<div dir="ltr">In 4.9 associationType covers this case.</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, 27 Oct 2025 at 16:43, mikhail.nikolaenko via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p>Hello dear Community,</p><p>Before digging into the problem, I’d like to ask if this is a known issue for anyone — maybe I just missed an important point. I am using version <strong>4.8.9</strong>.</p><p>I have configured an <strong>AD Resource</strong> with two object schema handlings — one for <strong>AD Account</strong> and another for <strong>AD Group</strong>.<br>
In general, it works fine: I can reconcile all objects from AD into midPoint, and any changes from midPoint are properly provisioned into AD, including group memberships.</p><p>However, the problem occurs as soon as I try to assign a role (AD Group) as a member of another role (AD Group). In this case, midPoint tries to change the archetype of the parent role from <em>group</em> to <em>account</em>.</p><p>I believe the issue might be in the metarole configuration I’m using to handle associations:</p><pre><code><inducement id="3">
    <construction>
        <resourceRef oid="918a9e79-b62a-4140-bafa-4389b301e9e8" relation="org:default" type="c:ResourceType">
            <!-- AD -->
        </resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association id="4">
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>
</code></pre><p>Here I clearly define <strong>account-to-group</strong>.<br>
But how can I also define the possibility for <strong>group-to-group</strong> (i.e., a group being a member of another group)?</p><p>I checked the samples and even found <em>role-role-metarole.xml</em>, but I still couldn’t understand how to allow both <strong>account-to-group</strong> and <strong>group-to-group</strong> relationships.</p><p style="font-family:Arial,sans-serif;font-size:14px;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br></p><p style="font-family:Arial,sans-serif;font-size:14px;color:rgb(0,0,0);background-color:rgb(255,255,255)">With best regards,</p><p style="font-family:Arial,sans-serif;font-size:14px;color:rgb(0,0,0);background-color:rgb(255,255,255)">Mike</p>
</blockquote></div>