<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>I meant this:</p>
<p>...</p>
<p>&lt;inducement&gt;<br>
&lt;construction&gt;<br>
&lt;resourceRef
oid="00000000-dc00-dc00-0001-000000000021"
type="c:ResourceType"/&gt;&lt;!-- Portal intranet --&gt;<br>
&lt;kind&gt;account&lt;/kind&gt;<br>
&lt;intent&gt;default&lt;/intent&gt;<br>
&lt;association&gt;<br>
&lt;ref&gt;ri:wsEntitlements&lt;/ref&gt;<br>
&lt;outbound&gt;<br>
<b>&lt;strength&gt;strong&lt;/strength&gt;</b><br>
&lt;source&gt;<br>
...<br>
&lt;/source&gt;<br>
&lt;expression&gt;<br>
...</p>
<p>But I think your problem should be resolved by tolerance (set to
false) - strong mapping strength is to allow midPoint to enforce
the group assignment when reconciling. Still I don't have any
other idea. I hope that's not a problem with that specific
connector because I wouldn't be able to help with Java.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 11/10/2016 09:36 PM, Rodrigo Yanis
wrote:<br>
</div>
<blockquote
cite="mid:CADu-59HmyRpEBWrnH4XBpUiQs_iEkRMUaRCO3BFfm5VwPpSGCg@mail.gmail.com"
type="cite">
<div dir="ltr">Ivan,
<div><br>
</div>
<div>I've compared your XML to my association attribute's
definition on the resource and it looks the same. Can you
please explain further what you mean by defining strength on
the role itself? We've got a Meta-role -&gt; Application role
-&gt; High level role architecture going (I believe it's just
the same as yours except for the meta-role), and the group
association is defined on the meta-role. Do you mean we should
somehow define strength there? Because it isn't explicitly
set.</div>
<div><br>
</div>
<div>This is the inducement for the group association on the
meta-role definition:</div>
<div><br>
</div>
<font size="1">&lt;inducement id="2"&gt;<br>
&lt;construction&gt;<br>
&lt;resourceRef
oid="00000000-0000-1de4-0002-000000000003"
type="c:ResourceType"&gt;&lt;!-- BANNER_USUARIOS
--&gt;&lt;/resourceRef&gt;<br>
&lt;kind&gt;account&lt;/kind&gt;<br>
&lt;intent&gt;default&lt;/intent&gt;<br>
&lt;association&gt;<br>
&lt;c:ref&gt;ri:GroupObjectClass&lt;/c:ref&gt;<br>
&lt;outbound&gt;<br>
&lt;expression&gt;<br>
&lt;associationFromLink&gt;<br>
&lt;projectionDiscriminator&gt;<br>
&lt;kind&gt;entitlement&lt;/kind&gt;<br>
&lt;intent&gt;default&lt;/intent&gt;<br>
&lt;/projectionDiscriminator&gt;<br>
&lt;/associationFromLink&gt;<br>
&lt;/expression&gt;<br>
&lt;/outbound&gt;<br>
&lt;/association&gt;<br>
&lt;/construction&gt;<br>
&lt;order&gt;2&lt;/order&gt;<br>
&lt;/inducement&gt;</font>
<div><br>
</div>
<div>Don't mind me if I sound a bit confused.</div>
<div><br>
</div>
<div>Thanks for your help.</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo Yanis.</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif"><br>
<a moz-do-not-send="true"
href="mailto:ryanis@identicum.com"
target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com/"
target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">2016-11-10 13:51 GMT-05:00 Ivan Noris <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>unfortunately no other idea yet. I was running
recompute ca. two weeks ago to remove some application
groups that were not added by midPoint, the goal was to
have association configuration with tolerant=false and
it worked (this was custom connector, not ScriptedSQL):</p>
<p>&lt;association&gt;<br>
&lt;ref&gt;ri:wsEntitlements&lt;/ref&gt;<br>
&lt;tolerant&gt;false&lt;/tolerant&gt;<br>
&lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;<br>
&lt;kind&gt;entitlement&lt;/kind&gt;<br>
&lt;intent&gt;ws-entitlement&lt;/intent&gt;<br>
&lt;direction&gt;objectToSubject&lt;/direction&gt;<br>
&lt;associationAttribute&gt;ri:accountId&lt;/associationAttribute&gt;<br>
&lt;valueAttribute&gt;icfs:uid&lt;/valueAttribute&gt;<br>
&lt;/association&gt;<br>
<br>
</p>
<p>In all roles where association is used,
&lt;strength&gt;strong&lt;/strength&gt; is used as well
(but the tolerant=false is a must). The recompute then
worked as supposed and removed all non-midpoint groups
from the accounts. The accounts were constructed by
hierarchical roles (User - assign - Business role -
inducement - Application role) and the association was
in the Application role.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<div>
<div class="h5"> <br>
<div class="m_8205048116372680684moz-cite-prefix">On
11/10/2016 06:21 PM, Rodrigo Yanis wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Hello Ivan, thanks for your response.</p>
<p dir="ltr">Unfortunately this didn't work. All
our association attributes are set to
tolerance=false by default.</p>
<p dir="ltr">Strange thing is, this only happens
when reconciling on already assigned high level
roles, not on assignment time.</p>
<p dir="ltr">Any other suggestion?<br>
Thanks again,</p>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">2016-11-10 9:48 GMT-05:00
Ivan Noris <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>maybe
&lt;tolerant&gt;false&lt;/tolerant&gt; for
association or your group attribute (if
not using associations) could help...</p>
<p>Ivan<br>
</p>
<div>
<div
class="m_8205048116372680684m_8908444601929514937h5">
<br>
<div
class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
11/10/2016 03:33 PM, Rodrigo Yanis
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div
class="m_8205048116372680684m_8908444601929514937h5">
<div dir="ltr">Hello everyone,
<div><br>
</div>
<div>We're having issues with our
ScriptedSQL connector mishandling
group membership removals when
said memberships come from roles
that are inherited from a higher
level role, that is assigned to
the user.</div>
<div><br>
</div>
<div>When we remove the database
role (the one that is linked to
the resource's meta-role, and
represents a database group) from
the higher level role, and perform
a reconciliation on the user, this
does not remove the group
membership of this user in the
database. This only happens if the
database role is assigned directly
to the user, and then removed.</div>
<div><br>
</div>
<div>We've also tried with a
recompute task on the user, still
with no luck.</div>
<div><br>
</div>
<div>Since our role hierarchy does
not support this last option, we
must find a way (either through a
task or directly) to remove
memberships to roles that are no
longer induced into the high level
role. </div>
<div><br>
</div>
<div>Do you have an idea on how to
proceed? </div>
<div><br>
</div>
<div>Thanks for your help</div>
</div>
<br>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></blockquote><span class="m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
<pre class="m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre></body></html>