<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Grande";
panose-1:2 11 6 0 4 5 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Calibri;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Calibri;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:Calibri;
mso-fareast-language:EN-US;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:70.85pt 2.0cm 70.85pt 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hello all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I have tried to search high and low but, alas, my Google-fu has failed me. So, please excuse me and feel free to point me to the applicable documentation if I have indeed missed this one :)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Now that being said, I am having hard time figuring out how to disable AD accounts when the projection is deleted or unlinked? Should this be possible?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The authoritative data flow is somewhat standard I would suspect: HR system > MidPoint > AD - meaning that we will never create user objects from AD accounts, enforce attributes from MidPoint to AD and user
objects in MidPoint are created, and their status updated, based on what we have in the HR system (unless we override something in MidPoint).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In essence, what I am trying accomplish, is to provision new accounts in AD with MidPoint but I do not want to ever delete a single account from the AD resource. In all imaginable situations the AD account,
once provisioned, should never get deleted.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Using MidPoint 3.5 and Active Directory with com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.4.3.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">My resource definition:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <projection><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <legalize>false</legalize><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </projection><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <cap:delete><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <cap:enabled>false</cap:enabled><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </cap:delete><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </configured><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </capabilities><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <activation><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <existence><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <outbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <strength>weak</strength><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <c:path>$focusExists</c:path><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </outbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </existence><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <administrativeStatus><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <outbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <strength>strong</strength><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <script><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <code><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> if (legal) {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> input;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> } else {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> ActivationStatusType.DISABLED;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </code><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </script><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </outbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </administrativeStatus><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <validFrom><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <outbound/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </validFrom><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <validTo><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <outbound/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </validTo><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </activation><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">From our upstream HR system we have:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><activation><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <existence><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <inbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <asIs/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </inbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </existence><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <administrativeStatus><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <inbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <strength>weak</strength><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <source><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <c:path>$c:account/c:attributes/ri:ad_status</c:path><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </source><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <script><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <code><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="font-size:11.0pt">if (ad_status == 1) {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> null;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> } else {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> ActivationStatusType.DISABLED;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </code><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </script><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </inbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </administrativeStatus><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <validFrom><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <inbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <strength>weak</strength><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </inbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </validFrom><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </activation><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I have tested unlinking and deleting the projection explicitly from a given user in the MidPoint GUI and the AD account gets never disabled. It just sits there enabled or if I change the policy and enable
resource delete capability, the account will get removed (as expected).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">With best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jaakko Leskinen<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman";mso-fareast-language:EN-GB">-- <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:11.25pt;margin-left:0cm;line-height:16.5pt">
<span style="font-size:10.5pt;font-family:"Lucida Grande";color:#2B2E2F;mso-fareast-language:EN-GB">Jaakko Leskinen<br>
System Developer / Team Lead<br>
Qvantel<br>
Piippukatu 11<br>
FI-40100 Jyväskylä, Finland<br>
+358 44 977 3829<br>
<a href="mailto:jaakko.leskinen@qvantel.com"><span style="color:#0563C1">jaakko.leskinen@qvantel.com</span></a><br>
<a href="http://www.qvantel.com/" target="_blank"><span style="color:#0563C1">www.qvantel.com</span></a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>