<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Jaakko,</p>
<p>if you have disabled the delete capability for AD resource,
midpoint will never allow delete operation for any object in AD
(not just accounts, but anything, the setting is (for now)
resource-specific). Any attempt to do so will result in "Operation
not supported" exception in midPoint.</p>
<p>The Disable instead of Delete
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete">https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete</a>)
works for unassignment: if you have that configured, and you
unassign all roles giving the AD account from the user, the account
will not be deleted (which is the default) but disabled instead. But
this feature works only for unassignment. The attempt to unassign the
(last) role will "convert" the operation from delete to disable.</p>
<p>If you try to delete the projection or unlink, it will not be
converted to a "disable" operation. I'm not aware of such a feature
yet - unless my colleagues who work hard on the upcoming 3.6 release
know better.</p>
<p>I can suggest the following: use the "disable instead of delete"
operation + disable the delete capability for the AD resource + set
authorization roles for your midPoint administrators so that they
cannot delete the projection (delete operation on ShadowType
objects).</p>
<p>Would this cover your scenario? (This is basically what I'm
proposing for my customer with older midPoint 3.4.x).</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 04/20/2017 08:16 AM, Jaakko Leskinen
wrote:<br>
</div>
<blockquote
cite="mid:03B975E1-B07D-43A9-9EFB-53DDA8C1A5F1@qvantel.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hello all,</p>
<p class="MsoNormal">I have tried to search high and low but, alas, my Google-fu has failed
me. So, please excuse me and feel free to point me to the
applicable documentation if I have indeed missed this one :)</p>
<p class="MsoNormal">Now that being said, I am having a hard time figuring out how to
disable AD accounts when the projection is deleted or unlinked.
Should this be possible?</p>
<p class="MsoNormal">The authoritative data flow is somewhat standard, I would
suspect: HR system > MidPoint > AD, meaning that we
will never create user objects from AD accounts, we enforce
attributes from MidPoint to AD, and user objects in MidPoint
are created, and their status updated, based on what we have
in the HR system (unless we override something in MidPoint).</p>
<p class="MsoNormal">In essence, what I am trying to accomplish is to provision new accounts in
AD with MidPoint, but I do not want to ever delete a single
account from the AD resource. In all imaginable situations
the AD account, once provisioned, should never get deleted.</p>
<p class="MsoNormal">Using MidPoint 3.5 and Active Directory with
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
v1.4.3.</p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">My resource definition:</p>
<pre wrap="">
<projection>
    <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement>
    <legalize>false</legalize>
</projection>
…
            <cap:delete>
                <cap:enabled>false</cap:enabled>
            </cap:delete>
        </configured>
    </capabilities>
…
<activation>
    <existence>
        <outbound>
            <strength>weak</strength>
            <expression>
                <c:path>$focusExists</c:path>
            </expression>
        </outbound>
    </existence>
    <administrativeStatus>
        <outbound>
            <strength>strong</strength>
            <expression>
                <script>
                    <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
if (legal) {
    input;
} else {
    ActivationStatusType.DISABLED;
}
                    </code>
                </script>
            </expression>
        </outbound>
    </administrativeStatus>
    <validFrom>
        <outbound/>
    </validFrom>
    <validTo>
        <outbound/>
    </validTo>
</activation>
</pre>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">From our upstream HR system we have:</p>
<pre wrap="">
<activation>
    <existence>
        <inbound>
            <expression>
                <asIs/>
            </expression>
        </inbound>
    </existence>
    <administrativeStatus>
        <inbound>
            <strength>weak</strength>
            <source>
                <c:path>$c:account/c:attributes/ri:ad_status</c:path>
            </source>
            <expression>
                <script>
                    <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
if (ad_status == 1) {
    null;
} else {
    ActivationStatusType.DISABLED;
}
                    </code>
                </script>
            </expression>
        </inbound>
    </administrativeStatus>
    <validFrom>
        <inbound>
            <strength>weak</strength>
        </inbound>
    </validFrom>
</activation>
</pre>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal">I have tested unlinking and deleting the projection explicitly from
a given user in the MidPoint GUI and the AD account never
gets disabled. It just sits there enabled, or if I change
the policy and enable the resource delete capability, the
account will get removed (as expected).</p>
<p class="MsoNormal">Thanks!</p>
<p class="MsoNormal">With best regards,</p>
<p class="MsoNormal">Jaakko Leskinen</p>
<p class="MsoNormal">-- </p>
<div>
<p class="MsoNormal">Jaakko Leskinen<br>
System Developer / Team Lead<br>
Qvantel<br>
Piippukatu 11<br>
FI-40100 Jyväskylä, Finland<br>
+358 44 977 3829<br>
<a href="mailto:jaakko.leskinen@qvantel.com">jaakko.leskinen@qvantel.com</a><br>
<a href="http://www.qvantel.com/" target="_blank">www.qvantel.com</a></p>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
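<p>The following is an added example, not code from either message in this thread: a midPoint role implementing the third part of Ivan's suggestion, an authorization that denies the delete action on ShadowType objects so an administrator cannot remove a projection even when another role grants broad rights. The role name, the authorization names and the description are assumptions; the action URIs are midPoint's standard authorization-model-3 actions and the ShadowType object type is the one Ivan names. The role is meant to sit alongside the <code>cap:delete</code> override already shown in Jaakko's resource definition.</p>

```xml
<!-- Added example (not from the thread). Role name, authorization names and
     description are assumed placeholders; no oid is given so midPoint assigns
     one on import. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>AD operator (no shadow delete)</name>
    <description>
        Lets an administrator read and modify AD projections (shadows) but never
        delete them. Used together with the resource-level cap:delete override
        so that two independent layers both refuse to remove an AD account.
    </description>

    <!-- Positive grant: what this operator is allowed to do with shadows. -->
    <authorization>
        <name>shadow-read-modify</name>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>

    <!-- Explicit deny: wins over any delete permission granted by another role
         held by the same administrator. -->
    <authorization>
        <name>shadow-no-delete</name>
        <description>Deleting a projection (ShadowType) is forbidden for this operator.</description>
        <decision>deny</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>
</role>
```

<p>Note that the deny only covers the delete-projection path. Unlinking is a modification of the user (its link to the shadow), not a delete of the shadow, so it is not blocked by this role; as both messages above state, unlinking leaves the AD account untouched rather than deleting it, so the account stays in AD either way.</p>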
</body>
</html>