On 21/06/2013 17:42, Nik wrote:
On 06/21/2013 05:28 PM, Fabio Martelli wrote:
On 21/06/2013 17:07, German Parente wrote:
Hi,
I have a question about role assign/de-assign.
When I want to de-assign a role from a user, I am creating a userMod
object and setting into it:
userMod.setId(currentuser.getId());
userMod.addMemberShipToBeRemoved(membershipid);
where membership id is the id of the membership corresponding to the
role I want to de-assign.
I can de-assign roles of the user progressively with no issue.
Propagation to ldap is taking place in the desired way.
When I de-assign the last membership of the user, the user is
deleted from ldap.
I can see the DELETE operation in ldap logs.
Is there anything I am doing wrong when setting the UserMod structure?
Hi German, no, you are not doing anything wrong: in case of resource
de-assignment (directly or indirectly) a de-provisioning operation
will be run.
As you have already experienced, the user won't be de-provisioned on the
resource as long as the last (indirect) assignment between the resource
and itself still exists.
If you don't want to perform any de-provisioning on the resource you
have to work with the ldap connector capabilities: to disable any
de-provisioning operation you can uncheck delete capability on your
connector configuration instance.
This seems strange to me, Fabio,
Are you saying that when we remove the last role assignment on a user, the
user will be deleted? Why?
It will be removed from the EXTERNAL resource when the last link
(directly or indirectly) with this resource is removed.
Regards,
F.
rgds,
Nik