<div dir="ltr"><div>Hi Ivan,</div><div><br></div><div>I have tested this with 3.7, and the account gets deleted if the user is deleted, even if existence mapping is set to true.<br></div></div><br><div class="gmail_quote"><div dir="ltr">Em sex, 10 de ago de 2018 às 04:15, Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>there is one other thing. When using disable instead of delete,
the <existence> mapping may just return "true" all the time
and the account will never be deleted when deleting the user or
unassigning the role. (This is not the same as disabling the
capability for deletion; you may want to combine both to prevent
explicit account deletion.)<br>
</p>
<p>You just need to update the existence mapping from returning
<path>$focusExists</path> to
<value>true</value></p>
<p>I think I have tried that some time ago (definitely not recently)
and I don't know if there are any tests, but it should work.</p>
<p>That should cover the deletion of user but still keep the account
forever (the shadow in repository as well).</p>
<p>You can try that and see.<br>
</p>
<a class="m_3433998007711420110moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete" target="_blank">https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete</a>
(this sample does contain the above mentioned configuration)<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="m_3433998007711420110moz-cite-prefix">On 09.08.2018 20:43, Alcides Carlos de
Moraes Neto wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks for the info, Ivan.</div>
<div><br>
</div>
<div>In regards to unlinking, our mappings and correlation
expressions work in a way that, if a deactivated user would be
unlinked the account, it would not be linked again. But I
understand it would be an issue for a lot of cases.</div>
<div>The best practice would be to delete the user in midPoint.</div>
<div><br>
</div>
<div>The main reason behind this is that I want to keep the AD
login account intact so the Exchange mailbox is not lost when
a user leaves. <br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Em qui, 9 de ago de 2018 às 05:56, Ivan Noris
<<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>>
escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>just to inform you that we are already tracking:</p>
<p> <a class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2142" target="_blank">https://jira.evolveum.com/browse/MID-2142</a>
(Capabilities per objectType (e.g. Delete capability only
for some intents)</p>
<p>and <br>
</p>
<p><a class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2144" target="_blank">https://jira.evolveum.com/browse/MID-2144</a>
(Configured capabilities - add a way to ignore instead of
"Operation not supported" error)</p>
<p>There are marked as "subscription needed", so you may
want to use a subscription to prioritize them.<br>
</p>
<p>Related to unlinking: I'm not aware of any way, but even
if there was a way how to unlink an account (probably it's
possible using bulk tasks), the account would be linked
back if any synchronization would run for that resource
and unlinked->link reaction would be specified. This is
because unlink = dropping linkRef reference from user
object to shadow, but the shadow would still remain in the
repository. Even if the shadow would not remain, it would
be recreated upon next reconciliation with the system, as
the account still exists.</p>
<p>So the best option would be avoid deletion of the
accounts by using configured capabilities, but as you
correctly stated, the current behaviour would apply for
all objects on the resource (accounts, groups etc.).
That's why we are tracking the features in our JIRA.<br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-cite-prefix">On
08.08.2018 21:57, Alcides Carlos de Moraes Neto wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello list,</div>
<div><br>
</div>
<div>Quick question: Is it possible to not delete, but
unlink accounts when a user is deleted and/or
unassigned from the account?</div>
<div><br>
</div>
<div>Right now I'm able to disable instead of delete,
but the account remains linked to the user.</div>
<div>I would like to either delete the user without
deleting the account, or unlink the user from the
account automatically. <br>
</div>
<div><br>
</div>
<div>I have simulated this by removing the "delete"
capability from the resource, but this is not viable,
as I need to be able to delete groups, but not users.<br>
</div>
<div><br>
</div>
<div>Thanks!<br>
</div>
</div>
<br>
<fieldset class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote>
</div>
<br>
<fieldset class="m_3433998007711420110mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_3433998007711420110moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_3433998007711420110moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_3433998007711420110moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>