From 919688d06e142a9658adf3aa152dc768843351a0 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 25 Apr 2024 16:52:54 +0200
Subject: [PATCH] Optionally create/update managed groups in Adobe IMS

This leverages the UMAPI

This closes #698
---
 .github/workflows/maven.yml                   |   9 +
 accesscontroltool-bundle/bnd.bnd              |   4 +-
 accesscontroltool-bundle/pom.xml              |  18 +-
 .../AuthorizableInstallerServiceImpl.java     |  23 +-
 .../ExternalGroupInstallerServiceImpl.java    |   2 +-
 .../configmodel/AuthorizableConfigBean.java   |  19 +-
 .../actool/configreader/YamlConfigReader.java |   4 +
 .../ExternalGroupManagement.java              |  19 ++
 .../ims/IMSUserManagement.java                | 228 ++++++++++++++++++
 .../ims/request/ActionCommand.java            |  20 ++
 .../ims/request/CreateGroupStep.java          |  17 ++
 .../ims/request/Step.java                     |  14 ++
 .../ims/request/UserGroupActionCommand.java   |  13 +
 .../ims/response/AccessToken.java             |  15 ++
 .../ims/response/ActionCommandError.java      |  21 ++
 .../ims/response/ActionCommandIssue.java      |  25 ++
 .../ims/response/ActionCommandResponse.java   |  26 ++
 .../ims/response/ActionCommandWarning.java    |  21 ++
 .../ims/IMSUserManagementIT.java              |  58 +++++
 docs/AdvancedFeatures.md                      |  12 +-
 docs/Configuration.md                         |   5 +-
 .../maximum-environment/maximum-aem.bndrun    |   1 +
 .../minimum-environment/minimum-aem.bndrun    |   1 +
 23 files changed, 565 insertions(+), 10 deletions(-)
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ExternalGroupManagement.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagement.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/ActionCommand.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/CreateGroupStep.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/Step.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/UserGroupActionCommand.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/AccessToken.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandError.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandIssue.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandResponse.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandWarning.java
 create mode 100644 accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagementIT.java

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 2e1695221..682bb09d4 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -45,6 +45,11 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           # Needed to get some information about the pull request, if any
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Necessary for IMS IT
+          ACTOOL_IMS_IT_ORGANIZATIONID: ${{ env.ACTOOL_IMS_IT_ORGANIZATIONID }}
+          ACTOOL_IMS_IT_CLIENTID: {{ env.ACTOOL_IMS_IT_CLIENTID }}
+          ACTOOL_IMS_IT_CLIENTSECRET: ${{ secrets.ACTOOL_IMS_IT_CLIENTSECRET }}
+          
         run: mvn -e -B -V clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=Netcentric_accesscontroltool -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -DnvdApiKeyEnvironmentVariable=NVD_API_KEY -Pdependency-check,coverage-report,integration-tests
 
       - name: Build, Analyse and Deploy with Maven
@@ -58,4 +63,8 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           # Needed to get some information about the pull request, if any
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Necessary for IMS IT
+          ACTOOL_IMS_IT_ORGANIZATIONID: ${{ env.ACTOOL_IMS_IT_ORGANIZATIONID }}
+          ACTOOL_IMS_IT_CLIENTID: {{ env.ACTOOL_IMS_IT_CLIENTID }}
+          ACTOOL_IMS_IT_CLIENTSECRET: ${{ secrets.ACTOOL_IMS_IT_CLIENTSECRET }}
         run: mvn -e -B -V clean deploy org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=Netcentric_accesscontroltool -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -DnvdApiKeyEnvironmentVariable=NVD_API_KEY -Pdependency-check,coverage-report,integration-tests
diff --git a/accesscontroltool-bundle/bnd.bnd b/accesscontroltool-bundle/bnd.bnd
index c601423cd..efa2e4ce9 100644
--- a/accesscontroltool-bundle/bnd.bnd
+++ b/accesscontroltool-bundle/bnd.bnd
@@ -7,10 +7,12 @@ Bundle-SymbolicName: biz.netcentric.cq.tools.accesscontroltool.bundle
 
 # allow to run in Sling without AEM bundles
 # allow to run without bouncycastle which is only necessary for some edge cases when managing keys
-Import-Package: \
+Import-Package: 
 com.adobe.granite.crypto;resolution:=optional,\
 com.adobe.granite.keystore;resolution:=optional,\
 com.adobe.granite.jmx.annotation;resolution:=optional,\
+com.fasterxml.jackson.databind;resolution:=optional,\
+org.apache.http.*;resolution:=optional,\
 org.bouncycastle.*;resolution:=optional,\
 org.apache.sling.commons.scheduler.*;resolution:=optional,\
 org.apache.jackrabbit.oak.spi.security.principal;version="[1.5.0,3)",\
diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
index e3bb6566b..f87be44bb 100644
--- a/accesscontroltool-bundle/pom.xml
+++ b/accesscontroltool-bundle/pom.xml
@@ -150,6 +150,12 @@
             <artifactId>slf4j-simple</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.util.converter</artifactId>
+            <version>1.0.9</version>
+            <scope>test</scope>
+        </dependency>
         <!-- IT dependencies -->
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
@@ -183,7 +189,17 @@
             <version>3.6.8</version>
             <scope>test</scope>
         </dependency>
-        
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient-osgi</artifactId>
+            <version>4.5.13</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <scope>test</scope>
+        </dependency>
         <!-- END: Test Dependencies -->
 
         <!-- use the uber-jar always as last dependency because a lot of classes are provided also by other artifacts
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
index 8e3f64c39..b9a9254b2 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
@@ -18,6 +18,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -65,6 +66,7 @@
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.Key;
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.RandomPassword;
 import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ExternalGroupManagement;
 import biz.netcentric.cq.tools.actool.helper.AcHelper;
 import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
 import biz.netcentric.cq.tools.actool.helper.Constants;
@@ -102,7 +104,10 @@ public class AuthorizableInstallerServiceImpl implements
 
     @Reference(policyOption = ReferencePolicyOption.GREEDY)
     SlingRepository repository;
-    
+
+    @Reference(policyOption = ReferencePolicyOption.GREEDY, cardinality = ReferenceCardinality.MULTIPLE)
+    List<ExternalGroupManagement> externalGroupManagementServices;
+
     @Override
     public void installAuthorizables(
             AcConfiguration acConfiguration,
@@ -113,16 +118,32 @@ public void installAuthorizables(
         AuthInstallerUserManager userManager = new AuthInstallerUserManagerPrefetchingImpl(AccessControlUtils.getUserManagerAutoSaveDisabled(session), session.getValueFactory(), installLog);
 
         Set<String> authorizablesFromConfigurations = authorizablesConfigBeans.getAuthorizableIds();
+        Collection<AuthorizableConfigBean> groupsToSyncWithExternalUserMgmt = new LinkedList<>();
         for (AuthorizableConfigBean authorizableConfigBean : authorizablesConfigBeans) {
 
             installAuthorizableConfigurationBean(session, userManager, acConfiguration,
                     authorizableConfigBean, installLog, authorizablesFromConfigurations);
+            
+            if (authorizableConfigBean.isSyncWithExternalUserManagement() && authorizableConfigBean.isGroup() && !externalGroupManagementServices.isEmpty()) {
+                groupsToSyncWithExternalUserMgmt.add(authorizableConfigBean);
+            }
         }
 
         installLog.addMessage(LOG, "Created "+installLog.getCountAuthorizablesCreated() + " authorizables (moved "+installLog.getCountAuthorizablesMoved() + " authorizables)");
+        syncWithExternalGroupManagement(groupsToSyncWithExternalUserMgmt, installLog);
 
     }
 
+    private void syncWithExternalGroupManagement(Collection<AuthorizableConfigBean> groupConfigBeans, InstallationLogger installLog) throws IOException {
+        if (groupConfigBeans.isEmpty()) {
+            return;
+        }
+        for (ExternalGroupManagement externalGroupManagement : externalGroupManagementServices) {
+            externalGroupManagement.updateGroups(groupConfigBeans);
+            installLog.addMessage(LOG, "Synchronized " + groupConfigBeans.size() + " groups with external user management " + externalGroupManagement.getLabel());
+        }
+    }
+    
     private void installAuthorizableConfigurationBean(final Session session,
             AuthInstallerUserManager userManager,
             AcConfiguration acConfiguration,
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/ExternalGroupInstallerServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/ExternalGroupInstallerServiceImpl.java
index 35c934a5a..11d9a04d1 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/ExternalGroupInstallerServiceImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/ExternalGroupInstallerServiceImpl.java
@@ -34,7 +34,7 @@
 import biz.netcentric.cq.tools.actool.helper.Constants;
 import biz.netcentric.cq.tools.actool.history.InstallationLogger;
 
-/** SCR component to create external groups (as configured using "externalId"). Only available if package
+/** SCR component to create groups in AEM which are linked to external directory entries (as configured using {@code externalId}). Only available if package
  * o.a.j.oak.spi.security.authentication.external.basic (optional OSGi import) is available (this is the case starting from AEM 6.1+SP1, the
  * functionality is crucial since the change in AEM 6.2 + oak 1.4.7 (see #140).
  * 
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java
index 7fc65eff1..358ad9ff4 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configmodel/AuthorizableConfigBean.java
@@ -19,6 +19,7 @@
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.Key;
 import biz.netcentric.cq.tools.actool.dumpservice.AcDumpElement;
 import biz.netcentric.cq.tools.actool.dumpservice.AcDumpElementVisitor;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ExternalGroupManagement;
 
 public class AuthorizableConfigBean implements AcDumpElement {
 
@@ -59,6 +60,11 @@ public class AuthorizableConfigBean implements AcDumpElement {
     private Map<String, Key> keys;
     private List<String> impersonationAllowedFor;
 
+    /**
+     * if {@true} synchronized with external user managed. Synchronization happens via all active services of type {@link ExternalGroupManagement}
+     */
+    private boolean syncWithExternalUserManagement;
+    
     public String getAuthorizableId() {
         return authorizableId;
     }
@@ -320,8 +326,9 @@ public String toString() {
         sb.append("isMemberOf: " + getIsMemberOfString() + "\n");
         sb.append("members: " + getMembersString() + "\n");
         sb.append("appendToKeyStore: " + isAppendToKeyStore() + "\n");
-        sb.append("keys:" + getKeys());
-        sb.append("impersonationAllowedFor:" + getImpersonationAllowedFor());
+        sb.append("keys:" + getKeys() + "\n");
+        sb.append("impersonationAllowedFor:" + getImpersonationAllowedFor() + "\n");
+        sb.append("syncWithExternalUserManagement: " + isSyncWithExternalUserManagement());
         return sb.toString();
     }
 
@@ -341,4 +348,12 @@ public void accept(final AcDumpElementVisitor acDumpElementVisitor) {
         acDumpElementVisitor.visit(this);
     }
 
+    public boolean isSyncWithExternalUserManagement() {
+        return syncWithExternalUserManagement;
+    }
+
+    public void setSyncWithExternalUserManagement(boolean syncWithExternalUserManagement) {
+        this.syncWithExternalUserManagement = syncWithExternalUserManagement;
+    }
+
 }
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java
index 281149dc0..1a9e1f632 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigReader.java
@@ -79,6 +79,7 @@ public class YamlConfigReader implements ConfigReader {
     private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_MEMBERS_REGEX = "unmanagedExternalMembersRegex";
 
     private static final String GROUP_CONFIG_IS_VIRTUAL = "virtual";
+    private static final String GROUP_CONFIG_SYNC_WITH_EXTERNAL_USERMANAGEMENT = "syncWithExternalUserManagement";
 
     private static final String USER_CONFIG_PROPERTY_IS_SYSTEM_USER = "isSystemUser";
 
@@ -413,6 +414,9 @@ protected void setupAuthorizableBean(
         authorizableConfigBean.setVirtual(Boolean.valueOf(getMapValueAsString(currentPrincipalDataMap,
                 GROUP_CONFIG_IS_VIRTUAL)));
 
+        authorizableConfigBean.setSyncWithExternalUserManagement(Boolean.valueOf(getMapValueAsString(currentPrincipalDataMap,
+                GROUP_CONFIG_SYNC_WITH_EXTERNAL_USERMANAGEMENT)));
+
         authorizableConfigBean.setIsGroup(isGroupSection);
         authorizableConfigBean.setIsSystemUser(Boolean.valueOf(getMapValueAsString(currentPrincipalDataMap,
                 USER_CONFIG_PROPERTY_IS_SYSTEM_USER)));
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ExternalGroupManagement.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ExternalGroupManagement.java
new file mode 100644
index 000000000..373b3d1ba
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ExternalGroupManagement.java
@@ -0,0 +1,19 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement;
+
+import java.io.IOException;
+import java.util.Collection;
+
+import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
+
+/**
+ * Implementations of this service synchronize (i.e. create/update/delete) groups in an external directory (outside AEM).
+ */
+public interface ExternalGroupManagement {
+    void updateGroups(Collection<AuthorizableConfigBean> groupConfigs) throws IOException;
+
+    /**
+     * 
+     * @return a label for the external group management tool (e.g. IMS)
+     */
+    String getLabel();
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagement.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagement.java
new file mode 100644
index 000000000..15ef34fb6
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagement.java
@@ -0,0 +1,228 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.stream.Collectors;
+
+import org.apache.http.Consts;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.StatusLine;
+import org.apache.http.client.ClientProtocolException;
+import org.apache.http.client.HttpResponseException;
+import org.apache.http.client.ResponseHandler;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.ContentType;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.osgi.services.HttpClientBuilderFactory;
+import org.apache.http.util.EntityUtils;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.ConfigurationPolicy;
+import org.osgi.service.component.annotations.Deactivate;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.metatype.annotations.AttributeDefinition;
+import org.osgi.service.metatype.annotations.Designate;
+import org.osgi.service.metatype.annotations.ObjectClassDefinition;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ExternalGroupManagement;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.IMSUserManagement.Configuration;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.request.ActionCommand;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.request.CreateGroupStep;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.request.UserGroupActionCommand;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.response.AccessToken;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.response.ActionCommandResponse;
+
+/**
+ * Managing Adobe IMS groups via the UMAPI.
+ * 
+ * @see <a href="https://adobe-apiplatform.github.io/umapi-documentation/en/">UMAPI Documentation</a>
+ */
+@Component(configurationPolicy = ConfigurationPolicy.REQUIRE)
+@Designate(ocd=Configuration.class)
+public class IMSUserManagement implements ExternalGroupManagement {
+
+    @ObjectClassDefinition(name = "AC Tool Adobe IMS Groups Synchronisation", description = "Settings of the API for user management tasks (UMAPI) in the Adobe IMS")
+    protected static @interface Configuration {
+        @AttributeDefinition(name = "UMAPI Base URL", description = "UMAPI Endpoint Base URL (the part prior the organization id)")
+        String umapiBaseUrl() default "https://usermanagement.adobe.io/v2/usermanagement/action/";
+        @AttributeDefinition(name = "Organization ID", description = "The unique identifier for an organization. This is a string of the form A495E53@AdobeOrg where the prefix before the @ is a hexadecimal number. You can find this value as part of the URL path for the organization in the Admin Console or in the adobe.io console for your User Management integration.")
+        String organizationId();
+        @AttributeDefinition(name = "Test Only", description = "If true, parameter syntactic and (limited) semantic checking is done, but the specified operations are not performed, so no user accounts or group memberships are created, changed, or deleted.")
+        boolean isTestOnly();
+        @AttributeDefinition(name = "IMS Token Endpoint URL", description = "The URL from which to retrieve the access token.")
+        String imsTokenEndpointUrl() default "https://ims-na1.adobelogin.com/ims/token/v3";
+        @AttributeDefinition(name = "Client ID", description = "The Client ID exposed in the Adobe IO Console for the UMAPI integration used to authorize the session. Also used as \"X-Api-Key\" header value.")
+        String clientId();
+        @AttributeDefinition(name = "Client Secret", description = "The Client ID exposed in the Adobe IO Console for the UMAPI integration used to authorize the session.")
+        String clientSecret();
+        @AttributeDefinition(name = "OAuth Scopes", description = "Scopes for which the access token is requested.")
+        String[] scopes() default { "openid","AdobeID","user_management_sdk" };
+        @AttributeDefinition(name = "Connect Timeout", description = "The maximum time to establish the connection with the remote host in milliseconds.")
+        int connectTimeout() default 2000;
+        @AttributeDefinition(name = "Socket Timeout", description = "The time waiting for data – after establishing the connection; maximum time of inactivity between two data packets. Given in milliseconds.")
+        int socketTimeout() default 10000;
+    }
+
+    public static final Logger LOG = LoggerFactory.getLogger(IMSUserManagement.class);
+    private static final int MAX_NUM_COMMANDS_PER_REQUEST = 10;
+
+    private final Configuration config;
+    private final CloseableHttpClient client;
+
+    @Activate
+    public IMSUserManagement(Configuration config, @Reference HttpClientBuilderFactory httpClientBuilderFactory) {
+        this.config = config;
+        RequestConfig requestConfig = RequestConfig.custom()
+                .setConnectTimeout(config.connectTimeout())
+                .setConnectionRequestTimeout(config.socketTimeout())
+                .setSocketTimeout(config.socketTimeout()).build();
+        client = httpClientBuilderFactory.newBuilder()
+                .setDefaultRequestConfig(requestConfig)
+                .build();
+    }
+    
+    @Deactivate
+    public void deactivate() throws IOException {
+        client.close();
+    }
+
+    private URI getUserManagementActionUrl() throws URISyntaxException {
+        URI uri = new URI(config.umapiBaseUrl() + config.organizationId());
+        if (config.isTestOnly()) {
+            uri = new URI(uri.getScheme(), uri.getAuthority(),
+                    uri.getPath(), "testOnly=true", uri.getFragment());
+        }
+        return uri;
+    }
+
+    @Override
+    public String getLabel() {
+        return "Adobe IMS";
+    }
+
+    @Override
+    public void updateGroups(Collection<AuthorizableConfigBean> groupConfigs) throws IOException {
+        List<ActionCommand> actionCommands = new LinkedList<>();
+        for (AuthorizableConfigBean groupConfig : groupConfigs) {
+            UserGroupActionCommand actionCommand = new UserGroupActionCommand(groupConfig.getAuthorizableId());
+            CreateGroupStep createGroupStep = new CreateGroupStep();
+            //createGroupStep.name = groupConfig.getAuthorizableId();
+            createGroupStep.description = groupConfig.getDescription();
+            actionCommand.addStep(createGroupStep);
+            actionCommands.add(actionCommand);
+        }
+        // update in batches of 10 commands
+        AtomicInteger counter = new AtomicInteger();
+        final Collection<List<ActionCommand>> actionCommandsBatches = actionCommands.stream().collect(Collectors.groupingBy
+                (it->counter.getAndIncrement() / MAX_NUM_COMMANDS_PER_REQUEST))
+                .values();
+        String token = getOAuthServer2ServerToken();
+        for (List<ActionCommand> actionCommandBatch : actionCommandsBatches) {
+            ActionCommandResponse response = sendActionCommand(token, actionCommandBatch);
+            if (!response.errors.isEmpty()) {
+                throw new IOException("Errors updating groups: " + response.errors);
+            }
+            if (!response.warnings.isEmpty()) {
+                response.warnings.stream().forEach(w -> LOG.warn("Warning updating a group: {}", w));
+            }
+        }
+    }
+
+    private ActionCommandResponse sendActionCommand(String token, Collection<ActionCommand> actions) throws IOException {
+        ObjectMapper objectMapper = new ObjectMapper();
+        HttpPost httpPost;
+        try {
+            httpPost = new HttpPost(getUserManagementActionUrl());
+        } catch (URISyntaxException e) {
+            throw new IllegalArgumentException("Could not create valid URI from configuration", e);
+        }
+        // prevent type erasure on the collection as outlined in https://github.com/FasterXML/jackson-databind/pull/1309#issuecomment-234603166
+        //String jsonPayload = objectMapper.writerFor(new TypeReference<Collection<Step>>() { }).writeValueAsString(actions);
+        String jsonPayload = objectMapper.writeValueAsString(actions);
+        httpPost.setEntity(new StringEntity(jsonPayload, ContentType.create("application/json"))); // must be without charset
+        httpPost.setHeader("Authorization", "Bearer " + token);
+        httpPost.setHeader("X-Api-Key", config.clientId());
+        ResponseHandler<ActionCommandResponse> rh = new ResponseHandler<ActionCommandResponse>() {
+            @Override
+            public ActionCommandResponse handleResponse(
+                    final HttpResponse response) throws IOException {
+                StatusLine statusLine = response.getStatusLine();
+                HttpEntity entity = response.getEntity();
+                if (statusLine.getStatusCode() >= 300) {
+                    throw new HttpResponseException(
+                            statusLine.getStatusCode(),
+                            statusLine.getReasonPhrase() + ", body:" + EntityUtils.toString(entity));
+                }
+                if (entity == null) {
+                    throw new ClientProtocolException("Response contains no content");
+                }
+                return objectMapper.readValue(entity.getContent(), ActionCommandResponse.class);
+            }
+        };
+        LOG.debug("Calling UMAPI via {}", httpPost);
+        return client.execute(httpPost, rh);
+    }
+
+    /**
+     * Requests an access token using the OAuth Server to Server authentication flow (OAuth 2.0 client credential grant).
+     * It is valid for 24 hours.
+     * @return the access token
+     * @throws IOException 
+     * @see <a href="https://adobe-apiplatform.github.io/umapi-documentation/en/UM_Authentication.html">OAuth Server to Server Authentication</a>
+     */
+    private String getOAuthServer2ServerToken() throws IOException {
+        HttpPost httpPost = new HttpPost(config.imsTokenEndpointUrl());
+        List<NameValuePair> params = new ArrayList<>();
+        params.add(new BasicNameValuePair("client_id", config.clientId()));
+        params.add(new BasicNameValuePair("client_secret", config.clientSecret()));
+        params.add(new BasicNameValuePair("grant_type", "client_credentials"));
+        params.add(new BasicNameValuePair("scope", String.join(",", config.scopes())));
+        UrlEncodedFormEntity entity = new UrlEncodedFormEntity(params, Consts.UTF_8);
+        httpPost.setEntity(entity);
+
+        ResponseHandler<AccessToken> rh = new ResponseHandler<AccessToken>() {
+            @Override
+            public AccessToken handleResponse(
+                    final HttpResponse response) throws IOException {
+                StatusLine statusLine = response.getStatusLine();
+                HttpEntity entity = response.getEntity();
+                if (statusLine.getStatusCode() >= 300) {
+                    throw new HttpResponseException(
+                            statusLine.getStatusCode(),
+                            statusLine.getReasonPhrase() + ", body:" + EntityUtils.toString(entity));
+                }
+                if (entity == null) {
+                    throw new ClientProtocolException("Response contains no content");
+                }
+                ObjectMapper objectMapper = new ObjectMapper();
+                ContentType contentType = ContentType.getOrDefault(entity);
+                Charset charset = contentType.getCharset();
+                try (Reader reader = new InputStreamReader(entity.getContent(), charset)) {
+                    return objectMapper.readValue(reader, AccessToken.class);
+                }
+            }
+        };
+        AccessToken token = client.execute(httpPost, rh);
+        return token.token;
+    }
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/ActionCommand.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/ActionCommand.java
new file mode 100644
index 000000000..7b77397c7
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/ActionCommand.java
@@ -0,0 +1,20 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.request;
+
+import java.util.Collection;
+import java.util.LinkedList;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class ActionCommand {
+
+    @JsonProperty("do")
+    final Collection<Step> steps;
+
+    public ActionCommand() {
+        steps = new LinkedList<>();
+    }
+
+    public boolean addStep(Step step) {
+        return steps.add(step);
+    }
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/CreateGroupStep.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/CreateGroupStep.java
new file mode 100644
index 000000000..383c7f4c0
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/CreateGroupStep.java
@@ -0,0 +1,17 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.request;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+
+@JsonTypeName("createUserGroup")
+public class CreateGroupStep implements Step {
+
+    // this cannot be a constant, but still needs to be serialized as literal
+    @JsonProperty("option")
+    final String defaultOption = "updateIfAlreadyExists";
+    //@JsonProperty
+    //String name;
+    @JsonProperty
+    public
+    String description;
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/Step.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/Step.java
new file mode 100644
index 000000000..88ea3cc70
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/Step.java
@@ -0,0 +1,14 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.request;
+
+import com.fasterxml.jackson.annotation.JsonSubTypes;
+import com.fasterxml.jackson.annotation.JsonSubTypes.Type;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import com.fasterxml.jackson.annotation.JsonTypeInfo.As;
+
+@JsonTypeInfo(
+        use = JsonTypeInfo.Id.NAME, 
+        include = As.WRAPPER_OBJECT, visible = true)
+@JsonSubTypes({@Type(CreateGroupStep.class)})
+public interface Step {
+
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/UserGroupActionCommand.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/UserGroupActionCommand.java
new file mode 100644
index 000000000..6381e4e96
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/request/UserGroupActionCommand.java
@@ -0,0 +1,13 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.request;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class UserGroupActionCommand extends ActionCommand {
+
+    public UserGroupActionCommand(String userGroup) {
+        this.userGroup = userGroup;
+    }
+
+    @JsonProperty("usergroup")
+    String userGroup;
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/AccessToken.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/AccessToken.java
new file mode 100644
index 000000000..78556b8a4
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/AccessToken.java
@@ -0,0 +1,15 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/** OAuth 2.0 Access Token JSON Format as specified in <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-5.1">RFC6749</a>. */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class AccessToken {
+    @JsonProperty("access_token")
+    public String token;
+    @JsonProperty("token_type")
+    public String type;
+    @JsonProperty("expires_in")
+    public long lifeTimeInSeconds;
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandError.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandError.java
new file mode 100644
index 000000000..d16a52531
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandError.java
@@ -0,0 +1,21 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * 
+ * @see <a href="https://adobe-apiplatform.github.io/umapi-documentation/en/api/ActionsRef.html#responses">Action Response Format</a>
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ActionCommandError extends ActionCommandIssue {
+
+    @JsonProperty
+    String errorCode;
+
+    @Override
+    public String toString() {
+        return "ActionCommandError [errorCode=" + errorCode + ", requestID=" + requestID + ", index=" + index + ", step=" + step
+                + ", message=" + message + ", user=" + user + "]";
+    }
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandIssue.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandIssue.java
new file mode 100644
index 000000000..4a814bc18
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandIssue.java
@@ -0,0 +1,25 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ActionCommandIssue {
+
+    @JsonProperty(required = false)
+    String requestID;
+    @JsonProperty
+    int index;
+    @JsonProperty
+    int step;
+    @JsonProperty
+    String message;
+    @JsonProperty
+    String user;
+
+    @Override
+    public String toString() {
+        return "ActionCommandIssue [requestID=" + requestID + ", index=" + index + ", step=" + step + ", message=" + message + ", user="
+                + user + "]";
+    }
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandResponse.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandResponse.java
new file mode 100644
index 000000000..096fdb196
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandResponse.java
@@ -0,0 +1,26 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.response;
+
+import java.util.List;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/** General response format for UMAPI requests */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ActionCommandResponse {
+
+    @JsonProperty("completed")
+    public int numCompletedActions;
+    
+    @JsonProperty("notCompleted")
+    public int numNotCompletedActions;
+    
+    @JsonProperty("completedInTestMode")
+    public int numCompletedActionsInTestMode;
+    
+    @JsonProperty("errors")
+    public List<ActionCommandError> errors;
+    
+    @JsonProperty("warnings")
+    public List<ActionCommandWarning> warnings;
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandWarning.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandWarning.java
new file mode 100644
index 000000000..90dcef1e6
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/response/ActionCommandWarning.java
@@ -0,0 +1,21 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * 
+ * @see <a href="https://adobe-apiplatform.github.io/umapi-documentation/en/api/ActionsRef.html#responses">Action Response Format</a>
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ActionCommandWarning extends ActionCommandIssue {
+
+    @JsonProperty
+    String warningCode;
+
+    @Override
+    public String toString() {
+        return "ActionCommandWarning [warningCode=" + warningCode + ", requestID=" + requestID + ", index=" + index + ", step=" + step
+                + ", message=" + message + ", user=" + user + "]";
+    }
+}
\ No newline at end of file
diff --git a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagementIT.java b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagementIT.java
new file mode 100644
index 000000000..223009c7c
--- /dev/null
+++ b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/externalusermanagement/ims/IMSUserManagementIT.java
@@ -0,0 +1,58 @@
+package biz.netcentric.cq.tools.actool.externalusermanagement.ims;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.osgi.services.HttpClientBuilderFactory;
+import org.junit.jupiter.api.Test;
+import org.osgi.util.converter.Converters;
+
+import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
+import biz.netcentric.cq.tools.actool.externalusermanagement.ims.IMSUserManagement.Configuration;
+
+/**
+ * Example Adobe Developer Console Project: https://developer.adobe.com/console/projects/25605/4566206088345177434/overview (Organization: Netcentric).
+ * This IT requires the following environment variables to be set:
+ * <ul>
+ * <li>actool_ims_it_organizationid</li>
+ * <li>actool_ims_it_clientid</li>
+ * <li>actool_ims_it_clientsecret</li>
+ * </ul>
+ */
+class IMSUserManagementIT {
+
+    @Test
+    void test() throws IOException {
+        Map<String, Object> properties = new HashMap<>();
+        properties.put("organizationId", getMandatoryEnvironmentVariable("ACTOOL_IMS_IT_ORGANIZATIONID"));
+        properties.put("clientId", getMandatoryEnvironmentVariable("ACTOOL_IMS_IT_CLIENTID"));
+        properties.put("clientSecret", getMandatoryEnvironmentVariable("ACTOOL_IMS_IT_CLIENTSECRET"));
+        properties.put("isTestOnly", Boolean.TRUE);
+        Configuration config = Converters.standardConverter().convert(properties).to(Configuration.class);
+        
+        IMSUserManagement imsUserManagement = new IMSUserManagement(config, new HttpClientBuilderFactory() {
+            @Override
+            public HttpClientBuilder newBuilder() {
+                return HttpClientBuilder.create();
+            }
+        });
+        assertEquals("Adobe IMS", imsUserManagement.getLabel());
+        AuthorizableConfigBean group = new AuthorizableConfigBean();
+        group.setAuthorizableId("testGroup");
+        group.setDescription("my description");
+        imsUserManagement.updateGroups(Collections.singleton(group));
+    }
+
+    private static String getMandatoryEnvironmentVariable(String name) {
+        String value = System.getenv(name);
+        if (value == null) {
+            throw new IllegalStateException("Missing environment variable \"" + name + "\" which is necessary for the IT in " + IMSUserManagementIT.class);
+        }
+        return value;
+    }
+}
diff --git a/docs/AdvancedFeatures.md b/docs/AdvancedFeatures.md
index 9d141d27e..cb6b264d1 100644
--- a/docs/AdvancedFeatures.md
+++ b/docs/AdvancedFeatures.md
@@ -303,9 +303,8 @@ Example:
      name: "TU %{group.name}"
      path: /home/users/myproj-test-users
      skipForRunmodes: prod, preprod
-``` 
+```
 
-  
 ## Configure unmanaged aspects
 
 The following table gives an overview of what is managed (in terms of authorizables themselves, group memberships and ACLs) by AC Tool and what is not:
@@ -434,6 +433,15 @@ Sometimes it is also useful to create intermediate paths that do not even contai
                             </jcr:root>                    
 ```
 
+## Update Groups in External User Management Systems
+
+Since ACTool 3.1.0 there is support for creating/updating groups in [Adobe IMS](https://www.adobe.com/content/dam/cc/en/trust-center/ungated/whitepapers/corporate/adobe-identity-management-services-security-overview.pdf). Those are the groups which are exposed in the Adobe Admin Console and automatically used in AEM for [AEMaaCS](https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/ims-support) and also [AEM 6.5 hosted by AMS](https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/authentication/adobe-ims-authentication-technical-video-understand).
+
+To enable that feature, just set the property `syncWithExternalUserManagement` on the groups in the YAML file to `true`.
+In addition a configuration for the leveraged [UMAPI](https://adobe-apiplatform.github.io/umapi-documentation/en/) needs to be provided in the configuration PID `biz.netcentric.cq.tools.actool.externalusermanagement.ims.IMSUserManagement`.
+
+Only the group id and the description are set for synchronized groups in IMS. Memberships are not modified.
+
 ## Health Check
 
 The AC Tool comes with a Sling Health Check to returns WARN if the last run of the AC Tool was not successful. The health check can be triggered via `/system/console/healthcheck?tags=actool`. Additional tags can be configured using PID `biz.netcentric.cq.tools.actool.healthcheck.LastRunSuccessHealthCheck` and property `hc.tags`. Also see [Sling Health Check Tools Documentation](https://sling.apache.org/documentation/bundles/sling-health-check-tool.html).
diff --git a/docs/Configuration.md b/docs/Configuration.md
index ad94c77df..9bb3f2fac 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -55,11 +55,12 @@ description | Description of the group | optional
 externalId | Required for AC setups since AEM 6.2 SP1 that synchronize groups from LDAP to AEM. The value has to be in format LDAP-DN;IDP-NAME where LDAP-DN is the full distinguished name and IDP-NAME is configured in OSGI config PID org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider property "provider-name". Example: `externalId: "cn=group-name,ou=mydepart,ou=Groups,dc=comp,dc=com;IDPNAME"`. Since v1.9.3 | optional
 path | Path of the intermediate node either relative or absolute. If relative, `/home/groups` is automatically prefixed. By default some implementation specific path is choosen. Usually the full group path is the (intermediate) path concatenated with a [randomized authorizable id](https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.html).  | optional
 isMemberOf | List of groups this groups is a member of. May be provided as yaml list or as comma-separated yaml string (*the use of comma-separated yaml strings is deprecated*, available to remain backwards compatible). | optional
-memberOf | same meaning as `isMemberOf`. This property is *deprecated*, please use `isMemberOf` instead. | optional
+memberOf | Same meaning as `isMemberOf`. This property is *deprecated*, please use `isMemberOf` instead. | optional
 members | List of groups that are member of this group. May be provided as yaml list or as comma-separated yaml string (*the use of comma-separated yaml strings is deprecated*, available to remain backwards compatible). Allows to specify the relationship from the other side compared to `isMemberOf`. **NOTE**: The `isMemberOf` configuration should be preferred over `members` if possible for better readability. Since `isMemberOf` shows what a group inherits, `members` would only show on the other side where permissions get pushed to. Also choosing one approach makes the config files consistent. `members` should therefore only be used in special cases where it is not possible to use `isMemberOf`, e.g. to push rights to a group that is not in the configuration and hence that group can not be annotated with `isMemberOf` | optional
-migrateFrom | a group name assigned member users are taken over from | optional
+migrateFrom | A group name assigned member users are taken over from. This is not supported for external user management. | optional
 virtual | If true, the group is *not* created in repository but only its permissions and isMemberOf relationships are made effective to other groups using the virtual group in isMemberOf. Flattens the effective group tree of users at runtime, but enlarges ACLs as set on path (instead of the virtual group, all referencing groups are listed in a particular path's ACL used by the virtual group). Useful for functionality fragments. False by default. Since v2.1.0 | optional
 unmanaged* Properties | Only use sparsely and with care, see [Advanced Features](AdvancedFeatures.md)   | optional
+syncWithExternalUserManagement | Boolean flag determining whether the group should also be created or updated in a configured external user management system. For further details refer to [Update Groups in External User Management Systems](AdvancedFeatures.html#Update Groups in External User Management Systems). | optional
 
 Example:
 
diff --git a/target-osgi-environment/maximum-environment/maximum-aem.bndrun b/target-osgi-environment/maximum-environment/maximum-aem.bndrun
index 75822b289..ef9c8872a 100644
--- a/target-osgi-environment/maximum-environment/maximum-aem.bndrun
+++ b/target-osgi-environment/maximum-environment/maximum-aem.bndrun
@@ -24,5 +24,6 @@
 # workaround for https://issues.apache.org/jira/browse/SLING-7608 and https://issues.apache.org/jira/browse/SLING-7604
 -runsystemcapabilities: osgi.service;objectClass=org.apache.sling.commons.classloader.DynamicClassLoaderManager,\
 osgi.service;objectClass=com.adobe.granite.crypto.CryptoSupport,\
+osgi.service;objectClass=org.apache.http.osgi.services.HttpClientBuilderFactory,\
 osgi.service;objectClass=org.apache.sling.api.resource.ResourceResolverFactory,\
 osgi.service;objectClass:List<String>="javax.jcr.Repository,org.apache.sling.jcr.api.SlingRepository"
diff --git a/target-osgi-environment/minimum-environment/minimum-aem.bndrun b/target-osgi-environment/minimum-environment/minimum-aem.bndrun
index 5525edda3..c95b49066 100644
--- a/target-osgi-environment/minimum-environment/minimum-aem.bndrun
+++ b/target-osgi-environment/minimum-environment/minimum-aem.bndrun
@@ -24,5 +24,6 @@
 # workaround for https://issues.apache.org/jira/browse/SLING-7608 and https://issues.apache.org/jira/browse/SLING-7604
 -runsystemcapabilities: osgi.service;objectClass=org.apache.sling.commons.classloader.DynamicClassLoaderManager,\
 osgi.service;objectClass=com.adobe.granite.crypto.CryptoSupport,\
+osgi.service;objectClass=org.apache.http.osgi.services.HttpClientBuilderFactory,\
 osgi.service;objectClass=org.apache.sling.api.resource.ResourceResolverFactory,\
 osgi.service;objectClass:List<String>="javax.jcr.Repository,org.apache.sling.jcr.api.SlingRepository"