[midPoint] direct outbound group association on resource level

Yakov Revyakin yrevyakin at gmail.com
Fri Aug 29 10:23:35 CEST 2025 

My associationType
<associationType>
    <name>computer-app</name>
    <subject>
        <objectType>
            <kind>account</kind>
            <intent>computer</intent>
        </objectType>
        <association>
            <ref>ri:computer-app</ref>
            <sourceAttributeRef>ri:group</sourceAttributeRef>
            <tolerant>false</tolerant>
        </association>
    </subject>
    <object>
        <objectType>
            <kind>entitlement</kind>
            <intent>computer-app</intent>
        </objectType>
    </object>
</associationType>

On Fri, 29 Aug 2025 at 11:20, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> Hi everyone,
> I'm trying to migrate my AD resource using 4.9 associationType concept.
> For now I can't understand how to migrate the following part:
> An account objectType includes static group association which looks like:
>
> <association>
>     <ref>ri:group</ref>
>     <tolerant>false</tolerant>
>     <kind>entitlement</kind>
>     <intent>computer-app</intent>
>     <outbound>
>         <expression>
>             <associationTargetSearch>
>                 <filter>
>                     <q:equal>
>                         <q:path>attributes/ri:cn</q:path>
>                         <q:value>all_computers</q:value>
>                     </q:equal>
>                 </filter>
>                 <searchStrategy>onResourceIfNeeded</searchStrategy>
>             </associationTargetSearch>
>         </expression>
>     </outbound>
>     ....
> </association>
>
> This association results in association of this specific group with an AD
> account if it's appearing under user's projections. There are no roles,
> assignments, inducements to get this kind of association. This account can
> be imported and linked only. Create capability for it is denied.
>
> It is not clear how to make this kind of association with the new 4.9
> association types. I defined appropriate associationType but I can't see
> how to create this association not involving assignment/inducement
> approach.
>
> If someone has an idea or experience please help.
> Yakov
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250829/45b37545/attachment.htm>

More information about the midPoint mailing list