<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>can you share the role (in your case probably the metarole)? I
think you might be missing strong in the outbound mapping for
association for order=2 mapping.</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 24.01.2018 23:08, Alcides Carlos de
Moraes Neto wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMLLNm=pXsBtxgs3HCciTNsSZNEFwA_qYCVTnq9fb+ATgLSEnQ@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<div>Hello list,<br>
<br>
</div>
I have a OrgType -> AD Group projection, with
construction and entitlement association all done in a
single Meta Role. This works, the groups are created and the
Org Members are added to the group.<br>
<br>
</div>
However, if the AD user account already is a member of any
other group, its not added to the Org AD Group. And if I
remove a user account from the AD group from within Windows
Server, Midpoint does not create the association again. It's
behaving like a weak mapping.<br>
</div>
How do I make Midpoint enforce the group membership? The
association definition has tolerant attribute set to FALSE .
I've tried setting assignmentPolicyEnforcement to FULL for the
resource, it does not work either.<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>