<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
That's strange. The ScriptedSQL is somehow different. But it
should not be THAT different. Please once again look at the ConnId
operation trace. That's the most reliable source of debugging
information in this case.<br>
<br>
But based on your information I would guess that it really is
a midPoint issue. If the connector is not getting the remove
operation, then that means that midPoint is not sending it. If you
are sure that the "model" configuration is correct (e.g. tolerant
setting, mapping strength, etc.) then it is most likely that the
provisioning part is filtering out the operation. There may be
several reasons for that. E.g. if the read operation does not work
properly, midPoint may think that the value is not there and
therefore there is no need to remove it. Some resources (namely
LDAP) are quite touchy and they respond with an error if we try to
remove a value that is not there. Therefore we are often filtering
the deltas before sending them to the connector. Or there may be
several other cases. Generally, setting provisioning logging to
DEBUG (and in extreme cases to TRACE) should give you more
information on what is really happening. To be more specific, try
setting:<br>
com.evolveum.midpoint.provisioning: DEBUG<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 11/21/2016 01:38 PM, Nicolas Rossi wrote:<br>
</div>
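<p>As an added illustration (this is not midPoint's code and not something anyone in the thread posted): a small Python model of the two paths Radovan describes in the quoted messages below, the delta-based assignment removal and the delta-less reconciliation, showing how the tolerant flag in schemaHandling and the mapping strength decide whether a stale group membership is removed. Role layout and group names are constructed sample values.</p>

```python
"""Simplified model (added example, not midPoint's own code) of the two paths the
thread describes: a delta-based assignment removal versus a delta-less
reconciliation, and how the association's schemaHandling `tolerant` flag and
the inducement mapping `strength` decide whether a stale group is removed.
Assumptions: each role inducement contributes one Mapping; group names are
constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mapping:
    """One outbound association mapping induced by a role."""
    groups: frozenset
    strength: str = "normal"   # "normal" or "strong"


@dataclass
class Delta:
    """Association values midPoint would ask the connector to add or remove."""
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)


def reconcile(resource_groups, mappings, tolerant):
    """Delta-less path: reconcile or recompute after a meta-role or inducement
    change, where midPoint has no delta to work from.

    - strong mappings are enforced: their values are added if missing;
    - normal mappings are not processed at all (status quo): their values are
      neither added nor removed;
    - values given by no mapping are removed only when the association is
      non-tolerant in schemaHandling.
    """
    enforced = set().union(*(m.groups for m in mappings if m.strength == "strong"))
    known = set().union(*(m.groups for m in mappings))
    delta = Delta(add=enforced - set(resource_groups))
    if not tolerant:
        delta.remove = set(resource_groups) - known
    return delta


def unassign(resource_groups, remaining_mappings, removed_mapping):
    """Delta-based path: an assignment is removed from the user directly.

    midPoint knows exactly which assignment went away, so the groups it induced
    are removed even if the association is tolerant, unless another remaining
    role still induces them.
    """
    still_given = set().union(*(m.groups for m in remaining_mappings))
    stale = set(removed_mapping.groups).intersection(resource_groups) - still_given
    return Delta(remove=stale)


def thread_scenario(tolerant):
    """The case from the thread: AD-Group3 is dropped from AD-SuperRole (the
    meta-role inducements now give only Group4 and Group5), then the user is
    reconciled while the account still holds all three groups."""
    on_resource = {"Group3", "Group4", "Group5"}
    after_change = [
        Mapping(frozenset({"Group4"}), "strong"),
        Mapping(frozenset({"Group5"}), "strong"),
    ]
    return reconcile(on_resource, after_change, tolerant)


if __name__ == "__main__":
    print("tolerant=true, reconcile removes:", thread_scenario(True).remove)
    print("tolerant=false, reconcile removes:", thread_scenario(False).remove)
    direct = unassign({"Group3", "Group4"},
                      [Mapping(frozenset({"Group4"}), "strong")],
                      Mapping(frozenset({"Group3"})))
    print("direct unassignment removes:", direct.remove)
```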
<blockquote
cite="mid:CAAxX8cjkbsLLM83VSDto+vZb217x89M4CZoSChQbqnJedwTfvQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Radovan. It worked for the ActiveDirectory connector but didn't
for the ScriptedSQL. We have added an echo at the beginning of
each Groovy script printing the action and the object class
received, and it only receives an ADD_ATTRIBUTE_VALUE of the
value that the user already had. There is no
REMOVE_ATTRIBUTE_VALUE, so I guess the issue is on the
connector this time. I have an isolated set of resource, meta
role and role to reproduce the issue. You can download it from
<a moz-do-not-send="true"
href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip">here</a>
if you want. The main difference with the Active Directory
resource is in the association: subjectToObject vs
objectToSubject. Do you think the problem could be there?
I'll try it.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
guess it would be helpful to add this info about the tolerant attribute
on this page: <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Entitlements">https://wiki.evolveum.com/display/midPoint/Entitlements</a>.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best
regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a
moz-do-not-send="true"
href="http://www.identicum.com"
target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Nov 21, 2016 at 7:15 AM,
Radovan Semancik <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:radovan.semancik@evolveum.com"
target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_-2249893482612098258moz-cite-prefix">Hi,<br>
<br>
I have created the test. And surprisingly it is passing.
This is 3.5-SNAPSHOT, but it is very likely that it
works also in earlier versions. Therefore it looks like it is
really a misconfiguration. The cause is really most
likely the tolerant flag. The tolerant flag is critical
in this situation. <br>
<br>
For "normal" midPoint operations, when you are adding or
removing an assignment from a user, we have the delta. We
know what has changed. Therefore we remove the group
even if it is set to tolerant, because we know that the
last assignment that "induced" that group was just
removed.<br>
<br>
But if you change the meta role (first operation) and
then reconcile the user (second operation) then there is
no delta. These operations are independent. MidPoint
does not know what has changed in the meta-role.
Therefore it cannot use the same logic to remove the
user from the group. Slightly different logic is used in
reconciliation, logic that is not based on deltas
(because there are none). And in this case the tolerant
flag is important. If it is set to true then midPoint
will NOT remove the extra values from the attribute or
the extra entitlements. If it is set to false then
midPoint will remove them.<br>
<br>
Please make sure you have the association set to
non-tolerant in the schemaHandling section of the
resource definition. Like this:<br>
<br>
<pre><resource>
  <schemaHandling>
    ....
    <association>
      <ref>ri:group</ref>
      <tolerant>false</tolerant>
      ....
    </association>
    ...
</pre>
<br>
This has to be defined in the schemaHandling and NOT in
the role or meta-role. The tolerance is the property of
the attribute/association itself and NOT a property of
any mapping, role or value. The values that are not
given by any role are just that: not given by any role.
So we do not have any role definition that we can apply
to them. Therefore the setting whether the
attribute/association is tolerant or not is somehow
"global". Therefore it needs to be defined in
schemaHandling.<br>
<br>
Also, please make sure that your mappings are strong,
e.g.<br>
<br>
<pre><role>
  ...
  <inducement>
    <construction>
      ...
      <association>
        <ref>ri:group</ref>
        <outbound>
          <strength>strong</strength>
          ...
        </outbound>
      </association>
    </construction>
  </inducement>
</pre>
<br>
Mappings that are of "normal" strength are inherently
delta-based and they are usually NOT processed by the
reconciliation at all. For "normal" mappings the last
change wins. But in reconciliation we have no idea what
change was the last one - whether the one on the
resource or the one in midPoint. Therefore we prefer the
conservative approach and we rather maintain status quo.<span
class=""><br>
<br>
<br>
<br>
</span>
<div>
<div class="h5"> On 11/20/2016 04:44 PM, Radovan
Semancik wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div class="m_-2249893482612098258moz-cite-prefix">Hi,<br>
<br>
There is no update operation in the log. Therefore
midPoint is not invoking the group membership
removal at all. I'm not sure what exactly happens
here. Your configuration seems to be OK at the
first sight and I would tell that your setup
should work. Therefore this may be a midPoint bug.
I will try to reproduce similar situation in
midPoint tests. I'll let you know how it went.<br>
<br>
<br>
<br>
On 11/16/2016 01:49 PM, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Radovan, here is the log of the operation as
you suggested. At the beginning the
"AD-SuperRole" had 3 inducements to roles
(with MetaRole): AD-Group3, AD-Group4 and
AD-Group5. The user ltroncoso has this
AD-SuperRole and he has 3 groups assigned on
AD. Then we removed the AD-Group3 from the
AD-SuperRole and reconciled the User from the
Admin-GUI but he still has the groupMembership
on AD to Group3. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Attached
is the AD-SuperRole, the AD_GROUP-ENTITLEMENT
(MetaRole), the AD-Group3 and the User's xml. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Do
you need any additional information ?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Best
regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On Wed, Nov 16, 2016 at
7:35 AM, Radovan Semancik <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:radovan.semancik@evolveum.com"
target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div
class="m_-2249893482612098258m_-3093975276269421028moz-cite-prefix">Hi,<br>
<br>
This is a really interesting case.
Initially I was suspecting a problem in
the scripted SQL connector. We do not
use these scripted connectors much as
the configurations are very difficult to
maintain. With the many possible uses of
the scripted connectors these are likely
to be a cause of problems. But if that
issue affects the AD/LDAP connector then it
may indicate a midPoint issue.<br>
<br>
Just to provide complete information:
some time ago I wrote a guide on how
to systematically diagnose issues like
these. Here it is: <br>
<br>
<a moz-do-not-send="true"
class="m_-2249893482612098258m_-3093975276269421028moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings"
target="_blank">https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings</a><br>
<br>
However, to cut it short, first
interesting thing would be to see what
operation midPoint sends to the
connector. Please enable the ConnId
operation logging by setting following
logger:<br>
<br>
<pre>org.identityconnectors.framework: TRACE
</pre>
Then re-try the operation (an example of the message that you are
looking for is in the guide). This should give us information
whether the problem is that midPoint is sending a wrong operation to the
connector or whether the connector is doing the wrong thing. Then we
will know where to focus further search for the problem.<span class="m_-2249893482612098258HOEnZb"><font color="#888888">
</font></span><div><div class="m_-2249893482612098258h5">
On 11/14/2016 04:11 PM, Nicolas Rossi wrote:
</div></div></div><div><div class="m_-2249893482612098258h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
guys, I'd like to add more information to this issue. We are
also facing the same issue with the AD-Ldap driver when a Role
loses an inducement to another Role. After reconciling the user,
the group membership is not removed. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I've
added the <tolerant>false</tolerant> flag to the
Meta Role as Ivan said but there was no change. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Nov 11, 2016 at 5:09 PM,
Nicolas Rossi <span dir="ltr"><<a moz-do-not-send="true" href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>
wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Ivan / Radovan</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I
guess there is a problem in the ScriptedSQL driver (not
the scripts) when an inducement is unassigned from a
Role because we are facing the same issue in two
different situations:</div>
<div class="gmail_default">
<ol>
<li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role with
inducements to entitlements is unassigned from a
user, the script does not receive the action
REMOVE_ATTRIBUTE_VALUE</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role (with
MetaRole) is unassigned from a functional role
assigned to a user, when recomputing the user the
script does not receive the action
REMOVE_ATTRIBUTE_VALUE</font></li>
</ol>
<div><font face="arial, helvetica, sans-serif" color="#444444">Both situations are working when you
assign the inducements. I have an isolated example <a moz-do-not-send="true" href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a>.</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">
</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">Best regards,</font></div>
</div>
</div>
<div class="gmail_extra">
<div>
<div class="m_-2249893482612098258m_-3093975276269421028h5">
<div class="gmail_quote">On Fri, Nov 11, 2016 at 11:00
AM, Rodrigo Yanis <span dir="ltr"><<a moz-do-not-send="true" href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>></span>
wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Ivan,
<div>
</div>
<div>Just tried configuring the meta-role just
like that. Unfortunately no progress. We'll
continue analyzing this and keep you posted if
we find anything.</div>
<div>
</div>
<div>Thanks a lot.</div>
<div>
</div>
<div>Regards,</div>
</div>
<div class="gmail_extra"><span>
<div>
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
</div>
<div dir="ltr"><font face="arial,
helvetica, sans-serif"><b>Rodrigo
Yanis.</b>
<img moz-do-not-send="true" src="http://www.identicum.com/img/favicon.ico">Identicum S.A.
</font>Jorge Newbery
3226
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif">
<a moz-do-not-send="true" href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>
<a moz-do-not-send="true" href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span>
<div>
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276h5">
<div class="gmail_quote">2016-11-11 2:46
GMT-05:00 Ivan Noris <span dir="ltr"><<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>I meant this:</p>
<p>...</p>
<pre><inducement>
  <construction>
    <resourceRef oid="00000000-dc00-dc00-0001-000000000021" type="c:ResourceType"/><!-- Portal intranet -->
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <ref>ri:wsEntitlements</ref>
      <outbound>
        <b><strength>strong</strength></b>
        <source>
          ...
        </source>
        <expression>
          ...
</pre>
<p>But I think your problem should be
resolved by tolerance (set to false)
- strong mapping strength is to
allow midPoint to enforce the group
assignment when reconciling. Still I
don't have any other idea. I hope
that's not a problem with that
specific connector because I
wouldn't be able to help with Java.</p>
<p>Best regards,</p>
<p>Ivan
</p>
<div>
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960h5">
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-cite-prefix">On
11/10/2016 09:36 PM, Rodrigo
Yanis wrote:
</div>
<blockquote type="cite">
<div dir="ltr">Ivan,
<div>
</div>
<div>I've compared your XML to
my association attribute's
definition on the resource
and it looks the same. Can
you please explain further
what you mean by defining
strength on the role itself?
We've got a Meta-role ->
Application role -> High
level role architecture
going (I believe it's just
the same as yours except for
the meta-role), and the
group association is defined
on the meta-role. Do you
mean we should somehow
define strength there?
Because it isn't explicitly
set.</div>
<div>
</div>
<div>This is the inducement
for the group association on
the meta-role definition:</div>
<div>
</div>
<pre><inducement id="2">
  <construction>
    <resourceRef oid="00000000-0000-1de4-0002-000000000003" type="c:ResourceType"><!-- BANNER_USUARIOS --></resourceRef>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <c:ref>ri:GroupObjectClass</c:ref>
      <outbound>
        <expression>
          <associationFromLink>
            <projectionDiscriminator>
              <kind>entitlement</kind>
              <intent>default</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>2</order>
</inducement>
</pre>
<div>
</div>
<div>Don't mind me if I sound
a bit confused.</div>
<div>
</div>
<div>Thanks for your help.</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">2016-11-10
13:51 GMT-05:00 Ivan Noris <span dir="ltr"><<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>unfortunately no
other idea yet. I was
running recompute ca.
two weeks ago to
remove some
application groups
that were not added by
midPoint, the goal was
to have association
configuration with
tolerant=false and it
worked (this was
a custom connector, not
ScriptedSQL):</p>
<pre><association>
  <ref>ri:wsEntitlements</ref>
  <tolerant>false</tolerant>
  <matchingRule>mr:stringIgnoreCase</matchingRule>
  <kind>entitlement</kind>
  <intent>ws-entitlement</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>ri:accountId</associationAttribute>
  <valueAttribute>icfs:uid</valueAttribute>
</association>
</pre>
<p>In all roles where
association is used,
<strength>strong</strength>
is used as well (but
the tolerant=false is
a must). The recompute
then worked as
supposed and removed
all non-midpoint
groups from the
accounts. The accounts
were constructed by
hierarchical roles
(User - assign -
Business role -
inducement -
Application role) and
the association was in
the Application role.</p>
<p>Best regards,</p>
<p>Ivan
</p>
<div>
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878h5">
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-cite-prefix">On
11/10/2016 06:21
PM, Rodrigo Yanis
wrote:
</div>
<blockquote type="cite">
<p dir="ltr">Hello
Ivan, thanks for
your response.</p>
<p dir="ltr">Unfortunately
this didn't
work. All our
association
attributes are
set to
tolerance=false
by default.</p>
<p dir="ltr">Strange
thing is, this
only happens
when reconciling
on already
assigned high
level roles, not
on assignment
time.</p>
<p dir="ltr">Any
other
suggestion?
Thanks again,</p>
<div class="gmail_extra">
<div class="gmail_quote">2016-11-10
9:48 GMT-05:00
Ivan Noris <span dir="ltr"><<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>maybe
<tolerant>false</tolerant>
for
association or
your group
attribute (if
not using
associations)
could help...</p>
<p>Ivan
</p>
<div>
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
11/10/2016
03:33 PM,
Rodrigo Yanis
wrote:
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
<div dir="ltr">Hello
everyone,
<div>
</div>
<div>We're
having issues
with our
ScriptedSQL
connector
mishandling
group
membership
removals when
said
memberships
come from
roles that are
inherited from
a higher level
role, that is
assigned to
the user.</div>
<div>
</div>
<div>When we
remove the
database role
(the one that
is linked to
the resource's
meta-role, and
represents a
database
group) from
the higher
level role,
and perform a
reconciliation
on the user,
this does not
remove the
group
membership of
this user in
the database.
This only
happens if the
database role
is assigned
directly to
the user, and
then removed.</div>
<div>
</div>
<div>We've
also tried
with a
recompute task
on the user,
still with no
luck.</div>
<div>
</div>
<div>Since our
role hierarchy
does not
support this
last option,
we must find a
way (either
through a task
or directly)
to remove
memberships to
roles that are
no longer
induced into
the high level
role. </div>
<div>
</div>
<div>Do you
have an idea
on how to
proceed? </div>
<div>
</div>
<div>Thanks
for your help</div>
<div>
</div>
</div>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></blockquote><span class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
<pre class="m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</body></html>