<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="text-align:left; direction:ltr;">
<div>I was able to find a reasonable workaround for my user population. I have a bulk task that runs every day. One feature that would be nice is this functionality in the query options that I use all of the time in our legacy system in direct SQL:</div>
<div><br>
</div>
<div>where pk not in (select pk from other_table where user has some sort of attribute)</div>
<div><br>
</div>
<div>Since I can't figure out how to do that in this query syntax, I have a slight workaround. I have a bulk task that runs on schedule. It queries for everyone that has one of the attributes I want to blank out. It then iterates through each of those users
to see if they have a shadow in the resource that created those attributes. If they don't, it blanks the attributes out. Attached is one such task. For anyone wondering, I am supporting two different institutions in midPoint, hence the need for custom schema
extension for attributes in midPoint already, like title. Plus I'm higher education, so people can be in multiple departments, hence the "primary". This takes just over 3 minutes on just under 6k people. And we really haven't taken any time to tune the performance
of our environment other than making sure midPoint has plenty of memory assigned to it.</div>
<div><br>
</div>
<div>There's also probably a way to collapse this down to be a bit more efficient, but this is efficient enough for us at this moment. Note my method for checking if the user has a shadow in the specified resource. I was doing bad things previously where I
iterated over all shadows the user had, and that wasn't good. So only hunt for the one you want.</div>
<div><br>
</div>
<div>On Wed, 2020-10-21 at 16:34 +0200, Pavol Mederly via midPoint wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<p>Hello,</p>
<p>as far as I know, this seemingly "innocent" scenario is surprisingly not directly supported by midPoint. Richard Frovarp asked about it here in July. Just look for "How to blank out user properties?" thread.</p>
<p>The technical reason why the data cannot be cleaned up by the same mapping that provides them is the fact that the inbound mapping is no longer applied when the account is gone.</p>
<p>So a workaround has to be conceived. Some of these workarounds are discussed in the mentioned thread. (What comes to my mind, though, is to map data from the resource to a set of auxiliary user properties, from where they are propagated to the "main" properties
- Titolo, Matricola, ... - under condition of hasLinkedAccount for the resource.)</p>
<p>Best regards,<br>
</p>
<pre>Pavol Mederly</pre>
<pre>Software developer</pre>
<pre>evolveum.com</pre>
<pre><br></pre>
<div class="moz-cite-prefix">On 21/10/2020 15:43, Andrea Picconi via midPoint wrote:<br>
</div>
<blockquote type="cite" cite="mid:AM0PR09MB377843EF38F3DCF3A6F4120BF71C0@AM0PR09MB3778.eurprd09.prod.outlook.com" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Petr,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">I mean that the field (or fields) must be blank.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">With the account still linked, the fields are filled (example here)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><img style="width:4.552in;height:1.4791in" id="Immagine_x0020_1" src="cid:df5ad409679ebf55f0d8ee4eec55763577a41ee4.camel@ndsu.edu" class="" width="437" height="142" data-inline="" data-name="image002.jpg"></span><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">but if I unlink the account, I expect midPoint to deprovision and remove the attributes of that account (here the same with what I expect)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><img style="width:4.8645in;height:1.5104in" id="Immagine_x0020_2" src="cid:6c65daa11e630a21603c8a3f25cbf421316e1909.camel@ndsu.edu" class="" width="467" height="145" data-inline="" data-name="image005.jpg"></span><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Petr Gašparík - AMI Praha a.s.
<a class="moz-txt-link-rfc2396E" href="mailto:petr.gasparik@ami.cz">&lt;petr.gasparik@ami.cz&gt;</a>
<br>
<b>Sent:</b> Wednesday, October 21, 2020 3:32 PM<br>
<b>To:</b> midPoint General Discussion <a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">
&lt;midpoint@lists.evolveum.com&gt;</a><br>
<b>Cc:</b> Andrea Picconi <a class="moz-txt-link-rfc2396E" href="mailto:andrea.picconi@innovery.net">
&lt;andrea.picconi@innovery.net&gt;</a>; Marianna De Biasio <a class="moz-txt-link-rfc2396E" href="mailto:marianna.debiasio@innovery.net">
&lt;marianna.debiasio@innovery.net&gt;</a>; Jacopo Giuliano <a class="moz-txt-link-rfc2396E" href="mailto:jacopo.giuliano@innovery.net">
&lt;jacopo.giuliano@innovery.net&gt;</a><br>
<b>Subject:</b> Re: [midPoint] Problem deprovisioning<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">Please elaborate more on what means "delete attributes" :)<br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif">--</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Best regards</span><o:p></o:p></p>
<div>
<p><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Petr Gašparík</span></strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><br>
</span><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:gray">IT security consultant</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<p><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:black">gsm: [+420] 603 523 860<br>
e‑mail: <a href="mailto:petr.gasparik@ami.cz" target="_blank" moz-do-not-send="true">petr.gasparik@ami.cz</a><o:p></o:p></span></p>
<p><strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:black">AMI Praha a.s.</span></strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:black"><br>
Pláničkova 11, 162 00 Praha 6<o:p></o:p></span></p>
<p><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:black">tel.: [+420] 274 783 239 | web: <a href="https://www.ami.cz" target="_blank" moz-do-not-send="true">www.ami.cz</a><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, 21 Oct 2020 at 15:24, Andrea Picconi via midPoint &lt;<a href="mailto:midpoint@lists.evolveum.com" moz-do-not-send="true">midpoint@lists.evolveum.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<div>
<div>
<p><span lang="EN-US">Hello everyone,</span><o:p></o:p></p>
<p><span lang="EN-US">I have a problem while unlinking an account from a user: what happens is that the unlink process correctly removes the account inside the Projections tab, but it doesn’t deprovision the attributes that are mapped within that account.</span><o:p></o:p></p>
<p><span lang="EN-US">What could cause this unexpected behaviour? And how do I get all these attributes to be deleted from midPoint?</span><o:p></o:p></p>
<p>Regards,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt">Andrea Picconi</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><i><span style="font-size:10.0pt">IAM (Identity Access Management)</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"><img style="width:1.4166in;height:.3437in" id="gmail-m_-2628088092099569107Immagine_x0020_1" src="cid:0cd022055b8ebb4d67acfb7cb73747cef4c2c029.camel@ndsu.edu" alt="Innovery" class="" width="136" height="33" border="0" data-inline="" data-name="image003.png"></span><span style="font-size:10.0pt"><br>
Skype: precons</span><br>
<span style="font-size:10.0pt">T: +39 06 51963439 (int. 196) <br>
</span><span style="font-size:12.0pt"><br>
</span><span style="font-size:10.0pt;color:black">Strada Quattro Palazzina A6 c/o Centro Direzionale Milanofiori, 20057 Assago (MI).<br>
</span><span style="font-size:10.0pt"><a href="http://www.innovery.net/" target="_blank" moz-do-not-send="true"><span style="color:#0563C1">www.innovery.net</span></a> | T: +39 06 519 63 439</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">https://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p>
</blockquote>
</div>
</div>
<br>
</blockquote>
</blockquote>
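<div>Added example (not part of the original thread, and not midPoint code or the attached task): the "not in" query from the first message, run against constructed tables, next to a NULL-safe NOT EXISTS form and the blank-out step the bulk task performs. It goes one step beyond the message by showing that a single unlinked shadow with no owner makes the NOT IN form return nothing. The table and column names, the hr-feed resource name and the sample rows are assumptions.</div>
<pre>
```python
import sqlite3

RESOURCE = "hr-feed"  # assumed name of the resource that feeds the attributes

def build_db():
    """Constructed sample data: users plus their shadows (accounts)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (pk INTEGER PRIMARY KEY, name TEXT,
                            title TEXT, primary_dept TEXT);
        CREATE TABLE shadows (id INTEGER PRIMARY KEY, owner_pk INTEGER,
                              resource TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Professor', 'Physics'),
                                 (2, 'bob',   'Lecturer',  'History'),
                                 (3, 'carol', 'Registrar', 'Records'),
                                 (4, 'dave',  NULL,        NULL);
        -- shadow 12 is unlinked: it has no owner, so owner_pk is NULL
        INSERT INTO shadows VALUES (10, 1, 'hr-feed'), (11, 2, 'ldap'),
                                   (12, NULL, 'hr-feed'), (13, 3, 'ldap');
    """)
    return db

HAS_ATTRS = "(u.title IS NOT NULL OR u.primary_dept IS NOT NULL)"

def stale_not_in(db, resource):
    """The legacy-style query. One NULL owner_pk makes NOT IN match nothing."""
    sql = ("SELECT u.pk FROM users u WHERE " + HAS_ATTRS +
           " AND u.pk NOT IN (SELECT owner_pk FROM shadows WHERE resource = ?)"
           " ORDER BY u.pk")
    return [row[0] for row in db.execute(sql, (resource,))]

def stale_not_exists(db, resource):
    """NULL-safe anti-join: probes only for the one shadow that matters."""
    sql = ("SELECT u.pk FROM users u WHERE " + HAS_ATTRS +
           " AND NOT EXISTS (SELECT 1 FROM shadows s"
           " WHERE s.owner_pk = u.pk AND s.resource = ?) ORDER BY u.pk")
    return [row[0] for row in db.execute(sql, (resource,))]

def blank_stale(db, resource):
    """Blank the fed attributes on users with no shadow in the resource."""
    stale = stale_not_exists(db, resource)
    db.executemany("UPDATE users SET title = NULL, primary_dept = NULL"
                   " WHERE pk = ?", [(pk,) for pk in stale])
    db.commit()
    return stale

if __name__ == "__main__":
    db = build_db()
    print("NOT IN    :", stale_not_in(db, RESOURCE))
    print("NOT EXISTS:", stale_not_exists(db, RESOURCE))
    print("blanked   :", blank_stale(db, RESOURCE))
```
</pre>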
</body>
</html>