<div dir="ltr">I've found the root cause. I have a policy rule which triggers "recompute" on a user object.<div> <policyRule><br> <policyConstraints><br> <modification><br> <item>extension/profileStatus</item><br> </modification><br> </policyConstraints><br> <policyActions><br> <scriptExecution><br> <object><br> <currentObject/><br> </object><br> <executeScript><br> <s:recompute/><br> </executeScript><br> </scriptExecution><br> </policyActions><br> </policyRule> <br><br>It looks like this way of recomputing a user turns off the "none" projection policy of the Google resource. This results in creating a Google account even though the Google assignmentPolicyEnforcement is "none". </div><div><br></div><div>I tried different available executeOptions without success.</div><div><br></div><div>Is this behavior expected?</div><div><br></div><div>Thanks,</div><div>Yakov<br><br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 16 May 2023 at 12:05, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">In the archetype assigned to the top org I have inducements of 2 resources. 
They work fine when a new user comes to or goes from suborgs.<br><br><div> <inducement><br> <construction><br> <!--Google--><br> <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93" relation="org:default" type="c:ResourceType"/><br> <kind>account</kind><br> <intent>default</intent><br> </construction><br> <order>3</order><br> <focusType>UserType</focusType><br> </inducement><br><br> <inducement><br> <construction><br> <!--Keycloak--><br> <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3" relation="org:default" type="c:ResourceType"/><br> <kind>account</kind><br> <intent>default</intent><br> <association><br> <ref>ri:group</ref><br> <outbound><br> <expression><br> <associationFromLink><br> <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType"><br> <kind>entitlement</kind><br> <intent>organization</intent><br> </projectionDiscriminator><br> </associationFromLink><br> </expression><br> </outbound><br> </association><br> </construction><br> <order>3</order><br> <focusType>UserType</focusType><br> </inducement><br><br></div><div>Before importing existing accounts I change assignmentPolicyEnforcement from full to none. </div><div>1) Importing Google accounts with an import task doesn't demonstrate the change in assignmentPolicyEnforcement. Midpoint tries to create a new account and modify existing. Discovery works, but this is not what I expect. I'd like to see simply only existing accounts linked. </div><div>2) I can see that with Keycloak assignmentPolicyEnforcement=none works as expected - Midpoint doesn't create new Keycloak accounts. But if, for example, during Google import a user already has a Keycloak account with a group association, Midpoint deletes existing group associations. </div><div><br></div><div>Strange behavior. Any ideas? </div><div>MP4.4.3 <br></div><div><br></div><div>Yakov</div><div><br></div><div><br></div></div>
</blockquote></div>