<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>I assume you are deleting the user from midPoint. In that case the
mappings for existence seem not to be evaluated, which may be a
bug.<br>
</p>
<p>But the following scenario should work if the existence mapping is
set to return "true" in all cases:</p>
<p>1. edit user</p>
<p>2. unassign the role keeping the AD / Exchange account (or all
roles)</p>
<p>3. the existence mapping will keep the account forever; the
administrativeStatus mapping will keep the account disabled</p>
<p>But in this scenario the user will be kept in midPoint.</p>
<p>I was briefly discussing this with my colleagues. There are
multiple ways/recommendations on how to achieve something reasonable
with the features I'm aware of:</p>
<p>a) keep users in midPoint forever, use "Disable instead of
delete" to keep the accounts forever on target systems, or combine
it with the "Delayed delete" feature to delete the accounts e.g. 30
days after disabling</p>
<p>b) delete users from midPoint and use the disabled delete capability
(I have copied links to possible enhancements for this earlier,
namely the configurable capabilities per objectType, which would
be your case)</p>
<p>c) maybe you've discovered a bug/missing feature with the
existence mappings being not (correctly) evaluated when user is
deleted in midPoint. Please create a new issue in
jira.evolveum.com and describe as much as possible for this
scenario.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 13.08.2018 23:29, Alcides Carlos de
Moraes Neto wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMLLNmnwWB7kCKULC1QAEkqxYBS2gU1zFJbbt5AzVRYgJzh2mg@mail.gmail.com">
<div dir="ltr">
<div>Hi Ivan,</div>
<div><br>
</div>
<div>I have tested this with 3.7, and the account gets deleted
if the user is deleted, even if existence mapping is set to
true.<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Em sex, 10 de ago de 2018 às 04:15, Ivan Noris
<<a href="mailto:ivan.noris@evolveum.com"
moz-do-not-send="true">ivan.noris@evolveum.com</a>>
escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>there is one other thing. When using disable instead of
delete, the <existence> mapping may just return
"true" all the time and the account will never be deleted
when deleting the user or unassigning the role. (This is
not the same as disabling the capability for deletion; you
may want to combine both to prevent explicit account
deletion.)<br>
</p>
<p>You just need to update the existence mapping from
returning <path>$focusExists</path> to
<value>true</value></p>
<p>I think I have tried that some time ago (definitely not
recently) and I don't know if there are any tests, but it
should work.</p>
<p>That should cover the deletion of the user but still keep the
account forever (the shadow in the repository as well).</p>
<p>You can try that and see.<br>
</p>
<a class="m_3433998007711420110moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete"
target="_blank" moz-do-not-send="true">https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete</a>
(this sample does contain the above mentioned configuration)<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="m_3433998007711420110moz-cite-prefix">On
09.08.2018 20:43, Alcides Carlos de Moraes Neto wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks for the info, Ivan.</div>
<div><br>
</div>
<div>In regards to unlinking, our mappings and
correlation expressions work in a way that, if a
deactivated user were unlinked from the account, it
would not be linked again. But I understand it would
be an issue for a lot of cases.</div>
<div>The best practice would be to delete the user in
midPoint.</div>
<div><br>
</div>
<div>The main reason behind this is that I want to keep
the AD login account intact so the Exchange mailbox is
not lost when a user leaves. <br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Em qui, 9 de ago de 2018 às 05:56, Ivan
Noris <<a href="mailto:ivan.noris@evolveum.com"
target="_blank" moz-do-not-send="true">ivan.noris@evolveum.com</a>>
escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>just to inform you that we are already tracking:</p>
<p> <a
class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-freetext"
href="https://jira.evolveum.com/browse/MID-2142"
target="_blank" moz-do-not-send="true">https://jira.evolveum.com/browse/MID-2142</a>
(Capabilities per objectType (e.g. Delete
capability only for some intents))</p>
<p>and <br>
</p>
<p><a
class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-freetext"
href="https://jira.evolveum.com/browse/MID-2144"
target="_blank" moz-do-not-send="true">https://jira.evolveum.com/browse/MID-2144</a>
(Configured capabilities - add a way to ignore
instead of "Operation not supported" error)</p>
<p>These are marked as "subscription needed", so you
may want to use a subscription to prioritize them.<br>
</p>
<p>Related to unlinking: I'm not aware of any way,
but even if there were a way to unlink an
account (probably it's possible using bulk tasks),
the account would be linked back if any
synchronization ran for that resource and an
unlinked-&gt;link reaction were specified.
This is because unlink = dropping the linkRef
reference from the user object to the shadow, but the
shadow would still remain in the repository. Even
if the shadow did not remain, it would be
recreated upon the next reconciliation with the
system, as the account still exists.</p>
<p>So the best option would be to avoid deletion of the
accounts by using configured capabilities, but as
you correctly stated, the current behaviour would
apply to all objects on the resource (accounts,
groups etc.). That's why we are tracking the
features in our JIRA.<br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div
class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-cite-prefix">On
08.08.2018 21:57, Alcides Carlos de Moraes Neto
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello list,</div>
<div><br>
</div>
<div>Quick question: Is it possible to not
delete, but unlink accounts when a user is
deleted and/or unassigned from the account?</div>
<div><br>
</div>
<div>Right now I'm able to disable instead of
delete, but the account remains linked to the
user.</div>
<div>I would like to either delete the user
without deleting the account, or unlink the
user from the account automatically. <br>
</div>
<div><br>
</div>
<div>I have simulated this by removing the
"delete" capability from the resource, but
this is not viable, as I need to be able to
delete groups, but not users.<br>
</div>
<div><br>
</div>
<div>Thanks!<br>
</div>
</div>
<br>
<fieldset
class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_3433998007711420110m_7320881063399096488m_-6361799743803380685moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre class="m_3433998007711420110moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
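<p>The configuration discussed in this thread (an existence mapping that returns a constant <code>true</code> instead of <code>$focusExists</code>, with the administrativeStatus mapping left to disable the account once it is no longer assigned), written out as an added example. This is not configuration from the thread or from the wiki sample; it is a fragment of a midPoint resource definition under <code>schemaHandling</code>. The intent name, display name and object class are placeholders, and the attribute mappings are omitted.</p>

```xml
<!-- Added example, not the thread's or the wiki's own configuration.
     Fragment of schemaHandling in a midPoint resource; intent, displayName
     and objectClass are placeholders, attribute mappings are left out. -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <displayName>AD account kept after the user is removed</displayName>
    <default>true</default>
    <objectClass>ri:AccountObjectClass</objectClass>

    <!-- attribute mappings (sAMAccountName, cn, ...) omitted -->

    <activation>
        <!-- Existence: a constant true instead of <path>$focusExists</path>.
             With this, unassigning the role (or deleting the user, where the
             mapping is evaluated) does not provision a DELETE of the account;
             the decision about what happens to the account moves entirely to
             the administrativeStatus mapping below. -->
        <existence>
            <outbound>
                <expression>
                    <value>true</value>
                </expression>
            </outbound>
        </existence>

        <!-- Administrative status: ENABLED only while the account is "legal",
             i.e. the user still holds an assignment for it. When the role is
             unassigned, legal becomes false and the account is disabled, not
             deleted, because existence stays true. -->
        <administrativeStatus>
            <outbound>
                <expression>
                    <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType

                            if (legal) {
                                return ActivationStatusType.ENABLED
                            }
                            return ActivationStatusType.DISABLED
                        </code>
                    </script>
                </expression>
            </outbound>
        </administrativeStatus>
    </activation>
</objectType>
```

<p>The check to run after applying this is the one from the thread: unassign the role from a test user and confirm that the AD account is disabled but still present and still linked; then delete a test user and look at what happens to the account. Alcides reports that on 3.7 the account was still deleted when the user was deleted even with existence set to true, so the existence mapping alone cannot be relied on for the user-deletion path without verifying it on your version, and the options Ivan lists (keep the user in midPoint, or disable the delete capability) remain the fallbacks.</p>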
</body>
</html>