<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hmmm... My first impression is to have a look at "tolerant" flag for
    the association (setting it to "false").<br>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 13.09.2018 23:58, Alcides Carlos de
      Moraes Neto wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAMLLNmmgQJ+zSVnBsm4H1T8XgU0H8xpmcgXsSnev2cTB=6vZRA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <div dir="ltr">
        <div>Thank you Pavol.</div>
        <div><br>
        </div>
        <div>After more tests, recomputing did remove the
          roleMembershipRef.</div>
        <div><br>
        </div>
        <div>However, both roles have a metarole that creates an AD
          group projection, and assign members using
          associationFromLink, very simple stuff.</div>
        <div>Removing the inducement and recomputing the users did
          remove the roleMembershipRef but did not remove the AD
          association.</div>
        <div>Unassigning role1 with the inducement intact worked
          correctly and removed role2 AD group association from user AD
          projection.</div>
        <div>Removing the inducement did not remove user from role2 AD
          group association, and unassigning from role1 only removes
          role1 AD group.</div>
        <br>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">Em qui, 13 de set de 2018 às 16:22, Pavol Mederly
          <<a href="mailto:mederly@evolveum.com"
            moz-do-not-send="true">mederly@evolveum.com</a>>
          escreveu:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF">
            <p>Hello,</p>
            <p>normally I would say this is a bug. Recomputation of
              users should definitely remove role2 from users'
              roleMembershipRef items.</p>
            <p>However, this particular functionality is quite well
              covered by tests. So it might be some misconfiguration on
              your side.<br>
            </p>
            <p>You can try to <a
href="https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps"
                target="_blank" moz-do-not-send="true">troubleshoot</a>
              the situation yourself or post more details here. Maybe
              someone from the community would be able to help you.<br>
            </p>
            <p>Best regards,<br>
            </p>
            <pre class="m_-6868263146886646889moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
            <div class="m_-6868263146886646889moz-cite-prefix">On
              13.09.2018 20:08, Alcides Carlos de Moraes Neto wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Hello list,</div>
                <div><br>
                </div>
                <div>We had a role1 that induced role2.</div>
                <div>Removing the inducement did not remove membership
                  of role2 from users of role1. <br>
                </div>
                <div> Recomputing either role1, role2 or the users
                  didn't make a difference.</div>
                <div>Opening role2 with the GUI, the indirect members
                  are shown if you check the 'indirect members' option.</div>
                <div>Opening the users with the GUI will not show the
                  assignment, even in the Show All Assignments dialog.<br>
                </div>
                <div>In the XML of the users we can see the
                  roleMembershipRef pointing to role2. <br>
                </div>
                <div>Unassigning role1 from the users, after removing
                  the inducement, did not remove role2
                  roleMembershipRef.<br>
                </div>
                <div><br>
                </div>
                <div>Is this by design, or a bug? <br>
                </div>
              </div>
              <br>
              <fieldset
                class="m_-6868263146886646889mimeAttachmentHeader"></fieldset>
              <br>
              <pre>_______________________________________________
midPoint mailing list
<a class="m_-6868263146886646889moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="m_-6868263146886646889moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
            </blockquote>
            <br>
          </div>
          _______________________________________________<br>
          midPoint mailing list<br>
          <a href="mailto:midPoint@lists.evolveum.com" target="_blank"
            moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
          <a href="http://lists.evolveum.com/mailman/listinfo/midpoint"
            rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
        </blockquote>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>