<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Lubomir,</p>
<p>this might be a side effect of changes in expression evaluation
in 4.2.</p>
<p>What is unclear to me is this: As far as I know, the AD role
membership should be removed as soon as the effective status of
the assignment is changed to "disabled". (Obviously, disabled
assignments should not give their owner any entitlements.)</p>
<p>How did 3.8 and 4.1 behave in this respect?</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 30/10/2020 10:19, Lubomir Odlevak
via midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABppFo4AGTsbhVCeXanyt+KSFad4+_+Z0n_6D7G3V8aNMNYntg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Pascal, thanks for the task, but I can unassign the
role in mP. The problem is that the change (unassignment) is not
propagated into AD for a role assignment with effectiveStatus =
"disabled".
<div>My case:</div>
<div>The role is assigned to the user, the valid-to parameter is
set on the assignment, and it is propagated to AD (assigned to the
user in AD). At valid-to time mP sets effectiveStatus =
"disabled" for this assignment automatically, and the role is
still assigned in mP and AD.</div>
<div>Now if I manually or with the hook unassign that role from
mP, then it is not propagated to AD and the user still has
the AD group assigned.</div>
<div>I want to achieve that a role with valid-to set in mP is unassigned
both from mP and AD after the valid-to time is exceeded.</div>
<div><br>
</div>
<div>Regards</div>
<div>Lubomir</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri 16. 10. 2020 at 13:16 Pascal
PÉRICHON via midPoint <<a
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true">midpoint@lists.evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>This task could be a good start:</p>
<pre>
<task>
    <name>task suppress Assignement ETUDIANT-LICENCE</name>
    <extension>
        <scext:executeScript
            xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
            xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
            <s:search>
                <s:type>c:UserType</s:type>
                <s:query>
                    <q:filter>
                        <q:and>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>ETUDIANT-DOCTORAT</q:value>
                            </q:equal>
                            <q:substring>
                                <q:matching>polyStringNorm</q:matching>
                                <q:path>name</q:path>
                                <q:value>a</q:value>
                                <q:anchorStart>true</q:anchorStart>
                            </q:substring>
                            <q:equal>
                                <q:path>c:assignment/targetRef/@/name</q:path>
                                <q:value>etudiants-cursus-doctorat</q:value>
                            </q:equal>
                            <!--q:org>
                                <q:orgRef>
                                    <q:oid>u75-etudiants-cursus-licence</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-master</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-doctorat</q:oid-->
                                <!--/q:orgRef>
                                <q:maxDepth>unbounded</q:maxDepth>
                            </q:org-->
                        </q:and>
                    </q:filter>
                </s:query>
                <s:action>
                    <s:type>modify</s:type>
                    <s:parameter>
                        <s:name>delta</s:name>
                        <c:value xsi:type="t:ObjectDeltaType">
                            <t:changeType>modify</t:changeType>
                            <t:itemDelta>
                                <t:modificationType>delete</t:modificationType>
                                <t:path>c:assignment</t:path>
                                <t:value xsi:type="c:AssignmentType">
                                    <targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:RoleType"/>
                                    <!--targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:OrgType"/-->
                                </t:value>
                            </t:itemDelta>
                        </c:value>
                    </s:parameter>
                </s:action>
            </s:search>
        </scext:executeScript>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <executionStatus>runnable</executionStatus>
    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
</task>
</pre>
<div>On 16/10/2020 at 12:46, Lubomir Odlevak via midPoint
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello all, <br>
<br>
I have assigned a role to an MP user and set activation
validity on this assignment. The role has been assigned in MP
and AD successfully.<br>
When the valid-to time has been exceeded, I have run user
reconciliation (or the validity task) and effectiveStatus has
been set to "disabled" for the assignment.<br>
Both the mP role and the AD role are still assigned. Now I'm
trying to unassign the role assignment from the MP user (manually
or with a hook), but it is not removed in AD and the user is
still a member of that AD group. How can I achieve it?<br>
How to unassign an assignment with
effectiveStatus="disabled" and propagate this change to
AD and remove the user from the AD group?<br>
<br>
btw: Unassignments with effective status set to
"enabled" are unassigned properly in AD.<br>
Tested on mP 3.8 and 4.1.<br>
<br>
Regards<br>
Lubomir Odlevak<br>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
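<p>As an added example (not code from this thread and not midPoint's own code): a small stand-alone check for the point Pavol makes above, that a disabled assignment must not leave its owner any entitlement. It models a user's assignments with validFrom/validTo, derives a simplified effective status, and compares the AD groups that enabled assignments justify against a snapshot of actual AD group membership. It reports members whose assignment has expired or been removed (alice and carol in the constructed data), users AD is missing (dave), and assignments still present on the user but effectively disabled. The role-to-group mapping, the user and AD data, the group DN and the <code>effective_status()</code> model are all assumptions made for the example, not midPoint's real activation computation.</p>

```python
# Added example, not midPoint code. Finds AD group memberships no longer
# backed by an *enabled* midPoint assignment: the assignment has passed its
# validTo (effectiveStatus "disabled") or was removed, yet the user is still
# in the group. Role->group mapping, users and AD snapshot are constructed;
# effective_status() is a simplified model (assumption: midPoint's own
# computation also knows "archived" and lifecycle states, ignored here).
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Assignment:
    target_oid: str                          # assignment/targetRef/@oid
    valid_from: Optional[datetime] = None    # activation/validFrom
    valid_to: Optional[datetime] = None      # activation/validTo
    administrative_status: str = "enabled"   # activation/administrativeStatus

@dataclass
class User:
    name: str
    assignments: List[Assignment] = field(default_factory=list)

def effective_status(a: Assignment, now: datetime) -> str:
    """'enabled' only if administratively enabled and now lies within
    [validFrom, validTo); anything else yields 'disabled'."""
    if a.administrative_status != "enabled":
        return "disabled"
    if a.valid_from is not None and now < a.valid_from:
        return "disabled"
    if a.valid_to is not None and now >= a.valid_to:
        return "disabled"
    return "enabled"

# Assumed mapping: which AD group each role's construction grants.
ROLE_TO_GROUP: Dict[str, str] = {
    "u75-etudiants-cursus-doctorat":
        "CN=etudiants-cursus-doctorat,OU=Groups,DC=example,DC=org",
}

def expected_memberships(users: List[User], now: datetime) -> Dict[str, Set[str]]:
    """Groups each user is entitled to, counting enabled assignments only."""
    return {
        u.name: {
            ROLE_TO_GROUP[a.target_oid]
            for a in u.assignments
            if a.target_oid in ROLE_TO_GROUP and effective_status(a, now) == "enabled"
        }
        for u in users
    }

def stale_memberships(users: List[User], ad: Dict[str, Set[str]],
                      now: datetime) -> List[Tuple[str, str]]:
    """(user, group) pairs present in AD with no enabled assignment behind them."""
    expected = expected_memberships(users, now)
    return sorted((m, g) for g, members in ad.items() for m in members
                  if g not in expected.get(m, set()))

def missing_memberships(users: List[User], ad: Dict[str, Set[str]],
                        now: datetime) -> List[Tuple[str, str]]:
    """(user, group) pairs an enabled assignment grants but AD lacks."""
    expected = expected_memberships(users, now)
    return sorted((u, g) for u, groups in expected.items() for g in groups
                  if u not in ad.get(g, set()))

def disabled_assignments(users: List[User], now: datetime) -> List[Tuple[str, str]]:
    """Assignments still on the user but effectively disabled: the ones the
    thread wants removed from both midPoint and AD."""
    return [(u.name, a.target_oid) for u in users for a in u.assignments
            if effective_status(a, now) == "disabled"]

# Constructed sample data.
UTC = timezone.utc
NOW = datetime(2020, 10, 30, 10, 0, tzinfo=UTC)
GROUP = ROLE_TO_GROUP["u75-etudiants-cursus-doctorat"]
SAMPLE_USERS = [
    # validTo passed: assignment still present, effectiveStatus "disabled"
    User("alice", [Assignment("u75-etudiants-cursus-doctorat",
                              valid_to=datetime(2020, 10, 15, tzinfo=UTC))]),
    # still inside its validity window
    User("bob", [Assignment("u75-etudiants-cursus-doctorat",
                            valid_to=datetime(2021, 6, 30, tzinfo=UTC))]),
    # assignment already removed in midPoint
    User("carol", []),
    # enabled assignment, but AD has not caught up
    User("dave", [Assignment("u75-etudiants-cursus-doctorat")]),
]
SAMPLE_AD: Dict[str, Set[str]] = {GROUP: {"alice", "bob", "carol"}}

if __name__ == "__main__":
    for user, group in stale_memberships(SAMPLE_USERS, SAMPLE_AD, NOW):
        print(f"STALE    {user} is still in {group}")
    for user, group in missing_memberships(SAMPLE_USERS, SAMPLE_AD, NOW):
        print(f"MISSING  {user} should be in {group}")
    for user, oid in disabled_assignments(SAMPLE_USERS, NOW):
        print(f"DISABLED {oid} still assigned to {user}")
```

<p>Run as a script it prints the three reports for the constructed data. In practice the user and assignment data would be read from midPoint and the membership snapshot from an LDAP query of the AD group; the example deliberately stops at the comparison, which is the part that catches the lingering entitlement whether the gap was caused by validity expiry, a missing unassignment, or provisioning that never happened.</p>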
</body>
</html>