<div dir="ltr">Hi,<div><br>I'm encountering an issue with entitlements and object templates in midPoint and could use some assistance in resolving it.<br><br>The condition in the object template checks the Team attribute on the user's midPoint profile. If the condition is true, the expression searches for an organization object that matches the display name and assigns the correct organization object to the user. The organization object contains 2 inducements: 1 Google Group and 1 Okta group. The user does get added to the groups in the systems when the Object Template assigns the organization object to the user.<div><br>The problem arises during unassignment. When a user moves teams, the organization object gets unassigned, and the new organization object gets assigned. However, the user is not removed from the old team Google/Okta group.<br><br>If I manually unassign an organization object, the user does get removed from the Google/Okta groups.<br><br>This is the object template mapping I use:<br><br>
<mapping><br>
    <name>Team</name><br>
    <source><br>
        <path xmlns:gen849="urlRedacted/xml/ns/extension">c:extension/gen849:team</path><br>
    </source><br>
    <source><br>
        <path xmlns:gen569="urlRedacted/xml/ns/extension">c:extension/gen569:domain</path><br>
    </source><br>
    <expression><br>
        <script><br>
            <code><br>
  import com.evolveum.midpoint.xml.ns._public.common.common_3.*<br>
  import com.evolveum.midpoint.prism.delta.builder.*<br>
  import com.evolveum.midpoint.prism.query.ObjectFilter;<br>
  import com.evolveum.midpoint.schema.SelectorOptions;<br>
  import com.evolveum.midpoint.schema.GetOperationOptions;<br>
  import com.evolveum.midpoint.model.api.*<br>
<br>
  teamName = team<br>
  orgName = domain<br>
<br>
  if (orgName != null) {<br>
    // Look up the domain org by its display name<br>
    ObjectFilter domainFilter = prismContext.queryFor(OrgType.class)<br>
      .item(OrgType.F_DISPLAY_NAME).eq(orgName)<br>
      .buildFilter();<br>
<br>
    fetchedOrgs = midpoint.searchObjects(OrgType.class, prismContext.queryFactory().createQuery(domainFilter));<br>
<br>
    if (fetchedOrgs[0] != null) {<br>
      assignmentTargetOid = fetchedOrgs[0].getOid()<br>
<br>
      // Look up the team org by display name, limited to orgs assigned to the domain org<br>
      ObjectFilter teamFilter = prismContext.queryFor(OrgType.class)<br>
        .item(OrgType.F_DISPLAY_NAME).eq(teamName)<br>
        .and()<br>
        .item(OrgType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF).ref(assignmentTargetOid)<br>
        .buildFilter();<br>
<br>
      fetchedTeams = midpoint.searchObjects(OrgType.class, prismContext.queryFactory().createQuery(teamFilter));<br>
<br>
      if (fetchedTeams[0] != null) {<br>
        // Build an assignment that targets the team org<br>
        roleOrt = new ObjectReferenceType();<br>
        roleOrt.setOid(fetchedTeams[0].getOid());<br>
        roleOrt.setType(OrgType.COMPLEX_TYPE);<br>
<br>
        AssignmentType assignment = new AssignmentType();<br>
        assignment.asPrismContainerValue()<br>
        assignment.setTargetRef(roleOrt);<br>
<br>
        return assignment<br>
      } else {<br>
        log.warn("No Team orgs found!")<br>
      }<br>
<br>
    }<br>
  } else {<br>
    log.warn("No Domain set on user profile. Skipping Team assignment.")<br>
  }<br>
            </code><br>
        </script><br>
    </expression><br>
    <target><br>
        <path>c:assignment</path><br>
    </target><br>
    <condition><br>
        <script><br>
            <code><br>
  // Apply the mapping only when the user has a team set<br>
  fetchedTeam = team;<br>
  if (fetchedTeam != null) {<br>
    log.warn("Team not empty, try to assign OU in MP")<br>
    return true<br>
  } else {<br>
    log.warn("User has no team assigned!")<br>
  }<br>
            </code><br>
        </script><br>
    </condition><br>
    <enabled>true</enabled><br>
</mapping><br clear="all"><div><br></div></div></div><div>Thanks,</div><div>Hilmar</div></div>