On 21/06/2013 17:42, Nik wrote:
> On 06/21/2013 05:28 PM, Fabio Martelli wrote:
>> On 21/06/2013 17:07, German Parente wrote:
>>> Hi,
>>> I have a question about role assign/de-assign.
>>> When I want to de-assign a role from a user, I am creating a userMod
>>> object and setting into it:
>>> userMod.setId(currentuser.getId());
>>> userMod.addMembershipToBeRemoved(membershipid);
>>> where membership id is the id of the membership corresponding to the
>>> role I want to de-assign.
>>> I can de-assign roles of the user progressively with no issue.
>>> Propagation to ldap is taking place in the desired way.
>>> When I de-assign the last membership of the user, the user is
>>> deleted from ldap.
>>> I can see the DELETE operation in ldap logs.
>>> Is there anything I am doing wrong when setting the UserMod structure?
>> Hi German, no, you are not doing anything wrong: in case of resource
>> de-assignment (directly or indirectly) a de-provisioning operation
>> will be run.
>> As you have already experienced, the user won't be de-provisioned on the
>> resource as long as the last (indirect) assignment between the resource
>> and itself still exists.
>> If you don't want to perform any de-provisioning on the resource you
>> have to work with the ldap connector capabilities: to disable any
>> de-provisioning operation you can uncheck the delete capability on your
>> connector configuration instance.
> This seems strange to me, Fabio,
> Are you saying that when we remove the last role assignment on a user, the
> user will be deleted! Why?
If the following relationships exist
User1/RoleA and RoleA/ResourceK
then you have indirectly defined the following one
User1/ResourceK
When you change something to remove this relationship, Syncope will
interpret this operation as a de-provisioning request.
I mean, currently a resource unlinking implies a de-provisioning.
This behavior has to be changed; please, take a look at
https://issues.apache.org/jira/browse/SYNCOPE-393
Kind regards,
F.
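
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Syncope code: a small Java model of how removing a membership turns into a DELETE on a resource. The class, method and variable names are hypothetical, the sample data is constructed, and only role-derived (indirect) assignments are modelled.

```java
import java.util.*;

// Simplified model of the thread's explanation; not Syncope's implementation.
public class DeprovisionModel {

    // Resources a user reaches indirectly: the union over the roles of its memberships.
    static Set<String> derivedResources(Map<Long, String> memberships,
                                        Map<String, Set<String>> roleResources) {
        Set<String> out = new TreeSet<>();
        for (String role : memberships.values()) {
            out.addAll(roleResources.getOrDefault(role, Set.of()));
        }
        return out;
    }

    // Resources that would receive a DELETE after removing one membership.
    static Set<String> toDeprovision(Map<Long, String> memberships,
                                     Map<String, Set<String>> roleResources,
                                     long membershipToRemove,
                                     Set<String> deleteCapable) {
        Set<String> before = derivedResources(memberships, roleResources);
        Map<Long, String> remaining = new HashMap<>(memberships);
        remaining.remove(membershipToRemove);
        // A resource is lost only when no remaining membership still leads to it.
        Set<String> lost = new TreeSet<>(before);
        lost.removeAll(derivedResources(remaining, roleResources));
        // Connector without the delete capability: nothing is propagated.
        lost.retainAll(deleteCapable);
        return lost;
    }

    public static void main(String[] args) {
        // Constructed sample data: two roles that both map to the same resource.
        Map<String, Set<String>> roleResources = Map.of(
                "RoleA", Set.of("ResourceK"),
                "RoleB", Set.of("ResourceK"));
        Map<Long, String> memberships = new HashMap<>(Map.of(1L, "RoleA", 2L, "RoleB"));
        Set<String> withDelete = Set.of("ResourceK");

        // Removing one of two memberships: RoleB still links the user to ResourceK.
        System.out.println(toDeprovision(memberships, roleResources, 1L, withDelete));
        memberships.remove(1L);
        // Removing the last membership: the indirect User/ResourceK link disappears.
        System.out.println(toDeprovision(memberships, roleResources, 2L, withDelete));
        // Same removal with the delete capability unchecked on the connector.
        System.out.println(toDeprovision(memberships, roleResources, 2L, Set.of()));
    }
}
```

Reviewing which connectors have the delete capability enabled before bulk role changes shows in advance where a membership cleanup would remove accounts from the target directory.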