<div dir="ltr"><div><div>Something like this inside your schema handling in your Active Directory resource could do the trick.</div><div><br></div><pre>&lt;objectType&gt;
    &lt;kind&gt;entitlement&lt;/kind&gt;
    &lt;intent&gt;group&lt;/intent&gt;
    &lt;displayName&gt;AD Group&lt;/displayName&gt;
    &lt;default&gt;true&lt;/default&gt;
    &lt;objectClass&gt;ri:group&lt;/objectClass&gt;
    ...
    ...
    &lt;association&gt;
        &lt;c:ref&gt;ri:group&lt;/c:ref&gt;
        &lt;displayName&gt;AD Group Membership&lt;/displayName&gt;
        &lt;kind&gt;entitlement&lt;/kind&gt;
        &lt;intent&gt;group&lt;/intent&gt;
        &lt;direction&gt;objectToSubject&lt;/direction&gt;
        &lt;associationAttribute&gt;ri:member&lt;/associationAttribute&gt;
        &lt;valueAttribute&gt;ri:dn&lt;/valueAttribute&gt;
        &lt;shortcutAssociationAttribute&gt;ri:memberOf&lt;/shortcutAssociationAttribute&gt;
        &lt;shortcutValueAttribute&gt;ri:dn&lt;/shortcutValueAttribute&gt;
        &lt;explicitReferentialIntegrity&gt;false&lt;/explicitReferentialIntegrity&gt;
    &lt;/association&gt;
    ...
    ...
&lt;/objectType&gt;</pre></div><div><br></div><div>Next thing you need is an inducement on the meta-role, like:</div><div><pre>&lt;inducement&gt;
    &lt;construction&gt;
        &lt;resourceRef oid="AD-resource"
                     relation="org:default"
                     type="c:ResourceType"&gt;&lt;/resourceRef&gt;
        &lt;kind&gt;account&lt;/kind&gt;
        &lt;intent&gt;default&lt;/intent&gt;
        &lt;association&gt;
            &lt;c:ref&gt;ri:group&lt;/c:ref&gt;
            &lt;outbound&gt;
                &lt;strength&gt;strong&lt;/strength&gt;
                &lt;expression&gt;
                    &lt;associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                         xsi:type="c:AssociationFromLinkExpressionEvaluatorType"&gt;
                        &lt;projectionDiscriminator&gt;
                            &lt;kind&gt;entitlement&lt;/kind&gt;
                            &lt;intent&gt;group&lt;/intent&gt;
                        &lt;/projectionDiscriminator&gt;
                    &lt;/associationFromLink&gt;
                &lt;/expression&gt;
            &lt;/outbound&gt;
        &lt;/association&gt;
    &lt;/construction&gt;
    &lt;order&gt;2&lt;/order&gt;
&lt;/inducement&gt;</pre></div><div><br></div><div>For further info, look at the link to the wiki I sent you.</div><div><br></div><div>Best Regards</div><div>Oskar Butovič</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-10-31 7:55 GMT+01:00 Ian Chen <span dir="ltr">&lt;<a href="mailto:ianchen.op@gmail.com" target="_blank">ianchen.op@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Oskar,<div><br></div><div>I mapped all orgs to Entitlement as AD groups.</div><div>But I cannot find how to map the parent org of the assignment. Could you share some details?</div><div>Thanks.</div><div><br></div><div>Regards,</div><div>Ian</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 25, 2017 at 6:33 PM, Oskar Butovič - AMI Praha a.s. <span dir="ltr">&lt;<a href="mailto:oskar.butovic@ami.cz" target="_blank">oskar.butovic@ami.cz</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Chen,<div><br></div><div>I suggest mapping this as an association: <a href="https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples" target="_blank">https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples</a>. An association can handle both directions of membership (members in group or groups in user). So, for example, if you assign a parent org to a user or another org, midPoint also modifies the group represented by the parent org. Hope it makes sense. :-)</div><div><br></div><div>Association works with assignments.
If properly assigned, child orgs should have the parent org in one of their assignments and also in the parentOrgRef element.</div><div><br></div><div>Best Regards</div><div>Oskar Butovič</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_7824619616342172673h5">2017-10-25 12:23 GMT+02:00 Ian Chen <span dir="ltr">&lt;<a href="mailto:ianchen.op@gmail.com" target="_blank">ianchen.op@gmail.com</a>&gt;</span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_7824619616342172673h5"><div dir="ltr">Hi List,<div><br></div><div>I'm new here and am trying to solve mapping Org to AD groups as in <a href="https://evolveum.com/blog/practical-organization-structure-in-active-directory/" target="_blank">https://evolveum.com/blog/practical-organization-structure-in-active-directory/</a>. I'm stuck at setting the member for a group.</div><div><br></div><div>It seems an AD group can only have members (children), while in midPoint an Org is assigned upwards (parent). As I cannot find children Orgs in the outbound mapping, I added an extension attribute to hold the parentID of the parent Org. My plan is, in the outbound mapping, to search for any Org with parentID set to the current Org ID, but I cannot find how. Please help!</div><div><br></div><div>Also, if there is a better/simpler method to do this, please let me know.</div><div><br></div><div>Thanks!</div><span class="m_7824619616342172673m_-4222946517098995713HOEnZb"><font color="#888888"><div>Ian</div>
</font></span></div>
<br></div></div>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_7824619616342172673m_-4222946517098995713gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important"><tbody><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px solid gray!important"><p><span style="font-size:14px;font-weight:bold">Oskar Butovič</span><br>solution architect<br><br>gsm: <a href="tel:+420%20774%20480%20101" value="+420774480101" target="_blank">[+420] 774 480 101</a><br>e-mail: <a href="mailto:oskar.butovic@ami.cz" target="_blank">oskar.butovic@ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important"> </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px solid gray!important"><p>AMI Praha a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: <a href="tel:+420%20274%20783%20239" value="+420274783239" target="_blank">[+420] 274 783 239</a><br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p></td><td 
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important"> </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px solid gray!important;width:116px"><p><img src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px solid gray!important"><br><a href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management" target="_blank"><img src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" alt="AMI Praha a.s." style="border:0px;width:480px!important;height:82px!important"></a></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray!important"><br>By the text of this e-mail, the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s.<br>Any contract, if concluded, must be exclusively in written form.<br><br></td></tr></tbody></table></div></div></div></div></div></div></div>
</div>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>
</div>
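A consistency check for the two fragments posted in this thread, as an added example that is not part of the original messages or of midPoint itself: it verifies that every association an inducement refers to is declared in the resource's schema handling, and that the `projectionDiscriminator` kind/intent pair matches a declared `objectType`. The `<bundle>` wrapper, the function names and the sample XML are constructed for illustration, and kind and intent are assumed to be set explicitly.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the snippets in the thread. The <bundle>
# wrapper is hypothetical and only keeps both fragments in one document.
SAMPLE = """<bundle xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <objectType>
    <kind>entitlement</kind><intent>group</intent>
    <association>
      <c:ref>ri:group</c:ref><kind>entitlement</kind><intent>group</intent>
    </association>
  </objectType>
  <inducement><construction>
    <association>
      <c:ref>ri:group</c:ref>
      <outbound><expression><associationFromLink>
        <projectionDiscriminator><kind>entitlement</kind><intent>group</intent></projectionDiscriminator>
      </associationFromLink></expression></outbound>
    </association>
  </construction></inducement>
</bundle>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def lint(xml_text):
    """Return a list of mismatches between schema handling and inducements."""
    root = ET.fromstring(xml_text)
    object_types, declared = set(), set()
    for ot in (e for e in root.iter() if local(e.tag) == "objectType"):
        object_types.add((child_text(ot, "kind"), child_text(ot, "intent")))
        declared |= {child_text(a, "ref") for a in ot if local(a.tag) == "association"}
    problems = []
    for con in (e for e in root.iter() if local(e.tag) == "construction"):
        for assoc in (a for a in con if local(a.tag) == "association"):
            ref = child_text(assoc, "ref")
            if ref not in declared:
                problems.append(f"association {ref} is not declared in schemaHandling")
            for disc in (e for e in assoc.iter() if local(e.tag) == "projectionDiscriminator"):
                pair = (child_text(disc, "kind"), child_text(disc, "intent"))
                if pair not in object_types:
                    problems.append(f"no objectType with kind/intent {pair}")
    return problems

print(lint(SAMPLE) or "consistent")
```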