<div dir="ltr">Hi Markus, <br><br>I was able to resolve the issue by fixing the mappings in the correlation settings with weight, tier and correct mapping with Personal number. I appreciate your reaching out to me.<br><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 2, 2024 at 4:09 AM <<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send midPoint mailing list submissions to<br>
        <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
        <a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
or, via email, send a message with subject or body 'help' to<br>
        <a href="mailto:midpoint-request@lists.evolveum.com" target="_blank">midpoint-request@lists.evolveum.com</a><br>
<br>
You can reach the person managing the list at<br>
        <a href="mailto:midpoint-owner@lists.evolveum.com" target="_blank">midpoint-owner@lists.evolveum.com</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of midPoint digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
   1. Re: Issue with correlation with AD (Markus Calmius)<br>
   2. Entitlements and Object Templates (Hilmar Kistemaker)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Wed, 01 May 2024 10:32:19 +0000<br>
From: Markus Calmius <<a href="mailto:markus.calmius@proton.ch" target="_blank">markus.calmius@proton.ch</a>><br>
To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
Subject: Re: [midPoint] Issue with correlation with AD<br>
Message-ID:<br>
        <VxQjscnAQfxY2uhp3FfMbFFWo2zuCt9DM1whfoX-IRG9SCGDGjymHxBkesyxrLniJATVDsP8CSUNqVCV4SscR-Ezj4tZkoT460v7EtTi1gY=@<a href="http://proton.ch" rel="noreferrer" target="_blank">proton.ch</a>><br>
<br>
Content-Type: text/plain; charset=utf-8<br>
<br>
<br>
Hi Tushar,<br>
<br>
not that I use AD, but maybe you can you the resource configuration?<br>
<br>
Kind regards,<br>
Markus <br>
<br>
<br>
On Wednesday, 1 May 2024 at 12:00, <a href="mailto:midpoint-request@lists.evolveum.com" target="_blank">midpoint-request@lists.evolveum.com</a> <<a href="mailto:midpoint-request@lists.evolveum.com" target="_blank">midpoint-request@lists.evolveum.com</a>> wrote:<br>
<br>
> Today's Topics:<br>
> <br>
> 1. Smart Correlation Webinar Video & Blog Post (Evolveum Marketing)<br>
> 2. Issue with correlation with AD (Tushar Walaskar)<br>
> <br>
> <br>
> ----------------------------------------------------------------------<br>
> <br>
> Message: 1<br>
> Date: Tue, 30 Apr 2024 16:45:58 +0200<br>
> From: Evolveum Marketing <a href="mailto:vera@evolveum.com" target="_blank">vera@evolveum.com</a><br>
> <br>
> To: midPoint General Discussion <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
> <br>
> Subject: [midPoint] Smart Correlation Webinar Video & Blog Post<br>
> Message-ID: <a href="mailto:cb08f098-7698-4329-8d9d-97ab67985434@evolveum.com" target="_blank">cb08f098-7698-4329-8d9d-97ab67985434@evolveum.com</a><br>
> <br>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"<br>
> <br>
> Dear midPoint Community,<br>
> <br>
> We invite you to check out our blog post or watch the webinar recording<br>
> featuring our Senior Software Developer, Pavol Mederly, discussing smart<br>
> correlation. The webinar provides insights into how to effectively use<br>
> smart correlation to align identity data with existing focus objects in<br>
> the repository. In the blog post, you'll also find Pavol's responses to<br>
> audience questions.<br>
> <br>
> Learn more here: Smart Correlation Webinar Summary<br>
> <a href="https://evolveum.com/smart-correlation-webinar-summary/" rel="noreferrer" target="_blank">https://evolveum.com/smart-correlation-webinar-summary/</a>.<br>
> <br>
> <br>
> Enjoy exploring these resources!<br>
> <br>
> --<br>
> <br>
> Veronika Kolpascikova<br>
> Marketing Specialist<br>
> <a href="http://evolveum.com" rel="noreferrer" target="_blank">evolveum.com</a><br>
> <br>
> <br>
> ------------------------------<br>
> <br>
> Message: 2<br>
> Date: Tue, 30 Apr 2024 11:33:48 -0600<br>
> From: Tushar Walaskar <a href="mailto:tusharwalaskar1@weber.edu" target="_blank">tusharwalaskar1@weber.edu</a><br>
> <br>
> To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
> Subject: [midPoint] Issue with correlation with AD<br>
> Message-ID:<br>
> CA+Xa8fcs=ACv=Nnqwv5LF1ddbFSE05BsmPC9vdogmMXW6dd=<a href="mailto:UA@mail.gmail.com" target="_blank">UA@mail.gmail.com</a><br>
> <br>
> Content-Type: text/plain; charset="utf-8"<br>
> <br>
> Hi everyone,<br>
> <br>
> I am having an issue with Correlation in Midpoint with AD.<br>
> <br>
> A bit of context, I am trying to import AD users into Midpoint, which<br>
> already has some users from the HR System. I used the correlation of<br>
> EmployeeNumber in AD to PersonalNumber in Midpoint.<br>
> <br>
> When I am trying to import preview the objects which are already existing<br>
> in both AD and HR systems, the items are "unmatched" even though they<br>
> should be "unlinked" Also while running the reconciliation job I get this<br>
> error frequently,<br>
> <br>
> 4/30/24, 5:23 PM com.evolveum.midpoint.util.exception.SystemException:<br>
> Error occurred during resource object shadow owner lookup, reason: No<br>
> correlation items in<br>
> CorrelatorContext{configurationBean=PCV(23):[PP({.../common/common-3}name):[PPV(String:personalNumber-correlation)],<br>
> PP({.../common/common-3}description):[PPV(String:Correlation using<br>
> personalNumber. Please note: inbound mapping for personalNumber is used<br>
> only during correlation.)],<br>
> PP({.../common/common-3}enabled):[PPV(Boolean:true)],<br>
> PC(composition):[PCV(null):[PP({.../common/common-3}tier):[PPV(Integer:1)]]]]}<br>
> <br>
> Can anyone help make sense of this and if possible help solving this issue?<br>
> <br>
> --<br>
> Warmest Regards,<br>
> <br>
> Tushar Walaskar MS MIS, CISSP, CCSP, CIPM<br>
> *Senior IAM Engineer *<br>
> <br>
> <br>
> ------------------------------<br>
> <br>
> Subject: Digest Footer<br>
> <br>
> _______________________________________________<br>
> midPoint mailing list<br>
> <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
> <a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
> <br>
> <br>
> ------------------------------<br>
> <br>
> End of midPoint Digest, Vol 145, Issue 1<br>
> ****************************************<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Wed, 1 May 2024 18:38:59 +0200<br>
From: Hilmar Kistemaker <<a href="mailto:hilmar.kistemaker@mollie.com" target="_blank">hilmar.kistemaker@mollie.com</a>><br>
To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
Subject: [midPoint] Entitlements and Object Templates<br>
Message-ID:<br>
        <<a href="mailto:CAHLViaJtt0iwPOn0CDsJJkkEmG9AM8Fu9w1FHVXbZ7OwHAHShA@mail.gmail.com" target="_blank">CAHLViaJtt0iwPOn0CDsJJkkEmG9AM8Fu9w1FHVXbZ7OwHAHShA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi,<br>
<br>
I'm encountering an issue with entitlements and object templates in<br>
midPoint and could use some assistance in resolving it.<br>
<br>
The condition in the object template checks the Team attribute on the<br>
user's midPoint profile. If the condition is true, the expression searches<br>
for an organization object that matches the display name and assigns the<br>
correct organization object to the user. The organization object contains 2<br>
inducements: 1 Google Group and 1 Okta group. The user does get added to<br>
the groups in the systems when the Object Template assigns the organization<br>
object to the user.<br>
<br>
The problem arises during unassignment. When a user moves teams, the<br>
organization object gets unassigned, and the new organization object gets<br>
assigned. However, the user is not removed from the old team Google/Okta<br>
group.<br>
<br>
If I manually unassign an organization object, the user does get removed<br>
from the Google/Okta groups.<br>
<br>
This is the object template mapping I use:<br>
<br>
<mapping><br>
    <name>Team</name><br>
    <source><br>
        <path xmlns:gen849="urlRedacted/xml/ns/extension">c:extension/gen849:team</path><br>
    </source><br>
    <source><br>
        <path xmlns:gen569="urlRedacted/xml/ns/extension">c:extension/gen569:domain</path><br>
    </source><br>
    <expression><br>
        <script><br>
            <code><br>
  import com.evolveum.midpoint.xml.ns._public.common.common_3.*<br>
  import com.evolveum.midpoint.prism.delta.builder.*<br>
  import com.evolveum.midpoint.prism.query.ObjectFilter;<br>
  import com.evolveum.midpoint.schema.SelectorOptions;<br>
  import com.evolveum.midpoint.schema.GetOperationOptions;<br>
  import com.evolveum.midpoint.model.api.*<br>
<br>
  // "team" and "domain" are the two mapping sources declared above<br>
  teamName = team<br>
  orgName = domain<br>
<br>
  if (orgName != null) {<br>
    // Look up the domain org by display name<br>
    ObjectFilter domainFilter = prismContext.queryFor(OrgType.class)<br>
      .item(OrgType.F_DISPLAY_NAME).eq(orgName)<br>
      .buildFilter();<br>
<br>
    fetchedOrgs = midpoint.searchObjects(OrgType.class, prismContext.queryFactory().createQuery(domainFilter));<br>
<br>
    if (fetchedOrgs[0] != null) {<br>
      assignmentTargetOid = fetchedOrgs[0].getOid()<br>
<br>
      // Look up the team org by display name, restricted to orgs assigned to the domain org<br>
      ObjectFilter teamFilter = prismContext.queryFor(OrgType.class)<br>
        .item(OrgType.F_DISPLAY_NAME).eq(teamName)<br>
        .and()<br>
        .item(OrgType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF).ref(assignmentTargetOid)<br>
        .buildFilter();<br>
<br>
      fetchedTeams = midpoint.searchObjects(OrgType.class, prismContext.queryFactory().createQuery(teamFilter));<br>
<br>
      if (fetchedTeams[0] != null) {<br>
        // Build the assignment that points at the team org<br>
        roleOrt = new ObjectReferenceType();<br>
        roleOrt.setOid(fetchedTeams[0].getOid());<br>
        roleOrt.setType(OrgType.COMPLEX_TYPE);<br>
<br>
        AssignmentType assignment = new AssignmentType();<br>
        assignment.asPrismContainerValue()<br>
        assignment.setTargetRef(roleOrt);<br>
<br>
        return assignment<br>
      } else {<br>
        log.warn("No Team orgs found!")<br>
      }<br>
    }<br>
  } else {<br>
    log.warn("No Domain set on user profile. Skipping Team assignment.")<br>
  }<br>
  </code><br>
        </script><br>
    </expression><br>
    <target><br>
        <path>c:assignment</path><br>
    </target><br>
    <condition><br>
        <script><br>
            <code><br>
      fetchedTeam = team;<br>
      if (fetchedTeam != null) {<br>
        log.warn("Team not empty, try to assign OU in MP")<br>
        return true<br>
      } else {<br>
        log.warn("User has no team assigned!")<br>
      }<br>
   </code><br>
        </script><br>
    </condition><br>
    <enabled>true</enabled><br>
</mapping><br>
<br>
Thanks,<br>
Hilmar<br>
<br>
------------------------------<br>
<br>
End of midPoint Digest, Vol 145, Issue 2<br>
****************************************<br>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><b>Warmest Regards,</b><br><br><b><font color="#3d85c6" size="4" face="tahoma, sans-serif">Tushar Walaskar MS MIS, CISSP, CCSP, CIPM</font></b><br><b>Senior IAM Engineer </b></div></div>
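Added example, not part of the thread and not midPoint project code: a small pre-import check for the failure quoted above, where an items correlator carries a name and a tier but no correlation item. The resource fragment is constructed, and its element names (correlation/correlators/items/item/ref, attribute/inbound/target/path) are assumed to follow the midPoint resource schema. The rule that a correlated focus property needs an inbound mapping is likewise an assumption based on the fix described in the reply.

```python
import xml.etree.ElementTree as ET

# Constructed resource objectType fragment; element names are assumed to follow
# the midPoint resource schema (correlation/correlators/items/item/ref).
TEMPLATE = """
<objectType xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <attribute>
    <ref>employeeNumber</ref>{inbound}
  </attribute>
  <correlation><correlators><items>
    <name>personalNumber-correlation</name>
    <enabled>true</enabled>{item}
    <composition><tier>1</tier></composition>
  </items></correlators></correlation>
</objectType>
"""
INBOUND = "<inbound><target><path>personalNumber</path></target></inbound>"
ITEM = "<item><ref>personalNumber</ref></item>"

BROKEN = TEMPLATE.format(inbound="", item="")        # shape seen in the error dump
NO_MAPPING = TEMPLATE.format(inbound="", item=ITEM)  # item present, nothing feeds it
FIXED = TEMPLATE.format(inbound=INBOUND, item=ITEM)


def find(el, *path):
    """Descend along local element names, ignoring XML namespaces."""
    found = [el]
    for name in path:
        found = [c for e in found for c in e if c.tag.rsplit("}", 1)[-1] == name]
    return found


def lint_correlation(xml_text):
    """Return findings for items correlators that cannot produce a match."""
    root = ET.fromstring(xml_text)
    targets = {p.text.strip() for p in find(root, "attribute", "inbound", "target", "path")}
    findings = []
    for items in find(root, "correlation", "correlators", "items"):
        names = find(items, "name")
        label = names[0].text.strip() if names else "(unnamed)"
        refs = [r.text.strip() for r in find(items, "item", "ref")]
        if not refs:
            findings.append(f"{label}: no correlation items")
        findings += [f"{label}: no inbound mapping targets {r}"
                     for r in refs if r not in targets]
    return findings


if __name__ == "__main__":
    for title, doc in (("broken", BROKEN), ("no mapping", NO_MAPPING), ("fixed", FIXED)):
        print(title, lint_correlation(doc))
```

Running it against an exported resource definition before a reconciliation run flags correlators that would leave existing accounts unmatched.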