That is an important point that I missed. I was thinking you just need to control where you collect groups from, but becuase the users are not in both systems, those assignments from one side don't cover everything. With that in mind, I better understand your initial request.

However, I think you are in a pickle.

* You need to collect the permissions and permission holders from AD to show any AD only accounts have a permission
* You need to collect the permisisons and permission holders from IDM to show any IDV accounts have a permission

And you want that permission that is collected from AD and IDV to be the same IG object, and I think that's where it breaks.

Its worth a test though, if you can have both collectors create a permisison that generates/uses the same permissionId value, that's the best chance you might have. I suspect the application they are pulled from is used when making assignments in IG though, so I'm not sure if permissionId being equal is enough.

--Jim