<div dir="ltr">In the archetype assigned to the top org I have inducements of 2 resources. They work fine when a new user comes to or goes from suborgs.<br><br><div>    <inducement><br>        <construction><br>            <!--Google--><br>            <resourceRef oid="ca9a521f-16c1-4662-8f6f-0d6b01308a93" relation="org:default" type="c:ResourceType"/><br>            <kind>account</kind><br>            <intent>default</intent><br>        </construction><br>        <order>3</order<br>        <focusType>UserType</focusType><br>    </inducement><br><br>    <inducement><br>        <construction><br>            <!--Keycloak--><br>            <resourceRef oid="20299cc9-9cf6-47e0-ba45-66e9ede06ee3" relation="org:default" type="c:ResourceType"/><br>            <kind>account</kind><br>            <intent>default</intent><br>            <association><br>                <ref>ri:group</ref><br>                <outbound><br>                    <expression><br>                        <associationFromLink><br>                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType"><br>                                <kind>entitlement</kind><br>                                <intent>organization</intent><br>                            </projectionDiscriminator><br>                        </associationFromLink><br>                    </expression><br>                </outbound><br>            </association><br>        </construction><br>        <order>3</order<br>        <focusType>UserType</focusType><br>    </inducement><br><br></div><div>Before importing existing accounts I change assignmentPolicyEnforcement from full to none. </div><div>1) Importing Google accounts with import task doesn't demonstrate the change in assignmentPolicyEnforcement. Midpoint tries to create a new account and modify existing. Discovery works but this is not what I expect. I'd like to see simply only existing accounts linked. </div><div>2) I can see that with Keycloak assignmentPolicyEnforcement=none works as expected - Midpoint doesn't create new Keycloak accounts. But, if, for example, during Google import a user already has a Keycloak account with a group association Midpoint deletes existing group associations. </div><div><br></div><div>Strange behavior. Any ideas? </div><div>MP4.4.3 <br></div><div><br></div><div>Yakov</div><div><br></div><div><br></div></div>