[midPoint] AD Group as member of another AD Group
mikhail.nikolaenko
mikhail.nikolaenko at proton.me
Mon Oct 27 15:43:13 CET 2025
Hello dear Community,
Before digging into the problem, I’d like to ask if this is a known issue for anyone — maybe I just missed an important point. I am using version 4.8.9.
I have configured an AD Resource with two object schema handlings — one for AD Account and another for AD Group.
In general, it works fine: I can reconcile all objects from AD into midPoint, and any changes from midPoint are properly provisioned into AD, including group memberships.
However, the problem occurs as soon as I try to assign a role (AD Group) as a member of another role (AD Group). In this case, midPoint tries to change the archetype of the parent role from group to account.
I believe the issue might be in the metarole configuration I’m using to handle associations:
<inducement id="3">
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
            <!-- AD -->
        </resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association id="4">
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>
Here I clearly define account-to-group.
But how can I also define the possibility for group-to-group (i.e., a group being a member of another group)?
I checked the samples and even found role-role-metarole.xml, but I still couldn’t understand how to allow both account-to-group and group-to-group relationships.
With best regards,
Mike
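One way to express both memberships in a single metarole, as an added configuration sketch that is not the poster's config and not one of the midPoint samples: it keeps the account inducement from the post and adds a second order-2 inducement for role focuses. It assumes that `<focusType>` limits an inducement to focus objects of that type (so the account branch never applies to a RoleType focus), that the entitlement/group object type in the resource's schemaHandling defines its own `ri:group` association for nested membership, and that the inducement and association ids shown are free in the metarole.

```xml
<!-- Added example (assumptions are marked); resource OID taken from the post. -->
<!-- Branch 1: a user assigned to the role gets an AD account that is a member of the group. -->
<inducement id="3">
    <focusType>UserType</focusType> <!-- assumption: restricts this inducement to users -->
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association id="4">
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>
<!-- Branch 2: a role (AD group) assigned to the role keeps its group projection and
     is added as a member of the parent group instead of being turned into an account. -->
<inducement id="5"> <!-- assumption: id 5 is unused in the metarole -->
    <focusType>RoleType</focusType> <!-- assumption: restricts this inducement to roles -->
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType"/>
        <kind>entitlement</kind>
        <intent>group</intent>
        <association id="6"> <!-- assumption: ri:group is defined on the group object type too -->
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>
```

After importing, a recompute on a nested role should show only an entitlement/group shadow linked to it; an account shadow or an archetype change on the role indicates the focusType restriction is not taking effect.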