<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(68,68,68)"><span style="font-family:arial,helvetica,sans-serif">Hi Radovan, we found a combination of settings to make it work:</span></div><div class="gmail_default"><ul style="color:rgb(68,68,68);font-size:small"><li>The user association to group is defined as subjectToObject where the user has a <b>groups</b> attribute as multivalued and set tolerant to false<br></li><li>The Meta Role outbound configuration has strength as strong</li><li>The Update Script deletes user assignments not contained on the groups attribute received and then tries to assign each group received:</li></ul><div><div><font color="#444444" face="monospace, monospace"> case "ADD_ATTRIBUTE_VALUES":</font></div><div><font face="monospace, monospace"><br></font></div><div><font color="#444444" face="monospace, monospace"> if(objectClass == "__ACCOUNT__")</font></div><div><font color="#444444" face="monospace, monospace"> {</font></div><div><font color="#444444" face="monospace, monospace"> def groups = attributes.get("groups");</font></div><div><font color="#444444" face="monospace, monospace"> if(groups != null && groups.size() > 0)</font></div><div><font color="#444444" face="monospace, monospace"> {</font></div><div><font face="monospace, monospace"><span style="color:rgb(68,68,68)"> <b>sql.execute("delete from UserGroups where user_id = ${uid} and group_id not in (" + groups.join(",") + ")");</b></span><br></font></div><div><font color="#444444" face="monospace, monospace"> }</font></div><div><font color="#444444" face="monospace, monospace"> for(String group : attributes.get("groups"))</font></div><div><font color="#444444" face="monospace, monospace"> {</font></div><div><font color="#444444" face="monospace, monospace"> def existingEntitlement = sql.rows("SELECT 1 FROM UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as String]);</font></div><div><font color="#444444" face="monospace, monospace"> if(existingEntitlement.<wbr>isEmpty())</font></div><div><font color="#444444" face="monospace, monospace"> {</font></div><div><font face="monospace, monospace"><span style="color:rgb(68,68,68)"> sql.execute("insert into UserGroups (user_id, group_id) values (" + uid + "," + group + ")");</span><br></font></div><div><font color="#444444" face="monospace, monospace"> }</font></div><div><font color="#444444" face="monospace, monospace"> else</font></div><div><font color="#444444" face="monospace, monospace"> {</font></div><div><font color="#444444" face="monospace, monospace"> <a href="http://log.info" target="_blank">log.info</a>("Sample - Skipping assignment because user ${uid} already has group ${group}");</font></div><div><font color="#444444" face="monospace, monospace"> }</font></div><div><font color="#444444" face="monospace, monospace"> } </font></div><div><font color="#444444" face="monospace, monospace"> }</font></div></div><div style="color:rgb(68,68,68);font-size:small"><br></div><div><div style="color:rgb(68,68,68);font-size:small">With these settings, every time the user has a new assignment, unassignment or is reconciled, the Update script receives an ADD_ATTRIBUTE_VALUE operation of objectClass __ACCOUNT__ with the array of groups the user has in midPoint at this point:</div><div style="color:rgb(68,68,68);font-size:small"><br></div><div style="color:rgb(68,68,68);font-size:small"><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="color:rgb(34,34,34);font-size:13px;table-layout:fixed;font-family:arial,sans,sans-serif;border-collapse:collapse;border:1px solid rgb(204,204,204)"><colgroup><col width="345"><col width="534"></colgroup><tbody><tr style="height:21px"><td style="padding:2px 3px;border-color:rgb(0,0,0);font-weight:bold;vertical-align:top">midPoint Action</td><td style="padding:2px 3px;vertical-align:bottom;border-top-color:rgb(0,0,0);border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);font-weight:bold">Script behaviour</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Role directly assigned to User</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ with the list of the user's assignments</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Role directly unassigned from User</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ with the list of the user's assignments</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Role with inducements assigned to User</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ with the list of the user's assignments</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Inducement removed from Role and User reconcile</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ with the list of the user's assignments</td></tr></tbody></table></div><div style="color:rgb(68,68,68);font-size:small"><br></div></div><div style="color:rgb(68,68,68);font-size:small">Is that the only way to make it work ? I mean deleting user-group associations on each ADD_ATTRIBUTE_VALUES assuming that I will receive the entire group list the user should have after the operation, because the user can have assignments on the Resource that are not represented in midPoint that would be deleted.</div><div style="color:rgb(68,68,68);font-size:small"><br></div><div style="color:rgb(68,68,68);font-size:small">On the other hand when:</div><div><ul style="color:rgb(68,68,68);font-size:small"><li>The user association to group is defined as subjectToObject where the user has a <b>groups</b> attribute as multivalued and set tolerant to false<br></li><li>The Meta Role does not have strength configuration </li><li>The Update script removes values only on REMOVE_ATTRIBUTE_VALUES operation</li></ul><font color="#444444">With these settings these are the results:</font></div><div><font color="#444444"><br></font></div><div><div style="color:rgb(68,68,68)"><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="table-layout:fixed;font-size:13px;font-family:arial,sans,sans-serif;border-collapse:collapse;border:1px solid rgb(204,204,204)"><tbody><tr style="height:21px"><td style="padding:2px 3px;vertical-align:bottom;border-color:rgb(0,0,0);font-weight:bold">midPoint Action</td><td style="padding:2px 3px;vertical-align:bottom;border-top-color:rgb(0,0,0);border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);font-weight:bold">Script behaviour </td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Role directly assigned to User</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ with assigned value</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Role directly unassigned from User</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">REMOVE_ATTRIBUTE_VALUES to __ACCOUNT__ with unassigned value</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Role with inducements assigned to User</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0)">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ with assigned values (inducements)</td></tr><tr style="height:21px"><td style="padding:2px 3px;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);border-left-color:rgb(0,0,0);vertical-align:top">Inducement removed from Role and User reconcile</td><td style="padding:2px 3px;vertical-align:bottom;border-right-color:rgb(0,0,0);border-bottom-color:rgb(0,0,0);word-wrap:break-word">ADD_ATTRIBUTE_VALUES to __ACCOUNT__ for each assigned value <b style="background-color:rgb(255,229,153)">but no REMOVE_ATTRIBUTE_VALUE operation for the removed inducement<br><br></b></td></tr></tbody></table></div></div><div><font color="#444444"><br></font></div><div>Clearly the first configuration is not possible for us to use. We should figure out how to make the second one work.</div><div><br></div><div>Best regards, </div><div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Nov 21, 2016 at 2:38 PM, Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Sorry, there was a typo on the operation triggered:</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><ul style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px"><li style="margin-left:15px"><font color="#444444" face="arial, helvetica, sans-serif"><b>ScriptedSQL-Group6</b> role is unassigned from ScriptedSQL-SuperRole</font></li><li style="margin-left:15px"><font color="#444444" face="arial, helvetica, sans-serif">User Celeste is reconciled</font></li></ul></div></div><div class="gmail_extra"><br clear="all"><div><div class="m_2553170879631977449gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><span class=""><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></span></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Mon, Nov 21, 2016 at 12:17 PM, Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi, here is the provisioning log (DEBUG mode):</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default"><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:07,928 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Entering SEARCH Script with objectClass __ACCOUNT__</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:07,950 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Search WHERE clause is: WHERE id = 8</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,016 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Entering SEARCH Script with objectClass __GROUP__</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,031 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Search WHERE clause is: WHERE id = 4</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,188 [] [Thread-107] DEBUG (com.evolveum.midpoint.provisi<wbr>oning.impl.ResourceObjectConve<wbr>rter): PROVISIONING MODIFY operation on resource:00000000-0000-1de4-00<wbr>02-000000000010(ScriptedSQL)</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> MODIFY object, object class ACCOUNT:default, identified by:</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> [</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> uid: 8</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> ]</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> changes:</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> [</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> Property modification operation:</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> attributes/groups</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> ADD: 4</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace"> ]</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,286 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Entering Update Script with action ADD_ATTRIBUTE_VALUES Script for object class __ACCOUNT__</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,288 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Sample - Attribute received: groups -> [4]</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,288 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Sample - Entro en add attribute values</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,290 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Sample - Skipping assignment because user 8 already has group 4</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,290 [] [Thread-107] DEBUG (com.evolveum.midpoint.provisi<wbr>oning.impl.ResourceObjectConve<wbr>rter): PROVISIONING MODIFY successful, side-effect changes {</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">}</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,586 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Entering SEARCH Script with objectClass __GROUP__</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,601 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Search WHERE clause is: WHERE id = 4</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,673 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Entering SEARCH Script with objectClass __GROUP__</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><font face="monospace, monospace">2016-11-21 12:01:08,711 [] [Thread-107] DEBUG (<a href="http://org.forgerock.openicf.misc.sc">org.forgerock.openicf.misc.sc</a><wbr>riptedcommon.ScriptedConnector<wbr>): method: null msg:Search WHERE clause is: WHERE id = 4</font></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif">The context before the operation was:</div><div class="gmail_default"><ul><li><font color="#444444" face="arial, helvetica, sans-serif">User Celeste has an account with id 8 on ScriptedSQL resource</font></li><li><font color="#444444" face="arial, helvetica, sans-serif">User Celeste has an assignment to ScriptedSQL-SuperRole</font></li><li><font color="#444444" face="arial, helvetica, sans-serif">Role ScriptedSQL-SuperRole has an assignment to ScriptedSQL-Group4 and ScriptedSQL-Group6</font></li><li><font color="#444444" face="arial, helvetica, sans-serif">Account 8 has roles 4 and 6 on the resource</font></li></ul><div><font color="#444444" face="arial, helvetica, sans-serif">This was the operation I triggered:</font></div><ul><li><font color="#444444" face="arial, helvetica, sans-serif">ScriptedSQL-Group5 role is unassigned from ScriptedSQL-SuperRole</font></li><li><font color="#444444" face="arial, helvetica, sans-serif">User Celeste is reconciled</font></li></ul><div><font color="#444444" face="arial, helvetica, sans-serif">There is no reference to ScriptedSQL-Group6 (id = 6) in the log. Attached is the log in TRACE mode of same operation.</font></div><div><font color="#444444" face="arial, helvetica, sans-serif"><br></font></div><div><font color="#444444" face="arial, helvetica, sans-serif">This is the meta role definition:</font></div><div><font color="#444444" face="monospace, monospace"><br></font></div><div><font color="#444444"><span><div><font face="monospace, monospace"> <association></font></div><div><font face="monospace, monospace"> <c:ref>ri:GroupObjectClass</c:<wbr>ref></font></div></span><div><font face="monospace, monospace"> <b><tolerant>false</tolerant></b></font></div><div><font face="monospace, monospace"> <outbound></font></div><div><font face="monospace, monospace"> <b><strength>strong</strength></b></font></div><span><div><font face="monospace, monospace"> <expression></font></div><div><font face="monospace, monospace"> <associationFromLink></font></div><div><font face="monospace, monospace"> <projectionDiscriminator></font></div><div><font face="monospace, monospace"> <kind>entitlement</kind></font></div><div><font face="monospace, monospace"> <intent>default</intent></font></div><div><font face="monospace, monospace"> </projectionDiscriminator></font></div><div><font face="monospace, monospace"> </associationFromLink></font></div><div><font face="monospace, monospace"> </expression></font></div><div><font face="monospace, monospace"> </outbound></font></div><div><font face="monospace, monospace"> </association></font></div><div style="font-family:arial,helvetica,sans-serif"><br></div></span><div style="font-family:arial,helvetica,sans-serif">And this is the association definition on the ScriptedSQL resource:</div><div style="font-family:arial,helvetica,sans-serif"><br></div><div><span><div><font face="monospace, monospace"> <association></font></div><div><font face="monospace, monospace"> <c:ref>ri:GroupObjectClass</c:<wbr>ref></font></div></span><div><font face="monospace, monospace"> <b><tolerant>false</tolerant></b></font></div><span><div><font face="monospace, monospace"> <kind>entitlement</kind></font></div><div><font face="monospace, monospace"> <intent>default</intent></font></div></span><div><font face="monospace, monospace"> <direction>subjectToObject</di<wbr>rection></font></div><div><font face="monospace, monospace"> <associationAttribute>ri:group<wbr>s</associationAttribute></font></div><span><div><font face="monospace, monospace"> <valueAttribute>icfs:uid</valu<wbr>eAttribute></font></div><div><font face="monospace, monospace"> </association></font></div></span></div></font></div><div><font color="#444444" face="arial, helvetica, sans-serif"><br></font></div><div><font color="#444444" face="arial, helvetica, sans-serif">Regards,</font></div></div><div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif"><br></div></div></div><div class="gmail_extra"><span><br clear="all"><div><div class="m_2553170879631977449m_-836825905956045561gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br></span><div><div class="m_2553170879631977449h5"><div class="gmail_quote">On Mon, Nov 21, 2016 at 11:09 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565moz-cite-prefix">Hi,<br>
<br>
That's strange. The ScriptedSQL is somehow different. But it
should not be THAT different. Please once again look at the ConnId
operation trace. That's the most reliable source of debugging
information in this case.<br>
<br>
But based on your information I would guess that it really is
midPoint issue. If the connector is not getting the remove
operation than that means that midpoint is not sending it. If you
are sure that the "model" configuration is correct (e.g. tolerant
setting, mapping strength, etc.) then it is most likely that the
provisioning part is filtering out the operation. There may be
several reasons for that. E.g. if the read operation does not work
properly midPoint may think that the value is not there and
therefore there is no need to remove it. Some resources (namely
LDAP) are quite touchy and they respond with an error if we try to
remove a value that is not there. Therefore we are often filtering
the deltas before sending them to connector. Or there may be
several other cases. Generally setting provisioning logging to
DEBUG (and in extreme cases to TRACE) should give you more
information what it really happening. To be more specific try
setting:<br>
com.evolveum.midpoint.provisio<wbr>ning: DEBUG<span><br>
<br>
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br></span><div><div class="m_2553170879631977449m_-836825905956045561h5">
On 11/21/2016 01:38 PM, Nicolas Rossi wrote:<br>
</div></div></div><div><div class="m_2553170879631977449m_-836825905956045561h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Radovan. It worked for ActiveDirectory connector but didn't
for the ScriptedSQL. We have added an echo at the beginning of
each groovy scripts printing the action and the object class
received and It only receives an ADD_ATTRIBUTE_VALUE of the
value that the user already had. There is no
REMOVE_ATTRIBUTE_VALUE so I guess the issue is on the
connector this time. I have an isolated set of resource, meta
role and role to reproduce the issue. You can download it from
<a href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a>
if you want. The main difference with the Active Directory
resource is in the association: subjectToObject vs
objectToSubject. Do you think the problem could be there ?
I'll try it.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
guess it would be helpful add this info of tolerant attribute
on this page: <a href="https://wiki.evolveum.com/display/midPoint/Entitlements" target="_blank">https://wiki.evolveum.co<wbr>m/display/midPoint/Entitlement<wbr>s</a>.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best
regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Nov 21, 2016 at 7:15 AM,
Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258moz-cite-prefix">Hi,<br>
<br>
I have created the test. And surprisingly it is passing.
This is 3.5-SNAPSHOT, but it is very likely that it
works also in earlier versions. Therefore it looks it is
really a misconfiguration. The cause is really most
likely the tolerant flag. The tolerant flag is critical
in this situation. <br>
<br>
For "normal" midPoint operations when you are adding or
removing an assignment from user we have the delta. We
know what has changed. Therefore we remove the group
even if it is set to tolerant. Because we know that the
last assignment that "induced" that group was just
removed.<br>
<br>
But if you change the meta role (first operation) and
then reconcile the user (second operation) then there is
no delta. These operations are independent. MidPoint
does not know what has changed in the meta-role.
Therefore it cannot use the same logic to remove the
user from the group. Slightly different logic is used in
reconciliation. Logic that is not based on deltas
(because there are none). And in this case the tolerant
flag is important. If it is set to true then midPoint
will NOT remove the extra values from the attribute or
the extra entitlements. If it is set to false then
midPoint will remove them.<br>
<br>
Please make sure you have the association set to
non-tolerant in the schemaHandling section of the
resource definition. Like this:<br>
<br>
<resource><br>
<schemaHandling><br>
....<br>
<association><br>
<ref>ri:group</ref><br>
<tolerant>false</tolerant><br>
....<br>
</association><br>
...<br>
<br>
This has to be defined in the schemaHandling and NOT in
the role or meta-role. The tolerance is the property of
the attribute/association itself and NOT a property of
any mapping, role or value. The values that are not
given by any role and just that - not given by any role.
So we do not have any role definition that we can apply
to them. Therefore the setting whether the
attribute/association is tolerant or not is somehow
"global". Therefore it needs to be defined in
schemaHandling.<br>
<br>
Also, please make sure that your mappings are strong,
e.g.<br>
<br>
<role><br>
...<br>
<inducement><br>
<construction><br>
...<br>
<association><br>
<ref>ri:group</ref><br>
<outbound><br>
<strength>strong</strength><br>
...<br>
</outbound><br>
</association><br>
</construction><br>
</inducement><br>
<br>
Mappings that are of "normal" strength are inherently
delta-based and they are usually NOT processed by the
reconciliation at all. For "normal" mappings the last
change wins. But in reconciliation we have no idea what
change was the last one - whether the one on the
resource or the one in midPoint. Therefore we prefer the
conservative approach and we rather maintain status quo.<span><br>
<br>
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
</span>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565h5"> On 11/20/2016 04:44 PM, Radovan
Semancik wrote:<br>
</div>
</div>
</div>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565h5">
<blockquote type="cite">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258moz-cite-prefix">Hi,<br>
<br>
There is no update operation in the log. Therefor
midPoint is not invoking the group membership
removal at all. I'm not sure what exactly happens
here. Your configuration seems to be OK at the
first sight and I would tell that your setup
should work. Therefore this may be a midPoint bug.
I will try to reproduce similar situation in
midPoint tests. I'll let you know how it went.<br>
<br>
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
On 11/16/2016 01:49 PM, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Radovan, here is the log of the operation as
you suggested. At the beginning the
"AD-SuperRole" had 3 inducements to roles
(with MetaRole): AD-Group3, AD-Group4 and
AD-Group5. The user ltroncoso has this
AD-SuperRole and he has 3 groups assigned on
AD. Then we removed the AD-Group3 from the
AD-SuperRole and reconciled the User from the
Admin-GUI but he still has the groupMembership
on AD to Group3. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Attached
is the AD-SuperRole, the AD_GROUP-ENTITLEMENT
(MetaRole), the AD-Group3 and the User's xml. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Do
you need any additional information ?</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Best
regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Wed, Nov 16, 2016 at
7:35 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-cite-prefix">Hi,<br>
<br>
This is a really interesting case.
Initially I was suspecting a problem in
the scripted SQL connector. We do not
use these scripted connectors much as
the configurations are very difficult to
maintain. With the many possible uses of
the scripted connectors these are likely
to be a cause of problems. But if that
issue affects AD/LDAP connector then it
may indicate midPoint issue.<br>
<br>
Just to provide complete information:
some time ago I have written a guide how
to systematically diagnose issues like
these. Here it is: <br>
<br>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings" target="_blank">https://wiki.evolveum.com/disp<wbr>lay/midPoint/Troubleshooting+M<wbr>appings</a><br>
<br>
However, to cut it short, first
interesting thing would be to see what
operation midPoint sends to the
connector. Please enable the ConnId
operation logging by setting following
logger:<br>
<br>
<pre>org.identityconnectors.framewo<wbr>rk: TRACE
</pre>
Then re-try the operation (example of the message that you are
looking for is in the guide). This should give us information
whether the problem is that midPoint is sending wrong operation to
connector or whether the connector is doing wrong thing. Then we
will know where to focus further search for the problem.<span class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258HOEnZb"><font color="#888888">
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></font></span><div><div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258h5">
On 11/14/2016 04:11 PM, Nicolas Rossi wrote:
</div></div></div><div><div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
guys, I'd like to add more information to this issue. We are
also facing the same issue with the AD-Ldap driver when a Role
loses an inducement to another Role. After reconcile the user
the group membership is not removed. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I've
added the <tolerant>false</tolerant> flag to the
Meta Role as Ivan said but there was no change. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div>
</div>
<div class="gmail_extra">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">
<font color="#444444">Ing
Nicolás Rossi</font>
<font color="#999999">Identicum
S.A.</font>
<font color="#999999">Jorge
Newbery 3226</font>
<font color="#999999">Tel:
+54 (11) 4552-3050</font>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_quote">On Fri, Nov 11, 2016 at 5:09 PM,
Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>
wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Ivan / Radovan</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I
guess there is a problem in the ScriptedSQL driver (not
the scripts) when an inducement is unassigned from a
Role because we are facing the same issue in two
different situations:</div>
<div class="gmail_default">
<ol>
<li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role with
inducements to entitlements is unassigned from
user the script does not receive the action
REMOVE_ATTRIBUTE_VALUE</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role (with
MetaRole) is unassigned from a functional role
assigned to user when recompute the user the
script does not receive the action
REMOVE_ATTRIBUTE_VALUE</font></li>
</ol>
<div><font face="arial, helvetica, sans-serif" color="#444444">Both situations are working when you
assign the inducements. I have an isolated example <a href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a>.</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">
</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">Best regards,</font></div>
</div>
</div>
<div class="gmail_extra">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica, sans-serif">
<font color="#444444">Ing
Nicolás Rossi</font><span>
<font color="#999999">Identicum
S.A.</font>
<font color="#999999">Jorge
Newbery 3226</font>
</span><font color="#999999">Tel:
+54 (11) 4552-3050</font>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028h5">
<div class="gmail_quote">On Fri, Nov 11, 2016 at 11:00
AM, Rodrigo Yanis <span dir="ltr"><<a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>></span>
wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Ivan,
<div>
</div>
<div>Just tried configuring the meta-role just
like that. Unfortunately no progress. We'll
continue analyzing this and keep you posted if
we find anything.</div>
<div>
</div>
<div>Thanks a lot.</div>
<div>
</div>
<div>Regards,</div>
</div>
<div class="gmail_extra"><span>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
</div>
<div dir="ltr"><font face="arial,
helvetica, sans-serif"><b>Rodrigo
Yanis.</b>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.
</font>Jorge Newbery
3226
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif">
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276h5">
<div class="gmail_quote">2016-11-11 2:46
GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>I meant this:</p>
<p>...</p>
<p> <inducement>
<construction>
<resourceRef
oid="00000000-dc00-dc00-0001-0<wbr>00000000021"
type="c:ResourceType"/><!--
Portal intranet --><span>
<kind>account</kind>
<intent>default</intent>
<association>
</span>
<ref>ri:wsEntitlements</ref>
<outbound>
<b>
<strength>strong</strength></b><b>
</b> <source>
...
</source>
<expression>
...</p>
<p>But I think your problem should be
resolved by tolerance (set to false)
- strong mapping strength is to
allow midPoint to enforce the group
assignment when reconciling. Still I
don't have any other idea. I hope
that's not a problem with that
specific connector because I
wouldn't be able help with Java.</p>
<p>Best regards,</p>
<p>IVan
</p>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960h5">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-cite-prefix">On
11/10/2016 09:36 PM, Rodrigo
Yanis wrote:
</div>
<blockquote type="cite">
<div dir="ltr">Ivan,
<div>
</div>
<div>I've compared your XML to
my association attribute's
deffinition on the resource
and it looks the same. Can
you please explain further
what you mean by defining
strength on the role itself?
We've got a Meta-role ->
Application role -> High
level role architecture
going (I believe it's just
the same as yours except for
the meta-role), and the
group association is defined
on the meta-role. Do you
mean we should somehow
define strength there?
because it isn't explicitly
set.</div>
<div>
</div>
<div>This is the inducement
for the group association on
the meta-role definition:</div>
<div>
</div>
<font size="1"><inducement
id="2">
<construction>
<resourceRef
oid="00000000-0000-1de4-0002-0<wbr>00000000003"
type="c:ResourceType"><!-- BANNER_USUARIOS
--></resourceRef>
<kind>account</kind>
<intent>default</intent>
<association>
<c:ref>ri:GroupObjectClass</c:<wbr>ref>
<outbound>
<expression>
<associationFromLink>
<projectionDiscriminator>
<kind>entitlement</kind>
<intent>default</intent>
</projectionDiscriminator>
</associationFromLink>
</expression>
</outbound>
</association>
</construction>
<order>2</order>
</inducement></font>
<div>
</div>
<div>Don't mind me if I sound
a bit confused.</div>
<div>
</div>
<div>Thanks for your help.</div>
</div>
<div class="gmail_extra">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
</div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><b>Rodrigo
Yanis.</b>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.
</font>Jorge
Newbery 3226
Tel: +54 (11)
4824-9971<font face="arial,
helvetica,
sans-serif">
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_quote">2016-11-10
13:51 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>unfortunately no
other idea yet. I was
running recompute ca.
two weeks ago to
remove some
application groups
that were not added by
midPoint, the goal was
to have association
configuration with
tolerant=false and it
worked (this was
custom connector, not
ScriptedSQL):</p>
<p>
<association>
<ref>ri:wsEntitlements</ref>
<tolerant>false</tolerant>
<matchingRule>mr:stringIgnoreC<wbr>ase</matchingRule>
<kind>entitlement</kind>
<intent>ws-entitlement</intent<wbr>>
<direction>objectToSubject</di<wbr>rection>
<associationAttribute>ri:accou<wbr>ntId</associationAttribute>
<valueAttribute>icfs:uid</valu<wbr>eAttribute>
</association>
</p>
<p>In all roles where
association is used,
<strength>strong</strength>
is used as well (but
the tolerant=false is
a must). The recompute
then worked as
supposed and removed
all non-midpoint
groups from the
accounts. The accounts
were constructed by
hierarchical roles
(User - assign -
Business role -
inducement -
Application role) and
the association was in
the Application role.</p>
<p>Best regards,</p>
<p>Ivan
</p>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878h5">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-cite-prefix">On
11/10/2016 06:21
PM, Rodrigo Yanis
wrote:
</div>
<blockquote type="cite">
<p dir="ltr">Hello
Ivan, thanks for
you response.</p>
<p dir="ltr">Unfortunatelly
this didn't
work. All our
association
attributes are
set to
tolerance=false
by default.</p>
<p dir="ltr">Strange
thing is, this
only happens
when reconciling
on already
assigned high
level roles, not
on assignment
time.</p>
<p dir="ltr">Any
other
suggestion?
Thanks again,</p>
<div class="gmail_extra">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
</div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><b>Rodrigo
Yanis.</b>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.
</font>Jorge
Newbery 3226
Tel: +54 (11)
4824-9971<font face="arial,
helvetica,
sans-serif">
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_quote">2016-11-10
9:48 GMT-05:00
Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>maybe
<tolerant>false</tolerant>
for
association or
your group
attribute (if
not using
associations)
could help...</p>
<p>Ivan
</p>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
11/10/2016
03:33 PM,
Rodrigo Yanis
wrote:
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
<div dir="ltr">Hello
everyone,
<div>
</div>
<div>We're
having issues
with our
ScriptedSQL
connector
misshandling
group
membership
removals when
said
memberships
come from
roles that are
inherited from
a higher level
role, that is
assigned to
the user.</div>
<div>
</div>
<div>When we
remove the
database role
(the one that
is linked to
the resource's
meta-role, and
represents a
database
group) from
the higher
level role,
and perform a
reconciliation
on the user,
this does not
remove the
group
membership of
this user in
the database.
This only
happens if the
database role
is assigned
directly to
the user, and
then removed.</div>
<div>
</div>
<div>We've
also tried
with a
recompute task
on the user,
still with no
luck.</div>
<div>
</div>
<div>Since our
role hierarchy
does not
support this
last option,
we must find a
way (either
through a task
or directly)
to remove
memberships to
roles that are
no longer
induced into
the high level
role. </div>
<div>
</div>
<div>Do you
have an idea
on how to
proceed? </div>
<div>
</div>
<div>Thanks
for your help</div>
<div>
<div>
<div class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
</div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><b>Rodrigo
Yanis.</b>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.
</font>Jorge
Newbery 3226
Tel: +54 (11)
4824-9971<font face="arial,
helvetica,
sans-serif">
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<fieldset class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229mimeAttachmentHeader"></fieldset>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></blockquote><span class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</blockquote></div>
</div>
<fieldset class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684mimeAttachmentHeader"></fieldset>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></div></div></div>
______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</blockquote></div>
</div>
<fieldset class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878mimeAttachmentHeader"></fieldset>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></div></div></div>
______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</blockquote></div>
</div></div></div>
______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div>
<fieldset class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028mimeAttachmentHeader"></fieldset>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
</div></div></div>
______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</blockquote></div>
</div>
<fieldset class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258mimeAttachmentHeader"></fieldset>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565m_-2249893482612098258moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
</blockquote>
</div></div></div>
______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</blockquote></div>
</div>
<fieldset class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565mimeAttachmentHeader"></fieldset>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_2553170879631977449m_-836825905956045561m_-6181252134839203565moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
</div></div></div><br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>