<div dir="ltr">Pascal, thanks for the task, but I can unassign the role in mP. The problem is that the change (unassignment) is not propagated into AD for a role assignment with effectiveStatus = "disabled".<div>My case:</div><div>The role is assigned to the user and the valid-to parameter is set on the assignment and is propagated to AD (assigned to the user in AD). At valid-to time mP sets effectiveStatus = "disabled" for this assignment automatically, and the role is still assigned in mP and AD.</div><div>Now if I manually or with the hook unassign that role from mP, then it is not propagated to AD and the user still has the AD group assigned.</div><div>I want to achieve that the mP valid-to role will be unassigned from both mP and AD after the valid-to parameter is exceeded.</div><div><br></div><div>Regards</div><div>Lubomir</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 16 Oct 2020 at 13:16, Pascal PÉRICHON via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>This task could be a good start:<br>
    </p>
    <p><br>
    </p>
    <pre>
<task>
    <name>task suppress Assignement ETUDIANT-LICENCE</name>
    <extension>
        <scext:executeScript
                xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
                xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
            <!-- Select users by subtype, by name prefix "a" and by the name of the assigned target -->
            <s:search>
                <s:type>c:UserType</s:type>
                <s:query>
                    <q:filter>
                        <q:and>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>ETUDIANT-DOCTORAT</q:value>
                            </q:equal>
                            <q:substring>
                                <q:matching>polyStringNorm</q:matching>
                                <q:path>name</q:path>
                                <q:value>a</q:value>
                                <q:anchorStart>true</q:anchorStart>
                            </q:substring>
                            <q:equal>
                                <q:path>c:assignment/targetRef/@/name</q:path>
                                <q:value>etudiants-cursus-doctorat</q:value>
                            </q:equal>
                            <!--q:org>
                                <q:orgRef>
                                    <q:oid>u75-etudiants-cursus-licence</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-master</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-doctorat</q:oid-->
                                <!--/q:orgRef>
                                <q:maxDepth>unbounded</q:maxDepth>
                            </q:org-->
                        </q:and>
                    </q:filter>
                </s:query>

                <!-- For each matched user, delete the assignment to the given role -->
                <s:action>
                    <s:type>modify</s:type>
                    <s:parameter>
                        <s:name>delta</s:name>
                        <c:value xsi:type="t:ObjectDeltaType">
                            <t:changeType>modify</t:changeType>
                            <t:itemDelta>
                                <t:modificationType>delete</t:modificationType>
                                <t:path>c:assignment</t:path>
                                <t:value xsi:type="c:AssignmentType">
                                    <targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:RoleType"/>
                                    <!--targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:OrgType"/-->
                                </t:value>
                            </t:itemDelta>
                        </c:value>
                    </s:parameter>
                </s:action>

            </s:search>
        </scext:executeScript>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <executionStatus>runnable</executionStatus>

    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
</task>
    </pre>
    <div>On 16/10/2020 at 12:46, Lubomir Odlevak
      via midPoint wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Hello all, <br>
        <br>
        I have assigned a role to an MP user and set Activation valid on
        this assignment. The role has been assigned in MP and AD
        successfully.<br>
        When the valid-to time was exceeded, I ran user
        reconciliation (or the validity task) and effectiveStatus has been
        set to "disable" for the assignment.<br>
        Both the mP role and the AD role are still assigned. Now, I'm trying
        to unassign the role assignment from the MP user (manually or with a hook),
        but it is not removed in AD and the user is still a member of that AD
        group. How can I achieve it?<br>
        How to unassign an assignment with effectiveStatus="disabled" and
        propagate this change to AD and remove the user from the AD group?<br>
        <br>
        btw: The unassignments with effective status set to "enabled" are
        unassigned properly in AD.<br>
        Tested on mp 3.8 and 4.1.<br>
        <br>
        Regards<br>
        Lubomir Odlevak<br>
      </div>
      <br>
      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
  </div>

</blockquote></div>
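<p>Added example (not from the thread and not midPoint code): a Python audit for the condition described above, where an assignment is expired or has effectiveStatus "disabled" but the AD group it granted is still held. The user XML, the role OIDs, the role-to-group mapping and the group DNs are constructed; validTo values are assumed to carry a UTC offset.</p>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# Constructed sample: a midPoint user export with one expired and one live assignment.
SAMPLE_USER = """<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>jdoe</name>
  <assignment>
    <targetRef oid="role-oid-expired" type="RoleType"/>
    <activation>
      <validTo>2020-10-15T00:00:00+00:00</validTo>
      <effectiveStatus>disabled</effectiveStatus>
    </activation>
  </assignment>
  <assignment>
    <targetRef oid="role-oid-live" type="RoleType"/>
    <activation><effectiveStatus>enabled</effectiveStatus></activation>
  </assignment>
</user>"""

# Assumed, site-specific mapping from role OID to the AD group that role provisions.
ROLE_TO_GROUP = {"role-oid-expired": "CN=vpn-users,OU=Groups,DC=example,DC=com",
                 "role-oid-live": "CN=staff,OU=Groups,DC=example,DC=com"}

def assignments(user_xml, now):
    """Yield (role_oid, is_active) for each assignment in the export."""
    for a in ET.fromstring(user_xml).iter(C + "assignment"):
        ref = a.find(C + "targetRef")
        if ref is None:
            continue
        status = a.findtext(f"{C}activation/{C}effectiveStatus")
        valid_to = a.findtext(f"{C}activation/{C}validTo")
        expired = valid_to is not None and datetime.fromisoformat(valid_to) <= now
        yield ref.get("oid"), not (status == "disabled" or expired)

def residual_groups(user_xml, ad_member_of, now):
    """AD groups the account still holds with no active assignment behind them."""
    justified, stale = set(), set()
    for oid, active in assignments(user_xml, now):
        group = ROLE_TO_GROUP.get(oid)
        if group:
            # A group granted by any active assignment is never reported.
            (justified if active else stale).add(group)
    return sorted((stale - justified) & set(ad_member_of))
```

<p>Feed <code>residual_groups</code> the account's current memberOf values from AD; a non-empty result means access outlived the assignment's validity.</p>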