There are quite some problems that can happen if external groups (or better external roles, AEM groups that have externalId set) are used to build up other roles. Problems are
If a role is open for adding member on AEM side, then roles show up in the members list
IMS uses dynamic groups that can lead to javax.jcr.nodetype.ConstraintViolationException: OakConstraint0077
Therefore it should be validated that groups with externalId set are not used in isMemberOf clauses - if a configuration contains such a setup, an error should be thrown.
There are quite some problems that can happen if external groups (or better external roles, AEM groups that have
externalIdset) are used to build up other roles. Problems arejavax.jcr.nodetype.ConstraintViolationException: OakConstraint0077Therefore it should be validated that groups with
externalIdset are not used inisMemberOfclauses - if a configuration contains such a setup, an error should be thrown.