<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi Radovan!! It's working now!!!!</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">The association definition was almost fine; I added the shortcuts from Groups pointing to Users with "members" and I also added the field members to the Group schema.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I guess the main issue was in the scripts. We started from a ScriptedSQL Sample resource from github and it doesn't have any relationship between Users and Groups. So we created it with a table UserGroups, but we didn't add the multivalued attribute to the result array in the SearchScript. That was the big mistake.
After returning the list of user groups and group members I could see the associations in the GUI, and the behavior on remove and reconcile was OK!</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here is an example of what I am saying:</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default"><pre>
case "__ACCOUNT__":
    // Users joined with UserGroups; the group ids are concatenated into one
    // comma-separated column so that each account row carries its memberships
    sqlQuery = "SELECT Users.*, IFNULL(GROUP_CONCAT(UserGroups.group_id SEPARATOR ','), '') as groups " +
               " FROM Users left join UserGroups on Users.id = UserGroups.user_id " + where +
               " GROUP BY Users.id";

    sql.eachRow(sqlQuery, {
        result.add([__UID__:it.id, __NAME__:it.login, __ENABLE__:!it.disabled, fullname:it.fullname,
                    firstname:it.firstname, lastname:it.lastname, email:it.email, organization:it.organization,
                    // the multivalued attribute that was missing; an empty string must become an
                    // empty list, because "".split(",") would yield [""] (a bogus empty membership)
                    <b style="background-color:rgb(255,242,204)">groups: it.groups ? (it.groups.split(",") as List) : []</b>]);
    });

    break;
</pre></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Maybe we can work together to improve the ScriptedSQL Sample on github.
I can fork the repository, add these changes and make a pull request to you as we did with the Office365 connector.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best regards, </div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
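<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Added example (not code from this thread, from midPoint, or from the ScriptedSQL sample on GitHub): a small Python model of the two halves of the problem discussed above. search_accounts replays the __ACCOUNT__ search query against an in-memory SQLite database with constructed Users/UserGroups rows (account 8 in groups 4, 5 and 6, account 9 in none; SQLite writes GROUP_CONCAT(x, ',') where MySQL writes GROUP_CONCAT(x SEPARATOR ','), and the id filter is bound as a parameter rather than concatenated into the WHERE string), with a switch that reproduces the original mistake of leaving the multivalued groups attribute out of the result. reconcile_association is a simplified model of the reconciliation logic Radovan describes (strong-mapping values versus what the read returned, with the tolerant flag deciding whether extras are removed); the function names and the scenario values are assumptions made for the example, and it is not midPoint's implementation.</div>

```python
import sqlite3

# Constructed sample schema and rows, modelled on the Users / UserGroups
# tables the thread's search script queries (not the GitHub sample's own
# schema). Account 8 is a member of groups 4, 5 and 6; account 9 has none.
SCHEMA_AND_DATA = """
CREATE TABLE Users (
    id INTEGER PRIMARY KEY, login TEXT, disabled INTEGER, fullname TEXT,
    firstname TEXT, lastname TEXT, email TEXT, organization TEXT);
CREATE TABLE UserGroups (
    user_id INTEGER, group_id INTEGER, PRIMARY KEY (user_id, group_id));
INSERT INTO Users VALUES (8, 'celeste', 0, 'Celeste Example', 'Celeste',
    'Example', 'celeste@example.invalid', 'Identicum');
INSERT INTO Users VALUES (9, 'nogroups', 0, 'No Groups', 'No', 'Groups',
    'nogroups@example.invalid', 'Identicum');
INSERT INTO UserGroups VALUES (8, 4), (8, 5), (8, 6);
"""


def open_sample_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def search_accounts(conn, account_id=None, include_groups=True):
    """Model of the SEARCH script's __ACCOUNT__ branch.

    include_groups=False reproduces the original mistake: the multivalued
    'groups' attribute is simply absent from every returned object.
    SQLite spells the aggregate GROUP_CONCAT(x, ',') where MySQL writes
    GROUP_CONCAT(x SEPARATOR ','). The id filter is bound as a parameter
    instead of being concatenated into the WHERE clause.
    """
    sql = """SELECT Users.*, IFNULL(GROUP_CONCAT(UserGroups.group_id, ','), '') AS "groups"
             FROM Users LEFT JOIN UserGroups ON Users.id = UserGroups.user_id """
    params = ()
    if account_id is not None:
        sql += "WHERE Users.id = ? "
        params = (account_id,)
    sql += "GROUP BY Users.id"

    results = []
    for row in conn.execute(sql, params):
        obj = {
            "__UID__": str(row["id"]),
            "__NAME__": row["login"],
            "__ENABLE__": not row["disabled"],
            "fullname": row["fullname"],
            "email": row["email"],
        }
        if include_groups:
            # ''.split(',') would yield [''] (a bogus empty membership), so an
            # empty string must map to an empty list. Sorted for stable output,
            # since GROUP_CONCAT gives no ordering guarantee.
            obj["groups"] = sorted(row["groups"].split(",")) if row["groups"] else []
        results.append(obj)
    return results


def reconcile_association(expected, account, tolerant):
    """Simplified model (not midPoint's code) of how reconciliation turns the
    values required by strong mappings plus what the read operation reported
    into an entitlement delta. Returns (values_to_add, values_to_remove).
    With tolerant=True, extra values found on the resource are left alone."""
    actual = set(account.get("groups", []))
    to_add = set(expected) - actual
    to_remove = set() if tolerant else actual - set(expected)
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    db = open_sample_db()
    required = ["4", "6"]          # what the role's strong mappings induce
    good = search_accounts(db, 8)[0]
    broken = search_accounts(db, 8, include_groups=False)[0]
    print("read with groups:   ", good["groups"],
          "delta:", reconcile_association(required, good, tolerant=False))
    print("read without groups:", broken.get("groups"),
          "delta:", reconcile_association(required, broken, tolerant=False))
    print("tolerant=true:       delta:",
          reconcile_association(required, good, tolerant=True))
```

<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Run as a script, the first line shows the fixed read (groups 4, 5, 6 reported, so with tolerant=false the delta removes 5), the second shows the broken read (no groups attribute, so the delta only tries to ADD 4 and 6 and never removes anything, which is the symptom in the DEBUG log quoted below), and the third shows that tolerant=true suppresses the removal even when the read is correct.</div>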
<br><div class="gmail_quote">On Tue, Nov 22, 2016 at 2:00 PM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_6863627869252002457moz-cite-prefix">Hi,<br>
<br>
Clearly the provisioning is trying to add group 4. So this
supports the theory that midPoint thinks that the account does not
have any groups. My guess would be that it does not see the group
membership correctly. Can you see the associations correctly when
you look at the account details in the GUI? If my theory is
correct then you probably see no associations there at all (e.g.
you would see neither group 4 nor 6 for account 8).<br>
<br>
Proper setup for reading associations is (of course) critical for
reconciliation. If midPoint cannot see what groups the account has
then midPoint cannot correctly compute what groups to add or
remove.<br>
<br>
There are two likely reasons for this: connector does not return
the data or midPoint is not configured properly to understand
that. You can check if connector returns the data by looking at
the ConnId operation trace. You should see get/search operation
there and check that the connector is returning group membership
attributes correctly. If the connector really returns the
information correctly then the most likely case is misconfigured
association definition. I have realized that the details of the
association definition were not properly documented in the wiki.
The documentation was in the schema, but not in the wiki. So I
have just added that:<br>
<br>
<a class="m_6863627869252002457moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition" target="_blank">https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition</a><br>
<br>
Please have a look at that and check if your association
configuration is OK.<br>
<br>
If nothing helps then you may need to resort to drastic measures:
setting the log level to TRACE :-)<br>
<br>
<pre class="m_6863627869252002457moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
<br>
<br>
On 11/21/2016 04:17 PM, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi,
here is the provisioning log (DEBUG mode):</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default">
<pre>
2016-11-21 12:01:07,928 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __ACCOUNT__
2016-11-21 12:01:07,950 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is: WHERE id = 8
2016-11-21 12:01:08,016 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __GROUP__
2016-11-21 12:01:08,031 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is: WHERE id = 4
2016-11-21 12:01:08,188 [] [Thread-107] DEBUG (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): PROVISIONING MODIFY operation on resource:00000000-0000-1de4-0002-000000000010(ScriptedSQL)
 MODIFY object, object class ACCOUNT:default, identified by:
 [
 uid: 8
 ]
 changes:
 [
 Property modification operation:
 attributes/groups
 ADD: 4
 ]
2016-11-21 12:01:08,286 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering Update Script with action ADD_ATTRIBUTE_VALUES Script for object class __ACCOUNT__
2016-11-21 12:01:08,288 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Sample - Attribute received: groups -> [4]
2016-11-21 12:01:08,288 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Sample - Entro en add attribute values
2016-11-21 12:01:08,290 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Sample - Skipping assignment because user 8 already has group 4
2016-11-21 12:01:08,290 [] [Thread-107] DEBUG (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): PROVISIONING MODIFY successful, side-effect changes {
}
2016-11-21 12:01:08,586 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __GROUP__
2016-11-21 12:01:08,601 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is: WHERE id = 4
2016-11-21 12:01:08,673 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __GROUP__
2016-11-21 12:01:08,711 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is: WHERE id = 4
</pre>
<div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif">The
context before the operation was:</div>
<div class="gmail_default">
<ul>
<li><font face="arial, helvetica, sans-serif" color="#444444">User Celeste has an account with id 8
on ScriptedSQL resource</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">User Celeste has an assignment to
ScriptedSQL-SuperRole</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">Role ScriptedSQL-SuperRole has an
assignment to ScriptedSQL-Group4 and
ScriptedSQL-Group6</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">Account 8 has roles 4 and 6 on the
resource</font></li>
</ul>
<div><font face="arial, helvetica, sans-serif" color="#444444">This was the operation I triggered:</font></div>
<ul>
<li><font face="arial, helvetica, sans-serif" color="#444444">ScriptedSQL-Group5 role is unassigned
from ScriptedSQL-SuperRole</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">User Celeste is reconciled</font></li>
</ul>
<div><font face="arial, helvetica, sans-serif" color="#444444">There is no reference to
ScriptedSQL-Group6 (id = 6) in the log. Attached is the
log in TRACE mode of the same operation.</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">This is the meta role definition:</font></div>
<div><font face="monospace, monospace" color="#444444"><br>
</font></div>
<div><font color="#444444">
<pre>
<association>
    <c:ref>ri:GroupObjectClass</c:ref>
    <b><tolerant>false</tolerant></b>
    <outbound>
        <b><strength>strong</strength></b>
        <expression>
            <associationFromLink>
                <projectionDiscriminator>
                    <kind>entitlement</kind>
                    <intent>default</intent>
                </projectionDiscriminator>
            </associationFromLink>
        </expression>
    </outbound>
</association>
</pre>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif">And
this is the association definition on the ScriptedSQL
resource:</div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div>
<pre>
<association>
    <c:ref>ri:GroupObjectClass</c:ref>
    <b><tolerant>false</tolerant></b>
    <kind>entitlement</kind>
    <intent>default</intent>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:groups</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>
</pre>
</div>
</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">Regards,</font></div>
</div>
<div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_6863627869252002457gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Nov 21, 2016 at 11:09 AM,
Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_6863627869252002457m_-6181252134839203565moz-cite-prefix">Hi,<br>
<br>
That's strange. The ScriptedSQL is somehow different.
But it should not be THAT different. Please once again
look at the ConnId operation trace. That's the most
reliable source of debugging information in this case.<br>
<br>
But based on your information I would guess that it
really is midPoint issue. If the connector is not
getting the remove operation then that means that
midpoint is not sending it. If you are sure that the
"model" configuration is correct (e.g. tolerant setting,
mapping strength, etc.) then it is most likely that the
provisioning part is filtering out the operation. There
may be several reasons for that. E.g. if the read
operation does not work properly midPoint may think that
the value is not there and therefore there is no need to
remove it. Some resources (namely LDAP) are quite touchy
and they respond with an error if we try to remove a
value that is not there. Therefore we are often
filtering the deltas before sending them to connector.
Or there may be several other cases. Generally setting
provisioning logging to DEBUG (and in extreme cases to
TRACE) should give you more information on what is really
happening. To be more specific, try setting:<br>
<pre>com.evolveum.midpoint.provisioning: DEBUG</pre><span><br>
<br>
<pre class="m_6863627869252002457m_-6181252134839203565moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
</span>
<div>
<div class="m_6863627869252002457h5"> On 11/21/2016 01:38 PM, Nicolas Rossi
wrote:<br>
</div>
</div>
</div>
<div>
<div class="m_6863627869252002457h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Radovan. It worked for ActiveDirectory connector
but didn't for the ScriptedSQL. We have added an
echo at the beginning of each groovy script
printing the action and the object class
received and it only receives an
ADD_ATTRIBUTE_VALUE of the value that the user
already had. There is no REMOVE_ATTRIBUTE_VALUE
so I guess the issue is on the connector this
time. I have an isolated set of resource, meta
role and role to reproduce the issue. You can
download it from <a href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a> if you want. The main
difference with the Active Directory resource is
in the association: subjectToObject vs
objectToSubject. Do you think the problem could
be there? I'll try it.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
guess it would be helpful to add this info about the
tolerant attribute to this page: <a href="https://wiki.evolveum.com/display/midPoint/Entitlements" target="_blank">https://wiki.evolveum.com/display/midPoint/Entitlements</a>.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best
regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_6863627869252002457m_-6181252134839203565gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Nov 21, 2016 at
7:15 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-cite-prefix">Hi,<br>
<br>
I have created the test. And surprisingly
it is passing. This is 3.5-SNAPSHOT, but
it is very likely that it works also in
earlier versions. Therefore it looks like it is
really a misconfiguration. The cause is
really most likely the tolerant flag. The
tolerant flag is critical in this
situation. <br>
<br>
For "normal" midPoint operations when you
are adding or removing an assignment from
user we have the delta. We know what has
changed. Therefore we remove the group
even if it is set to tolerant. Because we
know that the last assignment that
"induced" that group was just removed.<br>
<br>
But if you change the meta role (first
operation) and then reconcile the user
(second operation) then there is no delta.
These operations are independent. MidPoint
does not know what has changed in the
meta-role. Therefore it cannot use the
same logic to remove the user from the
group. Slightly different logic is used in
reconciliation. Logic that is not based on
deltas (because there are none). And in
this case the tolerant flag is important.
If it is set to true then midPoint will
NOT remove the extra values from the
attribute or the extra entitlements. If it
is set to false then midPoint will remove
them.<br>
<br>
Please make sure you have the association
set to non-tolerant in the schemaHandling
section of the resource definition. Like
this:<br>
<br>
<pre>
<resource>
    <schemaHandling>
        ....
        <association>
            <ref>ri:group</ref>
            <tolerant>false</tolerant>
            ....
        </association>
        ...
</pre>
<br>
This has to be defined in the
schemaHandling and NOT in the role or
meta-role. The tolerance is the property
of the attribute/association itself and
NOT a property of any mapping, role or
value. The values that are not given by
any role and just that - not given by any
role. So we do not have any role
definition that we can apply to them.
Therefore the setting whether the
attribute/association is tolerant or not
is somehow "global". Therefore it needs to
be defined in schemaHandling.<br>
<br>
Also, please make sure that your mappings
are strong, e.g.<br>
<br>
<pre>
<role>
    ...
    <inducement>
        <construction>
            ...
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <strength>strong</strength>
                    ...
                </outbound>
            </association>
        </construction>
    </inducement>
</pre>
<br>
Mappings that are of "normal" strength are
inherently delta-based and they are
usually NOT processed by the
reconciliation at all. For "normal"
mappings the last change wins. But in
reconciliation we have no idea what change
was the last one - whether the one on the
resource or the one in midPoint. Therefore
we prefer the conservative approach and we
rather maintain status quo.<span><br>
<br>
<pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
</span>
<div>
<div class="m_6863627869252002457m_-6181252134839203565h5">
On 11/20/2016 04:44 PM, Radovan
Semancik wrote:<br>
</div>
</div>
</div>
<div>
<div class="m_6863627869252002457m_-6181252134839203565h5">
<blockquote type="cite">
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-cite-prefix">Hi,<br>
<br>
There is no update operation in the
log. Therefore midPoint is not
invoking the group membership
removal at all. I'm not sure what
exactly happens here. Your
configuration seems to be OK at the
first sight and I would tell that
your setup should work. Therefore
this may be a midPoint bug. I will
try to reproduce similar situation
in midPoint tests. I'll let you know
how it went.<br>
<br>
<pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
On 11/16/2016 01:49 PM, Nicolas
Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Radovan, here is the log of the
operation as you suggested. At
the beginning the "AD-SuperRole"
had 3 inducements to roles (with
MetaRole): AD-Group3, AD-Group4
and AD-Group5. The user
ltroncoso has this AD-SuperRole
and he has 3 groups assigned on
AD. Then we removed the
AD-Group3 from the AD-SuperRole
and reconciled the User from the
Admin-GUI but he still has the
groupMembership on AD to
Group3. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Attached
is the AD-SuperRole, the
AD_GROUP-ENTITLEMENT (MetaRole),
the AD-Group3 and the User's
xml. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Do
you need any additional
information?</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Best
regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Wed,
Nov 16, 2016 at 7:35 AM, Radovan
Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-cite-prefix">Hi,<br>
<br>
This is a really
interesting case.
Initially I was suspecting
a problem in the scripted
SQL connector. We do not
use these scripted
connectors much as the
configurations are very
difficult to maintain.
With the many possible
uses of the scripted
connectors these are
likely to be a cause of
problems. But if that
issue affects AD/LDAP
connector then it may
indicate a midPoint issue.<br>
<br>
Just to provide complete
information: some time ago
I have written a guide on how
to systematically diagnose
issues like these. Here it
is: <br>
<br>
<a class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings" target="_blank">https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings</a><br>
<br>
However, to cut it short,
first interesting thing
would be to see what
operation midPoint sends
to the connector. Please
enable the ConnId
operation logging by
setting following logger:<br>
<br>
<pre>org.identityconnectors.framewo<wbr>rk: TRACE
</pre>
Then re-try the operation (example of the message that you are
looking for is in the guide). This should give us information
whether the problem is that midPoint is sending wrong operation to
connector or whether the connector is doing wrong thing. Then we
will know where to focus further search for the problem.<span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258HOEnZb"><font color="#888888">
<pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></font></span><div><div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258h5">
On 11/14/2016 04:11 PM, Nicolas Rossi wrote:
</div></div></div><div><div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi guys, I'd like to add more information to this issue. We are also facing the same issue with the AD-LDAP driver when a Role loses an inducement to another Role. After reconciling the user, the group membership is not removed.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I've added the <tolerant>false</tolerant> flag to the Meta Role as Ivan said, but there was no change.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Nov 11, 2016 at 5:09 PM, Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span> wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Ivan / Radovan</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I guess there is a problem in the ScriptedSQL driver (not the scripts) when an inducement is unassigned from a Role, because we are facing the same issue in two different situations:</div>
<div class="gmail_default">
<ol>
<li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role with inducements to entitlements is unassigned from a user, the script does not receive the action REMOVE_ATTRIBUTE_VALUE</font></li>
<li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role (with MetaRole) is unassigned from a functional role assigned to a user, then when recomputing the user the script does not receive the action REMOVE_ATTRIBUTE_VALUE</font></li>
</ol>
<div><font face="arial, helvetica, sans-serif" color="#444444">Both situations are working when you assign the inducements. I have an isolated example <a href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a>.</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">
</font></div>
<div><font face="arial, helvetica, sans-serif" color="#444444">Best regards,</font></div>
</div>
</div>
<div class="gmail_extra">
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028h5">
<div class="gmail_quote">On Fri, Nov 11, 2016 at 11:00 AM, Rodrigo Yanis <span dir="ltr"><<a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>></span> wrote:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Ivan,
<div>
</div>
<div>Just tried configuring the meta-role just like that. Unfortunately no progress. We'll continue analyzing this and keep you posted if we find anything.</div>
<div>
</div>
<div>Thanks a lot.</div>
<div>
</div>
<div>Regards,</div>
</div>
<div class="gmail_extra"><span>
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
</div>
<div dir="ltr"><font face="arial,
helvetica, sans-serif"><b>Rodrigo
Yanis.</b>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.
</font>Jorge Newbery
3226
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif">
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span>
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276h5">
<div class="gmail_quote">2016-11-11 2:46 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>I meant this:</p>
<pre>...
<inducement>
  <construction>
    <resourceRef oid="00000000-dc00-dc00-0001-000000000021" type="c:ResourceType"/><!-- Portal intranet -->
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <ref>ri:wsEntitlements</ref>
      <outbound>
        <b><strength>strong</strength></b>
        <source>
          ...
        </source>
        <expression>
          ...</pre>
<p>But I think your problem should be resolved by tolerance (set to false). Strong mapping strength is to allow midPoint to enforce the group assignment when reconciling. Still, I don't have any other idea. I hope that's not a problem with that specific connector, because I wouldn't be able to help with Java.</p>
<p>Best regards,</p>
<p>Ivan
</p>
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960h5">
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-cite-prefix">On 11/10/2016 09:36 PM, Rodrigo Yanis wrote:
</div>
<blockquote type="cite">
<div dir="ltr">Ivan,
<div>
</div>
<div>I've compared your XML to my association attribute's definition on the resource and it looks the same. Can you please explain further what you mean by defining strength on the role itself? We've got a Meta-role -> Application role -> High level role architecture going (I believe it's just the same as yours except for the meta-role), and the group association is defined on the meta-role. Do you mean we should somehow define strength there? Because it isn't explicitly set.</div>
<div>
</div>
<div>This is the inducement for the group association on the meta-role definition:</div>
<div>
</div>
<pre><inducement id="2">
  <construction>
    <resourceRef oid="00000000-0000-1de4-0002-000000000003" type="c:ResourceType"><!-- BANNER_USUARIOS --></resourceRef>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <c:ref>ri:GroupObjectClass</c:ref>
      <outbound>
        <expression>
          <associationFromLink>
            <projectionDiscriminator>
              <kind>entitlement</kind>
              <intent>default</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>2</order>
</inducement></pre>
<div>
</div>
<div>Don't mind me if I sound a bit confused.</div>
<div>
</div>
<div>Thanks for your help.</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">2016-11-10 13:51 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>unfortunately no other idea yet. I was running recompute ca. two weeks ago to remove some application groups that were not added by midPoint; the goal was to have an association configuration with tolerant=false, and it worked (this was a custom connector, not ScriptedSQL):</p>
<pre><association>
  <ref>ri:wsEntitlements</ref>
  <tolerant>false</tolerant>
  <matchingRule>mr:stringIgnoreCase</matchingRule>
  <kind>entitlement</kind>
  <intent>ws-entitlement</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>ri:accountId</associationAttribute>
  <valueAttribute>icfs:uid</valueAttribute>
</association></pre>
<p>In all roles where the association is used, <strength>strong</strength> is used as well (but the tolerant=false is a must). The recompute then worked as expected and removed all non-midPoint groups from the accounts. The accounts were constructed by hierarchical roles (User - assign - Business role - inducement - Application role) and the association was in the Application role.</p>
<p>Best regards,</p>
<p>Ivan
</p>
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878h5">
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-cite-prefix">On 11/10/2016 06:21 PM, Rodrigo Yanis wrote:
</div>
<blockquote type="cite">
<p dir="ltr">Hello Ivan, thanks for your response.</p>
<p dir="ltr">Unfortunately this didn't work. All our association attributes are set to tolerance=false by default.</p>
<p dir="ltr">Strange thing is, this only happens when reconciling on already assigned high level roles, not at assignment time.</p>
<p dir="ltr">Any other suggestion? Thanks again,</p>
<div class="gmail_extra">
<div class="gmail_quote">2016-11-10 9:48 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Rodrigo,</p>
<p>maybe <tolerant>false</tolerant> for the association or your group attribute (if not using associations) could help...</p>
<p>Ivan
</p>
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On 11/10/2016 03:33 PM, Rodrigo Yanis wrote:
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
<div dir="ltr">Hello everyone,
<div>
</div>
<div>We're having issues with our ScriptedSQL connector mishandling group membership removals when said memberships come from roles that are inherited from a higher-level role that is assigned to the user.</div>
<div>
</div>
<div>When we remove the database role (the one that is linked to the resource's meta-role, and represents a database group) from the higher-level role, and perform a reconciliation on the user, this does not remove the group membership of this user in the database. This only happens if the database role is assigned directly to the user, and then removed.</div>
<div>
</div>
<div>We've also tried with a recompute task on the user, still with no luck.</div>
<div>
</div>
<div>Since our role hierarchy does not support this last option, we must find a way (either through a task or directly) to remove memberships to roles that are no longer induced into the high-level role.</div>
<div>
</div>
<div>Do you have an idea on how to proceed?</div>
<div>
</div>
<div>Thanks for your help</div>
</div>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></blockquote><span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
<pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div>
<br></blockquote></div><br></div>
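<p>As an added illustration (not code from this thread, from midPoint or from the ScriptedSQL connector), the Python model below shows the two mechanisms the thread turns on: a SearchScript that never returns the multivalued groups attribute leaves midPoint with nothing to diff against, so no REMOVE_ATTRIBUTE_VALUES delta can ever be produced, and tolerant=false is what makes values no longer induced by any role get removed on reconcile. The sample tables, role names and the delta rules are constructed assumptions, simplified from midPoint's real reconciliation.</p>

```python
"""Constructed model of midPoint's reconciliation of a multivalued 'groups'
attribute served by a ScriptedSQL connector (illustration only, not midPoint
or connector code). The tables, role names and delta rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample rows, mirroring the Users / UserGroups tables of the
# ScriptedSQL sample discussed in the thread.
USERS: Dict[int, Dict[str, str]] = {1: {"uid": "1", "username": "jdoe"}}
USER_GROUPS = [(1, "finance"), (1, "legacy-app")]  # (user_id, group_id)

# Constructed role hierarchy: business role --inducement--> database role,
# and each database role stands for one group on the resource.
ROLE_INDUCEMENTS: Dict[str, List[str]] = {"BusinessRole": ["DbRoleFinance"]}
ROLE_GROUP: Dict[str, str] = {"DbRoleFinance": "finance"}


@dataclass(frozen=True)
class Delta:
    """One attribute delta midPoint would hand to the connector's UpdateScript."""
    action: str  # "ADD_ATTRIBUTE_VALUES" or "REMOVE_ATTRIBUTE_VALUES"
    attribute: str
    values: FrozenSet[str]


def search_script(user_id: int, include_groups: bool) -> Optional[Dict[str, object]]:
    """Model of the SearchScript result for one __ACCOUNT__ row.

    include_groups=False reproduces the mistake described in the thread:
    the multivalued attribute is simply absent from the returned row."""
    user = USERS.get(user_id)
    if user is None:
        return None
    row: Dict[str, object] = dict(user)
    if include_groups:
        # Same information as the LEFT JOIN + GROUP_CONCAT query in the fix.
        row["groups"] = sorted(g for uid, g in USER_GROUPS if uid == user_id)
    return row


def intended_groups(assigned_roles: List[str], inducements: Dict[str, List[str]]) -> Set[str]:
    """Follow inducements transitively and collect the groups the user should hold."""
    groups: Set[str] = set()
    seen: Set[str] = set()
    stack = list(assigned_roles)
    while stack:
        role = stack.pop()
        if role in seen:  # guards against cycles in the hierarchy
            continue
        seen.add(role)
        if role in ROLE_GROUP:
            groups.add(ROLE_GROUP[role])
        stack.extend(inducements.get(role, []))
    return groups


def reconcile_groups(account: Dict[str, object], intended: Set[str], tolerant: bool) -> List[Delta]:
    """Compute the deltas for the 'groups' attribute.

    Values intended but absent on the resource are added. With tolerant=False,
    values present on the resource but not intended by any role are removed;
    with tolerant=True they are left alone. An attribute missing from the
    search result counts as empty, so nothing can ever be removed from it."""
    current: Set[str] = set(account.get("groups", []))
    deltas: List[Delta] = []
    to_add = intended - current
    if to_add:
        deltas.append(Delta("ADD_ATTRIBUTE_VALUES", "groups", frozenset(to_add)))
    if not tolerant:
        to_remove = current - intended
        if to_remove:
            deltas.append(Delta("REMOVE_ATTRIBUTE_VALUES", "groups", frozenset(to_remove)))
    return deltas


def scenario(include_groups: bool, tolerant: bool, inducements: Dict[str, List[str]]) -> List[Delta]:
    """One reconcile of user 1, who is assigned BusinessRole."""
    account = search_script(1, include_groups)
    if account is None:
        raise LookupError("user 1 not found on the resource")
    return reconcile_groups(account, intended_groups(["BusinessRole"], inducements), tolerant)


if __name__ == "__main__":
    # The inducement BusinessRole -> DbRoleFinance has been removed, as in the thread.
    no_inducement: Dict[str, List[str]] = {"BusinessRole": []}
    print("groups missing from search result:", scenario(False, False, no_inducement))
    print("fixed search, tolerant=false:      ", scenario(True, False, no_inducement))
    print("fixed search, tolerant=true:       ", scenario(True, True, no_inducement))
```

<p>The first scenario is the silent failure from the thread: the ADD path still "works" because the resource state is unknown and the add is simply re-sent, while removals never appear.</p>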