Defect #1250

closed

End of contract didn't remove roles from the system

Added by Alena Peterová over 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Vít Švanda
Category:
Provisioning
Target version:
-
Start date:
09/12/2018
Due date:
% Done:

0%

Estimated time:
Affected versions:
Owner:

Description

Version 8.1.6, AD connector 1.3.4.25 (newest)

This problem occurred only in 2 out of 5 attempts to simulate it, but the result is a security problem.
Sorry about the complicated use-case :-(

Starting situation:
  • System "AD user" has the multivalued attribute "ldapGroups" with the strategy "Merge"
  • System "AD user" has the attribute "__ENABLED__", which is filled by a script that returns false if the identity is disabled or if the account is in protection.
  • One role "AD uživatel", which grants an account on the system "AD user"
  • A second role "AD group", which adds one group in the system "AD users", i.e. it fills the attribute "ldapGroups" with its value
  • These two roles are assigned automatically by organization structure for a position P
  • A user has an active contract on the position P (so he has an active AD account with 1 group)
  • The password for the AD account was changed by IdM
The problem:
  • The contract of the user is ended in HR and set to excluded
  • The synchronization of the contracts sets the contract "valid till"="31.12.2016", "state"="EXCLUDED" and automatically sets the validity of both roles to the past (see contracted_position.png, assigned_roles.png)
  • IdM disables the AD account (it correctly sends "__ENABLED__" = false), but it doesn't clear the groups (even though the provisioning operation contains an empty ldapGroups in the left table - see provisioning_log.png)
  • After some minutes, HrEndContractProcess (started at the end of the sync) removes both roles from the identity, but sends no other AD operation (because it's in protection)

I also attached audit_log.png and entity_events.png, which correspond to my use case.

I set the category to Provisioning, because it looks like a problem in computing the attributes (IdM knew that ldapGroups should be empty, but didn't send them, even though they were not empty on the system).

Please note that if the user has some manually assigned roles, everything worked well (I tried it several times). These roles were removed only later, by HrEndContractProcess.
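The attribute computation the report describes, as an added example that is not IdStory/CzechIdM code: a small Python model of the "Merge" strategy for a multivalued attribute, the "in protection" rule for "__ENABLED__", the payload a correct provisioning run should send once both roles have expired, and a reconciliation check that flags the reported failure mode (account in protection, IdM-provisioned group still on the system). The group DNs, the `grants_account` flag and the `idm_managed_groups` bookkeeping are assumptions made for the illustration; the dates are the ones in the ticket.

```python
# Added example, not IdStory/CzechIdM code: a model of the provisioning step from the report.
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    valid_till: Optional[date]                  # None = no end date
    grants_account: bool = False                # like "AD uživatel": the role that creates the account (assumed flag)
    ldap_groups: FrozenSet[str] = frozenset()   # values the role contributes to "ldapGroups"


@dataclass
class Account:
    groups_on_system: Set[str]      # what the target system currently holds
    idm_managed_groups: Set[str]    # values IdM itself provisioned earlier (assumed bookkeeping)


def is_valid(role: Role, today: date) -> bool:
    return role.valid_till is None or role.valid_till >= today


def desired_ldap_groups(roles: Iterable[Role], today: date) -> Set[str]:
    """Merge strategy: union of ldapGroups from every role that is still valid."""
    return set().union(*(r.ldap_groups for r in roles if is_valid(r, today)))


def in_protection(roles: Iterable[Role], today: date) -> bool:
    """The account is in protection once no valid role grants it any more."""
    return not any(r.grants_account and is_valid(r, today) for r in roles)


def build_operation(account: Account, roles: Iterable[Role], today: date) -> Dict[str, Any]:
    """Payload a correct run sends. Under Merge, only IdM-managed values that are
    no longer desired are removed; values set outside IdM stay on the account."""
    roles = list(roles)
    desired = desired_ldap_groups(roles, today)
    stale = account.idm_managed_groups - desired
    return {
        "__ENABLED__": not in_protection(roles, today),
        "ldapGroups": (account.groups_on_system - stale) | desired,
    }


def apply_operation(account: Account, op: Dict[str, Any], roles: Iterable[Role], today: date) -> None:
    """Simulate the connector writing the payload; IdM records what it now manages."""
    account.groups_on_system = set(op["ldapGroups"])
    account.idm_managed_groups = desired_ldap_groups(roles, today)


def find_stale_memberships(account: Account, roles: Iterable[Role], today: date) -> Set[str]:
    """Reconciliation check for the reported failure mode: groups IdM provisioned
    that are still on the system although no valid role contributes them."""
    roles = list(roles)
    return (account.idm_managed_groups & account.groups_on_system) - desired_ldap_groups(roles, today)


# Constructed sample data mirroring the report (DNs are made up; dates come from the ticket).
AD_GROUP_DN = "CN=AD group,OU=Groups,DC=example,DC=test"
MANUAL_GROUP_DN = "CN=Set-By-Admin,OU=Groups,DC=example,DC=test"   # added outside IdM, must survive Merge
CONTRACT_END = date(2016, 12, 31)   # "valid till" set by the contract sync
TODAY = date(2018, 9, 12)           # the ticket's start date


def roles_after_contract_end() -> List[Role]:
    """Both automatic roles with their validity moved to the past by the sync."""
    return [
        Role("AD uživatel", CONTRACT_END, grants_account=True),
        Role("AD group", CONTRACT_END, ldap_groups=frozenset({AD_GROUP_DN})),
    ]


def replay_report():
    """State as the buggy run left it (only __ENABLED__ sent), then the correct payload."""
    roles = roles_after_contract_end()
    account = Account({AD_GROUP_DN, MANUAL_GROUP_DN}, {AD_GROUP_DN})
    stale_before = find_stale_memberships(account, roles, TODAY)   # what the check should flag
    op = build_operation(account, roles, TODAY)
    apply_operation(account, op, roles, TODAY)
    stale_after = find_stale_memberships(account, roles, TODAY)
    return op, stale_before, stale_after


if __name__ == "__main__":
    op, before, after = replay_report()
    print("payload:", op)
    print("stale before correct run:", before, "| after:", after)
```

The `find_stale_memberships` check is the part an operator would run periodically against the target system: it only looks at values IdM itself provisioned, so an "AD group" membership that lingers after the roles expired is reported, while a group an administrator added by hand is left alone, which is the behaviour Merge is meant to give.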


Files

assigned_roles.png (37.3 KB) - Alena Peterová, 09/12/2018 04:32 PM
audit_log.png (73.6 KB) - Alena Peterová, 09/12/2018 04:32 PM
entity_events.png (48.4 KB) - Alena Peterová, 09/12/2018 04:32 PM
provisioning_log.png (44.4 KB) - Alena Peterová, 09/12/2018 04:32 PM
contracted_position.png (24.7 KB) - Alena Peterová, 09/12/2018 04:32 PM

Related issues

Related to IdStory Identity Manager - Task #1298: Merge strategy does not support change of value for system (Closed, Vít Švanda, 10/08/2018)
