[midPoint] AD group membership - midPoint inducement
João Paulo Ribeiro
joparibeiro at gmail.com
Mon Jul 14 18:20:16 CEST 2025
Hello! I'd like to know if anyone has experienced a similar situation:
In my Org archetype, I have an inducement that adds the user as a member of
the Org's AD group when that Org is assigned to them. So, if IN THE SAME
OPERATION, I unassign Org X from the user and assign Org Y, I would expect:
1) midPoint to include the user as a member of Org Y's AD group
2) midPoint to remove the user from Org X's AD group.
Step 1 occurs normally, as expected, immediately. However, midPoint does
not immediately remove the user from Org X's group. Only in the subsequent
reconciliation for that user is the user removed from Org X's AD group. Do
you know if there's a configuration to make both changes occur in the same
reconciliation? The inducement is below:
<inducement>
    <construction>
        <strength>weak</strength>
        <resourceRef oid="57f9e093-4421-4998-9a20-3df02678790c" />
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <ref>ri:group</ref>
            <displayName>AD Group Membership</displayName>
            <outbound>
                <strength>strong</strength>
                <source>
                    <path>name</path>
                </source>
                <expression>
                    <associationTargetSearch>
                        <filter>
                            <q:equal>
                                <q:path>attributes/ri:dn</q:path>
                                <expression>
                                    <script>
                                        <code>basic.composeDnWithSuffix('cn', immediateRole.displayName, midpoint.getConst('adCtxOrgUnitGroups'))</code>
                                    </script>
                                </expression>
                            </q:equal>
                        </filter>
                    </associationTargetSearch>
                </expression>
            </outbound>
            <kind>entitlement</kind>
            <intent>orgUnit</intent>
        </association>
    </construction>
    <order>2</order>
    <focusType>UserType</focusType>
</inducement>
Thanks in advance!