<div dir="ltr"><div>Thank you Pavol.</div><div><br></div><div>After more tests, recomputing did remove the roleMembershipRef.</div><div><br></div><div>However, both roles have a metarole that creates an AD group projection, and assign members using associationFromLink, very simple stuff.</div><div>Removing the inducement and recomputing the users did remove the roleMembershipRef but did not remove the AD association.</div><div>Unassigning role1 with the inducement intact worked correctly and removed role2 AD group association from user AD projection.</div><div>Removing the inducement did not remove user from role2 AD group association, and unassigning from role1 only removes role1 AD group.</div><br></div><br><div class="gmail_quote"><div dir="ltr">Em qui, 13 de set de 2018 às 16:22, Pavol Mederly <<a href="mailto:mederly@evolveum.com">mederly@evolveum.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<p>normally I would say this is a bug. Recomputation of users should
definitely remove role2 from users' roleMembershipRef items.</p>
<p>However, this particular functionality is quite well covered by
tests. So it might be some misconfiguration on your side.<br>
</p>
<p>You can try to <a href="https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps" target="_blank">troubleshoot</a>
the situation yourself or post more details here. Maybe someone
from the community would be able to help you.<br>
</p>
<p>Best regards,<br>
</p>
<pre class="m_-6868263146886646889moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div class="m_-6868263146886646889moz-cite-prefix">On 13.09.2018 20:08, Alcides Carlos de
Moraes Neto wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello list,</div>
<div><br>
</div>
<div>We had a role1 that induced role2.</div>
<div>Removing the inducement did not remove membership of role2
from users of role1. <br>
</div>
<div> Recomputing either role1, role2 or the users didn't make a
difference.</div>
<div>Opening role2 with the GUI, the indirect members are shown
if you check the 'indirect members' option.</div>
<div>Opening the users with the GUI will not show the
assignment, even in the Show All Assignments dialog.<br>
</div>
<div>In the XML of the users we can see the roleMembershipRef
pointing to role2. <br>
</div>
<div>Unassigning role1 from the users, after removing the
inducement, did not remove role2 roleMembershipRef.<br>
</div>
<div><br>
</div>
<div>Is this by design, or a bug? <br>
</div>
</div>
<br>
<fieldset class="m_-6868263146886646889mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_-6868263146886646889moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-6868263146886646889moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>