<div dir="ltr"><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div>Hi,<br><br>I use midPoint version 4.4.1.<br><br>I would like to create Attribute-Based Access Control (ABAC) roles. I tried auto-assignment on the role object and an object template; you can see the configuration below. It was working very well in most cases.</div><div><br>But when I changed the role's auto-assign mapping rule, the unassign operation did not run for users who were only in the kitchen organizational unit.</div><div>   <b>Old ABAC rule:</b> <font face="monospace">organizationalUnit?.norm == 'kitchen'</font><br>   <b>New ABAC rule:</b> <font face="monospace">organizationalUnit?.norm == 'livingroom'</font></div><div><br>The effect was the same on object templates with another rule.</div><div>   <b>Old ABAC rule:</b> <font face="monospace">employeeNumber == '12345'</font></div><div>   <b>New ABAC rule:</b> <font face="monospace">employeeNumber == '123456789'</font></div><div><br></div><div>So the revocation of role membership from the users was not evaluated when the role mapping rule changed. I tried to run recomputation tasks too, but nothing happened.</div><div><br>Is there a way to automatically unassign the role from users after the role auto-assign rule has changed?</div><div><br></div><div>If the unassigning has to be done manually, is there a best practice for this case?<br><br>Thank you for helping!<br><br>Best regards,</div><div>Adam Nemet<br><br><b>Configuration:</b><br><font face="monospace">&lt;?xml version="1.0" encoding="UTF-8"?&gt;<br><br>&lt;config&gt;<br>  &lt;role oid="1638b6d0-e0de-45b8-9828-c3b5ab6bf46e"&gt;<br>    &lt;name&gt;Requester&lt;/name&gt;<br>    &lt;autoassign&gt;<br>      &lt;enabled&gt;true&lt;/enabled&gt;<br>      &lt;focus&gt;<br>        &lt;mapping id="16"&gt;<br>          &lt;strength&gt;strong&lt;/strength&gt;<br>          &lt;source&gt;<br>            &lt;path&gt;organizationalUnit&lt;/path&gt;<br>          &lt;/source&gt;<br>          &lt;condition&gt;<br>            &lt;script&gt;<br>              &lt;code&gt;<br>                organizationalUnit?.norm == 'kitchen'<br>              &lt;/code&gt;<br>            &lt;/script&gt;<br>          &lt;/condition&gt;<br>        &lt;/mapping&gt;<br>        &lt;selector&gt;<br>          &lt;type&gt;UserType&lt;/type&gt;<br>        &lt;/selector&gt;<br>      &lt;/focus&gt;<br>    &lt;/autoassign&gt;<br>  &lt;/role&gt;<br><br><br>  &lt;objectTemplate oid="516a979a-824d-497d-ac44-53f8af592a12"&gt;<br>    &lt;name&gt;User AD role auto assigment&lt;/name&gt;<br>    &lt;mapping&gt;<br>      &lt;authoritative&gt;true&lt;/authoritative&gt;<br>      &lt;source&gt;<br>        &lt;path&gt;employeeNumber&lt;/path&gt;<br>      &lt;/source&gt;<br>      &lt;expression&gt;<br>        &lt;value&gt;<br>          &lt;targetRef oid="e8fe3a12-6701-4943-8180-c3aff2d132e6" type="RoleType"/&gt;<br>        &lt;/value&gt;<br>      &lt;/expression&gt;<br>      &lt;target&gt;<br>        &lt;path&gt;assignment&lt;/path&gt;<br>      &lt;/target&gt;<br>      &lt;condition&gt;<br>        &lt;script&gt;<br>          &lt;code&gt;employeeNumber == '12345'&lt;/code&gt;<br>        &lt;/script&gt;<br>      &lt;/condition&gt;<br>    &lt;/mapping&gt;<br>  &lt;/objectTemplate&gt;<br><br><br>  &lt;systemConfiguration&gt;<br>    ...<br>    &lt;roleManagement&gt;<br>      &lt;roleCatalogRef oid="20000000-7798-11e2-964e-200000000100" relation="org:default" type="c:OrgType"&gt;<br>        &lt;!-- IT Department --&gt;<br>      &lt;/roleCatalogRef&gt;<br>      &lt;roleCatalogCollections&gt;<br>        &lt;collection&gt;<br>          &lt;collectionUri&gt;http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog&lt;/collectionUri&gt;<br>        &lt;/collection&gt;<br>        &lt;collection&gt;<br>          &lt;collectionUri&gt;http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles&lt;/collectionUri&gt;<br>        &lt;/collection&gt;<br>      &lt;/roleCatalogCollections&gt;<br>      &lt;defaultCollection&gt;<br>        &lt;collectionUri&gt;http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog&lt;/collectionUri&gt;<br>      &lt;/defaultCollection&gt;<br>      &lt;autoassignEnabled&gt;true&lt;/autoassignEnabled&gt;<br>    &lt;/roleManagement&gt;<br>    ...<br>    &lt;defaultObjectPolicyConfiguration&gt;<br>      &lt;objectTemplateRef oid="516a979a-824d-497d-ac44-53f8af592a12" relation="org:default" type="c:ObjectTemplateType"&gt;<br>        &lt;!-- User Template --&gt;<br>      &lt;/objectTemplateRef&gt;<br>      &lt;type&gt;UserType&lt;/type&gt;<br>    &lt;/defaultObjectPolicyConfiguration&gt;<br>    ...<br>  &lt;/systemConfiguration&gt;<br>&lt;/config&gt;<br></font></div></div></div></div></div></div></div></div>
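As an added illustration (not part of the post, not midPoint's own code, and not a claim about midPoint internals), the constructed Python model below contrasts two ways of reconciling an ABAC assignment using the post's kitchen/livingroom rule: one that only reacts to a change in the source attribute, which finds nothing to revoke when the rule text changes but the user does not, and one that reconciles against the rule that originally produced the assignment. Rule, Assignment, the version labels and the sample user are hypothetical.

```python
# Constructed model of ABAC auto-assignment reconciliation (added example,
# not midPoint code; Rule/Assignment and the version labels are hypothetical).
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Rule:
    role: str
    version: str                       # identifies the rule text in force
    condition: Callable[[Dict], bool]  # evaluated on the user's attributes

@dataclass
class Assignment:
    role: str
    origin_rule: str                   # "role/version" that produced it

def rule_id(rule: Rule) -> str:
    return f"{rule.role}/{rule.version}"

def delta_based(rule, old_attrs, new_attrs, assignments):
    """Reacts only to a condition transition across an attribute change; with
    unchanged attributes and a rewritten rule, before == after, so nothing is revoked."""
    before, after = rule.condition(old_attrs), rule.condition(new_attrs)
    add = [Assignment(rule.role, rule_id(rule))] if after and not before else []
    remove = [a for a in assignments if a.role == rule.role] if before and not after else []
    return add, remove

def origin_based(rule, attrs, assignments):
    """Recomputes from scratch: assignments produced by any version of this role's
    rule are kept only if the rule currently in force still grants them."""
    wanted = rule.condition(attrs)
    mine = [a for a in assignments if a.origin_rule.startswith(rule.role + "/")]
    add = [Assignment(rule.role, rule_id(rule))] if wanted and not mine else []
    return add, ([] if wanted else mine)

# Constructed sample: the post's rule before and after the change, and a
# kitchen user who received Requester while the old rule was in force.
OLD_RULE = Rule("Requester", "v1", lambda u: u.get("organizationalUnit") == "kitchen")
NEW_RULE = Rule("Requester", "v2", lambda u: u.get("organizationalUnit") == "livingroom")
KITCHEN_USER = {"name": "user1", "organizationalUnit": "kitchen"}
ASSIGNED = [Assignment("Requester", "Requester/v1")]

def after_rule_change() -> Tuple[List[str], List[str]]:
    """Rule text changed, user did not: roles revoked by each strategy."""
    _, d_rm = delta_based(NEW_RULE, KITCHEN_USER, KITCHEN_USER, ASSIGNED)
    _, o_rm = origin_based(NEW_RULE, KITCHEN_USER, ASSIGNED)
    return [a.role for a in d_rm], [a.role for a in o_rm]

def after_attribute_change() -> Tuple[List[str], List[str]]:
    """User moves to livingroom under the old rule: both strategies revoke."""
    moved = dict(KITCHEN_USER, organizationalUnit="livingroom")
    _, d_rm = delta_based(OLD_RULE, KITCHEN_USER, moved, ASSIGNED)
    _, o_rm = origin_based(OLD_RULE, moved, ASSIGNED)
    return [a.role for a in d_rm], [a.role for a in o_rm]
```

The same model applies to the employeeNumber case: the attribute '12345' is unchanged while the rule moves to '123456789', so a source-delta view again sees no transition and only the origin-keyed reconciliation revokes.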