<div dir="ltr"><div>Thanks Ivan, that was it. I didn't notice I could set strength in the association mapping.</div><div>I have a weak construction with a strong mapping, that's a bit crazy, but it works. :)</div><div><br></div>My metarole is thus:<br><br><inducement id="1"><br>      <description>Group construction</description><br>      <construction><br>         <resourceRef oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"<br>                      relation="org:default"<br>                      type="c:ResourceType"><!-- AD --></resourceRef><br>         <kind>entitlement</kind><br>         <intent>org-group</intent><br>      </construction><br>   </inducement><br>   <inducement id="2"><br>      <description>Add users to group</description><br>      <construction><br>         <strength>weak</strength><br>         <resourceRef oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"<br>                      relation="org:default"<br>                      type="c:ResourceType"><!-- AD --></resourceRef><br>         <kind>account</kind><br>         <intent>default</intent><br>         <association><br>            <c:ref>ri:group</c:ref><br>            <tolerant>false</tolerant><br>            <outbound><br>              <b> <strength>strong</strength></b><br>               <expression><br>                  <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>                                       xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br>                     <projectionDiscriminator><br>                        <kind>entitlement</kind><br>                        <intent>org-group</intent><br>                     </projectionDiscriminator><br>                  </associationFromLink><br>               </expression><br>            </outbound><br>         </association><br>      </construction><br>      <order>2</order><br>      <condition><br>         <expression><br>            <script 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>                    xsi:type="c:ScriptExpressionEvaluatorType"><br>               <code>focus.getClass() == com.evolveum.midpoint.xml.ns._public.common.common_3.UserType.class &amp;&amp; (focus.getEmployeeType().contains("TYPE1") || focus.getEmployeeType().contains("TYPE2"))</code><br>            </script><br>         </expression><br>      </condition><br>   </inducement><br></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-25 6:29 GMT-02:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hi,</p>
    <p>can you share the role (in your case probably the metarole)? I
      think you might be missing strong in the outbound mapping for
      association for order=2 mapping.</p>
    <p>Ivan<br>
    </p><div><div class="h5">
    <br>
    <div class="m_9040067883390274738moz-cite-prefix">On 24.01.2018 23:08, Alcides Carlos de
      Moraes Neto wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">
        <div>
          <div>
            <div>Hello list,<br>
              <br>
            </div>
            I have an OrgType -> AD Group projection, with
            construction and entitlement association all done in a
            single Meta Role. This works, the groups are created and the
            Org Members are added to the group.<br>
            <br>
          </div>
          However, if the AD user account already is a member of any
          other group, it's not added to the Org AD Group. And if I
          remove a user account from the AD group from within Windows
          Server, midPoint does not create the association again. It's
          behaving like a weak mapping.<br>
        </div>
        How do I make midPoint enforce the group membership? The
        association definition has tolerant attribute set to FALSE.
        I've tried setting assignmentPolicyEnforcement to FULL for the
        resource, it does not work either.<br>
      </div>
      <br>
      <br>
      </div></div><pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_9040067883390274738moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_9040067883390274738moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><span class="HOEnZb"><font color="#888888">
</font></span></pre><span class="HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="HOEnZb"><font color="#888888">
    <br>
    <pre class="m_9040067883390274738moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>

<br></blockquote></div><br></div>
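<p>Added example, not part of the original thread and not midPoint's own code: a small Python check that lists association outbound mappings in a role export whose strength is not strong, the setting the thread identifies as the fix. The sample XML is constructed and simplified (namespace prefixes dropped so it parses stand-alone), the function names are hypothetical, and a missing &lt;strength&gt; is reported as normal, midPoint's default mapping strength.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the metarole in this thread: inducement 2 is
# the state before the fix (no <strength> in <outbound>), inducement 3 after it.
SAMPLE = """<role>
  <inducement id="2">
    <construction>
      <strength>weak</strength>
      <association>
        <ref>ri:group</ref>
        <tolerant>false</tolerant>
        <outbound><expression/></outbound>
      </association>
    </construction>
  </inducement>
  <inducement id="3">
    <construction>
      <strength>weak</strength>
      <association>
        <ref>ri:group</ref>
        <tolerant>false</tolerant>
        <outbound><strength>strong</strength><expression/></outbound>
      </association>
    </construction>
  </inducement>
</role>"""

def local(el):
    """Tag name without a {namespace} part, so namespaced exports match too."""
    return el.tag.rsplit("}", 1)[-1]

def child_text(parent, name, default=None):
    """Text of the first direct child called `name`, or `default` if absent."""
    for child in parent:
        if local(child) == name:
            return (child.text or "").strip()
    return default

def non_strong_associations(xml_text):
    """Return (inducement id, association ref, strength) for every association
    outbound mapping whose strength is not 'strong'."""
    findings = []
    root = ET.fromstring(xml_text)
    for ind in (e for e in root.iter() if local(e) == "inducement"):
        for assoc in (e for e in ind.iter() if local(e) == "association"):
            for out in (e for e in assoc if local(e) == "outbound"):
                # The construction's own <strength> is a separate setting.
                strength = child_text(out, "strength", "normal")
                if strength != "strong":
                    findings.append((ind.get("id"), child_text(assoc, "ref"), strength))
    return findings
```

<p>Calling non_strong_associations(SAMPLE) flags only inducement 2; the weak construction strength on inducement 3 does not affect the result because the check reads the mapping inside &lt;outbound&gt;.</p>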