<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><div data-html-editor-font-wrapper="true" style="font-family: arial, sans-serif; font-size: 13px;">Hi Frédéric,<br><br>
I had the same issue. What fixed it for me was adding &lt;assignmentPathIndex&gt;1&lt;/assignmentPathIndex&gt;<br><br>
This is our associationFromLink:<br>
<pre>&lt;associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                     xsi:type="c:AssociationFromLinkExpressionEvaluatorType"&gt;
    &lt;projectionDiscriminator xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="c:ShadowDiscriminatorType"&gt;
        &lt;kind&gt;entitlement&lt;/kind&gt;
        &lt;intent&gt;Group&lt;/intent&gt;
    &lt;/projectionDiscriminator&gt;
    &lt;assignmentPathIndex&gt;1&lt;/assignmentPathIndex&gt;
&lt;/associationFromLink&gt;
</pre>
<br>Before that I had exactly the same behaviour that you are describing.<br><br>Regards,<br>Chris<br><br><br>
June 17, 2020 6:57 PM, "Frédéric Lohier" &lt;<a target="_blank" tabindex="-1" href="mailto:%22Fr%C3%A9d%C3%A9ric%20Lohier%22%20<frederic@lohier.org>">frederic@lohier.org</a>&gt; wrote:<br>
<blockquote><div><div><div dir="auto"><div style="font-family: sans-serif;font-size: 12.8px" dir="auto"> <div style="width: 380.19px;margin: 16px 0px">
<p>Hello,</p>
<p>I am trying to set up the outbound synchronization of users and roles and their association from Midpoint to an openLDAP.</p>
<p>Everything is working except for the association between account shadows and entitlements that is working only under a strange condition: the meta-role “LDAP Role” inducing the construction of the account and the association of the entitlement to the account has to be DIRECTLY assigned to the midpoint roles I want to synchronize to the LDAP.</p>
<p>If I INDIRECTLY assign this meta-role through an Archetype, I can see the indirect assignment in the role assignment tab, but when I reconcile a
user assigned to a role with this (indirect) meta-role, the association between the account and entitlement is removed and the account is removed from the group in the LDAP. The account and the group are still on the LDAP and properly synced.</p>
<p>Any idea why my meta-role works OK when directly assigned and not when indirectly assigned?</p>
<p>Below is a simplified version of my meta-role and archetype:</p>
<p>&lt;role oid="001"&gt;</p>
<p>&lt;name&gt;LDAP group meta-role&lt;/name&gt;</p>
<p>&lt;inducement&gt;</p>
<p>&lt;construction&gt;</p>
<p>&lt;resourceRef oid="000-000-0000-0000" relation="org:default" type="c:ResourceType"&gt;</p>
<p>&lt;/resourceRef&gt;</p>
<p>&lt;kind&gt;entitlement&lt;/kind&gt;</p>
<p>&lt;intent&gt;group&lt;/intent&gt;</p>
<p>&lt;/construction&gt;</p>
<p>&lt;order&gt;1&lt;/order&gt;</p>
<p>&lt;/inducement&gt;</p>
<p>&lt;inducement&gt;</p>
<p>&lt;construction&gt;</p>
<p>&lt;resourceRef oid="000-000-0000-0000" relation="org:default" type="c:ResourceType"&gt;</p>
<p>&lt;/resourceRef&gt;</p>
<p>&lt;kind&gt;account&lt;/kind&gt;</p>
<p>&lt;intent&gt;default&lt;/intent&gt;</p>
<p>&lt;association&gt;</p>
<p>&lt;ref&gt;ri:group&lt;/ref&gt;</p>
<p>&lt;outbound&gt;</p>
<p>&lt;expression&gt;</p>
<p>&lt;associationFromLink&gt;</p>
<p>&lt;projectionDiscriminator&gt;</p>
<p>&lt;kind&gt;entitlement&lt;/kind&gt;</p>
<p>&lt;intent&gt;group&lt;/intent&gt;</p>
<p>&lt;/projectionDiscriminator&gt;</p>
<p>&lt;/associationFromLink&gt;</p>
<p>&lt;/expression&gt;</p>
<p>&lt;strength&gt;strong&lt;/strength&gt;</p>
<p>&lt;/outbound&gt;</p>
<p>&lt;/association&gt;</p>
<p>&lt;/construction&gt;</p>
<p>&lt;order&gt;2&lt;/order&gt;</p>
<p>&lt;/inducement&gt;</p>
<p>&lt;requestable&gt;false&lt;/requestable&gt;</p>
<p>&lt;/role&gt;</p>
<p>&lt;archetype&gt;</p>
<p>&lt;name&gt;Group&lt;/name&gt;</p>
<p>&lt;assignment&gt;</p>
<p>&lt;activation&gt;</p>
<p>&lt;effectiveStatus&gt;enabled&lt;/effectiveStatus&gt;</p>
<p>&lt;/activation&gt;</p>
<p>&lt;assignmentRelation&gt;</p>
<p>&lt;holderType&gt;RoleType&lt;/holderType&gt;</p>
<p>&lt;/assignmentRelation&gt;</p>
<p>&lt;/assignment&gt;</p>
<p>&lt;inducement&gt;</p>
<p>&lt;description&gt;Induction of the “LDAP group meta-role” role to all role assigned to this archetype&lt;/description&gt;</p>
<p>&lt;targetRef oid="001" relation="default" type="RoleType"/&gt;</p>
<p>&lt;/inducement&gt;</p>
<p>&lt;iteration&gt;0&lt;/iteration&gt;</p>
<p>&lt;iterationToken/&gt;</p>
<p>&lt;activation&gt;</p>
<p>&lt;effectiveStatus&gt;enabled&lt;/effectiveStatus&gt;</p>
<p>&lt;/activation&gt;</p>
<p>&lt;archetypePolicy&gt;</p>
<p>&lt;display&gt;</p>
<p>&lt;label&gt;Group&lt;/label&gt;</p>
<p>&lt;pluralLabel&gt;Groups&lt;/pluralLabel&gt;</p>
<p>&lt;color&gt;#4a148c&lt;/color&gt;</p>
<p>&lt;icon&gt;</p>
<p>&lt;cssClass&gt;fe fe-role_icon&lt;/cssClass&gt;</p>
<p>&lt;color&gt;#4a148c&lt;/color&gt;</p>
<p>&lt;/icon&gt;</p>
<p>&lt;/display&gt;</p>
<p>&lt;/archetypePolicy&gt;</p>
<p>&lt;/archetype&gt;</p>
</div> </div></div></div></div></blockquote> <br> </div></body></html>