Automate target resource group membership
Usually, users of a certain archetype, such as employees, contractors, etc., are assigned to certain groups by default. In this guide, we do not work with roles much and have users of only one archetype (Person), but all users are in the all-users group in the target LDAP resource. You have already automated username creation and target resource provisioning for new users. It is time now to make sure new users also get assigned to the universal group in which all users are.
What awaits you in this module
To assign new users to a group automatically, you will take these steps:
- Create an AD Group resource object type in the LDAP resource.
  - We call the type AD Group because we use LDAP here intentionally to get as close as possible to the usual scenario where an actual Active Directory (AD) would be your target resource.
- Create an association between the AD Group and LDAP accounts.
- Create an association construction in the Person archetype to grant group membership to users of the Person archetype.
- Reconcile the source HRIS resource accounts so that users get recomputed and all are granted the group membership.
| If you use the Docker images prepared for this guide, most of the settings are already preconfigured. Follow the steps in this module and review the settings to see how group assignment works. |
1. Create object type for user groups
In midPoint, groups of users (or any other identities) are represented by object types of the entitlement kind. When a user is added to a group, it means the account of the user is associated with the entitlement object.
Firstly, you need to create the group entitlement object type in the target system schema handling.
- In Resources > All resources, go to the LDAP target resource.
- In Schema handling, click Add object type.
- Basic information about the object type screen:
  - Display name: e.g., AD Group
  - Kind: Entitlement
  - Intent: e.g., adgroup
  - Default: True
- Specify the resource data screen:
  - Object class: groupOfNames
- Specify the midPoint data screen:
  - Leave unchanged
- Click Save settings.
- Click Back to object types.
| The new object type is in the Active lifecycle state by default. You can leave it at that because you will create the association part of the configuration in the Proposed state, meaning the recurring HRIS import task you have set up earlier will not pick up your new configuration until you activate the association. |
2. Associate LDAP accounts with the group
With the entitlement for the group ready, you need to create an association between the entitlement and user accounts. In short, the association definition tells midPoint the following:
- With what to associate the resource accounts (the group).
- In which direction the association works (object to subject, i.e., the group contains the list of accounts belonging to the group).
- Which entitlement object attribute (i.e., which attribute of the group) holds the list of subjects, i.e., accounts.
- Which subject (i.e., account) attribute to use in the list of subjects belonging to the group; in the case here, it is the distinguished name (dn).
| It is worth noting that when you associate accounts with an entitlement, nothing is written into either the account shadows or their respective focal objects. It is the entitlement resource object that holds the membership information; midPoint pulls this information from the resource whenever needed, and merely caches it if configured to do so. Learn more: Entitlements and Associations |
To add the association:
- In the target resource, go to Accounts.
- Click Configure and select Associations.
- Click Add association.
- Fill in the form fields to define the association:
  - ref: The name of the entitlement object you have created earlier: adGroup
  - Display name: A human-friendly name for the association: e.g., AD Group Membership
  - Kind: Select Entitlement
  - Intent: Select adGroup
  - Direction: In this case, the entitlement object holds a list of members; select Object to subject
  - Association attribute: Which attribute in the entitlement object holds the member list: member
    - This depends on the remote resource attribute naming
  - Value attribute: Which account attribute to store in the association attribute of the entitlement object: dn
    - This depends on the remote resource attribute naming
  - Lifecycle state: Proposed
- Click Save association settings to save your changes.
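As an added illustration (not configuration taken from the guide or its Docker images), this is what steps 1 and 2 look like when written directly in the LDAP resource's schema handling XML. The `ri:` attribute names follow midPoint's LDAP connector; the association name `ri:adGroup`, the intent `adgroup`, and the account object type `inetOrgPerson`/`default` are assumptions for this example.

```xml
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>LDAP</name>
    <!-- connectorRef and connectorConfiguration omitted; only schemaHandling is shown -->
    <schemaHandling>
        <!-- Step 2: the account object type carries the association definition -->
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <delineation>
                <objectClass>ri:inetOrgPerson</objectClass>
            </delineation>
            <!-- attribute mappings omitted -->
            <association>
                <ref>ri:adGroup</ref>
                <displayName>AD Group Membership</displayName>
                <!-- Proposed: the recurring HRIS import ignores it until you
                     switch it to active (step 5) -->
                <lifecycleState>proposed</lifecycleState>
                <kind>entitlement</kind>
                <intent>adgroup</intent>
                <!-- the group object holds the member list, so object -> subject -->
                <direction>objectToSubject</direction>
                <!-- group attribute that lists the members -->
                <associationAttribute>ri:member</associationAttribute>
                <!-- account attribute whose value is stored in that list -->
                <valueAttribute>ri:dn</valueAttribute>
            </association>
        </objectType>
        <!-- Step 1: the entitlement object type for groups -->
        <objectType>
            <displayName>AD Group</displayName>
            <kind>entitlement</kind>
            <intent>adgroup</intent>
            <default>true</default>
            <delineation>
                <objectClass>ri:groupOfNames</objectClass>
            </delineation>
        </objectType>
    </schemaHandling>
</resource>
```

The `lifecycleState` element on the association is what the Proposed setting in the UI form writes; midPoint evaluates a proposed association only in simulations, which is why step 4 can preview the change safely.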
3. Grant all Persons membership in the group
In this guide, we do not use roles; however, it is necessary to have some key to determine which accounts are entitled to the group membership. Normally, user roles would be the key. Here, instead of roles, we can use archetypes for the classification: Only accounts associated with users of the Person archetype are eligible for the group membership.
To achieve this, you need to induce the entitlement in the Person archetype:
- In Archetypes > All archetypes, open the Person archetype for editing.
  - You can filter archetypes by Name.
- In Inducements > Resource, select the Construction Associations tab.
- Click New to add a new association.
- In the modal that appears, select the group entitlement; in our case, cn=all-users,ou=groups,dc=example,dc=com.
  - You may need to click Reload to refresh the list if you do not see the desired entitlement.
- Click Done to save the settings.
- Click Done in the Construction Associations tab to save the settings.
- Click Save in the top toolbar to save the archetype configuration.
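For comparison, this added example (not the guide's own configuration) shows the same inducement in the Person archetype XML. The UI may instead store a direct `shadowRef` to the group shadow; the `associationTargetSearch` form used here locates the group by its `dn` so the inducement survives shadow re-creation. The resource OID is a placeholder, and the association name `ri:adGroup` and account intent `default` are assumed to match the resource definition.

```xml
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
           xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Person</name>
    <!-- other archetype content (archetypePolicy, other inducements) omitted -->
    <inducement>
        <!-- The construction is induced, so every user holding the Person
             archetype gets an LDAP account with this association. -->
        <construction>
            <!-- placeholder: replace with the OID of your LDAP resource -->
            <resourceRef oid="REPLACE-WITH-LDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <!-- must match the association <ref> defined in the resource -->
                <ref>ri:adGroup</ref>
                <outbound>
                    <expression>
                        <!-- find the entitlement shadow for the all-users group -->
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:dn</q:path>
                                    <q:value>cn=all-users,ou=groups,dc=example,dc=com</q:value>
                                </q:equal>
                            </filter>
                            <!-- use the repository shadow if present, query LDAP otherwise -->
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</archetype>
```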
4. Verify your configuration
To test the new configuration, you need to reconcile the accounts. You can either reconcile the source HRIS accounts or the target LDAP ones; the simulation results will be the same regardless, because the induced entitlement comes from the Person archetype, which is "above" the resources. We suggest simulating on the HRIS, though, because it is the HRIS resource from which you import users to midPoint.
Firstly, run an import preview for a single user with empnum 90XX (those are the new users you have added to HRIS when testing the target system provisioning).
Secondly, after you inspect the results and verify they are as expected, run a simulated import task on HRIS. You have one ready for use there from the time when you imported users to midPoint.
When the import simulation task finishes, review its results: You should see only the new accounts you have added earlier changed, and the change should only be the addition of entitlement on the LDAP resource object.
5. Put the configuration to production
Once you verify the group is assigned to the new 90XX users and nothing else changes (as it should not), you can put the configuration to production and wait for the recurring HRIS import task on production to pick up the users without the all-users group membership and assign them to the group.
To put the configuration to production, trace back your steps and make sure every new piece you have added is in the Production lifecycle state:
- The new LDAP resource object type for entitlements.
  - Go to the LDAP resource > Schema handling and ensure the AD Group entitlement is active.
- The association between the entitlement and user accounts.
  - In the LDAP resource > Accounts > Configure > Associations, ensure the association is active.
- The construction association in the Person archetype resource inducement.
  - You do not need to do anything here because the archetype is already active and the association construction does not have its own lifecycle.
Once all is active, wait for the recurring HRIS import task to pick up the accounts and process them. After it finishes, you can verify the results in two places:
- In the LDAP target resource user interface.
  - If you are using the Docker images prepared for this guide, it is accessible under http://localhost/phpldapadmin.
  Figure 5. The all-users group member list in the LDAP user interface. The new users are shown at the bottom.
- In Users > Persons, where you open one of the new users for inspection, go to Projections, select the LDAP projection, and look into the Associations section.
  Figure 6. The projections screen in Luise Callahan's user profile in midPoint showing the user is a member of the all-users group on LDAP.
Next steps
Now that you have a complete target resource provisioning configuration, it is time to think about consistency management. In the beginning, you decided which resource to use as the single source of truth (SSoT). In the case of this guide, it is the HRIS resource. That means data on all resources should be consistent with what is in the HRIS resource. The next steps are then to enforce the consistency so that target systems contain the same information as the source system.
| When you are through the basics… Should you want to pursue more complex group membership configurations, take the MidPoint Deployment: Group Synchronization group after you finish this First steps guide. |