[midPoint] direct outbound group association on resource level
Wim Beck
Wim.Beck at is4u.be
Tue Sep 2 11:10:24 CEST 2025
Hi Yakov,
The following configuration works for me (validated on AdLdapConnector v3.8 and upwards):
In the AD config options, define the correct object classes and use the managed association pairs:
<connectorConfiguration>
    <icfc:configurationProperties>
        [...]
        <cfc:managedAssociationPairs>"user"+memberOf -# "group"+member</cfc:managedAssociationPairs>
        <cfc:managedAssociationPairs>"group"+memberOf -# "group"+member</cfc:managedAssociationPairs>
        <cfc:attributesNotReturnedByDefault>member</cfc:attributesNotReturnedByDefault>
        <cfc:userObjectClass>user</cfc:userObjectClass>
        <cfc:groupObjectClass>group</cfc:groupObjectClass>
        <cfc:groupObjectMemberAttribute>member</cfc:groupObjectMemberAttribute>
    </icfc:configurationProperties>
</connectorConfiguration>
Define the object type(s) you need. The association type handles the rest. The sample below handles the user/group relation. You can define a similar association between other kind/intent objects in the same way.
<associationType id="273">
    <name>Account-Group</name>
    <subject>
        <objectType id="274">
            <kind>account</kind>
            <intent>Account</intent>
        </objectType>
        <association>
            <ref>ri:group</ref>
            <sourceAttributeRef>ri:group</sourceAttributeRef>
            <outbound id="289">
                <name>account-mapping</name>
                <strength>strong</strength>
                <expression>
                    <associationConstruction xsi:type="c:AssociationConstructionExpressionEvaluatorType">
                        <objectRef id="291">
                            <ref>ri:group</ref>
                            <mapping id="292">
                                <name>membership</name>
                                <strength>strong</strength>
                                <expression>
                                    <associationFromLink/>
                                </expression>
                            </mapping>
                        </objectRef>
                    </associationConstruction>
                </expression>
            </outbound>
        </association>
    </subject>
    <object id="284">
        <objectType id="285">
            <kind>entitlement</kind>
            <intent>Group</intent>
        </objectType>
    </object>
</associationType>
Hope this helps!
Kind regards,
Wim Beck | Identity Expert @ IS4U
From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Yakov Revyakin via midPoint
Sent: Friday, 29 August 2025 10:24
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Yakov Revyakin <yrevyakin at gmail.com>
Subject: Re: [midPoint] direct outbound group association on resource level
My associationType
<associationType>
    <name>computer-app</name>
    <subject>
        <objectType>
            <kind>account</kind>
            <intent>computer</intent>
        </objectType>
        <association>
            <ref>ri:computer-app</ref>
            <sourceAttributeRef>ri:group</sourceAttributeRef>
            <tolerant>false</tolerant>
        </association>
    </subject>
    <object>
        <objectType>
            <kind>entitlement</kind>
            <intent>computer-app</intent>
        </objectType>
    </object>
</associationType>
On Fri, 29 Aug 2025 at 11:20, Yakov Revyakin <yrevyakin at gmail.com> wrote:
Hi everyone,
I'm trying to migrate my AD resource to the 4.9 associationType concept.
For now I can't understand how to migrate the following part:
An account objectType includes a static group association which looks like this:
<association>
    <ref>ri:group</ref>
    <tolerant>false</tolerant>
    <kind>entitlement</kind>
    <intent>computer-app</intent>
    <outbound>
        <expression>
            <associationTargetSearch>
                <filter>
                    <q:equal>
                        <q:path>attributes/ri:cn</q:path>
                        <q:value>all_computers</q:value>
                    </q:equal>
                </filter>
                <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
        </expression>
    </outbound>
    ....
</association>
This association results in the association of this specific group with an AD account if it appears under the user's projections. There are no roles, assignments or inducements to get this kind of association. This account can be imported and linked only. The create capability for it is denied.
It is not clear how to make this kind of association with the new 4.9 association types. I defined the appropriate associationType but I can't see how to create this association without involving the assignment/inducement approach.
If someone has an idea or experience, please help.
Yakov