<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Ivan, the Global Enforcement Policy is set to Full. The tolerant=false is working fine when we have the same associations in midPoint and in the resource. So if we remove a group in midPoint, it is removed on the resource. That works.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">We are working on a situation where the resource has more user-group assignments than midPoint has. It can be because entitlements are granted directly on the resource (not recommended by us, but it can happen) or because you don't load the associations during the initial setup. So if we remove a role assignment or role inducement in midPoint and reconcile the user, it loses the removed roles (that would be right) but also loses the roles granted on the resource.
</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">As Ana said, we know this is not the best approach, but we want to be sure whether this is the only way that midPoint works, and we will recommend that the customer load and maintain all the associations in midPoint.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Best regards,</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Nov 24, 2016 at 4:25 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Ana,</p>
<p>one other thing which comes to my mind is: can you check what the
setting of Global Enforcement Policy in System Configuration is?
The default is Relative, but "Full" may behave similarly to
"tolerant=false".</p>
<p>I used tolerant=false in an &lt;association&gt; definition in a
resource three weeks ago and I clearly remember that recomputing
users with the (default) tolerant=true did not remove values that were
not provided by roles, while setting tolerant=false in the
&lt;association&gt; definition in the resource did the trick during
recompute.<br>
</p>
<p>No other idea yet.<span class="HOEnZb"><font color="#888888"><br>
</font></span></p><span class="HOEnZb"><font color="#888888">
Ivan</font></span><div><div class="h5"><br>
<br>
<div class="m_-7024169922938030862moz-cite-prefix">On 11/24/2016 04:39 PM, Ana Pereyra
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>First of all, thank you for your help and quick response. </div>
<div><br>
</div>
<div>We understand what you are saying about the tolerance tag
behavior: we tested both AD and ScriptedSQL connectors with
the association tolerance set in false and it removes the
assignments from the resource that have and have not been
assigned by MidPoint.</div>
<div><br>
</div>
<div>We will discuss this approach with our customer in order to
move forward with the project implementation.</div>
<div><br>
</div>
<div>Ideally, we would need a way to keep the resource
assignments that have not been granted by MidPoint. If there
is any way to do that, we would go with that.</div>
<div><br>
</div>
<div>We await your answer. Thanks in advance.</div>
<div>Best regards,</div>
<div><br>
</div>
<div>-- <br>
<div class="m_-7024169922938030862gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><b style="font-size:12.8px">Ana
Pereyra</b><br>
</div>
<div dir="ltr"><font style="font-size:12.8px" face="verdana, sans-serif"><img src="http://www.identicum.com/img/favicon.ico"> Identicum
S.A.<br>
<i><font color="#666666">Jorge Newbery 3226,
Argentina<br>
Tel: +54 (11) </font></i></font><font style="font-size:12.8px" color="#666666" face="verdana, sans-serif"><i>4552.3050</i></font>
<div style="font-size:12.8px"><font face="verdana,
sans-serif"><i><font size="1"><a href="mailto:apereyra@identicum.com" target="_blank">apereyra@identicum.com</a></font></i><br>
<a href="http://www.identicum.com/" target="_blank"><font color="#000000">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-11-24 7:34 GMT-03:00 Nicolas
Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="white-space:pre-wrap">Hi Ivan. I'll check it again, but I already tried removing the tolerant parameter from the association definition. It keeps the groups assigned directly on the resource, but it also keeps the groups removed from the user in a reconcile process. I mean, a role assigned to a user loses an inducement to another role, and when I reconcile the user the group is not removed on the resource.
Let me try it again.
Regards</div>
<div class="m_-7024169922938030862gmail-HOEnZb">
<div class="m_-7024169922938030862gmail-h5"><br>
<div class="gmail_quote">
<div dir="ltr">El El jue, 24 de nov. de 2016 a las
04:32, Ivan Noris <<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>>
escribió:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Hi
Ana,</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">this
is typical behaviour when the
&lt;association&gt; in the resource is
configured as
&lt;tolerant&gt;false&lt;/tolerant&gt;. Can
you check the setting in the resource?</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Setting
tolerant to true will also allow values not given
by midPoint assignments/mappings.<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Setting
tolerant to false will drop all values not
given by midPoint assignments/mappings.</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">The
default is true.</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Based
on the requirements, some customers and
projects require setting tolerant to true and
others to false.<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Regards,</p>
<p class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Ivan<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</p>
</div>
<div bgcolor="#FFFFFF" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"> <br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582moz-cite-prefix m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">On
11/23/2016 09:58 PM, Ana Pereyra wrote:<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<blockquote type="cite" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Hi
Radovan,
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Although
it is now correctly synchronizing the user
group assignments between the application
and MidPoint, we are facing the following
issue:</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">As
we said before, an account in the resource
may have groups that have been granted
from outside MidPoint. For example, we can
have user 1 with groups 1 and 2 in
MidPoint and groups 1, 2, 3 and 4 in the
resource (groups 3 and 4 have been
assigned directly in the resource).</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">When
we force a reconcile on the user, since
MidPoint has no record of groups 3 and 4,
the groups are deleted in the resource
too, based on a REMOVE_ATTRIBUTE_VALUES
operation on the Update script.</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">What
we would need, is for those groups that
have not been assigned by MidPoint (in
this case, groups 3 and 4) <b class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">not
to be removed</b> from the user in the
resource.</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Is
this MidPoint's default behaviour, to
unassign groups that have not been
assigned by MidPoint?</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Is
there a way to only unassign the groups
(on a reconcile after a remove inducement
operation) that have been granted by
MidPoint?</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Best
Regards,</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">-- <br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582gmail_signature m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><b style="font-size:12.8px" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Ana
Pereyra</b><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><font style="font-size:12.8px" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" face="verdana, sans-serif"><img class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"> Identicum
S.A.<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<i class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><font class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" color="#666666">Jorge
Newbery 3226, Argentina<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
Tel: +54 (11) </font></i></font><font style="font-size:12.8px" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" color="#666666" face="verdana, sans-serif"><i class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">4552.3050</i></font>
<div style="font-size:12.8px" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><font class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" face="verdana, sans-serif"><i class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><font class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" size="1"><a href="mailto:apereyra@identicum.com" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank">apereyra@identicum.com</a></font></i><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<a href="http://www.identicum.com/" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank"><font class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" color="#000000">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<div class="gmail_extra m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div class="gmail_quote m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">2016-11-22
14:05 GMT-03:00 Radovan Semancik <span dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><<a href="mailto:radovan.semancik@evolveum.com" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>:<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<blockquote class="gmail_quote m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><span class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582gmail- m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582gmail-m_-3781099487582159301moz-cite-prefix
gmail-m_-8079639463165921417gmail_msg">On 11/21/2016 08:33 PM, Nicolas
Rossi wrote:<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<blockquote type="cite" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div dir="ltr" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">Is
that the only way to make it
work ?</div>
</div>
</blockquote>
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</span> No, definitely not. That
solution is more like a hack. Not a
real solution. The point is that
midPoint should correctly use the
delete attribute operation. It is
designed to do that and it works for
all correctly configured resources
that we have tried. So the point
here is to figure out why it does
not work for this specific case.<span class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582gmail- m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<pre class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582gmail-m_-3781099487582159301moz-signature m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank">evolveum.com</a>
</pre>
</span></div>
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
______________________________<wbr>_________________<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
midPoint mailing list<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<a href="mailto:midPoint@lists.evolveum.com" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank">midPoint@lists.evolveum.com</a><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</blockquote>
</div>
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" clear="all">
<div class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</div>
</div>
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
<br class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg">
</blockquote>
</div><div bgcolor="#FFFFFF" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><pre class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582moz-signature m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" cols="72">--
Ivan Noris
Senior Identity Engineer
</pre></div><div bgcolor="#FFFFFF" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg"><pre class="m_-7024169922938030862gmail-m_-8079639463165921417m_-6131397040475140582moz-signature m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" cols="72"><a href="http://evolveum.com" class="m_-7024169922938030862gmail-m_-8079639463165921417gmail_msg" target="_blank">evolveum.com</a>
</pre>
</div>
</blockquote></div>
</div></div>
</blockquote></div>
<div>
</div>
</div></div>
</blockquote>
<pre class="m_-7024169922938030862moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></div></div></div>
<br></blockquote></div><br></div>
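<p>The reconciliation behaviour discussed in the thread above, as an added simulation that is neither midPoint's code nor any participant's: it replays the thread's own scenario (user 1 holds groups 1 and 2 through midPoint roles, groups 3 and 4 were granted directly on the resource, then a role inducement is removed so midPoint computes only group 1) under tolerant=false, under tolerant=true as Nicolas observed it on reconcile, and under a hypothetical third variant that revokes only what midPoint itself once granted, which is what Ana asked for. The <code>previously_provisioned</code> record that variant needs is an assumption made for the example; the thread does not say midPoint keeps such a record, and without it tolerant=true cannot tell "never granted by midPoint" from "granted by midPoint and since revoked". Group names are constructed.</p>

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class ReconcileDelta:
    """Membership changes a reconciliation would push to the resource."""
    add: FrozenSet[str]
    remove: FrozenSet[str]


def reconcile(computed: Set[str], on_resource: Set[str], tolerant: bool,
              previously_provisioned: Optional[Set[str]] = None) -> ReconcileDelta:
    """Compute the association delta for one account (simulation, not midPoint).

    computed:               values midPoint derives from the user's current
                            assignments and inducements
    on_resource:            values currently present on the account
    tolerant:               the association's <tolerant> setting
    previously_provisioned: values midPoint itself granted earlier; an assumed
                            record for the "revoke only what midPoint granted"
                            variant, not something the thread says midPoint keeps
    """
    add = frozenset(computed - on_resource)
    if not tolerant:
        # tolerant=false: everything midPoint does not currently compute is
        # dropped, including memberships granted outside midPoint (groups 3, 4).
        remove = frozenset(on_resource - computed)
    elif previously_provisioned is not None:
        # Hypothetical desired behaviour: revoke only values midPoint once
        # granted and no longer computes; foreign memberships survive.
        remove = frozenset((previously_provisioned & on_resource) - computed)
    else:
        # tolerant=true with no record of earlier grants: nothing foreign is
        # removed, but, as observed on reconcile in the thread, the revoked
        # midPoint group survives as well.
        remove = frozenset()
    return ReconcileDelta(add, remove)


# Constructed scenario from the thread.
MIDPOINT_BEFORE = {"group1", "group2"}               # from the user's roles
RESOURCE = {"group1", "group2", "group3", "group4"}  # group3/4 granted directly
MIDPOINT_AFTER = {"group1"}                          # after the inducement removal


def scenario() -> Dict[str, ReconcileDelta]:
    """Reconcile the user after the inducement removal under each policy."""
    return {
        "tolerant=false": reconcile(MIDPOINT_AFTER, RESOURCE, tolerant=False),
        "tolerant=true": reconcile(MIDPOINT_AFTER, RESOURCE, tolerant=True),
        "tolerant=true+history": reconcile(
            MIDPOINT_AFTER, RESOURCE, tolerant=True,
            previously_provisioned=MIDPOINT_BEFORE),
    }


if __name__ == "__main__":
    for policy, delta in scenario().items():
        print(f"{policy:22s} remove={sorted(delta.remove)} add={sorted(delta.add)}")
```

<p>Running it shows the trade-off the thread circles around: tolerant=false revokes group2 but also wipes group3 and group4, tolerant=true on reconcile touches nothing, and only the variant with a record of earlier grants revokes exactly group2. Whichever setting is chosen, the practical recommendation from the thread stands: load the existing resource associations into midPoint up front so that midPoint's computed values and the resource agree before tolerant=false is enforced.</p>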