[midPoint] AD Group as member of another AD Group

Yakov Revyakin yrevyakin at gmail.com
Tue Oct 28 09:14:03 CET 2025


In 4.9 associationType covers this case.

On Mon, 27 Oct 2025 at 16:43, mikhail.nikolaenko via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello dear Community,
>
> Before digging into the problem, I’d like to ask if this is a known issue
> for anyone — maybe I just missed an important point. I am using version
> *4.8.9*.
>
> I have configured an *AD Resource* with two object schema handlings — one
> for *AD Account* and another for *AD Group*.
> In general, it works fine: I can reconcile all objects from AD into
> midPoint, and any changes from midPoint are properly provisioned into AD,
> including group memberships.
>
> However, the problem occurs as soon as I try to assign a role (AD Group)
> as a member of another role (AD Group). In this case, midPoint tries to
> change the archetype of the parent role from *group* to *account*.
>
> I believe the issue might be in the metarole configuration I’m using to
> handle associations:
>
> <inducement id="3">
>     <construction>
>         <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
>             <!-- AD -->
>         </resourceRef>
>         <kind>account</kind>
>         <intent>default</intent>
>         <association id="4">
>             <ref>ri:group</ref>
>             <outbound>
>                 <expression>
>                     <associationFromLink>
>                         <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>                             <kind>entitlement</kind>
>                             <intent>group</intent>
>                         </projectionDiscriminator>
>                     </associationFromLink>
>                 </expression>
>             </outbound>
>         </association>
>     </construction>
>     <order>2</order>
> </inducement>
>
> Here I clearly define *account-to-group*.
> But how can I also define the possibility for *group-to-group* (i.e., a
> group being a member of another group)?
>
> I checked the samples and even found *role-role-metarole.xml*, but I
> still couldn’t understand how to allow both *account-to-group* and
> *group-to-group* relationships.
>
>
> With best regards,
>
> Mike
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>