<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Alcides,</p>
<p>It behaves like that because when the time comes (the time of assignment
deactivation), midPoint will not process a "change", but will issue a
user recomputation. The mappings behave as they do during
reconciliation; there are no deltas.</p>
<p>One possible workaround: instead of tolerant=false you can use
tolerantValuePattern:</p>
<p>
&lt;tolerantValuePattern&gt;^Secret.*$&lt;/tolerantValuePattern&gt;&lt;!--
tolerates Secret1234, Secret-4-1 but not AAA-Secret-123 --&gt;<br>
</p>
<p>I was not able to find documentation in a minute, but it should
be documented in the common schema for sure.</p>
<p>It should play well with tolerant=true/false, so set
tolerant=false and tolerantValuePattern to a regexp containing the
groups which should always be kept by midPoint even when not
provisioned by midPoint.</p>
<p>Of course, test the behaviour in a non-prod environment before
actually using it.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<div class="moz-cite-prefix">On 16. 4. 2019 19:39, Alcides Carlos de
Moraes Neto wrote:<br>
</div>
<blockquote type="cite"
cite="mid:419053A5-F65B-4024-A528-B867454F19DB@gmail.com">
<div dir="ltr">
<div dir="ltr">
<div>Hi Ivan, thank you.</div>
<div><br>
</div>
<div>We can't have it tolerant=false, we have many
associations in AD outside midpoint control. </div>
<div><br>
</div>
<div>Assignment and unassignment work; shouldn’t assignment
activation work just like an unassignment? Why is tolerant
needed to remove membership in this case?</div>
<div><br>
</div>
<div>Isn’t that exception related? We’re pretty sure this
worked in 3.8, and it stopped now in 3.9</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, 16 Apr 2019 at
05:36, Ivan Noris &lt;<a
href="mailto:ivan.noris@evolveum.com"
moz-do-not-send="true">ivan.noris@evolveum.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi Alcides,</p>
<p>I think the removal of group(s) will work in this
scenario if the AD attribute/association in the resource
schema handling is set to be tolerant=false.</p>
<p>Be sure this is what you want as tolerant=false means
midPoint will remove all values not given by midPoint.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<div class="gmail-m_1084764384954452029moz-cite-prefix">On
16. 4. 2019 0:26, Alcides Carlos de Moraes Neto wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hello list,</div>
<div><br>
</div>
<div>We have working user and role association to
AD users and groups. However, if we give users
an assignment with activation expiration date in
midpoint, they are not removed from the AD group
when the date comes. The assignment shows as
expired, but they are not removed from the AD
group that the role projects to, even when
recomputing.</div>
<div><br>
</div>
<div>Even removing the expired assignment will not
remove the user from the list.</div>
<div><br>
</div>
<div>Also, when trying to modify any of the
activation parameters from these assignments,
we're getting a NPE:</div>
<div>java.lang.NullPointerException: null<br>
com.evolveum.midpoint.prism.util.ItemDeltaItem.findIdi(ItemDeltaItem.java:218)<br>
com.evolveum.midpoint.repo.common.expression.ExpressionUtil.resolvePath(ExpressionUtil.java:232)<br>
com.evolveum.midpoint.model.common.mapping.MappingImpl.parseSource(MappingImpl.java:874)<br>
<br>
</div>
</div>
</div>
</div>
<br>
<fieldset
class="gmail-m_1084764384954452029mimeAttachmentHeader"></fieldset>
<pre class="gmail-m_1084764384954452029moz-quote-pre">_______________________________________________
midPoint mailing list
<a class="gmail-m_1084764384954452029moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="gmail-m_1084764384954452029moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="gmail-m_1084764384954452029moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
</div>
</blockquote>
</div>
</div>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
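<p>An added example, not part of the original thread and not midPoint code: a simplified model of the no-delta recompute discussed above, showing which group memberships get removed under tolerant=true, tolerant=false, and tolerant=false combined with the tolerantValuePattern from the reply. The function name, the rule that a pattern match takes precedence over the tolerant flag, and the group names Staff and ProjectX are assumptions made for illustration.</p>

```python
import re

def reconcile(should_have, on_resource, tolerant=True, tolerant_value_pattern=None):
    """Plan a no-delta recompute for one multi-valued item (e.g. group membership).

    Simplified model (assumption, not midPoint code): values midPoint computes
    are kept or added; any other value already on the resource is kept if it
    fully matches tolerant_value_pattern, otherwise the tolerant flag decides.
    """
    should_have, on_resource = set(should_have), set(on_resource)
    pattern = re.compile(tolerant_value_pattern) if tolerant_value_pattern else None
    to_remove, kept_unmanaged = set(), set()
    for value in on_resource - should_have:
        if (pattern and pattern.fullmatch(value)) or tolerant:
            kept_unmanaged.add(value)   # left alone although midPoint did not give it
        else:
            to_remove.add(value)        # not given by midPoint and not tolerated
    return {
        "add": should_have - on_resource,
        "remove": to_remove,
        "kept_unmanaged": kept_unmanaged,
    }

# Constructed sample: the assignment that granted "ProjectX" has expired, so
# midPoint now computes only "Staff"; the other groups were set outside midPoint.
COMPUTED = {"Staff"}
ON_AD = {"Staff", "ProjectX", "Secret1234", "Secret-4-1", "AAA-Secret-123"}

def demo():
    return {
        # tolerant=true: nothing is removed, so the expired membership stays.
        "tolerant": reconcile(COMPUTED, ON_AD, tolerant=True),
        # tolerant=false: every value not given by midPoint is removed.
        "intolerant": reconcile(COMPUTED, ON_AD, tolerant=False),
        # tolerant=false plus the pattern: only matching unmanaged values survive.
        "pattern": reconcile(COMPUTED, ON_AD, tolerant=False,
                             tolerant_value_pattern=r"^Secret.*$"),
    }

if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, {k: sorted(v) for k, v in plan.items()})
```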
</body>
</html>