<div dir="ltr">So, the real root cause is the <existence> definition.<div>existence=true can break the "none" assignmentPolicyEnforcement. If existence is true, then a resource account will be created even though assignmentPolicyEnforcement="none".<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 19 May 2023 at 16:28, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">No, the previous post is a mistake.<br><div>Simply each next import (reconcile, recompute) after the initial one results in creating a Google account.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 19 May 2023 at 16:19, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I've found the root cause. I have a policy rule which triggers "recompute" on a user object.<div>       <policyRule><br>            <policyConstraints><br>                <modification><br>                    <item>extension/profileStatus</item><br>                </modification><br>            </policyConstraints><br>            <policyActions><br>                <scriptExecution><br>                    <object><br>                        <currentObject/><br>                    </object><br>                    <executeScript><br>                        <s:recompute/><br>                    </executeScript><br>                </scriptExecution><br>            </policyActions><br>        </policyRule> <br><br>It looks like this way to recompute a user turns off the "none" projection policy of the Google resource. 
This results in creating a Google account even though the Google assignmentPolicyEnforcement is "none". </div><div><br></div><div>I tried different available executeOptions without success.</div><div><br></div><div>Is this behavior expected?</div><div><br></div><div>Thanks,</div><div>Yakov<br><br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 16 May 2023 at 12:05, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">In the archetype assigned to the top org I have inducements of 2 resources. They work fine when a new user comes to or goes from suborgs.<br><br><div>    <inducement><br>        <construction><br>            <!--Google--><br>            <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93" relation="org:default" type="c:ResourceType"/><br>            <kind>account</kind><br>            <intent>default</intent><br>        </construction><br>        <order>3</order><br>        <focusType>UserType</focusType><br>    </inducement><br><br>    <inducement><br>        <construction><br>            <!--Keycloak--><br>            <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3" relation="org:default" type="c:ResourceType"/><br>            <kind>account</kind><br>            <intent>default</intent><br>            <association><br>                <ref>ri:group</ref><br>                <outbound><br>                    <expression><br>                        <associationFromLink><br>                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType"><br>                                <kind>entitlement</kind><br>                                <intent>organization</intent><br>                            </projectionDiscriminator><br>                        </associationFromLink><br>                    
</expression><br>                </outbound><br>            </association><br>        </construction><br>        <order>3</order><br>        <focusType>UserType</focusType><br>    </inducement><br><br></div><div>Before importing existing accounts I change assignmentPolicyEnforcement from full to none. </div><div>1) Importing Google accounts with an import task doesn't demonstrate the change in assignmentPolicyEnforcement. midPoint tries to create a new account and modify existing. Discovery works but this is not what I expect. I'd like to see simply only existing accounts linked. </div><div>2) I can see that with Keycloak assignmentPolicyEnforcement=none works as expected - midPoint doesn't create new Keycloak accounts. But if, for example, during Google import a user already has a Keycloak account with a group association, midPoint deletes existing group associations. </div><div><br></div><div>Strange behavior. Any ideas? </div><div>MP4.4.3 <br></div><div><br></div><div>Yakov</div><div><br></div><div><br></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>