From b1896ed72d5542d8249cde0ee6417c168441078b Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Fri, 13 Apr 2018 14:44:16 +0200
Subject: [PATCH] Fixing tricky dependencies bug (MID-4554)

---
 .../lens/projector/ActivationProcessor.java   |  36 +-
 .../impl/lens/projector/MappingEvaluator.java |   6 +-
 .../projector/MappingEvaluatorParams.java     |   6 +-
 .../impl/lens/projector/MappingTimeEval.java  |  26 +
 .../ProjectionCredentialsProcessor.java       |   5 +-
 .../focus/AssignmentTripleEvaluator.java      |  13 +-
 .../projector/focus/InboundProcessor.java     |   3 +-
 .../model/intest/TestMultiResource.java       | 257 ++++++++--
 .../midpoint/model/intest/rbac/TestRbac.java  |   2 +-
 .../src/test/resources/logback-test.xml       |   6 +-
 ...sable.xml => resource-dummy-dark-peru.xml} |   7 +-
 .../multi/resource-dummy-dark-yellow.xml      | 482 ++++++++++++++++++
 ...-disable.xml => role-dark-yellow-peru.xml} |   8 +-
 .../test/AbstractModelIntegrationTest.java    |  37 +-
 14 files changed, 802 insertions(+), 92 deletions(-)
 create mode 100644 model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingTimeEval.java
 rename model/model-intest/src/test/resources/multi/{resource-dummy-peru-disable.xml => resource-dummy-dark-peru.xml} (95%)
 create mode 100644 model/model-intest/src/test/resources/multi/resource-dummy-dark-yellow.xml
 rename model/model-intest/src/test/resources/multi/{role-yellow-peru-disable.xml => role-dark-yellow-peru.xml} (82%)

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
index dc383c1d266..6fc31a31b02 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
@@ -179,9 +179,11 @@ public <F extends FocusType> void processActivationUserCurrent(LensContext<F> co
     		return;
     	}
     	
-    	boolean shadowShouldExist = evaluateExistenceMapping(context, projCtx, now, true, task, result);
+    	LOGGER.trace("Evaluating intended existence of projection {} (legal={})", projCtxDesc, projCtx.isLegal());
+    	
+    	boolean shadowShouldExist = evaluateExistenceMapping(context, projCtx, now, MappingTimeEval.CURRENT, task, result);
 
-    	LOGGER.trace("Evaluated intended existence of projection {} to {}", projCtxDesc, shadowShouldExist);
+    	LOGGER.trace("Evaluated intended existence of projection {} to {} (legal={})", projCtxDesc, shadowShouldExist, projCtx.isLegal());
 
     	// Let's reconcile the existence intent (shadowShouldExist) and the synchronization intent in the context
 
@@ -296,7 +298,7 @@ public <F extends FocusType> void processActivationUserCurrent(LensContext<F> co
 	    	evaluateActivationMapping(context, projCtx,
 	    			activationType.getAdministrativeStatus(),
 	    			SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS,
-	    			capActivation, now, true, ActivationType.F_ADMINISTRATIVE_STATUS.getLocalPart(), task, result);
+	    			capActivation, now, MappingTimeEval.CURRENT, ActivationType.F_ADMINISTRATIVE_STATUS.getLocalPart(), task, result);
         } else {
         	LOGGER.trace("Skipping activation administrative status processing because {} does not have activation administrative status capability", projCtx.getResource());
         }
@@ -309,7 +311,7 @@ public <F extends FocusType> void processActivationUserCurrent(LensContext<F> co
         } else {
 	    	evaluateActivationMapping(context, projCtx, activationType.getValidFrom(),
 	    			SchemaConstants.PATH_ACTIVATION_VALID_FROM, SchemaConstants.PATH_ACTIVATION_VALID_FROM,
-	    			null, now, true, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
+	    			null, now, MappingTimeEval.CURRENT, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
         }
 
         ResourceBidirectionalMappingType validToMappingType = activationType.getValidTo();
@@ -320,14 +322,14 @@ public <F extends FocusType> void processActivationUserCurrent(LensContext<F> co
         } else {
 	    	evaluateActivationMapping(context, projCtx, activationType.getValidTo(),
 	    			SchemaConstants.PATH_ACTIVATION_VALID_TO, SchemaConstants.PATH_ACTIVATION_VALID_TO,
-	    			null, now, true, ActivationType.F_VALID_TO.getLocalPart(), task, result);
+	    			null, now, MappingTimeEval.CURRENT, ActivationType.F_VALID_TO.getLocalPart(), task, result);
 	    }
 
         if (capLockoutStatus != null) {
 	    	evaluateActivationMapping(context, projCtx,
 	    			activationType.getLockoutStatus(),
 	    			SchemaConstants.PATH_ACTIVATION_LOCKOUT_STATUS, SchemaConstants.PATH_ACTIVATION_LOCKOUT_STATUS,
-	    			capActivation, now, true, ActivationType.F_LOCKOUT_STATUS.getLocalPart(), task, result);
+	    			capActivation, now, MappingTimeEval.CURRENT, ActivationType.F_LOCKOUT_STATUS.getLocalPart(), task, result);
         } else {
         	LOGGER.trace("Skipping activation lockout status processing because {} does not have activation lockout status capability", projCtx.getResource());
         }
@@ -417,7 +419,7 @@ public <F extends FocusType> void processActivationUserFuture(LensContext<F> con
 
     	accCtx.recompute();
 
-    	evaluateExistenceMapping(context, accCtx, now, false, task, result);
+    	evaluateExistenceMapping(context, accCtx, now, MappingTimeEval.FUTURE, task, result);
 
         PrismObject<F> focusNew = context.getFocusContext().getObjectNew();
         if (focusNew == null) {
@@ -448,26 +450,26 @@ public <F extends FocusType> void processActivationUserFuture(LensContext<F> con
 
 	    	evaluateActivationMapping(context, accCtx, activationType.getAdministrativeStatus(),
 	    			SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS,
-	    			capActivation, now, false, ActivationType.F_ADMINISTRATIVE_STATUS.getLocalPart(), task, result);	
+	    			capActivation, now, MappingTimeEval.FUTURE, ActivationType.F_ADMINISTRATIVE_STATUS.getLocalPart(), task, result);	
         }
 
         if (capValidFrom != null) {
 	    	evaluateActivationMapping(context, accCtx, activationType.getAdministrativeStatus(),
 	    			SchemaConstants.PATH_ACTIVATION_VALID_FROM, SchemaConstants.PATH_ACTIVATION_VALID_FROM,
-	    			null, now, false, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
+	    			null, now, MappingTimeEval.FUTURE, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
         }
 
         if (capValidTo != null) {
 	    	evaluateActivationMapping(context, accCtx, activationType.getAdministrativeStatus(),
 	    			SchemaConstants.PATH_ACTIVATION_VALID_TO, SchemaConstants.PATH_ACTIVATION_VALID_TO,
-	    			null, now, false, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
+	    			null, now, MappingTimeEval.FUTURE, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
 	    }
 
     }
 
 
     private <F extends FocusType> boolean evaluateExistenceMapping(final LensContext<F> context,
-    		final LensProjectionContext projCtx, final XMLGregorianCalendar now, final boolean current,
+    		final LensProjectionContext projCtx, final XMLGregorianCalendar now, final MappingTimeEval current,
             Task task, final OperationResult result)
     				throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
     	final String projCtxDesc = projCtx.toHumanReadableString();
@@ -477,8 +479,6 @@ private <F extends FocusType> boolean evaluateExistenceMapping(final LensContext
     		throw new IllegalStateException("Null 'legal' for "+projCtxDesc);
     	}
 
-    	LOGGER.trace("Evaluating intended existence of projection {}; legal={}", projCtxDesc, legal);
-
     	ResourceObjectTypeDefinitionType resourceAccountDefType = projCtx.getResourceObjectTypeDefinitionType();
         if (resourceAccountDefType == null) {
             return legal;
@@ -583,7 +583,7 @@ private <F extends FocusType> boolean evaluateExistenceMapping(final LensContext
     private <T, F extends FocusType> void evaluateActivationMapping(final LensContext<F> context,
 			final LensProjectionContext projCtx, ResourceBidirectionalMappingType bidirectionalMappingType,
 			final ItemPath focusPropertyPath, final ItemPath projectionPropertyPath,
-   			final ActivationCapabilityType capActivation, XMLGregorianCalendar now, final boolean current,
+   			final ActivationCapabilityType capActivation, XMLGregorianCalendar now, final MappingTimeEval current,
    			String desc, final Task task, final OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 
     	MappingInitializer<PrismPropertyValue<T>,PrismPropertyDefinition<T>> initializer =
@@ -647,7 +647,7 @@ private <T, F extends FocusType> void evaluateOutboundMapping(final LensContext<
 			final LensProjectionContext projCtx, ResourceBidirectionalMappingType bidirectionalMappingType,
 			final ItemPath focusPropertyPath, final ItemPath projectionPropertyPath,
 			final MappingInitializer<PrismPropertyValue<T>,PrismPropertyDefinition<T>> initializer,
-			XMLGregorianCalendar now, final boolean evaluateCurrent, String desc, final Task task, final OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
+			XMLGregorianCalendar now, final MappingTimeEval evaluateCurrent, String desc, final Task task, final OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 
 		if (bidirectionalMappingType == null) {
             LOGGER.trace("No '{}' definition in projection {}, skipping", desc, projCtx.toHumanReadableString());
@@ -696,7 +696,7 @@ private <T, F extends FocusType> void evaluateOutboundMapping(final LensContext<
 		Map<ItemPath, MappingOutputStruct<PrismPropertyValue<T>>> outputTripleMap = mappingEvaluator.evaluateMappingSetProjection(params, task, result);
 		
 		if (LOGGER.isTraceEnabled()) {
-			LOGGER.trace("Mapping processing output after {}:\n{}", desc, DebugUtil.debugDump(outputTripleMap, 1));
+			LOGGER.trace("Mapping processing output after {} ({}):\n{}", desc, evaluateCurrent, DebugUtil.debugDump(outputTripleMap, 1));
 		}
 		
 		if (projCtx.isDoReconciliation()) {
@@ -704,7 +704,7 @@ private <T, F extends FocusType> void evaluateOutboundMapping(final LensContext<
 		}
 
 	}
-
+	
 	/**
 	 * TODO: can we align this with ReconciliationProcessor?
 	 */
@@ -926,7 +926,7 @@ private <F extends FocusType> void processLifecycleFocus(LensContext<F> context,
         	LOGGER.trace("Computing projection lifecycle (mapping): {}", lifecycleStateMappingType);
 	    	evaluateActivationMapping(context, projCtx, lifecycleStateMappingType,
 	    			SchemaConstants.PATH_LIFECYCLE_STATE, SchemaConstants.PATH_LIFECYCLE_STATE,
-	    			null, now, true, ObjectType.F_LIFECYCLE_STATE.getLocalPart(), task, result);
+	    			null, now, MappingTimeEval.CURRENT, ObjectType.F_LIFECYCLE_STATE.getLocalPart(), task, result);
         }
 
     }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
index 4cb4fb79023..46eaa1b3ce4 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
@@ -156,7 +156,7 @@ public <T, F extends FocusType> void evaluateOutboundMapping(final LensContext<F
 			final LensProjectionContext projCtx, List<MappingType> outboundMappings,
 			final ItemPath focusPropertyPath, final ItemPath projectionPropertyPath,
 			final MappingInitializer<PrismPropertyValue<T>,PrismPropertyDefinition<T>> initializer, MappingOutputProcessor<PrismPropertyValue<T>> processor,
-			XMLGregorianCalendar now, final boolean evaluateCurrent, boolean evaluateWeak,
+			XMLGregorianCalendar now, final MappingTimeEval evaluateCurrent, boolean evaluateWeak,
    			String desc, final Task task, final OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 
     	String projCtxDesc = projCtx.toHumanReadableString();
@@ -245,11 +245,11 @@ public <V extends PrismValue, D extends ItemDefinition, T extends ObjectType, F
 			Boolean timeConstraintValid = mapping.evaluateTimeConstraintValid(task, result);
 
 			if (params.getEvaluateCurrent() != null) {
-				if (params.getEvaluateCurrent() && !timeConstraintValid) {
+				if (params.getEvaluateCurrent() == MappingTimeEval.CURRENT && !timeConstraintValid) {
 					LOGGER.trace("Mapping {} is non-current, but evulating current mappings, skipping {}", mappingName, params.getContext().getChannel());
 					continue;
 				}
-				if (!params.getEvaluateCurrent() && timeConstraintValid) {
+				if (params.getEvaluateCurrent() == MappingTimeEval.FUTURE && timeConstraintValid) {
 					LOGGER.trace("Mapping {} is current, but evulating non-current mappings, skipping {}", mappingName, params.getContext().getChannel());
 					continue;
 				}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluatorParams.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluatorParams.java
index 951baa1ca61..cf276306308 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluatorParams.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluatorParams.java
@@ -50,7 +50,7 @@ public class MappingEvaluatorParams<V extends PrismValue, D extends ItemDefiniti
 	private ItemPath defaultTargetItemPath;
 	// Only needed if defaultTargetItemPath == null
 	private D targetItemDefinition;
-	private Boolean evaluateCurrent;
+	private MappingTimeEval evaluateCurrent;
 	private boolean evaluateWeak = true;
 	private LensContext<F> context;
 	private boolean hasFullTargetObject;
@@ -137,11 +137,11 @@ public void setSourceContext(ObjectDeltaObject<?> sourceContext) {
 		this.sourceContext = sourceContext;
 	}
 
-	public Boolean getEvaluateCurrent() {
+	public MappingTimeEval getEvaluateCurrent() {
 		return evaluateCurrent;
 	}
 
-	public void setEvaluateCurrent(Boolean evaluateCurrent) {
+	public void setEvaluateCurrent(MappingTimeEval evaluateCurrent) {
 		this.evaluateCurrent = evaluateCurrent;
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingTimeEval.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingTimeEval.java
new file mode 100644
index 00000000000..d049c9a1537
--- /dev/null
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingTimeEval.java
@@ -0,0 +1,26 @@
+/**
+ * Copyright (c) 2018 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.impl.lens.projector;
+
+/**
+ * @author semancik
+ *
+ */
+public enum MappingTimeEval {
+	
+	CURRENT, FUTURE;
+
+}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
index a0b0768a3ba..2b302c2c46d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@
 import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator;
 import com.evolveum.midpoint.model.impl.lens.projector.MappingInitializer;
 import com.evolveum.midpoint.model.impl.lens.projector.MappingOutputProcessor;
+import com.evolveum.midpoint.model.impl.lens.projector.MappingTimeEval;
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.OriginType;
 import com.evolveum.midpoint.prism.PrismContainerValue;
@@ -255,7 +256,7 @@ public ValuePolicyType resolve() {
 
 		mappingEvaluator.evaluateOutboundMapping(context, projCtx, outboundMappingTypes,
 				SchemaConstants.PATH_PASSWORD_VALUE, SchemaConstants.PATH_PASSWORD_VALUE, initializer, processor,
-				now, true, evaluateWeak, "password mapping", task, result);
+				now, MappingTimeEval.CURRENT, evaluateWeak, "password mapping", task, result);
 
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java
index 90c19e34f35..63f8e0a2366 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java
@@ -396,16 +396,25 @@ private void processAssignment(DeltaSetTriple<EvaluatedAssignmentImpl<F>> evalua
 	            } else {
 	                // No change in assignment
 	            	if (LOGGER.isTraceEnabled()) {
-	            		LOGGER.trace("Processing unchanged assignment {}", SchemaDebugUtil.prettyPrint(assignmentCVal));
+	            		LOGGER.trace("Processing unchanged assignment ({}) {}",
+	            				presentInCurrent ? "present" : "not present",
+	            				SchemaDebugUtil.prettyPrint(assignmentCVal));
 	            	}
 	            	EvaluatedAssignmentImpl<F> evaluatedAssignment = evaluateAssignment(createAssignmentIdiNoChange(assignmentCVal), PlusMinusZero.ZERO, false, context, source, assignmentEvaluator, assignmentPlacementDesc, task, result);
 	                if (evaluatedAssignment == null) {
 	                	return;
 	                }
+	                // NOTE: unchanged may mean both:
+	                //   * was there before, is there now
+	                //   * was not there before, is not there now
 					evaluatedAssignment.setPresentInCurrentObject(presentInCurrent);
 					evaluatedAssignment.setPresentInOldObject(presentInOld);
 					evaluatedAssignment.setWasValid(evaluatedAssignment.isValid());
-	                collectToZero(evaluatedAssignmentTriple, evaluatedAssignment, forceRecon);
+					if (presentInCurrent) {
+						collectToZero(evaluatedAssignmentTriple, evaluatedAssignment, forceRecon);
+					} else {
+						collectToMinus(evaluatedAssignmentTriple, evaluatedAssignment, forceRecon);
+					}
 	            }
         	}
         }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java
index d00d9ba6426..909c823c8e0 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java
@@ -58,6 +58,7 @@
 import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluatorParams;
 import com.evolveum.midpoint.model.impl.lens.projector.MappingInitializer;
 import com.evolveum.midpoint.model.impl.lens.projector.MappingOutputProcessor;
+import com.evolveum.midpoint.model.impl.lens.projector.MappingTimeEval;
 import com.evolveum.midpoint.model.impl.lens.projector.credentials.CredentialsProcessor;
 import com.evolveum.midpoint.prism.Item;
 import com.evolveum.midpoint.prism.ItemDefinition;
@@ -1438,7 +1439,7 @@ private <F extends FocusType> void processSpecialPropertyInbound(Collection<Mapp
         params.setAPrioriTargetDelta(userPrimaryDelta);
         params.setTargetContext(context.getFocusContext());
         params.setDefaultTargetItemPath(targetPath);
-        params.setEvaluateCurrent(true);
+        params.setEvaluateCurrent(MappingTimeEval.CURRENT);
         params.setContext(context);
         params.setHasFullTargetObject(true);
 		mappingEvaluator.evaluateMappingSetProjection(params, task, opResult);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
index 06f5eca8dfd..0960d59e1ba 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
@@ -106,10 +106,16 @@ public class TestMultiResource extends AbstractInitializedModelIntegrationTest {
 	protected static final String RESOURCE_DUMMY_PERU_NAMESPACE = MidPointConstants.NS_RI;
 
 	// PERU dummy resource has a RELAXED dependency on YELLOW dummy resource and disable instead of delete
-	protected static final File RESOURCE_DUMMY_PERU_DISABLE_FILE = new File(TEST_DIR, "resource-dummy-peru-disable.xml");
-	protected static final String RESOURCE_DUMMY_PERU_DISABLE_OID = "f5253596-333d-11e8-8894-37a2f88e7609";
-	protected static final String RESOURCE_DUMMY_PERU_DISABLE_NAME = "peru-disable";
-	protected static final String RESOURCE_DUMMY_PERU_DISABLE_NAMESPACE = MidPointConstants.NS_RI;
+	protected static final File RESOURCE_DUMMY_DARK_PERU_FILE = new File(TEST_DIR, "resource-dummy-dark-peru.xml");
+	protected static final String RESOURCE_DUMMY_DARK_PERU_OID = "f5253596-333d-11e8-8894-37a2f88e7609";
+	protected static final String RESOURCE_DUMMY_DARK_PERU_NAME = "dark-peru";
+	protected static final String RESOURCE_DUMMY_DARK_PERU_NAMESPACE = MidPointConstants.NS_RI;
+
+	// Similar to YELLOW, but has disable instead of delete
+	protected static final File RESOURCE_DUMMY_DARK_YELLOW_FILE = new File(TEST_DIR, "resource-dummy-dark-yellow.xml");
+	protected static final String RESOURCE_DUMMY_DARK_YELLOW_OID = "33da1afe-3efb-11e8-a5e3-4fed83f61ae7";
+	protected static final String RESOURCE_DUMMY_DARK_YELLOW_NAME = "dark-yellow";
+	protected static final String RESOURCE_DUMMY_DARK_YELLOW_NAMESPACE = MidPointConstants.NS_RI;
 
 	protected static final File RESOURCE_DUMMY_DAVID_FILE = new File(TEST_DIR, "resource-dummy-david.xml");
 	protected static final String RESOURCE_DUMMY_DAVID_OID = "10000000-0000-0000-0000-000000300001";
@@ -134,8 +140,8 @@ public class TestMultiResource extends AbstractInitializedModelIntegrationTest {
 	protected static final File ROLE_FIGHT_FILE = new File(TEST_DIR, "role-fight.xml");
 	protected static final String ROLE_FIGHT_OID = "12345678-d34d-b33f-f00d-5555550303dd";
 	
-	protected static final File ROLE_YELLOW_PERU_DISABLE_FILE = new File(TEST_DIR, "role-yellow-peru-disable.xml");
-	protected static final String ROLE_YELLOW_PERU_DISABLE_OID = "95213bbc-3357-11e8-aeb8-439c6ddc0fa0";
+	protected static final File ROLE_DARK_YELLOW_PERU_FILE = new File(TEST_DIR, "role-dark-yellow-peru.xml");
+	protected static final String ROLE_DARK_YELLOW_PERU_OID = "95213bbc-3357-11e8-aeb8-439c6ddc0fa0";
 
     protected static final String USER_WORLD_NAME = "world";
     protected static final String USER_WORLD_FULL_NAME = "The World";
@@ -160,8 +166,11 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		initDummyResourcePirate(RESOURCE_DUMMY_PERU_NAME,
 				RESOURCE_DUMMY_PERU_FILE, RESOURCE_DUMMY_PERU_OID, initTask, initResult);
 		
-		initDummyResourcePirate(RESOURCE_DUMMY_PERU_DISABLE_NAME,
-				RESOURCE_DUMMY_PERU_DISABLE_FILE, RESOURCE_DUMMY_PERU_DISABLE_OID, initTask, initResult);
+		initDummyResourcePirate(RESOURCE_DUMMY_DARK_PERU_NAME,
+				RESOURCE_DUMMY_DARK_PERU_FILE, RESOURCE_DUMMY_DARK_PERU_OID, initTask, initResult);
+		
+		initDummyResourcePirate(RESOURCE_DUMMY_DARK_YELLOW_NAME,
+				RESOURCE_DUMMY_DARK_YELLOW_FILE, RESOURCE_DUMMY_DARK_YELLOW_OID, initTask, initResult);
 		
 		initDummyResourcePirate(RESOURCE_DUMMY_DAVID_NAME,
 				RESOURCE_DUMMY_DAVID_FILE, RESOURCE_DUMMY_DAVID_OID, initTask, initResult);
@@ -173,7 +182,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		repoAddObjectFromFile(ROLE_DUMMIES_IVORY_FILE, initResult);
 		repoAddObjectFromFile(ROLE_DUMMIES_BEIGE_FILE, initResult);
 		repoAddObjectFromFile(ROLE_FIGHT_FILE, initResult);
-		repoAddObjectFromFile(ROLE_YELLOW_PERU_DISABLE_FILE, initResult);
+		repoAddObjectFromFile(ROLE_DARK_YELLOW_PERU_FILE, initResult);
 
 		getDummyResource().resetBreakMode();
 	}
@@ -2285,37 +2294,75 @@ public void test440DavidAndGoliathAssignRoleAndCreateUserInOneStep() throws Exce
 	}
     
     @Test
-    public void test500JackAssignDummyYellow() throws Exception {
-		final String TEST_NAME = "test500JackAssignDummyYellow";
+    public void test500PrepareJack() throws Exception {
+		final String TEST_NAME = "test500PrepareJack";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
 		Task task = createTask(TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+        
+        // ... to satisfy yellow password policy
+        modifyUserChangePassword(USER_JACK_OID, "d3adM3Nt3llN0tal3s", task, result);
 
         PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
         display("User before", userBefore);
         assertAssignments(userBefore, 0);
+        assertLinks(userBefore, 1);
 
 		// WHEN
 		displayWhen(TEST_NAME);
-		assignAccount(USER_JACK_OID, RESOURCE_DUMMY_YELLOW_OID, null, task, result);
+		deleteUserAccount(USER_JACK_OID, RESOURCE_DUMMY_YELLOW_OID, task, result);
 
 		// THEN
 		displayThen(TEST_NAME);
 		assertSuccess(result);
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
+        assertAssignments(userAfter, 0);
+        assertLinks(userAfter, 0);
+
+        assertNoDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
+        assertNoDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
+        assertNoDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
+	}
+
+    @Test
+    public void test501JackAssignDummyDarkYellow() throws Exception {
+		final String TEST_NAME = "test501JackAssignDummyDarkYellow";
+		displayTestTitle(TEST_NAME);
+		
+		// GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+        
+        PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
+        display("User before", userBefore);
+        assertAssignments(userBefore, 0);
+        assertLinks(userBefore, 0);
+
+		// WHEN
+		displayWhen(TEST_NAME);
+		assignAccount(USER_JACK_OID, RESOURCE_DUMMY_DARK_YELLOW_OID, null, task, result);
+
+		// THEN
+		displayThen(TEST_NAME);
+		assertSuccess(result);
+
+        PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
         assertAssignments(userAfter, 1);
         assertLinks(userAfter, 1);
 
-        assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
 	}
-    
+
     @Test
-    public void test502JackAssignDummyPeruDisable() throws Exception {
-		final String TEST_NAME = "test502JackAssignDummyPeruDisable";
+    public void test502JackAssignDummyDarkPeru() throws Exception {
+		final String TEST_NAME = "test502JackAssignDummyDarkPeru";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
@@ -2327,26 +2374,27 @@ public void test502JackAssignDummyPeruDisable() throws Exception {
 
 		// WHEN
 		displayWhen(TEST_NAME);
-		assignAccount(USER_JACK_OID, RESOURCE_DUMMY_PERU_DISABLE_OID, null, task, result);
+		assignAccount(USER_JACK_OID, RESOURCE_DUMMY_DARK_PERU_OID, null, task, result);
 
 		// THEN
 		displayThen(TEST_NAME);
 		assertSuccess(result);
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
         assertAssignments(userAfter, 2);
         assertLinks(userAfter, 2);
 
-        assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyAccount(RESOURCE_DUMMY_PERU_DISABLE_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
 	}
     
     /**
      * MID-4554
      */
     @Test
-    public void test504JackUnassignDummyPeruDisable() throws Exception {
-		final String TEST_NAME = "test504JackUnassignDummyPeruDisable";
+    public void test504JackUnassignDummyDarkPeru() throws Exception {
+		final String TEST_NAME = "test504JackUnassignDummyDarkPeru";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
@@ -2358,23 +2406,24 @@ public void test504JackUnassignDummyPeruDisable() throws Exception {
 
 		// WHEN
 		displayWhen(TEST_NAME);
-		unassignAccount(USER_JACK_OID, RESOURCE_DUMMY_PERU_DISABLE_OID, null, task, result);
+		unassignAccount(USER_JACK_OID, RESOURCE_DUMMY_DARK_PERU_OID, null, task, result);
 
 		// THEN
 		displayThen(TEST_NAME);
 		assertSuccess(result);
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
         assertAssignments(userAfter, 1);
         assertLinks(userAfter, 2);
 
-        assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyAccount(RESOURCE_DUMMY_PERU_DISABLE_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
 	}
     
     @Test
-    public void test509JackUnassignDummyYellow() throws Exception {
-		final String TEST_NAME = "test509JackUnassignDummyYellow";
+    public void test507JackUnassignDummyDarkYellow() throws Exception {
+		final String TEST_NAME = "test507JackUnassignDummyDarkYellow";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
@@ -2386,23 +2435,82 @@ public void test509JackUnassignDummyYellow() throws Exception {
 
 		// WHEN
 		displayWhen(TEST_NAME);
-		unassignAccount(USER_JACK_OID, RESOURCE_DUMMY_YELLOW_OID, null, task, result);
+		unassignAccount(USER_JACK_OID, RESOURCE_DUMMY_DARK_YELLOW_OID, null, task, result);
 
 		// THEN
 		displayThen(TEST_NAME);
 		assertSuccess(result);
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
+        assertAssignments(userAfter, 0);
+        assertLinks(userAfter, 2);
+
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+	}
+
+    @Test
+    public void test508JackDeleteDummyDarkYellowAccount() throws Exception {
+		final String TEST_NAME = "test508JackDeleteDummyDarkYellowAccount";
+		displayTestTitle(TEST_NAME);
+		
+		// GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
+        display("User before", userBefore);
+
+		// WHEN
+		displayWhen(TEST_NAME);
+		deleteUserAccount(USER_JACK_OID, RESOURCE_DUMMY_DARK_YELLOW_OID, task, result);
+
+		// THEN
+		displayThen(TEST_NAME);
+		assertSuccess(result);
+
+        PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
         assertAssignments(userAfter, 0);
         assertLinks(userAfter, 1);
 
-        assertNoDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
-        assertDummyAccount(RESOURCE_DUMMY_PERU_DISABLE_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+        assertNoDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
 	}
     
     @Test
-    public void test510JackAssignRoleYellowPeruDisable() throws Exception {
-		final String TEST_NAME = "test510JackAssignRoleYellowPeruDisable";
+    public void test509JackDeleteDummyDarkPeruAccount() throws Exception {
+		final String TEST_NAME = "test509JackDeleteDummyDarkPeruAccount";
+		displayTestTitle(TEST_NAME);
+		
+		// GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
+        display("User before", userBefore);
+
+		// WHEN
+		displayWhen(TEST_NAME);
+		deleteUserAccount(USER_JACK_OID, RESOURCE_DUMMY_DARK_PERU_OID, task, result);
+
+		// THEN
+		displayThen(TEST_NAME);
+		assertSuccess(result);
+
+        PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
+        assertAssignments(userAfter, 0);
+        assertLinks(userAfter, 0);
+
+        assertNoDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
+        assertNoDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
+	}
+
+    @Test
+    public void test510JackAssignRoleDarkYellowPeru() throws Exception {
+		final String TEST_NAME = "test510JackAssignRoleDarkYellowPeru";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
@@ -2419,26 +2527,27 @@ public void test510JackAssignRoleYellowPeruDisable() throws Exception {
 
 		// WHEN
 		displayWhen(TEST_NAME);
-		assignRole(USER_JACK_OID, ROLE_YELLOW_PERU_DISABLE_OID, task, result);
+		assignRole(USER_JACK_OID, ROLE_DARK_YELLOW_PERU_OID, task, result);
 
 		// THEN
 		displayThen(TEST_NAME);
 		assertSuccess(result);
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
         assertAssignments(userAfter, 1);
         assertLinks(userAfter, 2);
 
-        assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyAccount(RESOURCE_DUMMY_PERU_DISABLE_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
 	}
     
     /**
      * MID-4554
      */
     @Test
-    public void test519JackUnassignRoleYellowPeruDisable() throws Exception {
-		final String TEST_NAME = "test519JackUnassignRoleYellowPeruDisable";
+    public void test519JackUnassignDarkRoleYellowPeru() throws Exception {
+		final String TEST_NAME = "test519JackUnassignDarkRoleYellowPeru";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
@@ -2450,18 +2559,86 @@ public void test519JackUnassignRoleYellowPeruDisable() throws Exception {
 
 		// WHEN
 		displayWhen(TEST_NAME);
-		unassignRole(USER_JACK_OID, ROLE_YELLOW_PERU_DISABLE_OID, task, result);
+		unassignRole(USER_JACK_OID, ROLE_DARK_YELLOW_PERU_OID, task, result);
 
 		// THEN
 		displayThen(TEST_NAME);
 		assertSuccess(result);
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
         assertAssignments(userAfter, 0);
-        assertLinks(userAfter, 1);
+        assertLinks(userAfter, 2);
 
-        assertNoDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME);
-        assertDummyAccount(RESOURCE_DUMMY_PERU_DISABLE_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+	}
+    
+    @Test
+    public void test520JackAssignRoleDarkYellowPeru() throws Exception {
+		final String TEST_NAME = "test520JackAssignRoleDarkYellowPeru";
+		displayTestTitle(TEST_NAME);
+		
+		// GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+        
+        // Old password too short for yellow resource
+        modifyUserChangePassword(USER_JACK_OID, "123abc456QWE", task, result);
+
+        PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
+        display("User before", userBefore);
+        assertAssignments(userBefore, 0);
+
+		// WHEN
+		displayWhen(TEST_NAME);
+		assignRole(USER_JACK_OID, ROLE_DARK_YELLOW_PERU_OID, task, result);
+
+		// THEN
+		displayThen(TEST_NAME);
+		assertSuccess(result);
+
+        PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
+        assertAssignments(userAfter, 1);
+        assertLinks(userAfter, 2);
+
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+	}
+    
+    /**
+     * MID-4554
+     */
+    @Test
+    public void test529JackUnassignRoleDarkYellowPeru() throws Exception {
+		final String TEST_NAME = "test529JackUnassignRoleDarkYellowPeru";
+		displayTestTitle(TEST_NAME);
+		
+		// GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
+        display("User before", userBefore);
+        AssignmentType currentAssignment = findAssignmentByTargetRequired(userBefore, ROLE_DARK_YELLOW_PERU_OID);
+
+		// WHEN
+		displayWhen(TEST_NAME);
+		unassign(UserType.class, USER_JACK_OID, currentAssignment.getId(), task, result);
+
+		// THEN
+		displayThen(TEST_NAME);
+		assertSuccess(result);
+
+        PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+        display("User after", userAfter);
+        assertAssignments(userAfter, 0);
+        assertLinks(userAfter, 2);
+
+        assertDummyAccount(RESOURCE_DUMMY_DARK_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
+        assertDummyAccount(RESOURCE_DUMMY_DARK_PERU_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, false);
 	}
     
 }
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java
index c6224f683ff..ed176ccc2cc 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java
@@ -1525,7 +1525,7 @@ public void test539JackUnAssignRoleCleric() throws Exception {
 
         // WHEN
 		displayWhen(TEST_NAME);
-        modelService.executeChanges(MiscSchemaUtil.createCollection(assignmentDelta), getDefaultOptions(), task, result);
+        executeChanges(assignmentDelta, getDefaultOptions(), task, result);
 
         // THEN
         displayThen(TEST_NAME);
diff --git a/model/model-intest/src/test/resources/logback-test.xml b/model/model-intest/src/test/resources/logback-test.xml
index 51016166b76..81fc1303dea 100644
--- a/model/model-intest/src/test/resources/logback-test.xml
+++ b/model/model-intest/src/test/resources/logback-test.xml
@@ -49,20 +49,20 @@
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.Projector" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.ContextLoader" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.PasswordPolicyProcessor" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ConstructionProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ProjectionValuesProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.OutboundProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ConsolidationProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ActivationProcessor" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.model.impl.lens.projector.DependencyProcessor" level="TRACE" />
+    <logger name="com.evolveum.midpoint.model.impl.lens.projector.DependencyProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.FocusProcessor" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.InboundProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.FocusConstraintsChecker" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.FocusPolicyProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.ObjectTemplateProcessor" level="DEBUG" />
+    <logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.AssignmentProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.AssignmentTripleEvaluator" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.focus.InboundProcessor" level="DEBUG"/>
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.credentials.CredentialsProcessor" level="DEBUG" />
@@ -89,7 +89,7 @@
 	<logger name="com.evolveum.midpoint.expression" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.common.expression" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.common.expression.Expression" level="DEBUG" />
- 	<logger name="com.evolveum.midpoint.model.common.mapping" level="TRACE" />
+ 	<logger name="com.evolveum.midpoint.model.common.mapping" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.common.expression.evaluator.AbstractSearchExpressionEvaluator" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.common.expression.evaluator.AssignmentExpressionEvaluator" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.common.expression.evaluator.AssociationExpressionEvaluator" level="DEBUG" />
diff --git a/model/model-intest/src/test/resources/multi/resource-dummy-peru-disable.xml b/model/model-intest/src/test/resources/multi/resource-dummy-dark-peru.xml
similarity index 95%
rename from model/model-intest/src/test/resources/multi/resource-dummy-peru-disable.xml
rename to model/model-intest/src/test/resources/multi/resource-dummy-dark-peru.xml
index f5b9c07c50f..02b77cb71e3 100644
--- a/model/model-intest/src/test/resources/multi/resource-dummy-peru-disable.xml
+++ b/model/model-intest/src/test/resources/multi/resource-dummy-dark-peru.xml
@@ -29,7 +29,7 @@
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 								  
-	<name>Dummy Resource Peru Disable</name>
+	<name>Dummy Resource Dark Peru</name>
 	<connectorRef type="c:ConnectorType">
 		<filter>
 			<q:and>
@@ -48,7 +48,7 @@
 	               xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
 					   
 		<icfc:configurationProperties>
-			<icfi:instanceId>peru-disable</icfi:instanceId>
+			<icfi:instanceId>dark-peru</icfi:instanceId>
 		</icfc:configurationProperties>
 
 	</connectorConfiguration>
@@ -99,7 +99,7 @@
 				</outbound>
 			</attribute>
 			<dependency>
-				<resourceRef oid="10000000-0000-0000-0000-000000000704"/> <!-- yellow dummy -->
+				<resourceRef oid="33da1afe-3efb-11e8-a5e3-4fed83f61ae7"/> <!-- dark yellow dummy -->
 				<strictness>relaxed</strictness>
 			</dependency>
 			<activation>
@@ -113,7 +113,6 @@
                 </existence>
                 <administrativeStatus>
                     <outbound>
-                    	<strength>strong</strength>
                         <expression>
                             <script>
                                 <code>
diff --git a/model/model-intest/src/test/resources/multi/resource-dummy-dark-yellow.xml b/model/model-intest/src/test/resources/multi/resource-dummy-dark-yellow.xml
new file mode 100644
index 00000000000..7c740d8b213
--- /dev/null
+++ b/model/model-intest/src/test/resources/multi/resource-dummy-dark-yellow.xml
@@ -0,0 +1,482 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!-- yellow resource - almost same as resource-dummy but with strong asIs administrativeStatus mapping 
+                       also has a modified synchronization section: just correlation but no reactions.
+                       also it has minimum password length constraint (resource-enforced, not midPoint password policy)
+                       also it is using some constants in the configuration and expressions
+                       also it has conditional provisioning scripts -->
+
+<resource oid="33da1afe-3efb-11e8-a5e3-4fed83f61ae7"
+		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000704"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+	<name>Dummy Dark Yellow Resource</name>
+	<connectorRef type="c:ConnectorType">
+		<filter>
+			<q:and>
+				<q:equal>
+					<q:path>connectorType</q:path>
+					<q:value>com.evolveum.icf.dummy.connector.DummyConnector</q:value>
+				</q:equal>
+				<q:equal>
+					<q:path>connectorVersion</q:path>
+					<q:value>2.0</q:value>
+				</q:equal>
+			</q:and>
+		</filter>
+	</connectorRef>
+	<connectorConfiguration xmlns:icfi="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.icf.dummy/com.evolveum.icf.dummy.connector.DummyConnector"
+	               xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+					   
+		<icfc:configurationProperties>
+			<icfi:instanceId>dark-yellow</icfi:instanceId>
+			<icfi:requireExplicitEnable>true</icfi:requireExplicitEnable>
+			<icfi:uselessString>
+				<expression>
+					<const>useless</const>
+				</expression>
+			</icfi:uselessString>
+			<icfi:uselessGuardedString>
+				<clearValue>whatever</clearValue>
+			</icfi:uselessGuardedString>
+			<icfi:requireUselessString>true</icfi:requireUselessString>
+			<icfi:minPasswordLength>3</icfi:minPasswordLength>
+			<icfi:addConnectorStateAttributes>true</icfi:addConnectorStateAttributes>
+		</icfc:configurationProperties>
+
+	</connectorConfiguration>
+	
+	<namespace>http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000704</namespace>
+
+	<schemaHandling>
+		<objectType>
+			<kind>account</kind>
+			<intent>default</intent>
+			<displayName>Default Account</displayName>
+			<default>true</default>
+			<objectClass>ri:AccountObjectClass</objectClass>
+			<attribute>
+				<ref>icfs:name</ref>
+				<displayName>Username</displayName>
+				<outbound>
+				    <strength>strong</strength>
+				    <source>
+				    	<path>$user/name</path>
+				    </source>
+					<expression>
+						<script>
+							<code>
+								name + iterationToken
+							</code>
+						</script>
+					</expression>
+				</outbound>
+				<inbound>
+					<!-- This avoids "kickback" of a name from account to a user. -->
+					<strength>weak</strength>
+					<target>
+						<path>$c:user/c:name</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>icfs:uid</ref>
+				<displayName>UID</displayName>
+			</attribute>
+			<attribute>
+				<ref>ri:fullname</ref>
+				<displayName>Full Name</displayName>
+				<outbound>
+					<source>
+						<path>$user/fullName</path>
+					</source>
+				</outbound>
+				<inbound>
+					<strength>weak</strength>
+					<target>
+						<path>$user/fullName</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:location</ref>
+				<displayName>Location</displayName>
+				<outbound>
+					<strength>strong</strength>
+					<source>
+						<path>
+							$c:user/c:locality
+						</path>
+					</source>
+					<expression>
+						<script>
+							<code>
+								def evaluateNew = midpoint.isEvaluateNew()
+								log.debug("Location outbound evaluateNew: {} : {}", evaluateNew, locality)
+								assert evaluateNew != null : "null evaluateNew"
+								return locality
+							</code>
+						</script>
+					</expression>
+				</outbound>
+				<inbound>
+					<channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import</channel>
+					<expression>
+						<script>
+							<code>'Came from ' + input</code>
+						</script>
+					</expression>
+					<target>
+						<path>description</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:ship</ref>
+				<displayName>Ship</displayName>
+				<inbound>
+					<expression>
+						<script>
+							<code>'The crew of ' + input</code>
+						</script>
+					</expression>
+					<target>
+						<path>organizationalUnit</path>
+					</target>
+					<condition>
+						<script>
+							<code>input != null</code>
+						</script>
+					</condition>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:loot</ref>
+				<displayName>Loot</displayName>
+				<fetchStrategy>explicit</fetchStrategy>
+				<outbound>
+					<channel>http://pirates.net/avast</channel>
+					<expression>
+						<script>
+							<code>9999 + 1</code>
+						</script>
+					</expression>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>ri:weapon</ref>
+				<displayName>Weapon</displayName>
+				<outbound>
+					<strength>weak</strength>
+					<source>
+						<path>
+                            declare namespace piracy = "http://midpoint.evolveum.com/xml/ns/samples/piracy";
+							$user/extension/piracy:weapon
+						</path>
+					</source>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>ri:drink</ref>
+				<displayName>Drink</displayName>
+				<tolerant>false</tolerant>
+				<outbound>
+					<strength>strong</strength>
+					<expression>
+						<const>drink</const>
+					</expression>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>ri:quote</ref>
+				<displayName>Quote</displayName>
+				<tolerant>false</tolerant>
+				<outbound>
+					<name>yellow-outbound-quote</name>
+					<strength>strong</strength>
+					<source>
+						<name>shadowStatus</name>
+						<path>$shadow/activation/administrativeStatus</path>
+					</source>
+					<expression>
+						<script>
+							<code>
+								midpoint.getConst('blabla') + ' ' + midpoint.getPrincipal().getUsername() + ' -- ' + actor?.getName()
+							</code>
+						</script>
+					</expression>
+					<condition> <!--MID-3946 -->
+						<script>
+							<code>
+								shadowStatus == com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType.ENABLED
+							</code>
+						</script>
+					</condition>
+				</outbound>
+			</attribute>
+            <attribute>
+                <ref>ri:gossip</ref>
+                <displayName>Gossip</displayName>
+                <outbound>
+                	<expression>
+                		<!-- MID-3816 -->
+                		<runAsRef oid="c0c010c0-d34d-b33f-f00d-11111111111e"/> <!-- Elaine -->
+						<script>
+							<code>
+								'Some say ' + midpoint.getPrincipal().getUsername() + ' -- ' + actor?.getName()
+							</code>
+						</script>
+					</expression>
+				</outbound>
+            </attribute>
+            <attribute>
+                <ref>ri:water</ref>
+                <limitations>
+                	<ignore>true</ignore>
+                </limitations>
+                <outbound>
+                	<!-- Make sure this mapping is really ignored -->
+					<expression>
+						<value>fishy</value>
+					</expression>
+				</outbound>
+				<inbound>
+                	<!-- Make sure this mapping is really ignored -->
+					<expression>
+						<value>very FISHY</value>
+					</expression>
+					<target>
+						<path>$user/fullName</path>
+					</target>
+				</inbound>
+            </attribute>
+
+			<iteration>
+				<maxIterations>5</maxIterations>
+			</iteration>
+            
+            <protected>
+            	<icfs:name>daviejones</icfs:name>
+            </protected>
+            <protected>
+            	<icfs:name>calypso</icfs:name>
+            </protected>
+            
+            <activation>
+				<existence>
+                    <outbound>
+                        <strength>weak</strength>
+                        <expression>
+                            <path>$focusExists</path>
+                        </expression>
+                    </outbound>
+                </existence>
+                <administrativeStatus>
+                    <outbound>
+                        <expression>
+                            <script>
+                                <code>
+                                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
+                                    if (legal &amp;&amp; assigned) {
+                                        input;
+                                    } else {
+                                        ActivationStatusType.DISABLED;
+                                    }
+                                </code>
+                            </script>
+                        </expression>
+                    </outbound>
+                </administrativeStatus>
+            </activation>
+            
+            <credentials>
+                <password>
+                    <outbound>
+                    	<name>passwd-asis</name>
+                    	<expression>
+                        	<asIs/>
+                        </expression>
+                    </outbound>
+                    <outbound>
+                    	<name>passwd-generate</name>
+                    	<strength>weak</strength>
+                    	<expression>
+                        	<generate/>
+                        </expression>
+                    </outbound>
+                    <inbound>
+                    	<strength>weak</strength>
+                        <expression>
+                            <generate/>
+                        </expression>
+                    </inbound>
+                </password>
+            </credentials>
+            
+		</objectType>
+		
+	</schemaHandling>
+	
+	<scripts>
+		<script>
+			<host>resource</host>
+			<language>Logo</language>
+			<argument>
+				<script>
+					<code>
+					'user: ' + user?.getName()
+					</code>
+				</script> 
+				<name>usr</name>
+			</argument>
+			<argument>
+				<script>
+					<!-- Note: We cannot test for account name as name is only assigned in provisioning -->
+					<code>
+					'account: ' + account?.getActivation()?.getAdministrativeStatus()
+					</code>
+				</script> 
+				<name>acc</name>
+			</argument>
+			<argument>
+				<script>
+					<code>
+					'resource: ' + resource?.getName()
+					</code>
+				</script> 
+				<name>res</name>
+			</argument>
+			<argument>
+ 				<value>3</value>
+				<name>size</name>
+			</argument>
+			<code>
+to spiral :size
+   if  :size > 30 [stop]
+   fd :size rt 15
+   spiral :size *1.02
+end
+			</code>
+			<operation>add</operation>
+			<order>after</order>
+			<condition> 
+				<script> <!-- MID-4008 -->
+					<code>
+						assert operation == 'add'
+						return true;
+					</code>
+				</script>
+			</condition>
+		</script>
+		<script>
+			<host>resource</host>
+			<language>Gibberish</language>
+			<argument>
+				<path>$user/costCenter</path>
+				<name>howMuch</name>
+			</argument>
+			<argument>
+				<value>from here to there</value>
+				<name>howLong</name>
+			</argument>
+			<argument>
+				<path>$user/name</path>
+				<name>who</name>
+			</argument>
+			<argument>
+				<path>$user/fullName</path>
+				<name>whatchacallit</name>
+			</argument>
+			<code>Beware the Jabberwock, my son!</code>
+			<operation>modify</operation>
+			<order>before</order>
+			<condition> 
+				<script>  <!-- MID-4008 -->
+					<code>
+						assert operation == 'modify'
+						return true;
+					</code>
+				</script>
+			</condition>
+		</script>
+		<script>
+			<host>resource</host>
+			<language>Gibberish</language>
+			<code>The Jabberwock, with eyes of flame</code>
+			<operation>delete</operation>
+			<order>after</order>
+			<condition> 
+				<script>  <!-- MID-4008 -->
+					<code>
+						assert operation == 'delete'
+						return true;
+					</code>
+				</script>
+			</condition>
+		</script>
+		<script>
+			<host>resource</host>
+			<language>Gibberish</language>
+			<argument>
+				<path>$focus/name</path>
+				<name>who</name>
+			</argument>
+			<code>The vorpal blade went snicker-snack!</code>
+			<operation>reconcile</operation>
+			<order>before</order>
+		</script>
+		<script>
+			<host>resource</host>
+			<language>Gibberish</language>
+			<argument>
+				<path>$shadow/activation/administrativeStatus</path>
+				<name>how</name>
+			</argument>
+			<code>He left it dead, and with its head</code>
+			<operation>reconcile</operation>
+			<order>after</order>
+		</script>
+	</scripts>
+	
+	<consistency>
+		<avoidDuplicateValues>true</avoidDuplicateValues>
+	</consistency>
+	
+	<synchronization>
+		<objectSynchronization>
+			<enabled>true</enabled>
+			<correlation>
+				<q:equal>
+					<q:path>c:name</q:path>
+					<expression>
+						<path>declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
+                            $account/attributes/icfs:name</path>
+					</expression>
+				</q:equal>
+			</correlation>
+        </objectSynchronization>
+	</synchronization>
+
+</resource>
diff --git a/model/model-intest/src/test/resources/multi/role-yellow-peru-disable.xml b/model/model-intest/src/test/resources/multi/role-dark-yellow-peru.xml
similarity index 82%
rename from model/model-intest/src/test/resources/multi/role-yellow-peru-disable.xml
rename to model/model-intest/src/test/resources/multi/role-dark-yellow-peru.xml
index 7095aadcdae..4d76765a876 100644
--- a/model/model-intest/src/test/resources/multi/role-yellow-peru-disable.xml
+++ b/model/model-intest/src/test/resources/multi/role-dark-yellow-peru.xml
@@ -18,17 +18,17 @@
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
-    <name>Yellow Peru Disable</name>
-    <description>Yellow account + Peru disable account</description>    
+    <name>Dark Yellow Peru</name>
+    <description>Dark yellow account + dark peru account</description>    
     <inducement>
     	<construction>
-    		<resourceRef oid="10000000-0000-0000-0000-000000000704" type="c:ResourceType"/> <!-- Yellow -->
+    		<resourceRef oid="33da1afe-3efb-11e8-a5e3-4fed83f61ae7" type="c:ResourceType"/> <!-- Dark yellow -->
     		<kind>account</kind>
     	</construction>
     </inducement>    
     <inducement>
     	<construction>
-    		<resourceRef oid="f5253596-333d-11e8-8894-37a2f88e7609" type="c:ResourceType"/> <!-- Peru disable -->
+    		<resourceRef oid="f5253596-333d-11e8-8894-37a2f88e7609" type="c:ResourceType"/> <!-- Dark peru -->
     		<kind>account</kind>
     	</construction>
     </inducement>
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index 884ddcefb33..ead7c93b000 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -991,8 +991,7 @@ protected void modifyUserAssignment(String userOid, String roleOid, QName refTyp
 			SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException,
 			PolicyViolationException, SecurityViolationException {
 		ObjectDelta<UserType> userDelta = createAssignmentUserDelta(userOid, roleOid, refType, relation, extension, activationType, add);
-		Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(userDelta);
-		modelService.executeChanges(deltas, options, task, result);
+		executeChanges(userDelta, options, task, result);
 	}
 
 	protected <F extends FocusType> void modifyFocusAssignment(Class<F> focusClass, String focusOid, String roleOid, QName refType, QName relation, Task task,
@@ -1009,8 +1008,7 @@ protected <F extends FocusType> void modifyFocusAssignment(Class<F> focusClass,
 			SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException,
 			PolicyViolationException, SecurityViolationException {
 		ObjectDelta<F> delta = createAssignmentFocusDelta(focusClass, focusOid, roleOid, refType, relation, extension, activationType, add);
-		Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(delta);
-		modelService.executeChanges(deltas, options, task, result);
+		executeChanges(delta, options, task, result);
 	}
 
 	protected void modifyUserAssignment(String userOid, String roleOid, QName refType, QName relation, Task task,
@@ -1036,7 +1034,7 @@ protected <F extends FocusType> void modifyFocusAssignment(Class<F> focusClass,
 			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
 		ObjectDelta<F> focusDelta = createAssignmentFocusDelta(focusClass, focusOid, roleOid, refType, relation, modificationBlock, add);
 		Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(focusDelta);
-		modelService.executeChanges(deltas, options, task, result);
+		executeChanges(focusDelta, options, task, result);
 	}
 		
 	protected <F extends FocusType> void deleteFocusAssignmentEmptyDelta(PrismObject<F> existingFocus, String targetOid, Task task, OperationResult result)
@@ -1053,10 +1051,19 @@ protected <F extends FocusType> void deleteFocusAssignmentEmptyDelta(PrismObject
 			ModelExecuteOptions options, Task task, OperationResult result)
 			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
 		ObjectDelta<F> focusDelta = createAssignmentFocusEmptyDeleteDelta(existingFocus, targetOid, relation);
-		Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(focusDelta);
-		modelService.executeChanges(deltas, options, task, result);
+		executeChanges(focusDelta, options, task, result);
+	}
+	
+	protected <F extends FocusType> void unassign(Class<F> focusClass, String focusOid, long assignmentId, Task task, OperationResult result)
+			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
+		unassign(focusClass, focusOid, assignmentId, null, task, result);
 	}
 
+	protected <F extends FocusType> void unassign(Class<F> focusClass, String focusOid, long assignmentId, ModelExecuteOptions options, Task task, OperationResult result)
+			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
+		unassign(focusClass, focusOid, createAssignmentIdOnly(assignmentId), options, task, result);
+	}
+	
 	protected <F extends FocusType> void unassign(Class<F> focusClass, String focusOid, AssignmentType currentAssignment, ModelExecuteOptions options, Task task, OperationResult result)
 			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
 		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -1064,8 +1071,7 @@ protected <F extends FocusType> void unassign(Class<F> focusClass, String focusO
 		assignmentDelta.addValuesToDelete(currentAssignment.asPrismContainerValue().clone());
 		modifications.add(assignmentDelta);
 		ObjectDelta<F> focusDelta = ObjectDelta.createModifyDelta(focusOid, modifications, focusClass, prismContext);
-		Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(focusDelta);
-		modelService.executeChanges(deltas, options, task, result);
+		executeChanges(focusDelta, options, task, result);
 	}
 	
 	/**
@@ -2597,7 +2603,11 @@ protected ObjectDelta<UserType> createModifyUserDeleteDummyAccount(String userOi
 	}
 	
 	protected ObjectDelta<UserType> createModifyUserDeleteAccount(String userOid, PrismObject<ResourceType> resource) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
-		String accountOid = getLinkRefOid(userOid, resource.getOid());
+		return createModifyUserDeleteAccount(userOid, resource.getOid());
+	}
+	
+	protected ObjectDelta<UserType> createModifyUserDeleteAccount(String userOid, String resourceOid) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+		String accountOid = getLinkRefOid(userOid, resourceOid);
 		PrismObject<ShadowType> account = getShadowModel(accountOid);
 
 		ObjectDelta<UserType> userDelta = ObjectDelta.createEmptyModifyDelta(UserType.class, userOid, prismContext);
@@ -2620,6 +2630,11 @@ protected ObjectDelta<UserType> createModifyUserUnlinkAccount(String userOid, Pr
 
 		return userDelta;
 	}
+	
+	protected void deleteUserAccount(String userOid, String resourceOid, Task task, OperationResult result) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
+		ObjectDelta<UserType> userDelta = createModifyUserDeleteAccount(userOid, resourceOid);
+        executeChanges(userDelta, null, task, result);
+	}
 
 
 	// TASKS
@@ -4166,7 +4181,7 @@ protected void modifyRoleDeleteInducement(String roleOid, long inducementId, boo
 				RoleType.F_INDUCEMENT, prismContext, inducement);
         ModelExecuteOptions options = nullToEmpty(defaultOptions);
         options.setReconcileAffected(reconcileAffected);
-        modelService.executeChanges(MiscSchemaUtil.createCollection(roleDelta), options, task, result);
+        executeChanges(roleDelta, options, task, result);
         result.computeStatus();
         if (reconcileAffected) {
             TestUtil.assertInProgressOrSuccess(result);