<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>does it work in the common scenario when</p>
<p>1) you edit existing user, assign role and save - is the LDAP
account put into correct group(s)?</p>
<p>2) you then edit the same user, unassign role and save - is the
LDAP account removed from correct group(s)?</p>
<p>If this works normally, then provisioning works.</p>
<p>If you wish to be able to remove accounts from the groups after
you re-define your roles (using recompute), you probably need to
mark the association for groups as "tolerant=false" in the schema
hadling. This setting means that if there are any other
associations (group memberships) than given by midPoint mappings,
they will be removed and the account will be removed from such
groups.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 27.10.2017 14:34, IDM wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFdx=BDaaC=zL_DyjXOYNQ5RyGEU7hs=_7v451asxWSm=aCneg@mail.gmail.com">
<div dir="ltr"><span style="color:rgb(38,50,56);font-size:13px">We
have defined a role association in Schema Handling of LDAP for
UserTpes, that is a group in LDAP. When we assign an
inducement role to organization and recompute the users,
the role is given to users, and the association on the LDAP
group too, but when we unassign the same inducement role, and
recompute the users, the association in users are not
deleted. </span>
<div><br style="outline:none;color:rgb(38,50,56);font-size:13px">
<span style="color:rgb(38,50,56);font-size:13px">We have
checked the user XML and we do not see roleMembershipRef of
this role. We have tried several configurations and we do
not get to delete the association.</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px"><br>
</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px">The
defition of the asociation in the resource xml is this : </span></div>
<div><span style="color:rgb(38,50,56);font-size:13px"><br>
</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px">===</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px">Entitlement</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px">Object to
Subject</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px">member</span></div>
<div>Value : dn</div>
<div>Explicit ref. integrity: true</div>
<div>===</div>
<div>Exclusive Strong: true Tolerant: true</div>
<div>Fetch Strategy : choose one</div>
<div>Matching Rule: StringIgnoreCase</div>
<div><br>
</div>
<div><br>
</div>
<div><span style="color:rgb(38,50,56);font-size:13px"> Is There
some parameters or configuration to fix this problem?</span><br>
</div>
<div><span style="color:rgb(38,50,56);font-size:13px"><br>
</span></div>
<div><span style="color:rgb(38,50,56);font-size:13px">Thanks a
lot and regards</span></div>
</div>
<br>
<p><span>Segun el Articulo 5 de la L.O.P.D, le informamos que sus
datos constan en un fichero titularidad de CORE NETWORKS,
S.L., cuya finalidad es la gestion administrativa. Podra
ejercer su derecho de acceso, rectificacion, cancelacion y
oposicion mediante correo postal a C/ Serrano Galvache, 56,
Edificio Olmo, 1 Planta - C.P. 28033 (MADRID), o enviando un
correo electrónico a <a href="mailto:info@corenetworks.es"
target="_blank" moz-do-not-send="true"><span>info@corenetworks.es</span></a>.</span></p>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>