<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Ľubomír,</p>
<p>you may be right, but may not. I am not sure. I would try to
apply the same principle to the association (by making it
non-tolerant). Then there will be no place for keeping
"unauthorized" values there. :)</p>
<p>Unfortunately, the usual disclaimer applies here: this is the
most I can do for you without a subscription. Maybe someone from
the community?<br>
</p>
<pre class="moz-signature" cols="72">--
Pavol Mederly
Software developer
evolveum.com</pre>
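<p>The following is an added illustration, not code from this thread or from the midPoint project, of what "making the association non-tolerant" can look like in a resource definition: a schemaHandling fragment for an AD-style resource whose group association carries <code>tolerant=false</code>, so that midPoint removes any group membership on the resource that no current mapping produces (including one left behind by a disabled or removed assignment) instead of leaving it in place. The object class, attribute names (<code>ri:user</code>, <code>ri:group</code>, <code>ri:member</code>, <code>ri:dn</code>, <code>ri:memberOf</code>) and the entitlement intent are assumptions chosen for the example; adapt them to the actual resource schema.</p>

```xml
<!-- Added example (not from this thread or the midPoint project).
     Resource schemaHandling fragment for an AD-like resource.
     Object class and attribute names (ri:user, ri:group, ri:member,
     ri:dn, ri:memberOf) and the "group" intent are assumptions. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:user</objectClass>
        <association>
            <ref>ri:group</ref>
            <displayName>AD Group Membership</displayName>
            <!-- Non-tolerant association: group memberships on the resource
                 that are not produced by a current mapping are removed on
                 the next recompute/reconciliation, so a membership that
                 outlived its assignment cannot persist as an
                 "unauthorized" value. -->
            <tolerant>false</tolerant>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>
    </objectType>
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <objectClass>ri:group</objectClass>
    </objectType>
</schemaHandling>
```

<p>Before switching an existing association to non-tolerant, run a reconciliation in simulation or preview mode on a test account: every membership that is not backed by a live assignment will show up as a pending deletion, which is exactly the list of stale entitlements the thread is about, and also the list of memberships that would be dropped for users who were granted them outside midPoint.</p>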
<div class="moz-cite-prefix">On 21/04/2022 11:24, Lubomir Odlevak
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABppFo7dOoVzr1FT51xsS6sp2kAQ_f6WCUMWdLKVt4ou-KmBuw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Pavol,
<div>I have tried to apply a range, but it didn't work properly.
The IDM role was successfully unassigned from the user, but the deletion was
not automatically applied to the respective objects (role
membership in AD). It seems that the effective status is set
before the role unassignment, and that is the main problem.<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed 20. 4. 2022 at 12:15, Pavol
Mederly via midPoint &lt;<a
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true" class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Ľubomír,</p>
<p>what you observe is basically missing functionality in
the validation scanning activity. I have updated the docs
to make it clearer.</p>
<p>Please see the Limitations section in <a
href="https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://docs.evolveum.com/midpoint/reference/tasks/specific/focus-validity-scan/</a>.<br>
</p>
<pre cols="72">--
Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a></pre>
<div>On 10/02/2022 16:54, Lubomir Odlevak via midPoint
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Pavol, this problem still persists in
all mP versions, 4.4 included. I have already created a JIRA
ticket: <a
href="https://jira.evolveum.com/browse/MID-7194"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://jira.evolveum.com/browse/MID-7194</a>.
<div>If the effective status of the assignment is
changed to "disabled" and you try to unassign this
assignment via mP, it will NOT unassign the AD role
membership in AD (assignments with the valid-to time
in the future don't work either).</div>
<div><br>
</div>
<div>Regards</div>
<div>Lubomir<br>
<div><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri 30. 10. 2020
at 12:21, Pavol Mederly via midPoint &lt;<a
href="mailto:midpoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Lubomir,</p>
<p>this might be a side effect of changes in
expression evaluation in 4.2.</p>
<p>What is unclear to me is this: As far as I know,
the AD role membership should be removed as soon
as the effective status of the assignment is
changed to "disabled". (Obviously, disabled
assignments should not give their owner any
entitlements.)</p>
<p>How did 3.8 and 4.1 behave in this respect?</p>
<p>Best regards,<br>
</p>
<pre cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
<div>On 30/10/2020 10:19, Lubomir Odlevak via
midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Pascal, thanks for the task, but I
can unassign the role in mP. The problem is that the
change (unassignment) is not propagated into AD
for a role assignment with effectiveStatus =
"disabled".
<div>My case:</div>
<div>The role is assigned to the user, the
valid-to parameter is set on the assignment, and it is
propagated to AD (assigned to the user in AD).
At the valid-to time mP sets effectiveStatus =
"disabled" for this assignment automatically,
and the role is still assigned in mP and AD.</div>
<div>Now if I manually or with the hook unassign
that role from mP, then it is not propagated
to AD and the user still has the AD
group assigned.</div>
<div>I want to achieve that a role with valid-to set in mP
is unassigned both from mP and AD after the
valid-to time is exceeded. </div>
<div><br>
</div>
<div>Regards</div>
<div>Lubomir</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri 16. 10.
2020 at 13:16, Pascal PÉRICHON via midPoint &lt;<a
href="mailto:midpoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>This task could be a good start:<br>
</p>
<pre>&lt;task&gt;
    &lt;name&gt;task suppress Assignement ETUDIANT-LICENCE&lt;/name&gt;
    &lt;extension&gt;
        &lt;scext:executeScript
            xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
            xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"&gt;
            &lt;s:search&gt;
                &lt;s:type&gt;c:UserType&lt;/s:type&gt;
                &lt;s:query&gt;
                    &lt;q:filter&gt;
                        &lt;q:and&gt;
                            &lt;q:equal&gt;
                                &lt;q:path&gt;subtype&lt;/q:path&gt;
                                &lt;q:value&gt;ETUDIANT-DOCTORAT&lt;/q:value&gt;
                            &lt;/q:equal&gt;
                            &lt;q:substring&gt;
                                &lt;q:matching&gt;polyStringNorm&lt;/q:matching&gt;
                                &lt;q:path&gt;name&lt;/q:path&gt;
                                &lt;q:value&gt;a&lt;/q:value&gt;
                                &lt;q:anchorStart&gt;true&lt;/q:anchorStart&gt;
                            &lt;/q:substring&gt;
                            &lt;q:equal&gt;
                                &lt;q:path&gt;c:assignment/targetRef/@/name&lt;/q:path&gt;
                                &lt;q:value&gt;etudiants-cursus-doctorat&lt;/q:value&gt;
                            &lt;/q:equal&gt;
                            &lt;!--q:org&gt;
                                &lt;q:orgRef&gt;
                                    &lt;q:oid&gt;u75-etudiants-cursus-licence&lt;/q:oid--&gt;
                                    &lt;!--q:oid&gt;u75-etudiants-cursus-master&lt;/q:oid--&gt;
                                    &lt;!--q:oid&gt;u75-etudiants-cursus-doctorat&lt;/q:oid--&gt;
                                &lt;!--/q:orgRef&gt;
                                &lt;q:maxDepth&gt;unbounded&lt;/q:maxDepth&gt;
                            &lt;/q:org--&gt;
                        &lt;/q:and&gt;
                    &lt;/q:filter&gt;
                &lt;/s:query&gt;

                &lt;s:action&gt;
                    &lt;s:type&gt;modify&lt;/s:type&gt;
                    &lt;s:parameter&gt;
                        &lt;s:name&gt;delta&lt;/s:name&gt;
                        &lt;c:value xsi:type="t:ObjectDeltaType"&gt;
                            &lt;t:changeType&gt;modify&lt;/t:changeType&gt;
                            &lt;t:itemDelta&gt;
                                &lt;t:modificationType&gt;delete&lt;/t:modificationType&gt;
                                &lt;t:path&gt;c:assignment&lt;/t:path&gt;
                                &lt;t:value xsi:type="c:AssignmentType"&gt;
                                    &lt;targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:RoleType"/&gt;
                                    &lt;!--targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:OrgType"/--&gt;
                                &lt;/t:value&gt;
                            &lt;/t:itemDelta&gt;
                        &lt;/c:value&gt;
                    &lt;/s:parameter&gt;
                &lt;/s:action&gt;
            &lt;/s:search&gt;
        &lt;/scext:executeScript&gt;
    &lt;/extension&gt;
    &lt;ownerRef oid="00000000-0000-0000-0000-000000000002"/&gt;
    &lt;executionStatus&gt;runnable&lt;/executionStatus&gt;

    &lt;category&gt;BulkActions&lt;/category&gt;
    &lt;handlerUri&gt;http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3&lt;/handlerUri&gt;
    &lt;recurrence&gt;single&lt;/recurrence&gt;
&lt;/task&gt;
</pre>
<div>On 16/10/2020 at 12:46, Lubomir Odlevak
via midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello all, <br>
<br>
I have assigned a role to an MP user and set
activation validity on this assignment.
The role has been assigned in MP and AD
successfully.<br>
When the valid-to time has been exceeded, I
have run user reconciliation (or the validity
task) and effectiveStatus has been set
to "disabled" for the assignment.<br>
Both the mP role and the AD role are still
assigned. Now I'm trying to unassign the role
assignment from the MP user (manually or
with a hook), but it is not removed in AD
and the user is still a member of that AD
group. How can I achieve it?<br>
How do I unassign an assignment with
effectiveStatus="disabled" and propagate
this change to AD, removing the user from
the AD group?<br>
<br>
BTW: unassignments with the effective
status set to "enabled" are applied
properly in AD.<br>
Tested on mP 3.8 and 4.1.<br>
<br>
Regards<br>
Lubomir Odlevak<br>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</body>
</html>