<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi Radovan !! it's working now !!!!</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">The association definition was almost fine, I added the shortcuts from Groups pointing to Users with "members" and I also added the field members to the Group schema.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I guess the main issue was on the scripts. We started from a ScriptedSQL Sample resource from github and it doesn't have any relationship between Users and Groups. So we created it with a table UserGroups but we didn't add the multivalued attribute on the SearchScript in the result array. That was the big mistake. 
After returning the list of user groups and group members I could see the associations on the GUI and the behavior on remove and reconcile was ok!</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here is an example of what I am saying:</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default"><pre>case "__ACCOUNT__":

                sqlQuery = "SELECT Users.*, IFNULL(GROUP_CONCAT(UserGroups.group_id SEPARATOR ','), '') as groups " +
                           "  FROM Users left join UserGroups on Users.id = UserGroups.user_id " + where +
                           " GROUP BY Users.id";

                sql.eachRow(sqlQuery, {

                    result.add([__UID__:it.id, __NAME__:it.login, __ENABLE__:!it.disabled, fullname:it.fullname,
                                firstname:it.firstname, lastname:it.lastname, email:it.email, organization:it.organization,
                                <b style="background-color:rgb(255,242,204)">groups: it.groups.split(",") as List ]</b>);
                });

                break;</pre></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Maybe we can work together to improve the ScriptedSQL Sample on GitHub. 
I can fork the repository, add these changes and make a pull request to you as we did with the Office365 connector.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best regards, </div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
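An added example written for this thread, not code from the GitHub ScriptedSQL sample or from the script above: a SearchScript in the same old-style convention that returns membership on both the account side (groups) and the group side (members), and handles an account with no memberships, where `"".split(",")` would otherwise report a single empty-string group. It assumes the sample's `sql`, `objectClass`, `where` and `result` bindings and a `UserGroups(user_id, group_id)` join table.

```groovy
// Added example (not the ScriptedSQL sample's own code). Assumed bindings of the
// old-style sample: 'sql' (groovy.sql.Sql), 'objectClass' (String), 'where'
// (filter already rendered as " WHERE ..." or ""), and 'result' (List the script
// fills with one attribute map per object). Assumed tables:
// Users(id, login, disabled, ...), Groups(id, name), UserGroups(user_id, group_id).

// GROUP_CONCAT over a LEFT JOIN yields NULL (or '' after IFNULL) for an object with
// no memberships, and "".split(",") is [""], i.e. one phantom empty member.
// A multivalued attribute must come back as a List without such a value, otherwise
// midPoint would see "" as an association it has to reconcile.
def csvToList(String csv) {
    if (csv == null || csv.trim().isEmpty()) {
        return []
    }
    // Trim each id and drop blanks (Groovy truth: "" is false).
    return csv.split(",").collect { it.trim() }.findAll { it }
}

def sqlQuery
switch (objectClass) {

    case "__ACCOUNT__":
        sqlQuery = "SELECT Users.*, " +
                   "IFNULL(GROUP_CONCAT(UserGroups.group_id SEPARATOR ','), '') AS groups " +
                   "FROM Users LEFT JOIN UserGroups ON Users.id = UserGroups.user_id " +
                   where +
                   " GROUP BY Users.id"
        sql.eachRow(sqlQuery) { row ->
            result.add([
                __UID__   : row.id as String,
                __NAME__  : row.login,
                __ENABLE__: !row.disabled,
                // The attribute the resource's association definition reads
                // (associationAttribute ri:groups, valueAttribute icfs:uid):
                // one entry per group UID. If this is missing midPoint sees no
                // memberships and cannot compute which groups to add or remove.
                groups    : csvToList(row.groups)
            ])
        }
        break

    case "__GROUP__":
        // Reverse view so that group details can list their members.
        sqlQuery = "SELECT Groups.*, " +
                   "IFNULL(GROUP_CONCAT(UserGroups.user_id SEPARATOR ','), '') AS members " +
                   "FROM Groups LEFT JOIN UserGroups ON Groups.id = UserGroups.group_id " +
                   where +
                   " GROUP BY Groups.id"
        sql.eachRow(sqlQuery) { row ->
            result.add([
                __UID__ : row.id as String,
                __NAME__: row.name,
                members : csvToList(row.members)
            ])
        }
        break

    default:
        throw new UnsupportedOperationException("Unsupported object class: " + objectClass)
}

return result
```

With this in place the ConnId operation trace of a get/search on an account should show the groups attribute populated, which is the check Radovan asks for below.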
<br><div class="gmail_quote">On Tue, Nov 22, 2016 at 2:00 PM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div class="m_6863627869252002457moz-cite-prefix">Hi,<br>
      <br>
      Clearly the provisioning is trying to add group 4. So this
      supports the theory that midPoint thinks that the account does not
      have any groups. My guess would be that it does not see the group
      membership correctly. Can you see the associations correctly when
      you look at the account details in the GUI? If my theory is
      correct then you probably see no associations there at all (e.g.
      you would see neither group 4 nor 6 for account 8).<br>
      <br>
      Proper setup for reading associations is (of course) critical for
      reconciliation. If midPoint cannot see what groups the account has
      then midPoint cannot correctly compute what groups to add or
      remove.<br>
      <br>
      There are two likely reasons for this: the connector does not return
      the data or midPoint is not configured properly to understand
      that. You can check if the connector returns the data by looking at
      the ConnId operation trace. You should see a get/search operation
      there; check that the connector is returning group membership
      attributes correctly. If the connector really returns the
      information correctly then the most likely case is misconfigured
      association definition. I have realized that the details of the
      association definition were not properly documented in the wiki.
      The documentation was in the schema, but not in the wiki. So I
      have just added that:<br>
      <br>
<a class="m_6863627869252002457moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition" target="_blank">https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition</a><br>
      <br>
      Please have a look at that and check if your association
      configuration is OK.<br>
      <br>
      If nothing helps then you may need to resort to drastic measures:
      setting the log level to TRACE :-)<br>
      <br>
      <pre class="m_6863627869252002457moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
      <br>
      <br>
      <br>
      <br>
      On 11/21/2016 04:17 PM, Nicolas Rossi wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi,
          here is the provisioning log (DEBUG mode):</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default">
          <div class="gmail_default" style="color:rgb(68,68,68);font-size:small"><pre>2016-11-21 12:01:07,928 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __ACCOUNT__
2016-11-21 12:01:07,950 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is:  WHERE id = 8
2016-11-21 12:01:08,016 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __GROUP__
2016-11-21 12:01:08,031 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is:  WHERE id = 4
2016-11-21 12:01:08,188 [] [Thread-107] DEBUG (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): PROVISIONING MODIFY operation on resource:00000000-0000-1de4-0002-000000000010(ScriptedSQL)
 MODIFY object, object class ACCOUNT:default, identified by:
  [
    uid: 8
  ]
 changes:
  [
    Property modification operation:
      attributes/groups
        ADD: 4
  ]
2016-11-21 12:01:08,286 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering Update Script with action ADD_ATTRIBUTE_VALUES Script for object class __ACCOUNT__
2016-11-21 12:01:08,288 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Sample - Attribute received: groups -> [4]
2016-11-21 12:01:08,288 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Sample - Entro en add attribute values
2016-11-21 12:01:08,290 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Sample - Skipping assignment because user 8 already has group 4
2016-11-21 12:01:08,290 [] [Thread-107] DEBUG (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): PROVISIONING MODIFY successful, side-effect changes {
}
2016-11-21 12:01:08,586 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __GROUP__
2016-11-21 12:01:08,601 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is:  WHERE id = 4
2016-11-21 12:01:08,673 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering SEARCH Script with objectClass __GROUP__
2016-11-21 12:01:08,711 [] [Thread-107] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Search WHERE clause is:  WHERE id = 4</pre></div>
          <div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif"><br>
          </div>
          <div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif">The
            context before the operation was:</div>
          <div class="gmail_default">
            <ul>
              <li><font face="arial, helvetica, sans-serif" color="#444444">User Celeste has an account with id 8
                  on ScriptedSQL resource</font></li>
              <li><font face="arial, helvetica, sans-serif" color="#444444">User Celeste has an assignment to
                  ScriptedSQL-SuperRole</font></li>
              <li><font face="arial, helvetica, sans-serif" color="#444444">Role ScriptedSQL-SuperRole has an
                  assignment to ScriptedSQL-Group4 and
                  ScriptedSQL-Group6</font></li>
              <li><font face="arial, helvetica, sans-serif" color="#444444">Account 8 has roles 4 and 6 on the
                  resource</font></li>
            </ul>
            <div><font face="arial, helvetica, sans-serif" color="#444444">This was the operation I triggered:</font></div>
            <ul>
              <li><font face="arial, helvetica, sans-serif" color="#444444">ScriptedSQL-Group5 role is unassigned
                  from ScriptedSQL-SuperRole</font></li>
              <li><font face="arial, helvetica, sans-serif" color="#444444">User Celeste is reconciled</font></li>
            </ul>
            <div><font face="arial, helvetica, sans-serif" color="#444444">There is no reference to
                ScriptedSQL-Group6 (id = 6) in the log. Attached is the
                log in TRACE mode of same operation.</font></div>
            <div><font face="arial, helvetica, sans-serif" color="#444444"><br>
              </font></div>
            <div><font face="arial, helvetica, sans-serif" color="#444444">This is the meta role definition:</font></div>
            <div><font face="monospace, monospace" color="#444444"><br>
              </font></div>
            <div><font color="#444444">
<pre>
      <association>
          <c:ref>ri:GroupObjectClass</c:ref>
          <b><tolerant>false</tolerant></b>
          <outbound>
              <b><strength>strong</strength></b>
              <expression>
                  <associationFromLink>
                      <projectionDiscriminator>
                          <kind>entitlement</kind>
                          <intent>default</intent>
                      </projectionDiscriminator>
                  </associationFromLink>
              </expression>
          </outbound>
      </association>
</pre>
                <div style="font-family:arial,helvetica,sans-serif"><br>
                </div>
                <div style="font-family:arial,helvetica,sans-serif">And
                  this is the association definition on the ScriptedSQL
                  resource:</div>
                <div style="font-family:arial,helvetica,sans-serif"><br>
                </div>
<pre>
      <association>
          <c:ref>ri:GroupObjectClass</c:ref>
          <b><tolerant>false</tolerant></b>
          <kind>entitlement</kind>
          <intent>default</intent>
          <direction>subjectToObject</direction>
          <associationAttribute>ri:groups</associationAttribute>
          <valueAttribute>icfs:uid</valueAttribute>
      </association>
</pre>
              </font></div>
            <div><font face="arial, helvetica, sans-serif" color="#444444"><br>
              </font></div>
            <div><font face="arial, helvetica, sans-serif" color="#444444">Regards,</font></div>
          </div>
          <div class="gmail_default" style="color:rgb(68,68,68);font-size:small;font-family:arial,helvetica,sans-serif"><br>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="m_6863627869252002457gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div>
                                        <div dir="ltr"><font face="arial, helvetica,
                                            sans-serif"><br>
                                            <br>
                                            <font color="#444444">Ing
                                              Nicolás Rossi</font><br>
                                            <font color="#999999">Identicum
                                              S.A.</font><br>
                                            <font color="#999999">Jorge
                                              Newbery 3226</font><br>
                                            <font color="#999999">Tel:
                                              +54 (11) 4552-3050</font><br>
                                            <font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Mon, Nov 21, 2016 at 11:09 AM,
          Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div class="m_6863627869252002457m_-6181252134839203565moz-cite-prefix">Hi,<br>
                <br>
                That's strange. The ScriptedSQL is somehow different.
                But it should not be THAT different. Please once again
                look at the ConnId operation trace. That's the most
                reliable source of debugging information in this case.<br>
                <br>
                But based on your information I would guess that it
                really is midPoint issue. If the connector is not
                 getting the remove operation then that means that
                midpoint is not sending it. If you are sure that the
                "model" configuration is correct (e.g. tolerant setting,
                mapping strength, etc.) then it is most likely that the
                provisioning part is filtering out the operation. There
                may be several reasons for that. E.g. if the read
                operation does not work properly midPoint may think that
                the value is not there and therefore there is no need to
                remove it. Some resources (namely LDAP) are quite touchy
                and they respond with an error if we try to remove a
                value that is not there. Therefore we are often
                filtering the deltas before sending them to connector.
                Or there may be several other cases. Generally setting
                provisioning logging to DEBUG (and in extreme cases to
                 TRACE) should give you more information on what is really
                 happening. To be more specific try setting:<br>
                 com.evolveum.midpoint.provisioning: DEBUG<span><br>
                  <br>
                  <pre class="m_6863627869252002457m_-6181252134839203565moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                  <br>
                  <br>
                </span>
                <div>
                  <div class="m_6863627869252002457h5"> On 11/21/2016 01:38 PM, Nicolas Rossi
                    wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="m_6863627869252002457h5">
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
                        Radovan. It worked for ActiveDirectory connector
                        but didn't for the ScriptedSQL. We have added an
                        echo at the beginning of each groovy scripts
                        printing the action and the object class
                        received and it only receives an
                        ADD_ATTRIBUTE_VALUE of the value that the user
                        already had. There is no REMOVE_ATTRIBUTE_VALUE
                        so I guess the issue is on the connector this
                        time. I have an isolated set of resource, meta
                        role and role to reproduce the issue. You can
                        download it from <a href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a> if you want. The main
                        difference with the Active Directory resource is
                        in the association: subjectToObject vs
                        objectToSubject. Do you think the problem could
                        be there? I'll try it.</div>
                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
                      </div>
                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
                        guess it would be helpful to add this info about the
                        tolerant attribute on this page: <a href="https://wiki.evolveum.com/display/midPoint/Entitlements" target="_blank">https://wiki.evolveum.com/display/midPoint/Entitlements</a>.</div>
                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
                      </div>
                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best
                        regards,</div>
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <div>
                        <div class="m_6863627869252002457m_-6181252134839203565gmail_signature" data-smartmail="gmail_signature">
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr">
                                    <div>
                                      <div dir="ltr">
                                        <div>
                                          <div dir="ltr">
                                            <div>
                                              <div dir="ltr">
                                                <div>
                                                  <div dir="ltr">
                                                    <div>
                                                      <div dir="ltr"><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          <br>
                                                          <font color="#444444">Ing
                                                          Nicolás Rossi</font><br>
                                                          <font color="#999999">Identicum
                                                          S.A.</font><br>
                                                          <font color="#999999">Jorge
                                                          Newbery 3226</font><br>
                                                          <font color="#999999">Tel:
                                                          +54
                                                          (11) 4552-3050</font><br>
                                                          <font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                      <div class="gmail_quote">On Mon, Nov 21, 2016 at
                        7:15 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-cite-prefix">Hi,<br>
                              <br>
                               I have created the test. And surprisingly
                               it is passing. This is 3.5-SNAPSHOT, but
                               it is very likely that it works also in
                               earlier versions. Therefore it looks like it
                               is really a misconfiguration. The cause is
                               really most likely the tolerant flag. The
                               tolerant flag is critical in this
                               situation. <br>
                              <br>
                               For "normal" midPoint operations, when you
                               are adding or removing an assignment from a
                               user, we have the delta. We know what has
                               changed. Therefore we remove the group
                               even if it is set to tolerant, because we
                               know that the last assignment that
                               "induced" that group was just removed.<br>
                              <br>
                               But if you change the meta role (first
                               operation) and then reconcile the user
                               (second operation) then there is no delta.
                               These operations are independent. MidPoint
                               does not know what has changed in the
                               meta-role. Therefore it cannot use the
                               same logic to remove the user from the
                               group. Slightly different logic is used in
                               reconciliation: logic that is not based on
                               deltas (because there are none). And in
                               this case the tolerant flag is important.
                               If it is set to true then midPoint will
                               NOT remove the extra values from the
                               attribute or the extra entitlements. If it
                               is set to false then midPoint will remove
                               them.<br>
                              <br>
                              Please make sure you have the association
                              set to non-tolerant in the schemaHandling
                              section of the resource definition. Like
                              this:<br>
                              <br>
                               <pre>
<resource>
   <schemaHandling>
      ....
      <association>
         <ref>ri:group</ref>
         <tolerant>false</tolerant>
         ....
      </association>
      ...
</pre>
                              <br>
                               This has to be defined in the
                               schemaHandling and NOT in the role or
                               meta-role. The tolerance is the property
                               of the attribute/association itself and
                               NOT a property of any mapping, role or
                               value. The values that are not given by
                               any role are just that: not given by any
                               role. So we do not have any role
                               definition that we can apply to them.
                               Therefore the setting whether the
                               attribute/association is tolerant or not
                               is somehow "global". Therefore it needs to
                               be defined in schemaHandling.<br>
                              <br>
                              Also, please make sure that your mappings
                              are strong, e.g.<br>
                              <br>
                               <pre>
<role>
    ...
    <inducement>
        <construction>
            ...
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <strength>strong</strength>
                    ...
                </outbound>
            </association>
        </construction>
    </inducement>
</pre>
                              <br>
                               Mappings that are of "normal" strength are
                               inherently delta-based and they are
                               usually NOT processed by the
                               reconciliation at all. For "normal"
                               mappings the last change wins. But in
                               reconciliation we have no idea which change
                               was the last one, whether the one on the
                               resource or the one in midPoint. Therefore
                               we prefer the conservative approach and
                               would rather maintain the status quo.<span><br>
                                <br>
                                <pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                                <br>
                                <br>
                              </span>
                              <div>
                                <div class="m_6863627869252002457m_-6181252134839203565h5">
                                  On 11/20/2016 04:44 PM, Radovan
                                  Semancik wrote:<br>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div class="m_6863627869252002457m_-6181252134839203565h5">
                                <blockquote type="cite">
                                  <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-cite-prefix">Hi,<br>
                                    <br>
                                     There is no update operation in the
                                     log. Therefore midPoint is not
                                     invoking the group membership
                                     removal at all. I'm not sure what
                                     exactly happens here. Your
                                     configuration seems to be OK at
                                     first sight and I would say that
                                     your setup should work. Therefore
                                     this may be a midPoint bug. I will
                                     try to reproduce a similar situation
                                     in midPoint tests. I'll let you know
                                     how it went.<br>
                                    <br>
                                    <pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                                    <br>
                                    <br>
                                    On 11/16/2016 01:49 PM, Nicolas
                                    Rossi wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr">
                                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
                                        Radovan, here is the log of the
                                        operation as you suggested. At
                                        the beginning the "AD-SuperRole"
                                        had 3 inducements to roles (with
                                        MetaRole): AD-Group3, AD-Group4
                                        and AD-Group5. The user
                                        ltroncoso has this AD-SuperRole
                                        and he has 3 groups assigned on
                                        AD. Then we removed the
                                        AD-Group3 from the AD-SuperRole
                                        and reconciled the User from the
                                        Admin-GUI but he still has the
                                        groupMembership on AD to
                                        Group3. </div>
                                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
                                      </div>
                                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Attached
                                        is the AD-SuperRole, the
                                        AD_GROUP-ENTITLEMENT (MetaRole),
                                        the AD-Group3 and the User's
                                        xml. </div>
                                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
                                      </div>
                                       <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Do
                                         you need any additional
                                         information?</div>
                                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
                                      </div>
                                      <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Best
                                        regards,</div>
                                    </div>
                                    <div class="gmail_extra"><br clear="all">
                                      <br>
                                      <div class="gmail_quote">On Wed,
                                        Nov 16, 2016 at 7:35 AM, Radovan
                                        Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                          <div bgcolor="#FFFFFF" text="#000000">
                                            <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-cite-prefix">Hi,<br>
                                              <br>
                                               This is a really
                                               interesting case.
                                               Initially I was suspecting
                                               a problem in the scripted
                                               SQL connector. We do not
                                               use these scripted
                                               connectors much, as the
                                               configurations are very
                                               difficult to maintain.
                                               With the many possible
                                               uses of the scripted
                                               connectors these are
                                               likely to be a cause of
                                               problems. But if that
                                               issue affects the AD/LDAP
                                               connector then it may
                                               indicate a midPoint issue.<br>
                                              <br>
                                               Just to provide complete
                                               information: some time ago
                                               I wrote a guide on how
                                               to systematically diagnose
                                               issues like these. Here it
                                               is: <br>
                                               <br>
                                               <a class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings" target="_blank">https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings</a><br>
                                              <br>
                                               However, to cut it short,
                                               the first interesting thing
                                               would be to see what
                                               operation midPoint sends
                                               to the connector. Please
                                               enable the ConnId
                                               operation logging by
                                               setting the following logger:<br>
                                               <br>
                                               <pre>org.identityconnectors.framework: TRACE
</pre>
      Then re-try the operation (an example of the message that you are
      looking for is in the guide). This should give us information on
      whether the problem is that midPoint is sending a wrong operation to
      the connector or whether the connector is doing the wrong thing. Then we
      will know where to focus the further search for the problem.<span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258HOEnZb"><font color="#888888">

      

      <pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></font></span><div><div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258h5">
      

      

      On 11/14/2016 04:11 PM, Nicolas Rossi wrote:

    </div></div></div><div><div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258h5">
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
          guys, I'd like to add more information to this issue. We are
          also facing the same issue with the AD-Ldap driver when a Role
          loses an inducement to another Role. After reconciling the user,
          the group membership is not removed. </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">

        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I've
          added the <tolerant>false</tolerant> flag to the
          Meta Role as Ivan said, but there was no change.</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">

        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div>
      </div>
      <div class="gmail_extra">

        

        <div class="gmail_quote">On Fri, Nov 11, 2016 at 5:09 PM,
          Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>
          wrote:

          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
                Ivan / Radovan</div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">

              </div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">I
                guess there is a problem in the ScriptedSQL driver (not
                the scripts) when an inducement is unassigned from a
                Role because we are facing the same issue in two
                different situations:</div>
              <div class="gmail_default">
                <ol>
                  <li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role with
                      inducements to entitlements is unassigned from a
                      user, the script does not receive the action
                      REMOVE_ATTRIBUTE_VALUE</font></li>
                  <li><font face="arial, helvetica, sans-serif" color="#444444">When a technical role (with
                      MetaRole) is unassigned from a functional role
                      assigned to a user, when recomputing the user the
                      script does not receive the action
                      REMOVE_ATTRIBUTE_VALUE</font></li>
                </ol>
                <div><font face="arial, helvetica, sans-serif" color="#444444">Both situations are working when you
                    assign the inducements. I have an isolated example <a href="https://dl.dropboxusercontent.com/u/9319179/ScriptedSQLTest.zip" target="_blank">here</a>.</font></div>
                <div><font face="arial, helvetica, sans-serif" color="#444444">

                  </font></div>
                <div><font face="arial, helvetica, sans-serif" color="#444444">Best regards,</font></div>
              </div>
            </div>
            <div class="gmail_extra">

              <div>
                <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028h5">
                  

                  <div class="gmail_quote">On Fri, Nov 11, 2016 at 11:00
                    AM, Rodrigo Yanis <span dir="ltr"><<a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>></span>
                    wrote:

                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">Ivan,
                        <div>

                        </div>
                        <div>Just tried configuring the meta-role just
                          like that. Unfortunately no progress. We'll
                          continue analyzing this and keep you posted if
                          we find anything.</div>
                        <div>

                        </div>
                        <div>Thanks a lot.</div>
                        <div>

                        </div>
                        <div>Regards,</div>
                      </div>
                      <div class="gmail_extra"><span>

                          <div>
                            <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960gmail_signature" data-smartmail="gmail_signature">
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr">
                                    <div>
                                      <div dir="ltr">
                                        <div>
                                          <div dir="ltr">
                                            <div dir="ltr">
                                              <div dir="ltr">

                                              </div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif"><b>Rodrigo
                                                    Yanis.</b>

                                                  <img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.

                                                </font>Jorge Newbery
                                                3226

                                                Tel: +54 (11) 4824-9971<font face="arial,
                                                  helvetica, sans-serif">

                                                  <a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a>

                                                  <a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                          

                        </span>
                        <div>
                          <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276h5">
                            <div class="gmail_quote">2016-11-11 2:46
                              GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:

                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                <div bgcolor="#FFFFFF" text="#000000">
                                  <p>Hi Rodrigo,</p>
                                  <p>I meant this:</p>
                                  <p>...</p>
                                  <pre>
    <inducement>
        <construction>
            <resourceRef oid="00000000-dc00-dc00-0001-000000000021" type="c:ResourceType"/><!-- Portal intranet -->
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:wsEntitlements</ref>
                <outbound>
                    <b><strength>strong</strength></b>
                    <source>
                        ...
                    </source>
                    <expression>
                    ...
</pre>
                                  <p>But I think your problem should be
                                    resolved by tolerance (set to false)
                                    - strong mapping strength is to
                                    allow midPoint to enforce the group
                                    assignment when reconciling. Still I
                                    don't have any other idea. I hope
                                    that's not a problem with that
                                    specific connector because I
                                    wouldn't be able to help with Java.</p>
                                  <p>Best regards,</p>
                                  <p>Ivan

                                  </p>
                                  <div>
                                    <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960h5">
                                      

                                      <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878moz-cite-prefix">On
                                        11/10/2016 09:36 PM, Rodrigo
                                        Yanis wrote:

                                      </div>
                                      <blockquote type="cite">
                                        <div dir="ltr">Ivan,
                                          <div>

                                          </div>
                                          <div>I've compared your XML to
                                            my association attribute's
                                            definition on the resource
                                            and it looks the same. Can
                                            you please explain further
                                            what you mean by defining
                                            strength on the role itself?
                                            We've got a Meta-role ->
                                            Application role -> High
                                            level role architecture
                                            going (I believe it's just
                                            the same as yours except for
                                            the meta-role), and the
                                            group association is defined
                                            on the meta-role. Do you
                                            mean we should somehow
                                            define strength there?
                                            because it isn't explicitly
                                            set.</div>
                                          <div>

                                          </div>
                                          <div>This is the inducement
                                            for the group association on
                                            the meta-role definition:</div>
                                          <div>

                                          </div>
                                          <pre><inducement id="2">
    <construction>
        <resourceRef oid="00000000-0000-1de4-0002-000000000003" type="c:ResourceType"><!-- BANNER_USUARIOS --></resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:GroupObjectClass</c:ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>default</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement></pre>
                                          <div>

                                          </div>
                                          <div>Don't mind me if I sound
                                            a bit confused.</div>
                                          <div>

                                          </div>
                                          <div>Thanks for your help.</div>
                                        </div>
                                        <div class="gmail_extra">

                                          

                                          <div class="gmail_quote">2016-11-10
                                            13:51 GMT-05:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:

                                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                              <div bgcolor="#FFFFFF" text="#000000">
                                                <p>Hi Rodrigo,</p>
                                                <p>unfortunately no
                                                  other idea yet. I was
                                                  running recompute ca.
                                                  two weeks ago to
                                                  remove some
                                                  application groups
                                                  that were not added by
                                                  midPoint, the goal was
                                                  to have association
                                                  configuration with
                                                  tolerant=false and it
                                                  worked (this was
                                                  custom connector, not
                                                  ScriptedSQL):</p>
                                                <pre><association>
    <ref>ri:wsEntitlements</ref>
    <tolerant>false</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>ws-entitlement</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:accountId</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association></pre>
                                                <p>In all roles where
                                                  association is used,
                                                  <strength>strong</strength>
                                                  is used as well (but
                                                  the tolerant=false is
                                                  a must). The recompute
                                                  then worked as
                                                  supposed and removed
                                                  all non-midpoint
                                                  groups from the
                                                  accounts. The accounts
                                                  were constructed by
                                                  hierarchical roles
                                                  (User - assign -
                                                  Business role -
                                                  inducement -
                                                  Application role) and
                                                  the association was in
                                                  the Application role.</p>
                                                <p>Best regards,</p>
                                                <p>Ivan

                                                </p>
                                                <div>
                                                  <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878h5">
                                                    

                                                    <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684moz-cite-prefix">On
                                                      11/10/2016 06:21
                                                      PM, Rodrigo Yanis
                                                      wrote:

                                                    </div>
                                                    <blockquote type="cite">
                                                      <p dir="ltr">Hello
                                                        Ivan, thanks for
                                                        your response.</p>
                                                      <p dir="ltr">Unfortunately
                                                        this didn't
                                                        work. All our
                                                        association
                                                        attributes are
                                                        set to
                                                        tolerance=false
                                                        by default.</p>
                                                      <p dir="ltr">Strange
                                                        thing is, this
                                                        only happens
                                                        when reconciling
                                                        on already
                                                        assigned high
                                                        level roles, not
                                                        on assignment
                                                        time.</p>
                                                      <p dir="ltr">Any
                                                        other
                                                        suggestion?

                                                        Thanks again,</p>
                                                      <div class="gmail_extra">

                                                        

                                                        <div class="gmail_quote">2016-11-10
                                                          9:48 GMT-05:00
                                                          Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:

                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div bgcolor="#FFFFFF" text="#000000">
                                                          <p>Hi Rodrigo,</p>
                                                          <p>maybe
                                                          <tolerant>false</tolerant>
                                                          for
                                                          association or
                                                          your group
                                                          attribute (if
                                                          not using
                                                          associations)
                                                          could help...</p>
                                                          <p>Ivan

                                                          </p>
                                                          <div>
                                                          <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
                                                          

                                                          <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-cite-prefix">On
                                                          11/10/2016
                                                          03:33 PM,
                                                          Rodrigo Yanis
                                                          wrote:

                                                          </div>
                                                          </div>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937h5">
                                                          <div dir="ltr">Hello
                                                          everyone,
                                                          <div>

                                                          </div>
                                                          <div>We're
                                                          having issues
                                                          with our
                                                          ScriptedSQL
                                                          connector
                                                          mishandling
                                                          group
                                                          membership
                                                          removals when
                                                          said
                                                          memberships
                                                          come from
                                                          roles that are
                                                          inherited from
                                                          a higher level
                                                          role, that is
                                                          assigned to
                                                          the user.</div>
                                                          <div>

                                                          </div>
                                                          <div>When we
                                                          remove the
                                                          database role
                                                          (the one that
                                                          is linked to
                                                          the resource's
                                                          meta-role, and
                                                          represents a
                                                          database
                                                          group) from
                                                          the higher
                                                          level role,
                                                          and perform a
                                                          reconciliation
                                                          on the user,
                                                          this does not
                                                          remove the
                                                          group
                                                          membership of
                                                          this user in
                                                          the database.
                                                          This only
                                                          happens if the
                                                          database role
                                                          is assigned
                                                          directly to
                                                          the user, and
                                                          then removed.</div>
                                                          <div>

                                                          </div>
                                                          <div>We've
                                                          also tried
                                                          with a
                                                          recompute task
                                                          on the user,
                                                          still with no
                                                          luck.</div>
                                                          <div>

                                                          </div>
                                                          <div>Since our
                                                          role hierarchy
                                                          does not
                                                          support this
                                                          last option,
                                                          we must find a
                                                          way (either
                                                          through a task
                                                          or directly)
                                                          to remove
                                                          memberships to
                                                          roles that are
                                                          no longer
                                                          induced into
                                                          the high level
                                                          role. </div>
                                                          <div>

                                                          </div>
                                                          <div>Do you
                                                          have an idea
                                                          on how to
                                                          proceed? </div>
                                                          <div>

                                                          </div>
                                                          <div>Thanks
                                                          for your help</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
</font></span></pre><span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937HOEnZb"><font color="#888888">
    

    <pre class="m_6863627869252002457m_-6181252134839203565m_-2249893482612098258m_-3093975276269421028m_-3001675308369013276m_1454510348081728960m_8345065841854202878m_8205048116372680684m_8908444601929514937m_2600798162479677229moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div>
</blockquote>

</div></div></div>
</blockquote></div>
</div>
</blockquote>




</blockquote>

</div></div></div>
</blockquote></div>
</div>
</blockquote>

</div></div></div>
</blockquote></div>
</div>
</blockquote>

</div>
</blockquote></div></div>