[midPoint] AD Group as member of another AD Group

h2-wada h2-wada at nri.co.jp
Thu Oct 30 00:53:07 CET 2025


Hello,

You'll need to define an additional inducement specifically for group-to-group relationships, while keeping your existing configuration for user-to-group.
Also, each inducement should be scoped to the appropriate focus type to prevent confusion.

1. User → Group (account-to-group):

<inducement id="3">
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
            <!-- AD -->
        </resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association id="4">
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <focusType>c:UserType</focusType>
    <order>2</order>
</inducement>

2. Group → Group (entitlement-to-entitlement):

<inducement>
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType"/>
        <kind>entitlement</kind>
        <intent>group</intent>
        <association id="6">
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <focusType>c:RoleType</focusType>
    <order>2</order>
</inducement>

Note: If the metarole is for OrgType, use <focusType>c:OrgType</focusType>

Also, you'll need to define <association> for the entitlement group in AD resource xml:

        <objectType>
            <kind>entitlement</kind>
            <intent>group</intent>
            ...
            <association>
                <c:ref>ri:group</c:ref>
                <tolerant>false</tolerant>
                <displayName>AD Group Membership</displayName>
                <kind>entitlement</kind>
                <intent>group</intent>
                <direction>objectToSubject</direction>
                <associationAttribute>ri:member</associationAttribute>
                <valueAttribute>ri:dn</valueAttribute>
                <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
                <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
                <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
            </association>
            ...
        </objectType>


Best regards,

--
Hiroyuki Wada
h2-wada at nri.co.jp
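To check a metarole for the scoping problem discussed above, here is an added example (not midPoint's own code, and not from the thread) that lints every inducement carrying a construction and reports those whose focusType is missing or does not fit the construction kind. The sample metarole is constructed for the demonstration; only the midPoint common-3 namespace URI is real.

```python
# Added example, not midPoint's own code: lint a metarole so that every
# <inducement> carrying a <construction> is scoped with <focusType> to the
# focus objects its construction kind makes sense for. The sample metarole is
# constructed for this demo; only the midPoint common-3 namespace URI is real.
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Construction kind -> focus types it should be restricted to.
EXPECTED_FOCUS = {
    "account": {"c:UserType"},                    # account projections belong to users
    "entitlement": {"c:RoleType", "c:OrgType"},   # group projections belong to roles/orgs
}

# Constructed sample: inducement 3 is unscoped (the problem from the thread),
# inducement 5 is correctly limited to roles.
SAMPLE_METAROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>ad-group-metarole</name>
  <inducement id="3">
    <construction><kind>account</kind><intent>default</intent></construction>
    <order>2</order>
  </inducement>
  <inducement id="5">
    <construction><kind>entitlement</kind><intent>group</intent></construction>
    <focusType>c:RoleType</focusType>
    <order>2</order>
  </inducement>
</role>"""


def lint_inducements(xml_text):
    """Return one finding per inducement whose focusType is missing or mismatched."""
    findings = []
    for ind in ET.fromstring(xml_text).findall("c:inducement", NS):
        ind_id = ind.get("id", "?")
        kind_el = ind.find("c:construction/c:kind", NS)
        if kind_el is None:
            continue  # no construction: nothing to scope
        kind = kind_el.text.strip()
        expected = sorted(EXPECTED_FOCUS.get(kind, ()))
        focus_el = ind.find("c:focusType", NS)
        if focus_el is None:
            # Unscoped: applies to users AND roles, so a role holding this
            # metarole also receives the account construction.
            findings.append(f"inducement {ind_id}: kind={kind} has no <focusType>; "
                            f"expected one of {expected}")
        elif focus_el.text.strip() not in expected:
            findings.append(f"inducement {ind_id}: kind={kind} is scoped to "
                            f"{focus_el.text.strip()}, expected one of {expected}")
    return findings
```

Running `lint_inducements(SAMPLE_METAROLE)` flags only inducement 3; adding `<focusType>c:UserType</focusType>` to it clears the finding.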

________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of mikhail.nikolaenko via midPoint <midpoint at lists.evolveum.com>
Sent: October 27, 2025 23:43
To: midPoint General Discussion
CC: mikhail.nikolaenko
Subject: [midPoint] AD Group as member of another AD Group

Hello dear Community,

Before digging into the problem, I'd like to ask if this is a known issue for anyone - maybe I just missed an important point. I am using version 4.8.9.

I have configured an AD Resource with two object schema handlings - one for AD Account and another for AD Group.
In general, it works fine: I can reconcile all objects from AD into midPoint, and any changes from midPoint are properly provisioned into AD, including group memberships.

However, the problem occurs as soon as I try to assign a role (AD Group) as a member of another role (AD Group). In this case, midPoint tries to change the archetype of the parent role from group to account.

I believe the issue might be in the metarole configuration I'm using to handle associations:

<inducement id="3">
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
            <!-- AD -->
        </resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association id="4">
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>


Here I clearly define account-to-group.
But how can I also define the possibility for group-to-group (i.e., a group being a member of another group)?

I checked the samples and even found role-role-metarole.xml, but I still couldn't understand how to allow both account-to-group and group-to-group relationships.


With best regards,

Mike

