<div dir="ltr"><div><span class="gmail-tlid-translation gmail-translation" lang="en"><span title="" class="gmail-">Hi Guys<br></span></span></div><div><span class="gmail-tlid-translation gmail-translation" lang="en"><span title="" class="gmail-"><br></span></span></div><div><span class="gmail-tlid-translation gmail-translation" lang="en"><span title="" class="gmail-">I tried to perform a reconciliation task instead of recompute.</span><br><span title="" class="gmail-">Users were assigned to the new group inserted in the role rbac, but the task had several errors.</span><br><span title="">Analyzing the midpoint logs I detected the following:</span></span></div><div><br></div><div>020-06-22 13:53:08,868 [SYNCHRONIZATION_SERVICE] [midPointScheduler_Worker-6] ERROR (com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl): SYNCHRONIZATION: Error in synchronization on resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory (LDAP)) for situation LINKED: SchemaException: Expected to find 'UserType' but found 'RoleType' (role:9d22cbe8-c67f-4248-9c21-26aa7ce2215f(gs_jira_sec_soc)). Bad OID in a reference?. Change was ResourceObjectShadowChangeDescription(objectDelta=null, currentShadow=shadow:7bdf855b-b748-4b94-9a23-037f32021005(CN=gs_jira_sec_soc,OU=Usuarios,DC=xyz,DC=net), oldShadow=null, sourceChannel=<a href="http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation">http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation</a>, resource=resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory (LDAP)))<br>com.evolveum.midpoint.util.exception.SchemaException: Expected to find 'UserType' but found 'RoleType' (role:9d22cbe8-c67f-4248-9c21-26aa7ce2215f(gs_jira_sec_soc)). Bad OID in a reference?</div><div><br></div><div>Regards</div><div><br></div><div>Gus<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 22, 2020 at 11:02, Gus Lou &lt;<a href="mailto:gugalou38@gmail.com">gugalou38@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Ivan</div><div><br></div><div>I've attached my configs:</div><div>Resource: AD Resource</div><div>Role: Rbac Role - SOC - Sec</div><div>Role: Metarole AD Group</div><div>Role: gs_snow_sec_soc</div><div>Role: gs_jira_sec_soc</div><div>Role: gs_spo_sec_soc</div><div><br></div><div><span lang="en"><span title="">I checked the mapping and there is only one field like strong in my Resource - AD:</span></span></div><div><pre>&lt;attribute id="18"&gt;
    &lt;c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"&gt;ri:description&lt;/c:ref&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;
        &lt;source&gt;
            &lt;c:path&gt;description&lt;/c:path&gt;
        &lt;/source&gt;
    &lt;/outbound&gt;
    &lt;inbound id="20"&gt;
        &lt;target&gt;
            &lt;c:path&gt;description&lt;/c:path&gt;
        &lt;/target&gt;
    &lt;/inbound&gt;
&lt;/attribute&gt;</pre></div><div><br></div><div>Best Regards</div><div><br></div><div>Gus<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 22, 2020 at 08:29, Ivan Noris &lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Hi Gus,</p>
    <p>I don't know if you are referring to a specific sample, e.g. for
      the metarole.</p>
    <p>Sharing it would be helpful.</p>
    <p>So far my only idea is to check if the (2nd order) mapping for
      association has strong strength.</p>
    <p>Best regards,</p>
    <p>Ivan<br>
    </p>
    <div>On 22. 6. 2020 1:18, Gus Lou wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr"><span lang="en">Hi Guys<br>
          I need the permissions of users assigned to a Role (Rbac role
          named "Sec - SOC") to be updated after adding a new group
          (gs_spo_sec_soc) to this Role.<br>
          After adding the group to the role, I ran a recompute task, I
          expected the new group to be added to users but it didn't. If
          I add a new user to the role he receives all groups.<br>
          <br>
          Did I do something wrong, did I miss any steps?<br>
          <br>
          I followed the instructions on the wiki:<br>
          <a href="https://wiki.evolveum.com/display/midPoint/Recompute+Task" target="_blank">https://wiki.evolveum.com/display/midPoint/Recompute+Task</a><br>
          <br>
          And also in this thread:<br>
          <a href="https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html" target="_blank">https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html</a><br>
          <br>
          <b>My Lab</b><br>
          01 Midpoint 4.1<br>
          01 Active Directory (Connector Ldap / AD 3.0) Resource<br>
          01 Metarole: "Metarole for groups - AD" (inducement to Active
          Directory (LDAP) Resource)<br>
          03 Groups (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc)
          assigned to Metarole<br>
        </span>
        <div><span lang="en">01 Rbac Role "Sec - SOC" inducements
            (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc) <br>
          </span></div>
        <div><span lang="en"><br>
          </span></div>
        <div><span lang="en"><br>
          </span></div>
        <div><span lang="en">Best Regards</span></div>
        <div><span lang="en">Gus<br>
          </span></div>
        <div><span lang="en"><br>
          </span></div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <pre cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </div>

</blockquote></div>
</blockquote></div>