<div dir="ltr"><div>Oh, Pavol, you explained this to me in a clear way. Thank you.</div><div><br></div>
<div>I have slightly different requirements and a different approach to solving this.</div>
<div>I should not care about the bronze role being assigned back, because it is only initial access.</div>
<div>I used the following approach:</div>
<div>In the object template I use a mapping with assignment with normal strength (see below).</div>
<div>I noticed that using normal strength for the target assignment in the mapping doesn't assign back the Bronze role even when emailAddress was changed.</div><div><br></div>
<div>Am I correct that I can use such an approach, or did I miss something?</div><div><br></div>
<div><mapping><br>
      <description>Assigment to Mantis Basic role</description><br>
      <strength>normal</strength><br>
      <source><br>
         <name>emailAddress</name><br>
         <c:path>$user/emailAddress</c:path><br>
      </source><br>
      <expression><br>
         <value><br>
            <targetRef oid="f0cf82d0-fe50-4e89-a628-2e5a936de379" type="c:RoleType"/><!--Bronze role--><br>
         </value><br>
      </expression><br>
      <target><br>
         <c:path>assignment</c:path><br>
      </target><br>
      <condition><br>
         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType"><br>
            <code><br>
emailAddress != null<br>
            </code><br>
         </script><br>
      </condition><br>
   </mapping><br></div>
</div><div class="gmail_extra"><br><div class="gmail_quote">On 2 July 2018 at 11:16, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hello Oleksandr,</p>
    <p>I assume that during normal operation, if bronze, silver or gold
      role is unassigned, midPoint should automatically assign back the
      bronze role.</p>
    <p>Assuming that, three options come to my mind:</p>
    <ol>
      <li>Bind the role assignment to some user extension property,
        let's call it e.g. "level". It would have three possible values
        (bronze, silver, gold) - I assume this can be ensured by
        defining it as a custom enum. And there would be two mappings:
        (1) a weak mapping that assigns "bronze" value to "level" if it
        has no value, (2) a strong mapping that creates a
        bronze/silver/gold assignment based on the "level" value. This
        means that all changes to these assignments have to go through
        the "level" item, not via assignments themselves.
      </li>
      <li>Write a custom <a href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks" target="_blank">scripting
          hook</a> that would evaluate the user after each change, and
        if it has no assignment to bronze/silver/gold role it would
        assign the bronze role.</li>
      <li>Write a custom <a href="https://wiki.evolveum.com/display/midPoint/Policy+Rules" target="_blank">policy
          rule</a> that would fire if there's no assignment to
        bronze/silver/gold role. Unfortunately, midPoint currently has
        no way of specifying "do something" policy action, except for
        an ugly workaround via custom "notify" action.</li>
    </ol>
    <p>So I would suggest either (1) or (2).</p>
    <p>Hope this helps.<br>
    </p><span class="">
    <pre class="m_-4731538508633317565moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
    </span><div><div class="h5"><div class="m_-4731538508633317565moz-cite-prefix">On 28.06.2018 15:18, Oleksandr Nekriach
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hello Pavol,<br>
        Yes, and I want one of these radio-button roles to also be a
        "basic" (initial) role. This basic radio-button role should be
        automatically assigned to all new users by the HR reconciliation
        task.<br>
        <br>
        For example:<br>
        <br>
        <ul>
          <li>the bronze role is a "basic" role and also a radio-button
            role</li>
          <li>thanks to the HR reconciliation task, every new user
            will be assigned the bronze role as the "basic" role</li>
          <li>during the user life cycle, the user can be assigned
            other radio-button roles manually by HelpDesk or by some
            automatic processes, and midPoint should remember such
            assignments</li>
          <li>but the HR reconciliation should never fall back to the
            "basic" role assignment if the user currently has a radio-button
            assignment different from the "basic" role (has the silver or gold
            role)</li>
        </ul>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 28 June 2018 at 12:38, Pavol Mederly
          <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <p>Hello Oleksandr,</p>
              <p>do you mean something like this? E.g. you have radio
                button roles: bronze - silver - gold and you want to
                ensure that a user always has exactly one of them
                assigned? (e.g. bronze if neither silver nor gold)?</p>
              <pre class="m_-4731538508633317565m_688872782710185640moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
              <div>
                <div class="m_-4731538508633317565h5">
                  <div class="m_-4731538508633317565m_688872782710185640moz-cite-prefix">On
                    22.06.2018 11:24, Oleksandr Nekriach wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="m_-4731538508633317565h5">
                    <div dir="ltr">
                      <div>Hi guys,</div>
                      <div><br>
                      </div>
                      <div>Does midPoint have an elegant solution for a
                        basic role assignment which is also a
                        radio-button role?<br>
                      </div>
                      <div>I have found that the assignment of a
                        basic radio-button role by an object template
                        mapping (weak strength) does not work if we
                        have other assignment mappings in the same
                        object template (for example, OrgType
                        assignments).<br>
                      </div>
                      <div><br>
                      </div>
                      <div>Thank you in advance.</div>
                      <div> <br>
                      </div>
                      <div>-- <br>
                        <div class="m_-4731538508633317565m_688872782710185640gmail_signature" data-smartmail="gmail_signature">
                          <div dir="ltr">Best regards,<br>
                            Oleksandr Nekriach | Identity and access management engineer<br>
                            Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia<br>
                            +37125314685, <a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a> | <a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
                <pre>_______________________________________________
midPoint mailing list
<a class="m_-4731538508633317565m_688872782710185640moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-4731538508633317565m_688872782710185640moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Best regards,<br>Oleksandr Nekriach | Identity and access management engineer</div></div>
</div>
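<p>The design described as option (1) in the quoted reply, modelled in Python as an added example; it is not code from the thread or from midPoint. The dictionary fields, the <code>derived</code> bookkeeping, the sample user and the simplified weak/strong mapping semantics are assumptions of this model.</p>

```python
# Added illustration (not midPoint code): a small model of option (1) from the thread.
# Assumed semantics: a weak mapping only fills an empty target; a strong mapping
# re-applies its output on every recompute and retracts its previous output.
TIERS = ("bronze", "silver", "gold")  # the radio-button roles named in the thread


def recompute(user):
    """Run both template mappings once and return the resulting user (a new dict)."""
    level = user.get("level")
    assignments = set(user.get("assignments", ()))
    derived = user.get("derived")  # tier role the strong mapping produced last time

    # Mapping 1 (weak): give "level" the default only when it has no value.
    if level is None:
        level = "bronze"
    if level not in TIERS:
        raise ValueError(f"level must be one of {TIERS}, got {level!r}")

    # Mapping 2 (strong): retract the previously derived role, assert the current one.
    if derived is not None and derived != level:
        assignments.discard(derived)
    assignments.add(level)

    return {**user, "level": level, "assignments": assignments, "derived": level}


def tier_roles(user):
    """Tier roles currently assigned, sorted; exactly one is the healthy state."""
    return sorted(a for a in user["assignments"] if a in TIERS)


def lifecycle():
    """Constructed scenario: HR creates a user, help desk promotes, HR reconciles again."""
    steps = {}
    user = recompute({"name": "jdoe", "assignments": {"OrgType:sales"}})
    steps["created"] = tier_roles(user)
    user = recompute({**user, "level": "silver"})   # change goes through "level"
    steps["promoted"] = tier_roles(user)
    user = recompute(user)                          # HR reconciliation, nothing changed
    steps["reconciled"] = tier_roles(user)
    user["assignments"].discard("silver")           # tier role unassigned directly
    user = recompute(user)
    steps["unassigned_directly"] = tier_roles(user)
    user = recompute({**user, "level": None})       # level cleared
    steps["level_cleared"] = tier_roles(user)
    steps["other_assignments_kept"] = "OrgType:sales" in user["assignments"]
    return steps
```

<p>In this model a reconciliation run never downgrades a promoted user, because the weak default only applies while "level" is empty.</p>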