<div dir="ltr">Hi Radovan,<div><br></div><div>Despite it is now synchronizing correctly the user groups assignments between the application and MidPoint, we are facing the following issue:</div><div><br></div><div>As we said before, an account in the resource may have groups that have been granted from outside MidPoint. For example, we can have user 1 with groups 1 and 2 in MidPoint and groups 1, 2, 3 and 4 in the resource (groups 3 and 4 have been assigned directly in the resource).</div><div><br></div><div>When we force a reconcile on the user, since MidPoint has no record of groups 3 and 4, the groups are deleted in the resource too, based on a REMOVE_ATTRIBUTE_VALUES operation on the Update script.</div><div><br></div><div>What we would need, is for those groups that have not been assigned by MidPoint (in this case, groups 3 and 4) <b>not to be removed</b> from the user in the resource.</div><div><br></div><div>Is this MidPoint's default behaviour, to unassign groups that have not been assigned by MidPoint?</div><div>Is there a way to only unassign the groups (on a reconcile after a remove inducement operation) that have been granted by MidPoint?</div><div><br></div><div>Best Regards,</div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><b style="font-size:12.8px">Ana Pereyra</b><br></div><div dir="ltr"><font face="verdana, sans-serif" style="font-size:12.8px"><img src="http://www.identicum.com/img/favicon.ico"> Identicum S.A.<br><i><font color="#666666">Jorge Newbery 3226, Argentina<br>Tel: +54 (11) </font></i></font><font color="#666666" face="verdana, sans-serif" style="font-size:12.8px"><i>4552.3050</i></font><div style="font-size:12.8px"><font face="verdana, sans-serif"><i><font size="1"><a href="mailto:apereyra@identicum.com" target="_blank">apereyra@identicum.com</a></font></i><br><a href="http://www.identicum.com/" target="_blank"><font color="#000000">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-22 14:05 GMT-03:00 Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="gmail-">
<div class="gmail-m_-3781099487582159301moz-cite-prefix">On 11/21/2016 08:33 PM, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Is that the only way to make it work
?</div>
</div>
</blockquote>
<br></span>
No, definitely not. That solution is more like a hack. Not a real
solution. The point is that midPoint should correctly use the delete
attribute operation. It is designed to do that and it works for all
correctly configured resources that we have tried. So the point here
is to figure out why it does not work for this specific case.<span class="gmail-"><br>
<br>
<pre class="gmail-m_-3781099487582159301moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span></div>
<br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div><br>
</div></div>