<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Jaakko,</p>
<p>yes, the best would be when you play with it a little.</p>
<p>One particularly important thing about roles (or assignments in
general) is that if you only add projections, midPoint knows if
the account exists or not, but you cannot specify if it should
exist or not. Assignments are exactly for this: if you assign a
role (account) to a midPoint user, that account should exist. If
there is a projection for that account, everything is OK. If the
account is missing and midPoint has an assignment for it, it can be
recreated again, because that's the policy - it should exist. If
you unassign a role, again it's the policy which says if the
account should be deleted or disabled.<br>
</p>
<p>So the roles are good :-)<br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 04/20/2017 10:54 AM, Jaakko Leskinen
wrote:<br>
</div>
<blockquote
cite="mid:88C88A41-4F85-45CE-9CED-98B9245C65D1@qvantel.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Ivan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for
clarifying this. I was heading to that conclusion as well
after reading some more about assignments and projections.
The “disable instead of delete” is applicable only when
roles are used. We just were not quite there yet and had no
roles defined </span><span
style="font-size:11.0pt;font-family:"Apple Color
Emoji"">☺</span><span style="font-size:11.0pt">I will
setup some roles and do the tests but I assume it will work
as described.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I will have
to see how your recommendations about restricting the
administration of projections fit to our scenario.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for
such a clear and prompt response!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Best
regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jaakko<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Times New
Roman";mso-fareast-language:EN-GB">-- <o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:11.25pt;margin-left:0cm;line-height:16.5pt"><span
style="font-size:10.5pt;font-family:"Lucida
Grande";color:#2B2E2F;mso-fareast-language:EN-GB">Jaakko
Leskinen<br>
System Developer / Team Lead<br>
Qvantel<br>
Piippukatu 11<br>
FI-40100 Jyväskylä, Finland<br>
+358 44 977 3829<br>
<a moz-do-not-send="true"
href="mailto:jaakko.leskinen@qvantel.com">jaakko.leskinen@qvantel.com</a><br>
<a moz-do-not-send="true" href="http://www.qvantel.com/"
target="_blank">www.qvantel.com</a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span
style="color:black">midPoint
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf of
Ivan Noris <a class="moz-txt-link-rfc2396E" href="mailto:ivan.noris@evolveum.com"><ivan.noris@evolveum.com></a><br>
<b>Organization: </b>Evolveum, s.r.o.<br>
<b>Reply-To: </b>midPoint General Discussion
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br>
<b>Date: </b>Thursday, 20 April 2017 at 9.58<br>
<b>To: </b><a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">"midpoint@lists.evolveum.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br>
<b>Subject: </b>Re: [midPoint] AD disable account on
unlink</span><span
style="color:black;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Times New
Roman""><o:p> </o:p></span></p>
</div>
<p>Hi Jaakko,<o:p></o:p></p>
<p>if you have disabled the delete capability for the AD resource,
midPoint will never allow a delete operation for any object in
AD (not just accounts, but anything; the setting is (for now)
resource-specific). Any attempt to do so will result in an
"Operation not supported" exception in midPoint.<o:p></o:p></p>
<p>The Disable instead of Delete (<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete">https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete</a>)
works for unassignment: if you have that configured, and you
unassign all roles giving the AD account from the user, the
account will not be deleted (which is the default) but disabled
instead. But this feature works only for unassignment. The
attempt to unassign the (last) role will "convert" the operation
from delete to disable.<o:p></o:p></p>
<p>If you try to delete the projection or unlink it, it will not be
converted to a "disable" operation. I'm not aware of such a
feature yet - unless my colleagues who work hard on the upcoming
3.6 release know better.<o:p></o:p></p>
<p>I can suggest the following: use the "disable instead of
delete" operation + disable delete capability for AD resource
+ set authorization roles for your midPoint administrators so
that they cannot delete the projection (delete operation on
ShadowType objects).<o:p></o:p></p>
<p>Would this cover your scenario? (This is basically what I'm
proposing for my customer with older midPoint 3.4.x).<o:p></o:p></p>
<p>Best regards,<o:p></o:p></p>
<p>Ivan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 04/20/2017 08:16 AM, Jaakko Leskinen
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt">Hello all,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I have
tried to search high and low but, alas, my Google-fu has
failed me. So, please excuse me and feel free to point me
to the applicable documentation if I have indeed missed
this one :)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Now that
being said, I am having hard time figuring out how to
disable AD accounts when the projection is deleted or
unlinked? Should this be possible?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The
authoritative data flow is somewhat standard I would
suspect: HR system > MidPoint > AD - meaning that we
will never create user objects from AD accounts, enforce
attributes from MidPoint to AD and user objects in
MidPoint are created, and their status updated, based on
what we have in the HR system (unless we override
something in MidPoint).</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In
essence, what I am trying accomplish, is to provision new
accounts in AD with MidPoint but I do not want to ever
delete a single account from the AD resource. In all
imaginable situations the AD account, once provisioned,
should never get deleted.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Using
MidPoint 3.5 and Active Directory with
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
v1.4.3.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">My
resource definition:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<projection></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<legalize>false</legalize></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</projection></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">…</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<cap:delete></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<cap:enabled>false</cap:enabled></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</cap:delete></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</configured></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</capabilities></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">…</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<activation></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<existence></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<outbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<strength>weak</strength></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<c:path>$focusExists</c:path></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</outbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</existence></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<administrativeStatus></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<outbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<strength>strong</strength></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<script></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<code></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
if (legal) {</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
input;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
} else {</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
ActivationStatusType.DISABLED;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
}</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</code></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</script></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</outbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</administrativeStatus></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<validFrom></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<outbound/></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</validFrom></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<validTo></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<outbound/></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</validTo></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</activation></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">From our
upstream HR system we have:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><activation></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<existence></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<inbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<asIs/></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</inbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</existence></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<administrativeStatus></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<inbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<strength>weak</strength></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<source></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<c:path>$c:account/c:attributes/ri:ad_status</c:path></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</source></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<script></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<code></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-indent:36.0pt"><span
style="font-size:11.0pt">if (ad_status == 1) {</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
null;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
} else {</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
ActivationStatusType.DISABLED;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
}</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</code></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</script></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</expression></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</inbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</administrativeStatus></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<validFrom></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<inbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
<strength>weak</strength></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</inbound></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</validFrom></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</activation></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I have
tested unlinking and deleting the projection explicitly
from a given user in the MidPoint GUI and the AD account
gets never disabled. It just sits there enabled or if I
change the policy and enable resource delete capability,
the account will get removed (as expected).</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks!</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">With best
regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jaakko
Leskinen</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:11.25pt;margin-left:0cm;line-height:16.5pt"><span
style="font-size:10.5pt">Jaakko Leskinen<br>
System Developer / Team Lead<br>
Qvantel<br>
Piippukatu 11<br>
FI-40100 Jyväskylä, Finland<br>
+358 44 977 3829<br>
<a moz-do-not-send="true"
href="mailto:jaakko.leskinen@qvantel.com">jaakko.leskinen@qvantel.com</a><br>
<a moz-do-not-send="true" href="http://www.qvantel.com/"
target="_blank">www.qvantel.com</a></span><o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Times New
Roman";mso-fareast-language:EN-GB"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-family:"Times New
Roman";mso-fareast-language:EN-GB"><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Ivan Noris<o:p></o:p></pre>
<pre>Senior Identity Engineer<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
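<p>The thread above contrasts three mechanisms that are easy to confuse: the assignment-driven policy (assign means "should exist", unassign means delete or, with "disable instead of delete", disable), the resource's delete capability (when disabled, every delete is refused with "Operation not supported"), and the GUI's unlink / delete projection actions, which bypass the activation mappings altogether. The following Python model is an added example and is not midPoint's code or anything from Evolveum; the names Resource, User, recompute, unlink, delete_projection and scenario are this example's own, and the user and DN are constructed sample data. It reproduces Jaakko's configuration (delete capability off, disable-instead-of-delete on) and shows why unassigning the last role disables the account while unlinking leaves it enabled and deleting the projection is refused.</p>

```python
# Added example, not midPoint's own code: a toy model of the account-lifecycle
# rules Ivan describes (assignment policy, "disable instead of delete", a disabled
# delete capability, and GUI unlink/delete that bypass the mappings). Names such as
# Resource, User, recompute, unlink, delete_projection and scenario are this
# example's own; the user and DN below are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"


class OperationNotSupported(Exception):
    """Stands in for midPoint's error when cap:delete has cap:enabled=false."""


@dataclass
class Resource:
    name: str
    delete_capability: bool = True            # cap:delete / cap:enabled
    disable_instead_of_delete: bool = False   # the wiki feature Ivan references
    accounts: dict = field(default_factory=dict)   # dn -> Status

    def create(self, dn):
        self.accounts[dn] = Status.ENABLED

    def delete(self, dn):
        # With the capability disabled, no object on this resource can ever be deleted.
        if not self.delete_capability:
            raise OperationNotSupported(f"delete is not supported on resource {self.name}")
        self.accounts.pop(dn, None)


@dataclass
class User:
    name: str
    dn: str
    status: Status = Status.ENABLED           # user's own status, fed from HR
    roles: set = field(default_factory=set)   # assignments granting the AD account
    linked: bool = False                      # projection (shadow link) present


def administrative_status(legal, input_status):
    """Jaakko's administrativeStatus outbound mapping: `legal ? input : DISABLED`."""
    return input_status if legal else Status.DISABLED


def recompute(user, res):
    """Assignment-driven policy: what runs after assign/unassign or a reconcile.

    `legal` is true while an assignment justifies the account. With an assignment
    the account must exist, so a missing one is recreated. Without one, the default
    is deletion; disable-instead-of-delete converts that into a disable.
    """
    legal = bool(user.roles)
    if legal:
        if user.dn not in res.accounts:
            res.create(user.dn)          # policy says it should exist: recreate
        user.linked = True
        res.accounts[user.dn] = administrative_status(True, user.status)
        return "ensured"
    if not user.linked:
        return "nothing to do"
    if res.disable_instead_of_delete:
        res.accounts[user.dn] = administrative_status(False, user.status)
        return "disabled"
    res.delete(user.dn)                  # may raise OperationNotSupported
    user.linked = False
    return "deleted"


def unlink(user, res):
    """GUI 'unlink': only the link goes; no mapping runs, so the account is untouched."""
    user.linked = False
    return res.accounts.get(user.dn)


def delete_projection(user, res):
    """GUI 'delete projection': a plain delete request, never converted to a disable."""
    res.delete(user.dn)                  # raises when the delete capability is disabled
    user.linked = False


def scenario():
    """Walk Jaakko's setup (delete disabled, disable-instead-of-delete on); return observations."""
    ad = Resource("AD", delete_capability=False, disable_instead_of_delete=True)
    u = User("jdoe", "CN=jdoe,OU=Users,DC=example,DC=com")   # constructed sample
    out = {}
    u.roles.add("ad-user")
    out["after_assign"] = (recompute(u, ad), ad.accounts[u.dn], u.linked)
    u.roles.clear()                          # unassign the last role
    out["after_unassign"] = (recompute(u, ad), ad.accounts[u.dn], u.linked)
    u.roles.add("ad-user")
    recompute(u, ad)                         # re-assign: account is enabled again
    out["after_unlink"] = (unlink(u, ad), u.linked)   # orphaned but still enabled
    recompute(u, ad)                         # reconcile: assignment present, relinked
    try:
        delete_projection(u, ad)
        out["delete_projection"] = "deleted"
    except OperationNotSupported as e:
        out["delete_projection"] = str(e)
    out["still_present"] = u.dn in ad.accounts
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

<p>The model also shows the control Ivan adds on top: because unlink and delete projection never reach the mappings, the only things standing between an administrator and an orphaned or deleted account are the disabled delete capability and an authorization that withholds the delete operation on ShadowType objects.</p>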
</body>
</html>