<div dir="ltr">As I understood there is no chance to add association via weak construction. We can modify plain attributes using this type of construction but it doesn't cover associations. Even association mapping is strong. We even can't see an indirect resource assignment among assignments. <div>This is a bit strange. </div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 24 Feb 2023 at 08:56, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">I use mp4.4.3<div>I have metarole-role assign/revoke working for AD user accounts. I have no any specific logic in group object definition <br><div>I also checked my case with outbound mapping for associations set to strong. Nothing happens.</div><div>Some posts ago I could see that weak construction with associations working for someone - "LDAP Role not unassigned when validTo is reached". He used mp4.6. Can it be the cause?</div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 23 Feb 2023 at 23:12, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi again,<div>I'm trying to apply weak construction described here</div><div><a href="https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions" target="_blank">https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions</a></div><div>for AD computer objects. </div><div>I simply sync existing computer objects linking them with a user and after that apply some policies on them. The solution must work only with existing objects. So, computer creation/deletion is forbidden.</div><div><br></div><div>The first policy is to control a computer's DN - this works fine.</div><div>The second is to add the computer to a group applying role+metarole to a user who owns this computer.</div><div><br></div><div>I'm not sure how to arrange this. I write a weak construction with association but I can't see any influence on computer membership. Could you help to complete this task?</div><div><br></div><div>My meta-role computer's groups:<br><pre style="background-color:rgb(43,43,43);color:rgb(169,183,198);font-family:"JetBrains Mono",monospace;font-size:9.8pt"><span style="color:rgb(232,191,106)"><role><br></span><span style="color:rgb(232,191,106)"> <name></span>Meta IT Computer<span style="color:rgb(232,191,106)"></name><br></span><span style="color:rgb(232,191,106)"> <costCenter></span>managed<span style="color:rgb(232,191,106)"></costCenter><br></span><span style="color:rgb(232,191,106)"> <inducement><br></span><span style="color:rgb(232,191,106)"> <construction><br></span><span style="color:rgb(232,191,106)"> <strength></span>weak<span style="color:rgb(232,191,106)"></strength><br></span><span style="color:rgb(232,191,106)"> <resourceRef </span><span style="color:rgb(186,186,186)">oid</span><span style="color:rgb(106,135,89)">="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" </span><span style="color:rgb(186,186,186)">relation</span><span style="color:rgb(106,135,89)">="org:default" </span><span style="color:rgb(186,186,186)">type</span><span style="color:rgb(106,135,89)">="c:ResourceType"</span><span style="color:rgb(232,191,106)">/><br></span><span style="color:rgb(232,191,106)"> <kind></span>account<span style="color:rgb(232,191,106)"></kind><br></span><span style="color:rgb(232,191,106)"> <intent></span>computer<span style="color:rgb(232,191,106)"></intent><br></span><span style="color:rgb(232,191,106)"> <association><br></span><span style="color:rgb(232,191,106)"> <ref></span>ri:group<span style="color:rgb(232,191,106)"></ref><br></span><span style="color:rgb(232,191,106)"> <outbound><br></span><span style="color:rgb(232,191,106)"> <authoritative></span>true<span style="color:rgb(232,191,106)"></authoritative><br></span><span style="color:rgb(232,191,106)"> <expression><br></span><span style="color:rgb(232,191,106)"> <associationFromLink><br></span><span style="color:rgb(232,191,106)"> <projectionDiscriminator </span><span style="color:rgb(152,118,170)">xsi</span><span style="color:rgb(186,186,186)">:type</span><span style="color:rgb(106,135,89)">="c:ShadowDiscriminatorType"</span><span style="color:rgb(232,191,106)">><br></span><span style="color:rgb(232,191,106)"> <kind></span>entitlement<span style="color:rgb(232,191,106)"></kind><br></span><span style="color:rgb(232,191,106)"> <intent></span>group<span style="color:rgb(232,191,106)"></intent><br></span><span style="color:rgb(232,191,106)"> </projectionDiscriminator><br></span><span style="color:rgb(232,191,106)"> </associationFromLink><br></span><span style="color:rgb(232,191,106)"> </expression><br></span><span style="color:rgb(232,191,106)"> </outbound><br></span><span style="color:rgb(232,191,106)"> </association><br></span><span style="color:rgb(232,191,106)"> </construction><br></span><span style="color:rgb(232,191,106)"> <order></span>2<span style="color:rgb(232,191,106)"></order><br></span><span style="color:rgb(232,191,106)"> <focusType></span>UserType<span style="color:rgb(232,191,106)"></focusType><br></span><span style="color:rgb(232,191,106)"> </inducement><br></span><span style="color:rgb(232,191,106)"></role><br></span></pre><div><br></div></div></div>
</blockquote></div></div>
</blockquote></div>