[midPoint] AD Group as member of another AD Group

mikhail.nikolaenko mikhail.nikolaenko at proton.me
Thu Oct 30 13:40:46 CET 2025


Hello,

Thank you very much for the solution. The key was the <focusType>c:RoleType</focusType> in the inducement. As suggested, after I created the inducement in the metarole for the group-in-group and specified the focusType, everything works!

Thank you again, and have a nice weekday.

Best regards,
Mike




On Thursday, October 30th, 2025 at 12:53 AM, h2-wada <h2-wada at nri.co.jp> wrote:

> Hello,
> 
> You’ll need to define an additional inducement specifically for group-to-group relationships, while keeping your existing configuration for user-to-group.
> Also, each inducement should be scoped to the appropriate focus type to prevent confusion.
> 
> 1. User → Group (account-to-group):
> 
> <inducement id="3">
>   <construction>
>     <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
>       <!-- AD -->
>     </resourceRef>
>     <kind>account</kind>
>     <intent>default</intent>
>     <association id="4">
>       <ref>ri:group</ref>
>       <outbound>
>         <expression>
>           <associationFromLink>
>             <!-- link the account to the group shadow projected for the role -->
>             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>               <kind>entitlement</kind>
>               <intent>group</intent>
>             </projectionDiscriminator>
>           </associationFromLink>
>         </expression>
>       </outbound>
>     </association>
>   </construction>
>   <!-- scoped to users: account-to-group only -->
>   <focusType>c:UserType</focusType>
>   <order>2</order>
> </inducement>
> 
> 
> 2. Group → Group (entitlement-to-entitlement):
> 
> <inducement>
>   <construction>
>     <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType"/>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <association id="6">
>       <ref>ri:group</ref>
>       <outbound>
>         <expression>
>           <associationFromLink>
>             <!-- link the member group to the group shadow projected for the parent role -->
>             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>               <kind>entitlement</kind>
>               <intent>group</intent>
>             </projectionDiscriminator>
>           </associationFromLink>
>         </expression>
>       </outbound>
>     </association>
>   </construction>
>   <!-- scoped to roles: entitlement-to-entitlement (group-in-group) only -->
>   <focusType>c:RoleType</focusType>
>   <order>2</order>
> </inducement>
> 
> 
> Note: If the metarole is for OrgType, use <focusType>c:OrgType</focusType>
> 
> 
> Also, you'll need to define an <association> for the entitlement group in the AD resource XML:
> 
> 
> <objectType>
>   <kind>entitlement</kind>
>   <intent>group</intent>
>   ...
>   <!-- lets a group shadow itself be a member of another group -->
>   <association>
>     <c:ref>ri:group</c:ref>
>     <tolerant>false</tolerant>
>     <displayName>AD Group Membership</displayName>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>   </association>
>   ...
> </objectType>
> 
> 
> 
> Best regards,
> 
> --
> Hiroyuki Wada
> h2-wada at nri.co.jp
> 
> ________________________________________
> From: midPoint midpoint-bounces at lists.evolveum.com on behalf of mikhail.nikolaenko via midPoint midpoint at lists.evolveum.com
> 
> Sent: 27 October 2025 23:43
> To: midPoint General Discussion
> CC: mikhail.nikolaenko
> Subject: [midPoint] AD Group as member of another AD Group
> 
> Hello dear Community,
> 
> Before digging into the problem, I’d like to ask if this is a known issue for anyone ― maybe I just missed an important point. I am using version 4.8.9.
> 
> I have configured an AD Resource with two object schema handlings ― one for AD Account and another for AD Group.
> In general, it works fine: I can reconcile all objects from AD into midPoint, and any changes from midPoint are properly provisioned into AD, including group memberships.
> 
> However, the problem occurs as soon as I try to assign a role (AD Group) as a member of another role (AD Group). In this case, midPoint tries to change the archetype of the parent role from group to account.
> 
> I believe the issue might be in the metarole configuration I’m using to handle associations:
> 
> <inducement id="3">
>   <construction>
>     <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
>       <!-- AD -->
>     </resourceRef>
>     <kind>account</kind>
>     <intent>default</intent>
>     <association id="4">
>       <ref>ri:group</ref>
>       <outbound>
>         <expression>
>           <associationFromLink>
>             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>               <kind>entitlement</kind>
>               <intent>group</intent>
>             </projectionDiscriminator>
>           </associationFromLink>
>         </expression>
>       </outbound>
>     </association>
>   </construction>
>   <order>2</order>
> </inducement>
> 
> 
> 
> Here I clearly define account-to-group.
> But how can I also define the possibility for group-to-group (i.e., a group being a member of another group)?
> 
> I checked the samples and even found role-role-metarole.xml, but I still couldn’t understand how to allow both account-to-group and group-to-group relationships.
> 
> 
> With best regards,
> 
> Mike
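The thread turns on one rule: an order-2 inducement in a metarole is applied to whichever focus object holds the role that carries the metarole, so without a <focusType> an account construction is also applied to a role that is made a member of another role, which is why midPoint tried to turn the parent role into an account. The script below is an added example written for this page, not midPoint's own code or tooling: it parses a metarole, flags order-2 inducements that have no <focusType> or whose focus type does not fit the construction kind, and runs that check over two constructed metaroles, the unscoped one from the question and the scoped one from the answer. The resource OID is the one from the thread; the association elements are left out because the check does not look at them, and the order-1 inducement that provisions the AD group for the role itself is an assumption, since the thread does not show it.

```python
"""Lint a midPoint metarole for focus-type scoping of its inducements.

Added example for this mailing-list thread, not midPoint's own code. It encodes
the rule the answer relies on: an order-2 inducement of a metarole is applied to
whichever focus object holds the role that carries the metarole, so without a
<focusType> an account construction is also applied to a role that is made a
member of another role. The sample metaroles are constructed for this example
(resource OID from the thread, association elements left out).
"""
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": COMMON_NS}

# Assumption behind the check: account constructions belong on user focus
# objects, entitlement (group) constructions on role or org focus objects.
EXPECTED_FOCUS = {
    "account": {"UserType"},
    "entitlement": {"RoleType", "OrgType"},
}


def lint_metarole(xml_text):
    """Return findings for order-2 inducements that are unscoped or scoped to a
    focus type that does not fit their construction; [] means all is well."""
    root = ET.fromstring(xml_text)
    findings = []
    for ind in root.findall("c:inducement", NS):
        order = int(ind.findtext("c:order", default="1", namespaces=NS))
        if order < 2:
            continue  # order 1 targets the role itself, not its members
        construction = ind.find("c:construction", NS)
        if construction is None:
            continue  # nothing is projected, so there is nothing to scope
        # a construction without <kind> is an account construction in midPoint
        kind = construction.findtext("c:kind", default="account", namespaces=NS)
        focus = ind.findtext("c:focusType", namespaces=NS)
        label = "inducement id=%s (order %d, kind %s)" % (ind.get("id", "?"), order, kind)
        if focus is None:
            findings.append("%s: no <focusType>, so it applies to users and roles "
                            "alike; a role assigned this group role would get a %s "
                            "projection" % (label, kind))
        elif focus.split(":", 1)[-1] not in EXPECTED_FOCUS.get(kind, set()):
            findings.append("%s: focusType %s does not fit construction kind %s"
                            % (label, focus, kind))
    return findings


# The original, unscoped metarole from the question (association omitted).
UNSCOPED_METAROLE = """<role xmlns="%s" xmlns:c="%s">
  <inducement id="3">
    <construction>
      <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
    </construction>
    <order>2</order>
  </inducement>
</role>""" % (COMMON_NS, COMMON_NS)

# The scoped version from the answer. The order-1 inducement that provisions the
# AD group for the role itself is assumed here; the thread does not show it.
SCOPED_METAROLE = """<role xmlns="%s" xmlns:c="%s">
  <inducement id="1">
    <construction>
      <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" type="c:ResourceType"/>
      <kind>entitlement</kind>
      <intent>group</intent>
    </construction>
    <order>1</order>
  </inducement>
  <inducement id="3">
    <construction>
      <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
    </construction>
    <focusType>c:UserType</focusType>
    <order>2</order>
  </inducement>
  <inducement id="5">
    <construction>
      <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" type="c:ResourceType"/>
      <kind>entitlement</kind>
      <intent>group</intent>
    </construction>
    <focusType>c:RoleType</focusType>
    <order>2</order>
  </inducement>
</role>""" % (COMMON_NS, COMMON_NS)

if __name__ == "__main__":
    for name, xml in (("unscoped", UNSCOPED_METAROLE), ("scoped", SCOPED_METAROLE)):
        print(name, lint_metarole(xml) or ["ok"])
```

Run it against an exported metarole (for example from `ninja export` or the REST API) after replacing the two constructed samples; a finding on the unscoped inducement is exactly the situation the question describes, and the fix is the pair of focus-type-scoped inducements the answer shows. The check is static and only covers order, construction kind and focusType; it does not validate that the resource's entitlement object type defines the ri:group association, which the answer also requires.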

