Content
Updated by Pavol Mederly 2 months ago
**UPDATE 31.3.2025:**
There is a scenario described in the comments that demonstrates obviously erroneous behavior: if role B is assigned to role A (both having a projection onto a resource), and the projection of B is deleted before the operation, then - as a result of creating the assignment - role A is deleted, which is wrong.
This is a bug that should be fixed.
I am not sure if the original issue is fixable along with this scenario. If so, great. If not, it will remain open as an improvement.
**Original text:**
As described in the further updates of #9487, there may be situations like this:
1. There is a role with a projection (group) on AD.
2. The group is deleted from AD.
3. Without midPoint knowing that the group no longer exists, the role is assigned to a user.
Currently, this operation fails.
MidPoint has a consistency mechanism that can cope with unexpected situations on a resource, however, this mechanism is limited to a single object and its projections.
We need to improve it to cover also problems occurring on different (but related) objects. In this case, when dealing with a user, we need to resolve the issue of the missing group (a projection of a role).
Note that this is quite a complex issue, as the deletion of a role (which is a natural reaction to a group being deleted) is not straightforward. For example, there may be assignments to this role (on a potentially large number of users). So, a well-thought-out decommissioning process should be executed.