<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>yes, as "strength" element is used both in construction and also
in mapping, it always looks confusing. But the two strengths are
for completely different things :)</p>
<p>To allow midpoint to always apply the "group membership" (by
association), the strong outbound mapping for association does the
trick.</p>
<p>To force midpoint to remove group membership from groups that are
not assigned by midpoint, tolerant=false might be set in resource
association definition (not in role!)</p>
<p>And finally, weak strength set in construction means that even if
this role constructs (creates) an account and adds the account to
a role, unless other role for the same projection is assigned with
strong strength in construction, the account will not be created.
The use case behind it is: if organization structure is replicated
to target system (AD for example), and user is assigned to
organization in midPoint, which is replicated to target system,
the account would be created immediately, even if the user has no
other roles. Strength=weak in construction prohibits this, and the
user must be assigned different role e.g. Employee and only then
the account is created the the groups assigned.</p>
<p>Let's hope I will be able to put it this way during our training
next week :)</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 25.01.2018 14:16, Alcides Carlos de
Moraes Neto wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMLLNmmyZsbNmnZZV0coF-yEb5vNE=Au==myKoiLkEkd8wyp+w@mail.gmail.com">
<div dir="ltr">
<div>Thanks Ivan, that was it. I didn't notice I could set
strenght in the association mapping.</div>
<div>I have a weak construction with a strong mapping, that's a
bit crazy, but it works. :)</div>
<div><br>
</div>
My metarole is thus:<br>
<br>
<inducement id="1"><br>
<description>Group construction</description><br>
<construction><br>
<resourceRef
oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"<br>
relation="org:default"<br>
type="c:ResourceType"><!-- AD
--></resourceRef><br>
<kind>entitlement</kind><br>
<intent>org-group</intent><br>
</construction><br>
</inducement><br>
<inducement id="2"><br>
<description>Add users to group</description><br>
<construction><br>
<strength>weak</strength><br>
<resourceRef
oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"<br>
relation="org:default"<br>
type="c:ResourceType"><!-- AD
--></resourceRef><br>
<kind>account</kind><br>
<intent>default</intent><br>
<association><br>
<c:ref>ri:group</c:ref><br>
<tolerant>false</tolerant><br>
<outbound><br>
<b> <strength>strong</strength></b><br>
<expression><br>
<associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>
xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br>
<projectionDiscriminator><br>
<kind>entitlement</kind><br>
<intent>org-group</intent><br>
</projectionDiscriminator><br>
</associationFromLink><br>
</expression><br>
</outbound><br>
</association><br>
</construction><br>
<order>2</order><br>
<condition><br>
<expression><br>
<script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>
xsi:type="c:ScriptExpressionEvaluatorType"><br>
<code>focus.getClass() ==
com.evolveum.midpoint.xml.ns._public.common.common_3.UserType.class
&& (focus.getEmployeeType().contains("TYPE1") ||
focus.getEmployeeType().contains("TYPE2"))</code><br>
</script><br>
</expression><br>
</condition><br>
</inducement><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2018-01-25 6:29 GMT-02:00 Ivan Noris <span
dir="ltr"><<a href="mailto:ivan.noris@evolveum.com"
target="_blank" moz-do-not-send="true">ivan.noris@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>can you share the role (in your case probably the
metarole)? I think you might be missing strong in the
outbound mapping for association for order=2 mapping.</p>
<p>Ivan<br>
</p>
<div>
<div class="h5"> <br>
<div class="m_9040067883390274738moz-cite-prefix">On
24.01.2018 23:08, Alcides Carlos de Moraes Neto
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<div>
<div>
<div>Hello list,<br>
<br>
</div>
I have an OrgType -> AD Group projection,
with construction and entitlement association
all done in a single Meta Role. This works,
the groups are created and the Org Members are
added to the group.<br>
<br>
</div>
However, if the AD user account is already a
member of any other group, it's not added to the
Org AD Group. And if I remove a user account
from the AD group from within Windows Server,
Midpoint does not create the association again.
It's behaving like a weak mapping.<br>
</div>
How do I make Midpoint enforce the group
membership? The association definition has
the tolerant attribute set to FALSE. I've tried
setting assignmentPolicyEnforcement to FULL for
the resource; it does not work either.<br>
</div>
<br>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_9040067883390274738moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="m_9040067883390274738moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><span class="HOEnZb"><font color="#888888">
</font></span></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<pre class="m_9040067883390274738moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
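<p>The resource-side half of the advice above (tolerant=false placed in the AD resource's association definition, not in the role), as an added example that is not from this thread; the resource oid is a placeholder, and the object classes and AD attribute names (ri:user, ri:group, ri:member, ri:dn, ri:memberOf) are assumptions for a typical AD connector:</p>

```xml
<!-- Added example, not from the mailing-list thread. Fragment of the AD
     resource definition (midPoint 3.x resource schema). The oid is a
     placeholder; ri:user, ri:group, ri:member, ri:dn and ri:memberOf are
     assumed names for a typical AD connector. -->
<resource oid="PLACEHOLDER-RESOURCE-OID"
          xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>AD</name>
  <!-- connectorRef, connectorConfiguration and schema omitted -->
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <displayName>AD account</displayName>
      <default>true</default>
      <objectClass>ri:user</objectClass>
      <!-- The association definition is where tolerant=false belongs.
           With tolerant=false, group memberships that midPoint did not
           assign are removed on reconciliation, so a membership added by
           hand in Windows Server does not survive. The role's strong
           outbound association mapping then re-creates assigned
           memberships that were removed on the AD side. -->
      <association>
        <ref>ri:group</ref>
        <displayName>AD group membership</displayName>
        <tolerant>false</tolerant>
        <kind>entitlement</kind>
        <intent>org-group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
        <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
      </association>
    </objectType>
    <!-- The entitlement object type referenced by the metarole's
         projectionDiscriminator (kind=entitlement, intent=org-group). -->
    <objectType>
      <kind>entitlement</kind>
      <intent>org-group</intent>
      <displayName>Org AD group</displayName>
      <objectClass>ri:group</objectClass>
      <!-- attribute mappings (e.g. ri:cn from the org name) omitted -->
    </objectType>
  </schemaHandling>
</resource>
```

<p>The role keeps only the construction strength and the strong outbound association mapping; the enforcement setting lives once, on the resource, for every role that uses the association.</p>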
</body>
</html>