<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Ľubomír,</p>
    <p>what you observe is basically a missing functionality in the
      validation scanning activity. I have updated the docs to make it
      clearer.</p>
    <p>Please see the Limitations section in <a moz-do-not-send="true"
href="https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/"
        class="moz-txt-link-freetext">https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/</a>.<br>
    </p>
    <pre class="moz-signature" cols="72">-- 
Pavol Mederly
Software developer
evolveum.com</pre>
    <div class="moz-cite-prefix">On 10/02/2022 16:54, Lubomir Odlevak
      via midPoint wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CABppFo7FKO9tv=rMb3Gh4v-S5khMC5wusJGo6gG=nTq61+-jcA@mail.gmail.com">
      <div dir="ltr">Hi Pavol, this problem still persists in all mP
        versions, 4.4 included. I already created a JIRA ticket: <a
          href="https://jira.evolveum.com/browse/MID-7194"
          moz-do-not-send="true" class="moz-txt-link-freetext">https://jira.evolveum.com/browse/MID-7194</a>.
        <div>If the effective status of the assignment is changed to
          "disabled" and you try to unassign this assignment via mP, it
          will NOT unassign
          AD role membership in AD (assignments with the valid-to time
          in future don't work either).</div>
        <div><br>
        </div>
        <div>Regards</div>
        <div>Lubomir<br>
          <div><br>
          </div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Fri, 30 Oct 2020 at 12:21, Pavol
          Mederly via midPoint <<a
            href="mailto:midpoint@lists.evolveum.com"
            moz-do-not-send="true" class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <p>Lubomir,</p>
            <p>this might be a side effect of changes in expression
              evaluation in 4.2.</p>
            <p>What is unclear to me is this: As far as I know, the AD
              role membership should be removed as soon as the effective
              status of the assignment is changed to "disabled".
              (Obviously, disabled assignments should not give their
              owner any entitlements.)</p>
            <p>How did 3.8 and 4.1 behave in this respect?</p>
            <p>Best regards,<br>
            </p>
            <pre cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
            <div>On 30/10/2020 10:19, Lubomir Odlevak via midPoint
              wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">Pascal, thanks for the task, but I can
                unassign the role in mP. The problem is that the change
                (unassignment) is not propagated into AD for a role
                assignment with effectiveStatus = "disabled".
                <div>My case:</div>
                <div>The role is assigned to the user, the valid-to
                  parameter is set on the assignment, and it is propagated to AD
                  (assigned to the user in AD). At valid-to time mP sets
                  effectiveStatus = "disabled" for this
                  assignment automatically, and the role is still
                  assigned in mP and AD.</div>
                <div>Now if I manually or with the hook unassign that
                  role from mP, then it is not propagated to AD and the
                  user still has the AD group assigned.</div>
                <div>I want to achieve that the mP valid-to role will be
                  unassigned both from mP and AD after the valid-to
                  parameter is exceeded.</div>
                <div><br>
                </div>
                <div>Regards</div>
                <div>Lubomir</div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Fri, 16 Oct 2020
                  at 13:16, Pascal PÉRICHON via midPoint <<a
                    href="mailto:midpoint@lists.evolveum.com"
                    target="_blank" moz-do-not-send="true"
                    class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div>
                    <p>This task could be a good start:</p>
                    <pre><task>
    <name>task suppress Assignement ETUDIANT-LICENCE</name>
    <extension>
        <scext:executeScript xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
                             xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
                             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                             xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
                             xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                             xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
            <s:search>
                <s:type>c:UserType</s:type>
                <!-- Select users of subtype ETUDIANT-DOCTORAT whose name starts with "a"
                     and who hold an assignment to etudiants-cursus-doctorat -->
                <s:query>
                    <q:filter>
                        <q:and>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>ETUDIANT-DOCTORAT</q:value>
                            </q:equal>
                            <q:substring>
                                <q:matching>polyStringNorm</q:matching>
                                <q:path>name</q:path>
                                <q:value>a</q:value>
                                <q:anchorStart>true</q:anchorStart>
                            </q:substring>
                            <q:equal>
                                <q:path>c:assignment/targetRef/@/name</q:path>
                                <q:value>etudiants-cursus-doctorat</q:value>
                            </q:equal>
                            <!--q:org>
                                <q:orgRef>
                                    <q:oid>u75-etudiants-cursus-licence</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-master</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-doctorat</q:oid-->
                                <!--/q:orgRef>
                                <q:maxDepth>unbounded</q:maxDepth>
                            </q:org-->
                        </q:and>
                    </q:filter>
                </s:query>

                <!-- For each matching user, delete the assignment to role u75-etudiants-cursus-doctorat -->
                <s:action>
                    <s:type>modify</s:type>
                    <s:parameter>
                        <s:name>delta</s:name>
                        <c:value xsi:type="t:ObjectDeltaType">
                            <t:changeType>modify</t:changeType>
                            <t:itemDelta>
                                <t:modificationType>delete</t:modificationType>
                                <t:path>c:assignment</t:path>
                                <t:value xsi:type="c:AssignmentType">
                                    <targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:RoleType"/>
                                    <!--targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:OrgType"/-->
                                </t:value>
                            </t:itemDelta>
                        </c:value>
                    </s:parameter>
                </s:action>

            </s:search>
        </scext:executeScript>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <executionStatus>runnable</executionStatus>

    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
</task>
</pre>
                    <div>On 16/10/2020 at 12:46, Lubomir Odlevak via
                      midPoint wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Hello all, <br>
                        <br>
                        I have assigned a role to an MP user and set
                        Activation valid on this assignment. The role has
                        been assigned in MP and AD successfully.<br>
                        When the valid-to time was exceeded, I ran
                        user reconciliation (or the validity task) and
                        effectiveStatus was set to "disable" for
                        the assignment.<br>
                        Both the mP role and the AD role are still assigned.
                        Now I'm trying to unassign the role assignment from the MP
                        user (manually or with a hook), but it is not
                        removed in AD and the user is still a member of that
                        AD group. How can I achieve it?<br>
                        How to unassign an assignment with
                        effectiveStatus="disabled" and propagate this
                        change to AD and remove the user from the AD group?<br>
                        <br>
                        btw: Assignments with effective status set
                        to "enabled" are unassigned properly in AD.<br>
                        Tested on mP 3.8 and 4.1.<br>
                        <br>
                        Regards<br>
                        Lubomir Odlevak<br>
                      </div>
                      <br>
                      <fieldset></fieldset>
                      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
              <br>
            </blockquote>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
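    <p>Added example, not part of the thread and not midPoint code: an audit
      check for the condition discussed above, where an assignment is disabled
      or past its valid-to time but the AD group membership is still present.
      The sample export, the role OID, the role-to-group map and the AD member
      list are constructed assumptions; validTo values are assumed to carry a
      time zone.</p>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample: two users in a midPoint-style export (OIDs are made up).
USERS_XML = """
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <user><name>alice</name>
    <assignment><targetRef oid="role-ad-finance" type="RoleType"/>
      <activation><validTo>2020-10-01T00:00:00Z</validTo>
        <effectiveStatus>disabled</effectiveStatus></activation>
    </assignment>
  </user>
  <user><name>bob</name>
    <assignment><targetRef oid="role-ad-finance" type="RoleType"/>
      <activation><effectiveStatus>enabled</effectiveStatus></activation>
    </assignment>
  </user>
</objects>
"""

# Assumptions: role OID -> AD group DN, and group members as read from AD.
ROLE_TO_GROUP = {"role-ad-finance": "CN=Finance,OU=Groups,DC=example,DC=com"}
AD_MEMBERS = {"CN=Finance,OU=Groups,DC=example,DC=com": {"alice", "bob"}}

def is_inactive(assignment, now):
    """True when the assignment is disabled or its validTo has passed."""
    status = assignment.findtext("c:activation/c:effectiveStatus", namespaces=NS)
    valid_to = assignment.findtext("c:activation/c:validTo", namespaces=NS)
    if valid_to and datetime.fromisoformat(valid_to.replace("Z", "+00:00")) <= now:
        return True
    return status == "disabled"

def stale_memberships(users_xml, role_to_group, ad_members, now):
    """Return sorted (user, group) pairs still in AD without an active assignment."""
    root = ET.fromstring(users_xml)
    findings = set()
    for user in root.findall("c:user", NS):
        name = user.findtext("c:name", namespaces=NS)
        active, inactive = set(), set()
        for a in user.findall("c:assignment", NS):
            ref = a.find("c:targetRef", NS)
            group = role_to_group.get(ref.get("oid")) if ref is not None else None
            if group:
                (inactive if is_inactive(a, now) else active).add(group)
        # A group is stale only if no other active assignment still grants it.
        for group in inactive - active:
            if name in ad_members.get(group, set()):
                findings.add((name, group))
    return sorted(findings)

if __name__ == "__main__":
    now = datetime(2022, 2, 10, tzinfo=timezone.utc)
    for user, group in stale_memberships(USERS_XML, ROLE_TO_GROUP, AD_MEMBERS, now):
        print(f"{user} still in {group} without an active assignment")
```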
  </body>
</html>