On 06/24/2013 11:05 AM, Fabio Martelli wrote:
On 24/06/2013 10:46, Nik wrote:
This seems strange to me, Fabio,
Are you saying when we remove the last role assignment on a user,
the user will be deleted! Why?
It will be removed from the EXTERNAL resource when the last link
(directly or indirectly) with this resource will be removed.
Regards,
F.
rgds,
Nik
Hi Fabio,
Ok, if what you say is correct please explain
how the following works, because your explanation
confuses me (I have tested this 3 times with the same
results, happily).
1) I have a user in ldap
2) this user is reconciled into syncope by a task
3) I create a role in syncope which is propagated to ldap (as a group)
4) I assign that role to my user in syncope (which propagates to
ldap, confirmed with ismemberof)
5) I UNASSIGN this role from my user in syncope (which propagates to
ldap, confirmed with ismemberof)
THERE IS ONLY ONE ROLE in syncope so it is the last & first role in
syncope
6) My user and my role both still exist in ldap and syncope!
maybe you have assigned the resource twice:
1. by a direct resource assignment
2. by an indirect resource assignment (by role I mean)
So, you have two links with the resource ....
Thanks Fabio, this DOES indeed explain and clarify my confusion.
[1] I do the task for reconn.
[2] After the user(s) is/are reconn'd into syncope, they are not
"resource assigned" to the ldap resource (this has always bugged me a bit).
[3] I have to assign all the reconn'd users the ldap resource as a post
reconn task.
So I guess this is the direct double assignment situation you mention.
With this double assignment, which is mandatory for our application
users management, we never will fall into your "last role unassignment,
user deletion", base case for role unassignment, as far as I can work out -
can you please confirm this, as I feel we don't have to disable
One_Phase_Delete capability, since this is a corner case we will never
fall into.
I do have a question.
Is it possible to get the resource assignment on the user reconn in step
[1] without having to go through step [2]?
Regards,
Nik
Rgds,
F.
This appears to be in contradiction to what you state above, unless
we are discussing two very different things.
rgds,
Nik