<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Ana,</p>
<p>this is typical behaviour when the <association> in the
resource is configured as <tolerant>false</tolerant>.
Can you check the setting in the resource?</p>
<p>Setting tolerant to true will allow also values given not by
midPoint assignments/mappings.<br>
</p>
<p>Setting tolerant to false will drop all values not given by
midPoint assignments/mappings.</p>
<p>The default is true.</p>
<p>Based on the requirements, some customers and projects require
setting tolerant to true and others to false.<br>
</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 11/23/2016 09:58 PM, Ana Pereyra
wrote:<br>
</div>
<blockquote
cite="mid:CAO5EgRo97wf=A9O_UyBpMdGLe7kvNa3kq13tVjvjz78bGB6m0w@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Radovan,
<div><br>
</div>
<div>Despite it is now synchronizing correctly the user groups
assignments between the application and MidPoint, we are
facing the following issue:</div>
<div><br>
</div>
<div>As we said before, an account in the resource may have
groups that have been granted from outside MidPoint. For
example, we can have user 1 with groups 1 and 2 in MidPoint
and groups 1, 2, 3 and 4 in the resource (groups 3 and 4 have
been assigned directly in the resource).</div>
<div><br>
</div>
<div>When we force a reconcile on the user, since MidPoint has
no record of groups 3 and 4, the groups are deleted in the
resource too, based on a REMOVE_ATTRIBUTE_VALUES operation on
the Update script.</div>
<div><br>
</div>
<div>What we would need, is for those groups that have not been
assigned by MidPoint (in this case, groups 3 and 4) <b>not to
be removed</b> from the user in the resource.</div>
<div><br>
</div>
<div>Is this MidPoint's default behaviour, to unassign groups
that have not been assigned by MidPoint?</div>
<div>Is there a way to only unassign the groups (on a reconcile
after a remove inducement operation) that have been granted by
MidPoint?</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><b style="font-size:12.8px">Ana
Pereyra</b><br>
</div>
<div dir="ltr"><font style="font-size:12.8px"
face="verdana, sans-serif"><img
moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico"> Identicum
S.A.<br>
<i><font color="#666666">Jorge Newbery 3226,
Argentina<br>
Tel: +54 (11) </font></i></font><font
style="font-size:12.8px" color="#666666"
face="verdana, sans-serif"><i>4552.3050</i></font>
<div style="font-size:12.8px"><font face="verdana,
sans-serif"><i><font size="1"><a
moz-do-not-send="true"
href="mailto:apereyra@identicum.com"
target="_blank">apereyra@identicum.com</a></font></i><br>
<a moz-do-not-send="true"
href="http://www.identicum.com/"
target="_blank"><font color="#000000">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-11-22 14:05 GMT-03:00 Radovan
Semancik <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:radovan.semancik@evolveum.com"
target="_blank">radovan.semancik@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="gmail-">
<div
class="gmail-m_-3781099487582159301moz-cite-prefix">On
11/21/2016 08:33 PM, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Is that the only way to make it work ?</div>
</div>
</blockquote>
<br>
</span> No, definitely not. That solution is more like a
hack. Not a real solution. The point is that midPoint
should correctly use the delete attribute operation. It
is designed to do that and it works for all correctly
configured resources that we have tried. So the point
here is to figure out why it does not work for this
specific case.<span class="gmail-"><br>
<br>
<pre class="gmail-m_-3781099487582159301moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span></div>
<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>