[midPoint] Enforcing group membership not working

h2-wada h2-wada at nri.co.jp
Thu Mar 27 14:35:24 CET 2025


Hello,

> However, if I manually add a user to a group in the database using database tools the Group object in midpoint does not reflect this.

Have you defined an inbound mapping for the association?
If you want to update membership on the resource side and reflect it in midPoint (e.g., as a member of a RoleType), an inbound mapping is required.

https://docs.evolveum.com/midpoint/reference/support-4.8/expressions/mappings/inbound-mapping/#association


> If I then add the same user through the UI it is not triggering any "update()" method in my connector - almost as if midPoint is aware that the user is already in the correct group in the database

Before updating a resource, midPoint fetches the latest state of the resource and calculates the delta.
Since the connector returns the membership that was directly added on the resource side, midPoint sees no membership changes to apply, and the update is not triggered.


> I also expected the group synchronization to actually trigger an "update" or "remove" in the code in my connector to remove the user from the group since he's not "officially" added in the group, however no such functionality is triggered either.

By default, midPoint does not remove memberships added on the resource side.
However, you can change this behavior by setting <tolerant>false</tolerant>, which allows midPoint to remove such memberships.

https://docs.evolveum.com/midpoint/reference/support-4.8/resources/entitlements/#entitlement-membership-removal


Note: The configuration of associations has changed significantly in v4.9. Please refer to the documentation corresponding to your midPoint version.


Best regards,

--
Hiroyuki Wada
h2-wada at nri.co.jp
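The two mechanisms referred to above, as an added illustrative schemaHandling fragment (not from this thread or from midPoint's own samples); assumed names are ri:group as the group object class, ri:members as the group attribute listing member account names, and RoleType identifiers equal to group names. Note that the two settings serve opposite goals: once an authoritative inbound mapping turns the membership into an assignment it is no longer "extra", so tolerant=false has nothing to remove; choose the one that matches which side is authoritative.

```xml
<!-- Added example fragment of a resource's schemaHandling (midPoint 4.8 style);
     ri:group, ri:members and the role identifier convention are assumptions -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <objectClass>ri:AccountObjectClass</objectClass>
    <association>
        <ref>ri:group</ref>
        <displayName>Group membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:members</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
        <!-- Option A: midPoint is authoritative. With tolerant=false, a membership found
             on the resource that no assignment accounts for is removed during
             reconciliation; the default (true) leaves such memberships alone. -->
        <tolerant>false</tolerant>
        <!-- Option B: the resource is authoritative. The inbound mapping turns each
             membership seen on the resource into an assignment to the RoleType whose
             identifier equals the group name, so midPoint's view follows the database.
             Use this instead of tolerant=false, not together with it. -->
        <inbound>
            <name>group-to-role</name>
            <authoritative>true</authoritative>
            <expression>
                <assignmentTargetSearch>
                    <targetType>RoleType</targetType>
                    <filter>
                        <q:equal>
                            <q:path>identifier</q:path>
                            <expression>
                                <script>
                                    <!-- entitlement = shadow of the group the account belongs to -->
                                    <code>basic.getIdentifierValue(entitlement)</code>
                                </script>
                            </expression>
                        </q:equal>
                    </filter>
                </assignmentTargetSearch>
            </expression>
            <target>
                <path>assignment</path>
            </target>
        </inbound>
    </association>
</objectType>
```

Either way the change only takes effect after a reconciliation or synchronization run picks up the resource object; a membership inserted directly into the database is not seen until then.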

________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Odd Arne Beck via midPoint <midpoint at lists.evolveum.com>
Sent: March 27, 2025 6:09
To: midPoint General Discussion
CC: Odd Arne Beck
Subject: [midPoint] Enforcing group membership not working

Hi!

I have created a test-connector where users and groups are created in a database, and I can also add groups/membership (entitlements) and that is also reflected in the database.

If I create a new group it is automatically created in the resource, and when I assign a user to a group the user is created in the resource and the membership is added in the database. When unassigning the user from the group the user is deleted from the resource and also removed from the mapping table for user -> group.

However, if I manually add a user to a group in the database using database tools the Group object in midPoint does not reflect this. If I then add the same user through the UI it is not triggering any "update()" method in my connector - almost as if midPoint is aware that the user is already in the correct group in the database. If I then remove the same user and re-add the user to the group he is removed and then properly added and the group reflects this and the correct update code is run in my connector.

When adding the user 'manually', it's almost as if midPoint is halfway aware that the user is in the group but not in the group in the UI.

I also expected the group synchronization to actually trigger an "update" or "remove" in the code in my connector to remove the user from the group since he's not "officially" added in the group, however no such functionality is triggered either.

Does anyone have an input as to what mechanism I seem to be missing?

Best regards,

Odd Beck

