<div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, 8 Sept 2025 at 16:03, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi again,<div>After some debugging, here is what became clear to me:</div><div><br><div>When we create an outbound provisioning rule for an association in the UI, midPoint creates an XML construct with an expression based on AssociationConstructionExpressionEvaluatorType. Visually this results in associationConstruction as the expression type. AssociationConstructionExpressionEvaluator always uses roles as a source for the association. It checks the eligibility of roles, so only application roles with an appropriate projection in place are allowed as a source. This means that it is impossible to create an outbound provision rule in the UI to link an arbitrary group of the appropriate entitlement object type with the account projection. At least for 4.9.4.</div><div><br></div><div>We can still define another type of evaluation using assignmentTargetSearch instead of associationConstruction, but only directly in XML code. This way breaks the resource UI view - we can't enter the resource page in the UI. This completely blocks further resource development with the resource UI. Also, in this case AssociationTargetSearchExpressionEvaluator is used instead of ReferenceAttributeTargetSearchExpressionEvaluator, which is considered in the context of the reference attribute (new associationType). 
</div><div><br></div><div>Probably Radovan Semancik could provide some comments and plans on this part as he is a developer of these evaluators.</div><div><br><br></div><div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 2 Sept 2025 at 14:20, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Thank you, Wim,</div>My case is a bit different. As I understand, <span style="font-family:Verdana,sans-serif;font-size:13.3333px"><associationFromLink/> supposes a role-like object with a group projection. This works fine where I need it.</span><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">My task is how to add an AD account of a specific object type to a specific AD group without involving any roles. All appropriate accounts must have this specific group if they are listed under user projections (accounts imported and linked to the user). I have an appropriate group object type as well as the association type I mentioned in the 2nd post. Earlier I was able to implement this in the old-style <association> as presented at the beginning of my 1st post. </span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">Actually I can implement the required behavior but my implementation breaks the UI - I can't enter the resource page after uploading the resource XML. 
The reconciliation task works fine for me.<br></span><br></div><div><associationType><br> <name>computer-app</name><br> <subject><br> <objectType><br> <kind>account</kind><br> <intent>computer</intent><br> </objectType><br> <association><br> <ref>ri:computer-app</ref><br> <sourceAttributeRef>ri:group</sourceAttributeRef><br> <outbound><br> <name>computer-app</name><br> <expression><br> <associationTargetSearch><br> <filter><br> <q:equal><br> <q:path>attributes/ri:cn</q:path><br> <q:value>all_computers</q:value><br> </q:equal><br> </filter><br> <searchStrategy>onResourceIfNeeded</searchStrategy><br> </associationTargetSearch><br> </expression><br> </outbound><br> <tolerant>false</tolerant><br> </association><br> </subject><br> <object><br> <objectType><br> <kind>entitlement</kind><br> <intent>computer-app</intent><br> </objectType><br> </object><br></associationType><br><span style="font-family:Verdana,sans-serif;font-size:13.3333px"><br>Each evaluation of this association results in the required membership. Even the documentation for Entitlements and Associations proposes to use associationTargetSearch as an alternative to </span><span style="font-family:Verdana,sans-serif;font-size:13.3333px">associationFromLink, see </span><a href="https://docs.evolveum.com/midpoint/reference/support-4.9/resources/entitlements/#outbound-mappings" target="_blank">https://docs.evolveum.com/midpoint/reference/support-4.9/resources/entitlements/#outbound-mappings</a>. Also, I can find this approach in samples and tests.</div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">With the implementation above I get a 500 "</span>com.evolveum.midpoint.gui.impl.factory.wrapper.resourceAssociation.AssociationMappingExpressionWrapperFactory.getEvaluator(com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType)" is null<span style="font-family:Verdana,sans-serif;font-size:13.3333px">". 
It probably makes sense because </span><span style="font-family:Verdana,sans-serif;font-size:13.3333px">associationTargetSearch</span><span style="font-family:Verdana,sans-serif;font-size:13.3333px"> is not among options provided by provisioning outbound mapping in UI for association definition.</span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px"><br></span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">So, there are actual questions for now:<br>- Is my implementation with </span><span style="font-family:Verdana,sans-serif;font-size:13.3333px">associationTargetSearch</span><span style="font-family:Verdana,sans-serif;font-size:13.3333px"> </span><span style="font-family:Verdana,sans-serif;font-size:13.3333px">correct?</span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">- If yes, what about UI? How to fix it? Is it a bug? </span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">- If not, what is the right way to implement my requirement without breaking the UI?</span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px"><br></span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">Thanks,</span></div><div><span style="font-family:Verdana,sans-serif;font-size:13.3333px">Yakov</span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 2 Sept 2025 at 12:10, Wim Beck <<a href="mailto:Wim.Beck@is4u.be" target="_blank">Wim.Beck@is4u.be</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="en-BE">
<div>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif">Hi Yakov,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif">The following configuration works for me (validated on
</span><span style="font-size:10pt;font-family:Verdana,sans-serif">AdLdapConnector v3.8 and upwards):</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif">In the AD config options, define the correct object classes and use the managed association pairs:</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><connectorConfiguration><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <icfc:configurationProperties><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> [...]<u></u><u></u></span></p>
<p class="MsoNormal" style="text-indent:36pt"><span style="font-size:10pt;font-family:Verdana,sans-serif"><cfc:managedAssociationPairs>"user"+memberOf -# "group"+member</cfc:managedAssociationPairs><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <cfc:managedAssociationPairs>"group"+memberOf -# "group"+member</cfc:managedAssociationPairs><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <cfc:attributesNotReturnedByDefault>member</cfc:attributesNotReturnedByDefault><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <cfc:userObjectClass>user</cfc:userObjectClass><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <cfc:groupObjectClass>group</cfc:groupObjectClass><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <cfc:groupObjectMemberAttribute>member</cfc:groupObjectMemberAttribute><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </icfc:configurationProperties><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"></connectorConfiguration><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif">Define the object type(s) you need. The association type handles the rest. The sample below handles the user/group relation. You can define a similar association
between other kind/intent objects in a similar way.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><associationType id="273"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <name>Account-Group</name><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <subject><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <objectType id="274"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <kind>account</kind><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <intent>Account</intent><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </objectType><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <association><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <ref>ri:group</ref><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <sourceAttributeRef>ri:group</sourceAttributeRef><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <outbound id="289"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <name>account-mapping</name><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <strength>strong</strength><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <expression><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <associationConstruction xsi:type="c:AssociationConstructionExpressionEvaluatorType"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <objectRef id="291"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <ref>ri:group</ref><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <mapping id="292"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <name>membership</name><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <strength>strong</strength><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <expression><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <associationFromLink/><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </expression><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </mapping><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </objectRef><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </associationConstruction><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </expression><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </outbound><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </association><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </subject><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <object id="284"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <objectType id="285"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <kind>entitlement</kind><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> <intent>Group</intent><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </objectType><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"> </object><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"></associationType><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Verdana,sans-serif">Hope this helps!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif">Kind regards,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-right:0cm;margin-bottom:3.75pt;margin-left:0cm">
<b><span lang="en-BE" style="font-size:11pt;font-family:"Courier New";color:rgb(21,34,123)">Wim Beck |
</span></b><span lang="en-BE" style="font-size:11pt;font-family:"Courier New";color:rgb(119,119,119)">Identity Expert @
</span><b><span lang="en-BE" style="font-size:11pt;font-family:"Courier New";color:rgb(21,34,123)">IS4U</span></b><span lang="en-BE"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif"> midPoint <<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Yakov Revyakin via midPoint<br>
<b>Sent:</b> Friday, 29 August 2025 10:24<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Cc:</b> Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>><br>
<b>Subject:</b> Re: [midPoint] direct outbound group association on resource level<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">My associationType<br>
<associationType><br>
<name>computer-app</name><br>
<subject><br>
<objectType><br>
<kind>account</kind><br>
<intent>computer</intent><br>
</objectType><br>
<association><br>
<ref>ri:computer-app</ref><br>
<sourceAttributeRef>ri:group</sourceAttributeRef><br>
<tolerant>false</tolerant><br>
</association><br>
</subject><br>
<object><br>
<objectType><br>
<kind>entitlement</kind><br>
<intent>computer-app</intent><br>
</objectType><br>
</object><br>
</associationType><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, 29 Aug 2025 at 11:20, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">Hi everyone,<br>
I'm trying to migrate my AD resource using the 4.9 associationType concept.</p>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">For now I can't understand how to migrate the following part:<br>
An account objectType includes a static group association which looks like:</p>
</div>
<p class="MsoNormal"><association><br>
<ref>ri:group</ref><br>
<tolerant>false</tolerant><br>
<kind>entitlement</kind><br>
<intent>computer-app</intent><br>
<outbound><br>
<expression><br>
<associationTargetSearch><br>
<filter><br>
<q:equal><br>
<q:path>attributes/ri:cn</q:path><br>
<q:value>all_computers</q:value><br>
</q:equal><br>
</filter><br>
<searchStrategy>onResourceIfNeeded</searchStrategy><br>
</associationTargetSearch><br>
</expression><br>
</outbound><br>
....<br>
</association><u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">This association results in the association of this specific group with an AD account if it appears under the user's projections. There are no roles, assignments, or inducements to get this kind of association. This account can be imported and
linked only. The create capability for it is denied.<br>
<br>
It is not clear how to make this kind of association with the new 4.9 association types. I defined the appropriate associationType but I can't see how to create this association without involving the assignment/inducement approach.</p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">If someone has an idea or experience please help.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">Yakov</p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div></blockquote></div>
</blockquote></div>
</blockquote></div>
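<p>The evaluator choice discussed in this thread can be checked before a resource XML is uploaded. The following is an added example, not code from the thread or from midPoint: it lists the top-level evaluator of every association outbound mapping, marks anything other than associationConstruction (the only one the thread reports the 4.9.4 resource UI as producing), and collects literal filter values, which are the groups granted without any role. The wrapper element, the namespace declarations and the names audit, UI_EDITABLE, local and descendants are assumptions of the example.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample: the associationType from the thread, wrapped in a minimal
# <resource> root with namespace declarations so that it parses on its own.
SAMPLE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
 <schemaHandling><associationType>
  <name>computer-app</name>
  <subject>
   <objectType><kind>account</kind><intent>computer</intent></objectType>
   <association>
    <ref>ri:computer-app</ref><sourceAttributeRef>ri:group</sourceAttributeRef>
    <outbound>
     <name>computer-app</name>
     <expression><associationTargetSearch>
      <filter><q:equal>
       <q:path>attributes/ri:cn</q:path><q:value>all_computers</q:value>
      </q:equal></filter>
      <searchStrategy>onResourceIfNeeded</searchStrategy>
     </associationTargetSearch></expression>
    </outbound>
    <tolerant>false</tolerant>
   </association>
  </subject>
 </associationType></schemaHandling>
</resource>"""

# Assumption taken from the thread (reported for 4.9.4): the resource UI writes
# associationConstruction and fails on other evaluators in this position.
UI_EDITABLE = {"associationConstruction"}

def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]

def descendants(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def audit(xml_text):
    """One finding per top-level evaluator of each association outbound mapping."""
    findings = []
    for at in descendants(ET.fromstring(xml_text), "associationType"):
        at_name = next((c.text for c in at if local(c.tag) == "name"), None)
        for outbound in descendants(at, "outbound"):
            # Only the mapping's own <expression>; nested ones are not top-level.
            for expr in (c for c in outbound if local(c.tag) == "expression"):
                for ev in expr:
                    findings.append({
                        "associationType": at_name,
                        "evaluator": local(ev.tag),
                        "ui_editable": local(ev.tag) in UI_EDITABLE,
                        # literal filter values = groups granted without a role
                        "static_targets": [v.text for v in descendants(ev, "value")],
                    })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```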