[midPoint] direct outbound group association on resource level
Yakov Revyakin
yrevyakin at gmail.com
Mon Sep 8 15:07:17 CEST 2025
On Mon, 8 Sept 2025 at 16:03, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> Hi again,
> After some debugging, what became clear for me:
>
> When we create an outbound provisioning rule for an association in UI,
> Midpoint creates an XML construct with expression based on
> AssociationConstructionExpressionEvaluatorType. Visually this results
> in associationConstruction as expression type.
> AssociationConstructionExpressionEvaluator always uses roles as a source
> for association. It checks eligibility of roles, so only application roles
> with appropriate projection in place are allowed as a source. This means
> that it is impossible to create an outbound provision rule in UI to link an
> arbitrary group of appropriate entitlement object type with the account
> projection. At least for 4.9.4.
>
> We still can define another type of evaluation
> using assignmentTargetSearch instead of associationConstruction but only
> directly in XML code. This way breaks the resource UI view - we can't enter
> the resource page in the UI. This completely blocks further resource
> development with resource UI. Also, in this
> case AssociationTargetSearchExpressionEvaluator is used instead of
> ReferenceAttributeTargetSearchExpressionEvaluator which is considered in
> context of reference attribute (new associationType).
>
> Probably Radovan Semancik could provide some comments and plans on this
> part as he is a developer of these evaluators.
>
>
>
>
> On Tue, 2 Sept 2025 at 14:20, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> Thank you Wim,
>> My case is a bit different. As I understand, <associationFromLink/>
>> supposes a role-like object with a group projection. This works fine where
>> I need it.
>> My task is how to add an AD account of a specific object type to a
>> specific AD group not involving any roles. All appropriate accounts must
>> have this specific group if they are listed under user projections
>> (accounts imported and linked to user). I have an appropriate group object
>> type as well as association type I mentioned in the 2nd post. Earlier I was
>> able to implement this in the old style <association> as presented in the
>> beginning of my 1st post.
>> Actually I can implement required behavior but my implementation breaks
>> the UI - I can't enter the resource page after uploading the resource xml.
>> Reconciliation task works fine for me.
>>
>> <associationType>
>> <name>computer-app</name>
>> <subject>
>> <objectType>
>> <kind>account</kind>
>> <intent>computer</intent>
>> </objectType>
>> <association>
>> <ref>ri:computer-app</ref>
>> <sourceAttributeRef>ri:group</sourceAttributeRef>
>> <outbound>
>> <name>computer-app</name>
>> <expression>
>> <associationTargetSearch>
>> <filter>
>> <q:equal>
>> <q:path>attributes/ri:cn</q:path>
>> <q:value>all_computers</q:value>
>> </q:equal>
>> </filter>
>>
>> <searchStrategy>onResourceIfNeeded</searchStrategy>
>> </associationTargetSearch>
>> </expression>
>> </outbound>
>> <tolerant>false</tolerant>
>> </association>
>> </subject>
>> <object>
>> <objectType>
>> <kind>entitlement</kind>
>> <intent>computer-app</intent>
>> </objectType>
>> </object>
>> </associationType>
>>
>> Each evaluation of this association results in required membership. Even
>> documentation for Entitlements and Associations proposes to use
>> associationTargetSearch as an alternative of associationFromLink, see
>> https://docs.evolveum.com/midpoint/reference/support-4.9/resources/entitlements/#outbound-mappings.
>> Also, I can find this approach in samples and tests.
>> With the implementation above I get 500 "com.evolveum.midpoint.gui.impl.factory.wrapper.resourceAssociation.AssociationMappingExpressionWrapperFactory.getEvaluator(com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType)"
>> is null". It probably makes sense because associationTargetSearch is not
>> among options provided by provisioning outbound mapping in UI for
>> association definition.
>>
>> So, there are actual questions for now:
>> - Is my implementation with associationTargetSearch correct?
>> - If yes, what about UI? How to fix it? Is it a bug?
>> - If not, what is the right way to implement my requirement without
>> breaking the UI?
>>
>> Thanks,
>> Yakov
>>
>> On Tue, 2 Sept 2025 at 12:10, Wim Beck <Wim.Beck at is4u.be> wrote:
>>
>>> Hi Yakov,
>>>
>>>
>>>
>>> Following configuration works for me (validated on AdLdapConnector v3.8
>>> and upwards):
>>>
>>>
>>>
>>> In the AD config options define correct object classes and use the
>>> managed association pairs:
>>>
>>>
>>>
>>> <connectorConfiguration>
>>>
>>> <icfc:configurationProperties>
>>>
>>> [...]
>>>
>>> <cfc:managedAssociationPairs>"user"+memberOf -#
>>> "group"+member</cfc:managedAssociationPairs>
>>>
>>> <cfc:managedAssociationPairs>"group"+memberOf -#
>>> "group"+member</cfc:managedAssociationPairs>
>>>
>>>
>>> <cfc:attributesNotReturnedByDefault>member</cfc:attributesNotReturnedByDefault>
>>>
>>> <cfc:userObjectClass>user</cfc:userObjectClass>
>>>
>>> <cfc:groupObjectClass>group</cfc:groupObjectClass>
>>>
>>>
>>> <cfc:groupObjectMemberAttribute>member</cfc:groupObjectMemberAttribute>
>>>
>>> </icfc:configurationProperties>
>>>
>>> </connectorConfiguration>
>>>
>>>
>>>
>>> Define object type(s) you need. The association type handles the rest.
>>> Sample below handles user/group relation. You can define similar
>>> association between other kind/intent objects in a similar way.
>>>
>>>
>>>
>>> <associationType id="273">
>>>
>>> <name>Account-Group</name>
>>>
>>> <subject>
>>>
>>> <objectType id="274">
>>>
>>> <kind>account</kind>
>>>
>>> <intent>Account</intent>
>>>
>>> </objectType>
>>>
>>> <association>
>>>
>>> <ref>ri:group</ref>
>>>
>>> <sourceAttributeRef>ri:group</sourceAttributeRef>
>>>
>>> <outbound id="289">
>>>
>>> <name>account-mapping</name>
>>>
>>> <strength>strong</strength>
>>>
>>> <expression>
>>>
>>> <associationConstruction
>>> xsi:type="c:AssociationConstructionExpressionEvaluatorType">
>>>
>>> <objectRef id="291">
>>>
>>> <ref>ri:group</ref>
>>>
>>> <mapping id="292">
>>>
>>> <name>membership</name>
>>>
>>> <strength>strong</strength>
>>>
>>> <expression>
>>>
>>> <associationFromLink/>
>>>
>>> </expression>
>>>
>>> </mapping>
>>>
>>> </objectRef>
>>>
>>> </associationConstruction>
>>>
>>> </expression>
>>>
>>> </outbound>
>>>
>>> </association>
>>>
>>> </subject>
>>>
>>> <object id="284">
>>>
>>> <objectType id="285">
>>>
>>> <kind>entitlement</kind>
>>>
>>> <intent>Group</intent>
>>>
>>> </objectType>
>>>
>>> </object>
>>>
>>> </associationType>
>>>
>>>
>>>
>>> Hope this helps!
>>>
>>>
>>>
>>> Kind regards,
>>>
>>> *Wim Beck | *Identity Expert @ *IS4U*
>>>
>>>
>>>
>>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of *Yakov
>>> Revyakin via midPoint
>>> *Sent:* Friday, 29 August 2025 10:24
>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>> *Cc:* Yakov Revyakin <yrevyakin at gmail.com>
>>> *Subject:* Re: [midPoint] direct outbound group association on resource
>>> level
>>>
>>>
>>>
>>> My associationType
>>> <associationType>
>>> <name>computer-app</name>
>>> <subject>
>>> <objectType>
>>> <kind>account</kind>
>>> <intent>computer</intent>
>>> </objectType>
>>> <association>
>>> <ref>ri:computer-app</ref>
>>> <sourceAttributeRef>ri:group</sourceAttributeRef>
>>> <tolerant>false</tolerant>
>>> </association>
>>> </subject>
>>> <object>
>>> <objectType>
>>> <kind>entitlement</kind>
>>> <intent>computer-app</intent>
>>> </objectType>
>>> </object>
>>> </associationType>
>>>
>>>
>>>
>>> On Fri, 29 Aug 2025 at 11:20, Yakov Revyakin <yrevyakin at gmail.com>
>>> wrote:
>>>
>>> Hi everyone,
>>> I'm trying to migrate my AD resource using 4.9 associationType concept.
>>>
>>> For now I can't understand how to migrate the following part:
>>> An account objectType includes static group association which looks like:
>>>
>>> <association>
>>> <ref>ri:group</ref>
>>> <tolerant>false</tolerant>
>>> <kind>entitlement</kind>
>>> <intent>computer-app</intent>
>>> <outbound>
>>> <expression>
>>> <associationTargetSearch>
>>> <filter>
>>> <q:equal>
>>> <q:path>attributes/ri:cn</q:path>
>>> <q:value>all_computers</q:value>
>>> </q:equal>
>>> </filter>
>>> <searchStrategy>onResourceIfNeeded</searchStrategy>
>>> </associationTargetSearch>
>>> </expression>
>>> </outbound>
>>> ....
>>> </association>
>>>
>>>
>>>
>>> This association results in association of this specific group with an
>>> AD account if it's appearing under user's projections. There are no roles,
>>> assignments, inducements to get this kind of association. This account can
>>> be imported and linked only. Create capability for it is denied.
>>>
>>> It is not clear how to make this kind of association with the new 4.9
>>> association types. I defined appropriate associationType but I can't see
>>> how to create this association not involving assignment/inducement
>>> approach.
>>>
>>>
>>>
>>> If someone has an idea or experience please help.
>>>
>>> Yakov
>>>
>>>
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250908/b209e3d7/attachment-0001.htm>
More information about the midPoint
mailing list