<div dir="ltr">Hi Ivan,<div><br></div><div>First of all, thank you for your help and quick response. </div><div><br></div><div>We understand what you are saying about the tolerance tag behavior: we tested both AD and ScriptedSQL connectors with the association tolerance set in false and it removes the assignments from the resource that have and have not been assigned by MidPoint.</div><div><br></div><div>We will discuss this approach with our customer in order to move forward with the project implementation.</div><div><br></div><div>Ideally, we would need a way to keep the resource assignments that have not been granted by MidPoint. If there is any way to do that, we would go with that.</div><div><br></div><div>We wait for your answer. Thanks in advace.</div><div>Best regards,</div><div><br></div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><b style="font-size:12.8px">Ana Pereyra</b><br></div><div dir="ltr"><font face="verdana, sans-serif" style="font-size:12.8px"><img src="http://www.identicum.com/img/favicon.ico"> Identicum S.A.<br><i><font color="#666666">Jorge Newbery 3226, Argentina<br>Tel: +54 (11) </font></i></font><font color="#666666" face="verdana, sans-serif" style="font-size:12.8px"><i>4552.3050</i></font><div style="font-size:12.8px"><font face="verdana, sans-serif"><i><font size="1"><a href="mailto:apereyra@identicum.com" target="_blank">apereyra@identicum.com</a></font></i><br><a href="http://www.identicum.com/" target="_blank"><font color="#000000">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-24 7:34 GMT-03:00 Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="white-space:pre-wrap">Hi Ivan. I'll check it again but I already tried removing the tolerant parameter on the association definition. It keeps the groups assigned directly on the resource but it also keeps the groups removed from the user in a reconcile process. I mean, a role assigned to a user loses an inducement to other role and when I reconcile the user the group is not removed on the resource. <br><br>Let me try it again. <br><br>Regards</div><div class="gmail-HOEnZb"><div class="gmail-h5"><br><div class="gmail_quote"><div dir="ltr">El El jue, 24 de nov. de 2016 a las 04:32, Ivan Noris <<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>> escribió:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" class="gmail-m_-8079639463165921417gmail_msg">
<p class="gmail-m_-8079639463165921417gmail_msg">Hi Ana,</p>
<p class="gmail-m_-8079639463165921417gmail_msg">this is typical behaviour when the <association> in the
resource is configured as <tolerant>false</tolerant>.
Can you check the setting in the resource?</p>
<p class="gmail-m_-8079639463165921417gmail_msg">Setting tolerant to true will allow also values given not by
midPoint assignments/mappings.<br class="gmail-m_-8079639463165921417gmail_msg">
</p>
<p class="gmail-m_-8079639463165921417gmail_msg">Setting tolerant to false will drop all values not given by
midPoint assignments/mappings.</p>
<p class="gmail-m_-8079639463165921417gmail_msg">The default is true.</p>
<p class="gmail-m_-8079639463165921417gmail_msg">Based on the requirements, some customers and projects require
setting tolerant to true and others to false.<br class="gmail-m_-8079639463165921417gmail_msg">
</p>
<p class="gmail-m_-8079639463165921417gmail_msg">Regards,</p>
<p class="gmail-m_-8079639463165921417gmail_msg">Ivan<br class="gmail-m_-8079639463165921417gmail_msg">
</p></div><div bgcolor="#FFFFFF" class="gmail-m_-8079639463165921417gmail_msg">
<br class="gmail-m_-8079639463165921417gmail_msg">
<div class="gmail-m_-8079639463165921417m_-6131397040475140582moz-cite-prefix gmail-m_-8079639463165921417gmail_msg">On 11/23/2016 09:58 PM, Ana Pereyra
wrote:<br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<blockquote type="cite" class="gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg">Hi Radovan,
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail-m_-8079639463165921417gmail_msg">Despite it is now synchronizing correctly the user groups
assignments between the application and MidPoint, we are
facing the following issue:</div>
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail-m_-8079639463165921417gmail_msg">As we said before, an account in the resource may have
groups that have been granted from outside MidPoint. For
example, we can have user 1 with groups 1 and 2 in MidPoint
and groups 1, 2, 3 and 4 in the resource (groups 3 and 4 have
been assigned directly in the resource).</div>
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail-m_-8079639463165921417gmail_msg">When we force a reconcile on the user, since MidPoint has
no record of groups 3 and 4, the groups are deleted in the
resource too, based on a REMOVE_ATTRIBUTE_VALUES operation on
the Update script.</div>
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail-m_-8079639463165921417gmail_msg">What we would need, is for those groups that have not been
assigned by MidPoint (in this case, groups 3 and 4) <b class="gmail-m_-8079639463165921417gmail_msg">not to
be removed</b> from the user in the resource.</div>
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail-m_-8079639463165921417gmail_msg">Is this MidPoint's default behaviour, to unassign groups
that have not been assigned by MidPoint?</div>
<div class="gmail-m_-8079639463165921417gmail_msg">Is there a way to only unassign the groups (on a reconcile
after a remove inducement operation) that have been granted by
MidPoint?</div>
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail-m_-8079639463165921417gmail_msg">Best Regards,</div>
<div class="gmail-m_-8079639463165921417gmail_msg">-- <br class="gmail-m_-8079639463165921417gmail_msg">
<div class="gmail-m_-8079639463165921417m_-6131397040475140582gmail_signature gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg"><b style="font-size:12.8px" class="gmail-m_-8079639463165921417gmail_msg">Ana
Pereyra</b><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg"><font style="font-size:12.8px" face="verdana, sans-serif" class="gmail-m_-8079639463165921417gmail_msg"><img class="gmail-m_-8079639463165921417gmail_msg"> Identicum
S.A.<br class="gmail-m_-8079639463165921417gmail_msg">
<i class="gmail-m_-8079639463165921417gmail_msg"><font color="#666666" class="gmail-m_-8079639463165921417gmail_msg">Jorge Newbery 3226,
Argentina<br class="gmail-m_-8079639463165921417gmail_msg">
Tel: +54 (11) </font></i></font><font style="font-size:12.8px" color="#666666" face="verdana, sans-serif" class="gmail-m_-8079639463165921417gmail_msg"><i class="gmail-m_-8079639463165921417gmail_msg">4552.3050</i></font>
<div style="font-size:12.8px" class="gmail-m_-8079639463165921417gmail_msg"><font face="verdana,
sans-serif" class="gmail-m_-8079639463165921417gmail_msg"><i class="gmail-m_-8079639463165921417gmail_msg"><font size="1" class="gmail-m_-8079639463165921417gmail_msg"><a href="mailto:apereyra@identicum.com" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">apereyra@identicum.com</a></font></i><br class="gmail-m_-8079639463165921417gmail_msg">
<a href="http://www.identicum.com/" class="gmail-m_-8079639463165921417gmail_msg" target="_blank"><font color="#000000" class="gmail-m_-8079639463165921417gmail_msg">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail_extra gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
<div class="gmail_quote gmail-m_-8079639463165921417gmail_msg">2016-11-22 14:05 GMT-03:00 Radovan
Semancik <span dir="ltr" class="gmail-m_-8079639463165921417gmail_msg"><<a href="mailto:radovan.semancik@evolveum.com" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>:<br class="gmail-m_-8079639463165921417gmail_msg">
<blockquote class="gmail_quote gmail-m_-8079639463165921417gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" class="gmail-m_-8079639463165921417gmail_msg"><span class="gmail-m_-8079639463165921417m_-6131397040475140582gmail- gmail-m_-8079639463165921417gmail_msg">
<div class="gmail-m_-8079639463165921417m_-6131397040475140582gmail-m_-3781099487582159301moz-cite-prefix gmail-m_-8079639463165921417gmail_msg">On
11/21/2016 08:33 PM, Nicolas Rossi wrote:<br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<blockquote type="cite" class="gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="gmail-m_-8079639463165921417gmail_msg">
<div class="gmail-m_-8079639463165921417gmail_msg">Is that the only way to make it work ?</div>
</div>
</blockquote>
<br class="gmail-m_-8079639463165921417gmail_msg">
</span> No, definitely not. That solution is more like a
hack. Not a real solution. The point is that midPoint
should correctly use the delete attribute operation. It
is designed to do that and it works for all correctly
configured resources that we have tried. So the point
here is to figure out why it does not work for this
specific case.<span class="gmail-m_-8079639463165921417m_-6131397040475140582gmail- gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
<br class="gmail-m_-8079639463165921417gmail_msg">
<pre class="gmail-m_-8079639463165921417m_-6131397040475140582gmail-m_-3781099487582159301moz-signature gmail-m_-8079639463165921417gmail_msg" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">evolveum.com</a>
</pre>
</span></div>
<br class="gmail-m_-8079639463165921417gmail_msg">
______________________________<wbr>_________________<br class="gmail-m_-8079639463165921417gmail_msg">
midPoint mailing list<br class="gmail-m_-8079639463165921417gmail_msg">
<a href="mailto:midPoint@lists.evolveum.com" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">midPoint@lists.evolveum.com</a><br class="gmail-m_-8079639463165921417gmail_msg">
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br class="gmail-m_-8079639463165921417gmail_msg">
<br class="gmail-m_-8079639463165921417gmail_msg">
</blockquote>
</div>
<br class="gmail-m_-8079639463165921417gmail_msg">
<br clear="all" class="gmail-m_-8079639463165921417gmail_msg">
<div class="gmail-m_-8079639463165921417gmail_msg"><br class="gmail-m_-8079639463165921417gmail_msg">
</div>
<br class="gmail-m_-8079639463165921417gmail_msg">
</div>
</div>
<br class="gmail-m_-8079639463165921417gmail_msg">
<fieldset class="gmail-m_-8079639463165921417m_-6131397040475140582mimeAttachmentHeader gmail-m_-8079639463165921417gmail_msg"></fieldset>
<br class="gmail-m_-8079639463165921417gmail_msg">
<pre class="gmail-m_-8079639463165921417gmail_msg">______________________________<wbr>_________________
midPoint mailing list
<a class="gmail-m_-8079639463165921417m_-6131397040475140582moz-txt-link-abbreviated gmail-m_-8079639463165921417gmail_msg" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="gmail-m_-8079639463165921417m_-6131397040475140582moz-txt-link-freetext gmail-m_-8079639463165921417gmail_msg" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br class="gmail-m_-8079639463165921417gmail_msg">
</div><div bgcolor="#FFFFFF" class="gmail-m_-8079639463165921417gmail_msg"><pre class="gmail-m_-8079639463165921417m_-6131397040475140582moz-signature gmail-m_-8079639463165921417gmail_msg" cols="72">--
Ivan Noris
Senior Identity Engineer
</pre></div><div bgcolor="#FFFFFF" class="gmail-m_-8079639463165921417gmail_msg"><pre class="gmail-m_-8079639463165921417m_-6131397040475140582moz-signature gmail-m_-8079639463165921417gmail_msg" cols="72"><a href="http://evolveum.com" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">evolveum.com</a>
</pre>
</div>
______________________________<wbr>_________________<br class="gmail-m_-8079639463165921417gmail_msg">
midPoint mailing list<br class="gmail-m_-8079639463165921417gmail_msg">
<a href="mailto:midPoint@lists.evolveum.com" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">midPoint@lists.evolveum.com</a><br class="gmail-m_-8079639463165921417gmail_msg">
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" class="gmail-m_-8079639463165921417gmail_msg" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br class="gmail-m_-8079639463165921417gmail_msg">
</blockquote></div>
</div></div><br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div><br>
</div></div>