(Working)<br>
</li>
<li>When a user that is linked is <b>DELETED </b>from
MidPoint, the account is <b>disabled </b>in AD (NOT
WORKING). Currently, with this configuration, when I
delete a user that is linked in AD, I get the following
error:</li>
</ul>
</div>
<div><i>Schema violation during processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values: Schema violation during
processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values: Schema violation during
processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values: Schema violation during
processing shadow: shadow:
CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema
violation: Value of attribute '__NAME__' must be a single
value, but it has 0values</i><br>
</div>
<div><i><br>
</i></div>
<div>Can anyone please help me with this? Thanks in advance.</div>
<div><br>
</div>
<div>Regards,</div>
-- <br>
<div class="m_-5194500174983860442gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><b style="font-size:12.8px">Ana
Pereyra</b><br>
</div>
<div dir="ltr"><font style="font-size:12.8px" face="verdana, sans-serif"><img> Identicum
S.A.<br>
<i><font color="#666666">Jorge Newbery
3226, Argentina<br>
Tel: +54 (11) </font></i></font><font style="font-size:12.8px" color="#666666" face="verdana, sans-serif"><i>4552.3050</i></font>
<div style="font-size:12.8px"><font face="verdana, sans-serif"><i><font size="1"><a href="mailto:apereyra@identicum.com" style="color:rgb(17,85,204)" target="_blank">apereyra@identicum.com</a></font></i><br>
<a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank"><font color="#000000">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div><pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-5194500174983860442moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-5194500174983860442moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><span class="HOEnZb"><font color="#888888">
</font></span></pre><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<pre class="m_-5194500174983860442moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b style="font-size:12.8px">Ana Pereyra</b><br></div><div dir="ltr"><font face="verdana, sans-serif" style="font-size:12.8px"><img src="http://www.identicum.com/img/favicon.ico"> Identicum S.A.<br><i><font color="#666666">Jorge Newbery 3226, Argentina<br>Tel: +54 (11) </font></i></font><font color="#666666" face="verdana, sans-serif" style="font-size:12.8px"><i>4552.3050</i></font><div style="font-size:12.8px"><font face="verdana, sans-serif"><i><font size="1"><a href="mailto:apereyra@identicum.com" style="color:rgb(17,85,204)" target="_blank">apereyra@identicum.com</a></font></i><br><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank"><font color="#000000">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div>
</div>
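<p>An added example, not part of the thread or of midPoint itself: a small check that reads a resource's <code>capabilities</code> XML and reports whether delete is blocked, so the setting Ivan describes can be verified before relying on it. The function names are hypothetical, the sample XML is constructed from the fragment quoted above, and treating a capability with no <code>cap:enabled</code> child as enabled is an assumption.</p>

```python
import xml.etree.ElementTree as ET

CAP_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"

# Constructed sample: the <capabilities> fragment quoted in the thread.
SAMPLE = """<capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <configured>
    <cap:create><cap:enabled>true</cap:enabled></cap:create>
    <cap:update><cap:enabled>true</cap:enabled></cap:update>
    <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
  </configured>
</capabilities>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def configured_capabilities(xml_text):
    """Return {capability name: enabled?} for each entry under <configured>."""
    result = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "configured":
            continue
        for cap in elem:
            if not cap.tag.startswith("{" + CAP_NS + "}"):
                continue  # ignore anything outside the capabilities namespace
            flag = cap.find("{%s}enabled" % CAP_NS)
            # Assumption: no <cap:enabled> child means the capability is enabled.
            value = "" if flag is None else (flag.text or "").strip().lower()
            result[local(cap.tag)] = value != "false"
    return result


def delete_blocked(xml_text):
    """True only when <cap:delete> is explicitly configured as disabled."""
    return configured_capabilities(xml_text).get("delete", True) is False


def review(xml_text):
    """Findings worded after what the thread says about each setting."""
    if delete_blocked(xml_text):
        return ["delete is disabled: every delete on this resource will fail "
                "with an exception, not only account deletes"]
    return ["delete is allowed: deleting a midPoint user deletes the linked "
            "account; per the thread, activation mappings are not evaluated"]


if __name__ == "__main__":
    print(configured_capabilities(SAMPLE))
    print(review(SAMPLE)[0])
```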