Use case: running dry-run reconciliation to see if my matching rules are ok.
The resource is configured to have multiple account types (various intents) and multiple other objects/intents (entitlements, generic, etc. based on generic synchronization concept).
I have configured protected accounts in schema handling for VARIOUS intents. That means, each account intent has DIFFERENT protected accounts in schema handling.
When running dry-run recon, shadows are created in midPoint, kind=account, but the intent information is missing. So how does provisioning even know which accounts are protected...?
This, coupled with the Resource-Accounts page allows the administrator to delete/disable protected accounts if the shadows don't have intent stored...
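One way to check for the condition described in this report is to list account shadows that carry no intent. This is an added example, not part of the original report and not midPoint code. It assumes the shadows were exported to XML in the common-3 namespace, and the sample export, OIDs and names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# midPoint common-3 namespace used by exported objects
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample export: OIDs and names are placeholders, not real data.
SAMPLE_EXPORT = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <shadow oid="SHADOW-OID-1"><name>root</name>
    <resourceRef oid="RESOURCE-OID-1"/><kind>account</kind></shadow>
  <shadow oid="SHADOW-OID-2"><name>jdoe</name>
    <resourceRef oid="RESOURCE-OID-1"/><kind>account</kind>
    <intent>default</intent></shadow>
  <shadow oid="SHADOW-OID-3"><name>svc-backup</name>
    <resourceRef oid="RESOURCE-OID-1"/><kind>account</kind><intent/></shadow>
  <shadow oid="SHADOW-OID-4"><name>admins</name>
    <resourceRef oid="RESOURCE-OID-1"/><kind>entitlement</kind></shadow>
</objects>
"""

def account_shadows_without_intent(xml_text):
    """Return {resource_oid: [(shadow_oid, name), ...]} for kind=account
    shadows whose <intent> is absent or empty. Without an intent, the
    per-intent protected-account rules cannot be tied to the shadow."""
    root = ET.fromstring(xml_text)
    found = defaultdict(list)
    # iter() also matches the root, so a single exported <shadow> works too
    for shadow in root.iter("{%s}shadow" % NS["c"]):
        kind = (shadow.findtext("c:kind", default="", namespaces=NS) or "").strip()
        if kind != "account":
            continue  # the report concerns account shadows only
        intent = (shadow.findtext("c:intent", default="", namespaces=NS) or "").strip()
        if intent:
            continue
        ref = shadow.find("c:resourceRef", NS)
        resource_oid = ref.get("oid") if ref is not None else "(no resourceRef)"
        name = (shadow.findtext("c:name", default="", namespaces=NS) or "").strip()
        found[resource_oid].append((shadow.get("oid"), name))
    return dict(found)

if __name__ == "__main__":
    for resource, shadows in account_shadows_without_intent(SAMPLE_EXPORT).items():
        print("resource", resource)
        for oid, name in shadows:
            print("  account shadow without intent:", oid, name)
```
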