
<div dir="ltr"><div>Thank you, Wojciech.<br><br></div>The tolerant flag was enough. <br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-12-20 17:06 GMT-02:00 Wojciech Staszewski <span dir="ltr"><<a href="mailto:wojciech.staszewski@diagnostyka.pl" target="_blank">wojciech.staszewski@diagnostyka.pl</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
  <div text="#000000" bgcolor="#FFFFFF">

    <p>Just one more:</p>

    <p>Do you have</p>

    <p><tolerant>false</tolerant></p>

    <p>in association definition?<br>

      <br>

      The assignment policy enforcement if I understand correctly

      removes unassigned accounts from resource.<br>

      <br>

    </p>

    <br>

    <div class="m_3490817950592287538moz-cite-prefix">W dniu 20.12.2017 o 19:45, Wojciech

      Staszewski pisze:<br>

    </div><div><div class="h5">

    <blockquote type="cite">

      
      <p>Hello!</p>

      <p>If I understand this example: <a class="m_3490817950592287538moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Projection+Policy" target="_blank">https://wiki.evolveum.com/<wbr>display/midPoint/Projection+<wbr>Policy</a><br>

        the enforcement policy should be outside "schemaHandling" as a

        separate section:</p>

      <p><projection><br>

          
<assignmentPolicyEnforcement><wbr>full</<wbr>assignmentPolicyEnforcement><br>

        </projection><br>

      </p>

      I have it configured this way and it works - it removes not

      assigned entitlements.<br>

      <br>

      Good luck!<br>

      WS<br>

      <br>

      <div class="m_3490817950592287538moz-cite-prefix">W dniu 20.12.2017 o 18:52, Alcides

        Carlos de Moraes Neto pisze:<br>

      </div>

      <blockquote type="cite">

        <div dir="ltr">

          <div>

            <div>

              <div>

                <div>

                  <div>Hello list,<br>

                    <br>

                  </div>

                  I have a working Org. Unit -> AD group mapping,

                  with an AssociationFromLink inducement for members.<br>

                  <br>

                </div>

                However, I would like Midpoint to also remove members of

                the AD group that are added manually, that don't match

                members of the Org. Unit. <br>

                I tried using <br>

                        
<assignmentPolicyEnforcement><wbr>full</<wbr>assignmentPolicyEnforcement><br>

              </div>

              inside the Schema Handling for the entitlement, but it

              didn't work.<br>

              <br>

            </div>

            Any leads?<br>

          </div>

          Thanks in advance.<br>

        </div>

        <br>

        <fieldset class="m_3490817950592287538mimeAttachmentHeader"></fieldset>

        <br>

        <pre>______________________________<wbr>_________________

midPoint mailing list

<a class="m_3490817950592287538moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>

<a class="m_3490817950592287538moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>

</pre>

      </blockquote>

      <br>

      <fieldset class="m_3490817950592287538mimeAttachmentHeader"></fieldset>

      <br>

      <pre>______________________________<wbr>_________________

midPoint mailing list

<a class="m_3490817950592287538moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>

<a class="m_3490817950592287538moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>

</pre>

    </blockquote>

    <br>

    </div></div><span class="HOEnZb"><font color="#888888"><pre class="m_3490817950592287538moz-signature" cols="72">-- 

Wojciech Staszewski

Administrator Systemów Sieciowych

tel. kom: 663 680 236

<a class="m_3490817950592287538moz-txt-link-abbreviated" href="http://www.diagnostyka.pl" target="_blank">www.diagnostyka.pl</a>

Diagnostyka Sp. z o. o.

ul. Prof. M. Życzkowskiego 16, 31-864 Kraków

Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)

NIP: 675-12-65-009; REGON: 356366975

Kapitał zakładowy: 33 756 500 zł.


Pomyśl o środowisku zanim wydrukujesz ten e-mail.</pre>

  </font></span></div>


<br>______________________________<wbr>_________________<br>

midPoint mailing list<br>

<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>

<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>

<br></blockquote></div><br></div>