diff --git a/demo/complex2s/midpoint-objects/functionLibraries/function-library-grouper.xml b/demo/complex2s/midpoint-objects/functionLibraries/function-library-grouper.xml
index 80197aa..6219eb0 100644
--- a/demo/complex2s/midpoint-objects/functionLibraries/function-library-grouper.xml
+++ b/demo/complex2s/midpoint-objects/functionLibraries/function-library-grouper.xml
@@ -1,17 +1,8 @@
 <!--
-  ~ Copyright (c) 2010-2019 Evolveum
+  ~ Copyright (c) 2019 Evolveum and contributors
   ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
   -->
 
 <functionLibrary oid="2eef4181-25fa-420f-909d-846a36ca90f3"
@@ -49,14 +40,14 @@
 	  "encrypted": false,
 	  "esbEvent": [
 		{
-		  "displayName": "ref:alumni",
+		  "displayName": "ref:affiliation:alumni",
 		  "changeOccurred": false,
 		  "createdOnMicros": 1551884850499000,
 		  "parentStemId": "9a7ce40af6c546148b41eec81b8ca18d",
 		  "id": "00000000000000000000000000000002",
 		  "sequenceNumber": "110",
 		  "eventType": "GROUP_ADD",
-		  "name": "ref:alumni"
+		  "name": "ref:affiliation:alumni"
 		}
 	  ]
 	}
diff --git a/demo/complex2s/midpoint-objects/objectTemplates/template-user.xml b/demo/complex2s/midpoint-objects/objectTemplates/template-user.xml
index 8c7959f..9442803 100644
--- a/demo/complex2s/midpoint-objects/objectTemplates/template-user.xml
+++ b/demo/complex2s/midpoint-objects/objectTemplates/template-user.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" oid="8098b124-c20c-4965-8adf-e528abedf7a4">
     <name>User Template</name>
     <mapping>
@@ -21,13 +28,13 @@
                     
                     memberDef = prismContext.definitionFactory().createPropertyDefinition(MEMBER_NAME, DOMUtil.XSD_STRING)
                     memberDef.setMaxOccurs(-1)
-                    
-                    // TODO check for exists/dead
+
                     shadowQuery = prismContext.queryFor(ShadowType.class)
                         .item(ShadowType.F_RESOURCE_REF).ref(GROUPER_RESOURCE_OID)
                         .and().item(ShadowType.F_SYNCHRONIZATION_SITUATION).eq(SynchronizationSituationType.LINKED)
                         .and().item(ShadowType.F_KIND).eq(ShadowKindType.ENTITLEMENT)
                         .and().item(ShadowType.F_INTENT).eq('group')
+                        .and().block().item(ShadowType.F_DEAD).isNull().or().item(ShadowType.F_DEAD).eq(false).endBlock()
                         .and().item(ItemPath.create(ShadowType.F_ATTRIBUTES, MEMBER_NAME), memberDef).eq(basic.stringify(name))
                         .build()
                         
diff --git a/demo/complex2s/midpoint-objects/orgs/org-affiliations.xml b/demo/complex2s/midpoint-objects/orgs/org-affiliations.xml
index 618f9ee..577c894 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-affiliations.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-affiliations.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="1d7c0e3a-4456-409c-9f50-95407b2eb785">
     <name>affiliations</name>
diff --git a/demo/complex2s/midpoint-objects/orgs/org-courses.xml b/demo/complex2s/midpoint-objects/orgs/org-courses.xml
index 71d1f7e..47147d5 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-courses.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-courses.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="225e9360-0639-40ba-8a31-7f31bef067be">
     <name>courses</name>
diff --git a/demo/complex2s/midpoint-objects/orgs/org-departments.xml b/demo/complex2s/midpoint-objects/orgs/org-departments.xml
index 5320c1e..b5638d4 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-departments.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-departments.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="bee44c51-2469-411d-bac7-695728e9c241">
     <name>departments</name>
diff --git a/demo/complex2s/midpoint-objects/orgs/org-generic-groups.xml b/demo/complex2s/midpoint-objects/orgs/org-generic-groups.xml
index fa39bbc..baa2c79 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-generic-groups.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-generic-groups.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="1f339075-5b2f-4a18-9c98-451f3eb0d28d">
     <name>generic-groups</name>
diff --git a/demo/complex2s/midpoint-objects/orgs/org-grouper-sysadmin.xml b/demo/complex2s/midpoint-objects/orgs/org-grouper-sysadmin.xml
index a748ebe..201777a 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-grouper-sysadmin.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-grouper-sysadmin.xml
@@ -1,12 +1,11 @@
-<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
-      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" 
-      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
-      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" 
-      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" 
-      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" 
-      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" 
-      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       oid="d48ec05b-fffd-4262-acd3-d9ff63365b62">
     <name>org-grouper-sysadmin</name>
     <displayName>Grouper Administrators</displayName>
diff --git a/demo/complex2s/midpoint-objects/orgs/org-mailing-lists.xml b/demo/complex2s/midpoint-objects/orgs/org-mailing-lists.xml
index 136c3ee..6674745 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-mailing-lists.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-mailing-lists.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="d81fb46c-20c7-44d3-8402-fef404ea1264">
     <name>mailing-lists</name>
diff --git a/demo/complex2s/midpoint-objects/orgs/org-midpoint-groups.xml b/demo/complex2s/midpoint-objects/orgs/org-midpoint-groups.xml
index 5bb3a7f..9c0658d 100644
--- a/demo/complex2s/midpoint-objects/orgs/org-midpoint-groups.xml
+++ b/demo/complex2s/midpoint-objects/orgs/org-midpoint-groups.xml
@@ -1,4 +1,11 @@
 <?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="4790ab69-7ef0-41a4-8992-78877f3beb23">
     <name>midpoint-groups</name>
diff --git a/demo/complex2s/midpoint-objects/resources/ldap-main.xml b/demo/complex2s/midpoint-objects/resources/ldap-main.xml
index 66a66dd..09934db 100644
--- a/demo/complex2s/midpoint-objects/resources/ldap-main.xml
+++ b/demo/complex2s/midpoint-objects/resources/ldap-main.xml
@@ -1,13 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- ~ Copyright (c) 2010-2017 Evolveum ~ ~ Licensed under the Apache License, 
-	Version 2.0 (the "License"); ~ you may not use this file except in compliance 
-	with the License. ~ You may obtain a copy of the License at ~ ~ http://www.apache.org/licenses/LICENSE-2.0 
-	~ ~ Unless required by applicable law or agreed to in writing, software ~ 
-	distributed under the License is distributed on an "AS IS" BASIS, ~ WITHOUT 
-	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ~ See the 
-	License for the specific language governing permissions and ~ limitations 
-	under the License. -->
-
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
 
 <resource oid="0a37121f-d515-4a23-9b6d-554c5ef61272"
         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
@@ -84,7 +81,7 @@
                     <minOccurs>0</minOccurs>
                 </limitations>
                 <tolerant>false</tolerant>
-				<matchingRule>mr:stringIgnoreCase</matchingRule>
+				<matchingRule>mr:distinguishedName</matchingRule>
                 <outbound>
                     <strength>strong</strength>
                     <source>
@@ -201,7 +198,7 @@
 			<protected>
 				<filter>
 					<q:equal>
-						<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#stringIgnoreCase</q:matching>
+						<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching>
 						<q:path>attributes/ri:dn</q:path>
 						<q:value>cn=root,dc=internet2,dc=edu</q:value>
 					</q:equal>
@@ -226,7 +223,7 @@
             </attribute>
             <attribute>
                 <ref>ri:dn</ref>
-                <matchingRule>mr:stringIgnoreCase</matchingRule>
+                <matchingRule>mr:distinguishedName</matchingRule>
                 <outbound>
                     <strength>strong</strength>
                     <source>
@@ -244,6 +241,11 @@
                     </source>
                 </outbound>
             </attribute>
+            <attribute>
+                <ref>ri:uniqueMember</ref>
+                <matchingRule>mr:distinguishedName</matchingRule>
+				<fetchStrategy>minimal</fetchStrategy>
+            </attribute>
         </objectType>
 	</schemaHandling>
 
diff --git a/demo/complex2s/midpoint-objects/resources/resource-grouper.xml b/demo/complex2s/midpoint-objects/resources/resource-grouper.xml
index 125961e..f21c797 100644
--- a/demo/complex2s/midpoint-objects/resources/resource-grouper.xml
+++ b/demo/complex2s/midpoint-objects/resources/resource-grouper.xml
@@ -1,18 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2019 Evolveum
+  ~ Copyright (c) 2019 Evolveum and contributors
   ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
   -->
 
 <resource oid="1eff65de-5bb6-483d-9edf-8cc2c2ee0233"
@@ -168,9 +159,9 @@
             </reaction>
             <reaction>
                 <situation>deleted</situation>
-                <action>
-                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri>
-                </action>
+                <!-- a separate task will take care of deleted groups -->
+                <!-- we don't even need to unlink the shadow -->
+                <synchronize>true</synchronize>
             </reaction>
             <reaction>
                 <situation>unlinked</situation>
diff --git a/demo/complex2s/midpoint-objects/resources/scriptedsql-sis-persons.xml b/demo/complex2s/midpoint-objects/resources/scriptedsql-sis-persons.xml
index d95d39e..e47a0a7 100644
--- a/demo/complex2s/midpoint-objects/resources/scriptedsql-sis-persons.xml
+++ b/demo/complex2s/midpoint-objects/resources/scriptedsql-sis-persons.xml
@@ -1,6 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<c:resource oid="4d70a0da-02dd-41cf-b0a1-00e75d3eaa15" 
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<c:resource oid="4d70a0da-02dd-41cf-b0a1-00e75d3eaa15"
     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
diff --git a/demo/complex2s/midpoint-objects/resources/target-cs-portal.xml b/demo/complex2s/midpoint-objects/resources/target-cs-portal.xml
index 7706bcb..2a4f239 100644
--- a/demo/complex2s/midpoint-objects/resources/target-cs-portal.xml
+++ b/demo/complex2s/midpoint-objects/resources/target-cs-portal.xml
@@ -1,3 +1,10 @@
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <c:resource oid="a343fc2e-3954-4034-ba1a-2b72c21e577a" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
 	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:my="http://myself.me/schemas/whatever"
diff --git a/demo/complex2s/midpoint-objects/resources/target-faculty-portal.xml b/demo/complex2s/midpoint-objects/resources/target-faculty-portal.xml
index f3e7aed..94d54d0 100644
--- a/demo/complex2s/midpoint-objects/resources/target-faculty-portal.xml
+++ b/demo/complex2s/midpoint-objects/resources/target-faculty-portal.xml
@@ -1,3 +1,10 @@
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <c:resource oid="e417225d-8a08-46f3-9b5d-624990b52386" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
 	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:my="http://myself.me/schemas/whatever"
diff --git a/demo/complex2s/midpoint-objects/resources/target-mailing-lists.xml b/demo/complex2s/midpoint-objects/resources/target-mailing-lists.xml
index 4d60d27..19f5460 100644
--- a/demo/complex2s/midpoint-objects/resources/target-mailing-lists.xml
+++ b/demo/complex2s/midpoint-objects/resources/target-mailing-lists.xml
@@ -1,3 +1,10 @@
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
 <c:resource oid="fe805d13-481b-43ec-97d8-9d2df72cd38e" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
 	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:my="http://myself.me/schemas/whatever"
diff --git a/demo/complex2s/midpoint-objects/roles/metarole-grouper-provided-group.xml b/demo/complex2s/midpoint-objects/roles/metarole-grouper-provided-group.xml
index eabaf9d..1274be7 100644
--- a/demo/complex2s/midpoint-objects/roles/metarole-grouper-provided-group.xml
+++ b/demo/complex2s/midpoint-objects/roles/metarole-grouper-provided-group.xml
@@ -1,4 +1,11 @@
-<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" 
       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" 
@@ -141,6 +148,38 @@
                     <path>displayName</path>
                 </target>
             </mapping>
+
+            <mapping>
+                <name>lifecycle state</name>
+                <description>This mapping sets org lifecycle state to be either "active" or "retired", depending on
+                    whether Grouper group for this org still exists. Orgs in the latter state are on the way to deletion:
+                    their members are unassigned and after no members are there, the org is automatically deleted.</description>
+                <strength>strong</strength>
+                <expression>
+                    <script>
+                        <code>
+                            import com.evolveum.midpoint.model.impl.expr.*
+                            import com.evolveum.midpoint.schema.*
+                            import com.evolveum.midpoint.xml.ns._public.common.common_3.*
+
+                            GROUPER_RESOURCE_OID = '1eff65de-5bb6-483d-9edf-8cc2c2ee0233'
+
+                            modelContext = ModelExpressionThreadLocalHolder.lensContext
+                            rsd = new ResourceShadowDiscriminator(GROUPER_RESOURCE_OID, ShadowKindType.ENTITLEMENT, 'group', null, false)
+                            if (modelContext.findProjectionContext(rsd) != null) {
+                                log.info('Projection context for Grouper group found, marking as "active"')
+                                'active'
+                            } else {
+                                log.info('No projection context for Grouper group, marking as "retired"')
+                                'retired'
+                            }
+                        </code>
+                    </script>
+                </expression>
+                <target>
+                    <path>lifecycleState</path>
+                </target>
+            </mapping>
         </focusMappings>
         
         <!-- 
diff --git a/demo/complex2s/midpoint-objects/roles/metarole-ldap-group.xml b/demo/complex2s/midpoint-objects/roles/metarole-ldap-group.xml
index c1bd880..91bf370 100644
--- a/demo/complex2s/midpoint-objects/roles/metarole-ldap-group.xml
+++ b/demo/complex2s/midpoint-objects/roles/metarole-ldap-group.xml
@@ -1,4 +1,11 @@
-<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" 
       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" 
diff --git a/demo/complex2s/midpoint-objects/roles/role-ldap-basic.xml b/demo/complex2s/midpoint-objects/roles/role-ldap-basic.xml
index 81c4b4d..731f024 100644
--- a/demo/complex2s/midpoint-objects/roles/role-ldap-basic.xml
+++ b/demo/complex2s/midpoint-objects/roles/role-ldap-basic.xml
@@ -1,4 +1,11 @@
-<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" 
       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" 
diff --git a/demo/complex2s/midpoint-objects/systemConfigurations/SystemConfiguration.xml b/demo/complex2s/midpoint-objects/systemConfigurations/SystemConfiguration.xml
index dce8990..de75d62 100644
--- a/demo/complex2s/midpoint-objects/systemConfigurations/SystemConfiguration.xml
+++ b/demo/complex2s/midpoint-objects/systemConfigurations/SystemConfiguration.xml
@@ -1,115 +1,55 @@
-<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000001" version="2">
-      <name>SystemConfiguration</name>
-      <globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000120" relation="org:default" type="tns:SecurityPolicyType"/>
 <!--
-      <modelHooks>
-         <change>
-            <hook>
-               <name>Recompute affected users</name>
-               <state>final</state>
-               <focusType>OrgType</focusType>
-               <script>
-                  <code>
-                      import com.evolveum.midpoint.prism.delta.*
-                      import com.evolveum.midpoint.xml.ns._public.common.common_3.*
-                      import com.evolveum.midpoint.prism.path.*
- 
-                      log.info('Starting Org change hook execution')
-
-                      affectedUsers = new HashSet()
-                        
-                      MEMBER_PATH = ItemPath.create(ObjectType.F_EXTENSION, 'member')
-                        
-                      for (delta in modelContext.allChanges) {
-                         if (delta.objectTypeClass == OrgType.class) {
-                            log.info('Found Org delta: {}', delta)
-                            if (delta.isDelete()) {
-                               addFromObject(affectedUsers, modelContext.focusContext.objectOld)
-                            } else {
-                               memberDelta = delta.findPropertyDelta(MEMBER_PATH)
-                               if (memberDelta != null) {
-                                  log.info('Found member delta: {}', memberDelta)
-                                  if (memberDelta.isReplace()) {
-                                     addFromObject(affectedUsers, modelContext.focusContext.objectOld)
-                                     addFromValues(affectedUsers, memberDelta.valuesToReplace)
-                                  } else {
-                                     addFromValues(affectedUsers, memberDelta.valuesToAdd)
-                                     addFromValues(affectedUsers, memberDelta.valuesToDelete)
-                                  }
-                               }
-                            }
-                         }
-                      }
-                      log.info('Affected users = {}', affectedUsers)
-                      for (userName in affectedUsers) {
-                         user = midpoint.searchObjectByName(UserType.class, userName)
-                         if (user != null) {
-                            midpoint.addRecomputeTrigger(user, null)
-                            log.info('Recompute trigger added to {}', user)
-                         } else {
-                            log.warn('User {} couldn\'t be found', userName)
-                         }
-                      }
-                      log.info('Finishing Org change hook execution')
-                        
-                      def addFromObject(users, object) {
-                         addFromValues(users, object?.findExtensionItem('member')?.values)
-                      }
-                      def addFromValues(users, values) {
-                         if (values != null) {
-                            for (value in values) {
-                               users.add(value.realValue)
-                            }
-                         }
-                      }
-                  </code>
-               </script>
-            </hook>
-         </change>
-      </modelHooks>
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
   -->
-      <logging>
-         <classLogger id="1">
+
+<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000001" version="2">
+    <name>SystemConfiguration</name>
+    <globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000120" relation="org:default" type="tns:SecurityPolicyType"/>
+    <logging>
+        <classLogger id="1">
             <level>ERROR</level>
             <package>ro.isdc.wro.extensions.processor.css.Less4jProcessor</package>
-         </classLogger>
-         <classLogger id="2">
+        </classLogger>
+        <classLogger id="2">
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.spi.SqlExceptionHelper</package>
-         </classLogger>
-         <classLogger id="3">
+        </classLogger>
+        <classLogger id="3">
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.batch.internal.BatchingBatch</package>
-         </classLogger>
-         <classLogger id="4">
+        </classLogger>
+        <classLogger id="4">
             <level>WARN</level>
             <package>org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl</package>
-         </classLogger>
-         <classLogger id="5">
+        </classLogger>
+        <classLogger id="5">
             <level>OFF</level>
             <package>org.hibernate.internal.ExceptionMapperStandardImpl</package>
-         </classLogger>
-         <classLogger id="6">
+        </classLogger>
+        <classLogger id="6">
             <level>OFF</level>
             <package>net.sf.jasperreports.engine.fill.JRFillDataset</package>
-         </classLogger>
-         <classLogger id="7">
+        </classLogger>
+        <classLogger id="7">
             <level>WARN</level>
             <package>org.apache.wicket.resource.PropertiesFactory</package>
-         </classLogger>
-         <classLogger id="8">
+        </classLogger>
+        <classLogger id="8">
             <level>ERROR</level>
             <package>org.springframework.context.support.ResourceBundleMessageSource</package>
-         </classLogger>
-         <classLogger id="9">
+        </classLogger>
+        <classLogger id="9">
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.projector.Projector</package>
-         </classLogger>
-         <classLogger id="10">
+        </classLogger>
+        <classLogger id="10">
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package>
-         </classLogger>
-         <appender id="11" xsi:type="c:FileAppenderConfigurationType">
+        </classLogger>
+        <appender id="11" xsi:type="c:FileAppenderConfigurationType">
             <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern>
             <name>MIDPOINT_LOG</name>
             <fileName>${midpoint.home}/log/midpoint.log</fileName>
@@ -117,8 +57,8 @@
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
-         </appender>
-         <appender id="12" xsi:type="c:FileAppenderConfigurationType">
+        </appender>
+        <appender id="12" xsi:type="c:FileAppenderConfigurationType">
             <pattern>%date %level: %msg%n</pattern>
             <name>MIDPOINT_PROFILE_LOG</name>
             <fileName>${midpoint.home}/log/midpoint-profile.log</fileName>
@@ -126,97 +66,106 @@
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
-         </appender>
-         <rootLoggerAppender>MIDPOINT_LOG</rootLoggerAppender>
-         <rootLoggerLevel>INFO</rootLoggerLevel>
-         <auditing>
+        </appender>
+        <rootLoggerAppender>MIDPOINT_LOG</rootLoggerAppender>
+        <rootLoggerLevel>INFO</rootLoggerLevel>
+        <auditing>
             <enabled>false</enabled>
             <details>false</details>
-         </auditing>
-      </logging>
-      <defaultObjectPolicyConfiguration id="101">
-         <type>UserType</type>
-         <objectTemplateRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="8098b124-c20c-4965-8adf-e528abedf7a4" relation="org:default" type="tns:ObjectTemplateType"/>
-      </defaultObjectPolicyConfiguration>
-      <cleanupPolicy>
-         <auditRecords>
+        </auditing>
+    </logging>
+    <defaultObjectPolicyConfiguration id="101">
+        <type>UserType</type>
+        <objectTemplateRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="8098b124-c20c-4965-8adf-e528abedf7a4" relation="org:default" type="tns:ObjectTemplateType"/>
+    </defaultObjectPolicyConfiguration>
+    <defaultObjectPolicyConfiguration>
+        <type>OrgType</type>
+        <lifecycleStateModel>
+            <state>
+                <name>retired</name>
+                <!-- object in this model is active but on its way to deletion -->
+            </state>
+        </lifecycleStateModel>
+    </defaultObjectPolicyConfiguration>
+    <cleanupPolicy>
+        <auditRecords>
             <maxAge>P3M</maxAge>
-         </auditRecords>
-         <closedTasks>
+        </auditRecords>
+        <closedTasks>
             <maxAge>P1M</maxAge>
-         </closedTasks>
-      </cleanupPolicy>
-      <internals>
-         <enableExperimentalCode>true</enableExperimentalCode>
-         <operationExecutionRecording>
-             <skipWhenSuccess>true</skipWhenSuccess>
-         </operationExecutionRecording>
-         <focusConstraintsChecking>
-             <skipWhenNoChange>true</skipWhenNoChange>
-             <skipWhenNoIteration>true</skipWhenNoIteration>
-         </focusConstraintsChecking>
-         <projectionConstraintsChecking>
-             <skipWhenNoChange>true</skipWhenNoChange>
-             <skipWhenNoIteration>true</skipWhenNoIteration>
-         </projectionConstraintsChecking>
-         <synchronizationSituationUpdating>
-             <skipWhenNoChange>true</skipWhenNoChange>
-         </synchronizationSituationUpdating>
-         <caching>
-             <profile>
-                 <global>true</global>
-                 <localRepoCache>
-                     <statistics>
-                         <classification>perCacheAndObjectType</classification>
-                     </statistics>
-                 </localRepoCache>
-                 <globalRepoCache>
-                     <timeToLive>60</timeToLive>
-                     <objectTypeSettings>
-                         <objectType>SystemConfigurationType</objectType>
-                         <objectType>ArchetypeType</objectType>
-                         <objectType>ObjectTemplateType</objectType>
-                         <objectType>SecurityPolicyType</objectType>
-                         <objectType>ValuePolicyType</objectType>
-                         <objectType>ResourceType</objectType>
-                         <objectType>RoleType</objectType>
-                         <objectType>OrgType</objectType>
-                         <objectType>ServiceType</objectType>
-                         <objectType>ShadowType</objectType>
-                     </objectTypeSettings>
-                     <statistics>
-                         <classification>perCacheAndObjectType</classification>
-                     </statistics>
-                 </globalRepoCache>
-             </profile>
-         </caching>
-         <repository>
-             <statistics>
+        </closedTasks>
+    </cleanupPolicy>
+    <internals>
+        <enableExperimentalCode>true</enableExperimentalCode>
+        <operationExecutionRecording>
+            <skipWhenSuccess>true</skipWhenSuccess>
+        </operationExecutionRecording>
+        <focusConstraintsChecking>
+            <skipWhenNoChange>true</skipWhenNoChange>
+            <skipWhenNoIteration>true</skipWhenNoIteration>
+        </focusConstraintsChecking>
+        <projectionConstraintsChecking>
+            <skipWhenNoChange>true</skipWhenNoChange>
+            <skipWhenNoIteration>true</skipWhenNoIteration>
+        </projectionConstraintsChecking>
+        <synchronizationSituationUpdating>
+            <skipWhenNoChange>true</skipWhenNoChange>
+        </synchronizationSituationUpdating>
+        <caching>
+            <profile>
+                <global>true</global>
+                <localRepoCache>
+                    <statistics>
+                        <classification>perCacheAndObjectType</classification>
+                    </statistics>
+                </localRepoCache>
+                <globalRepoCache>
+                    <timeToLive>60</timeToLive>
+                    <objectTypeSettings>
+                        <objectType>SystemConfigurationType</objectType>
+                        <objectType>ArchetypeType</objectType>
+                        <objectType>ObjectTemplateType</objectType>
+                        <objectType>SecurityPolicyType</objectType>
+                        <objectType>ValuePolicyType</objectType>
+                        <objectType>ResourceType</objectType>
+                        <objectType>RoleType</objectType>
+                        <objectType>OrgType</objectType>
+                        <objectType>ServiceType</objectType>
+                        <objectType>ShadowType</objectType>
+                    </objectTypeSettings>
+                    <statistics>
+                        <classification>perCacheAndObjectType</classification>
+                    </statistics>
+                </globalRepoCache>
+            </profile>
+        </caching>
+        <repository>
+            <statistics>
                 <classification>perOperationAndObjectType</classification>
             </statistics>
-         </repository>
-         <tracing>
-             <profile>
-                 <name>performance</name>
-                 <displayName>Performance tracing</displayName>
-                 <visible>true</visible>
-                 <default>true</default>
-                 <fileNamePattern>performance-trace %{timestamp} %{focusName} %{milliseconds}</fileNamePattern>
-                 <createRepoObject>true</createRepoObject>
-                 <compressOutput>true</compressOutput>
-             </profile>
-             <profile>
-                 <name>functional</name>
-                 <displayName>Functional tracing</displayName>
-                 <visible>true</visible>
-                 <fileNamePattern>functional-trace %{timestamp} %{focusName}</fileNamePattern>
-                 <createRepoObject>true</createRepoObject>
-                 <compressOutput>true</compressOutput>
-                 <collectLogEntries>true</collectLogEntries>
-                 <tracingTypeProfile>
-                     <level>normal</level>
-                 </tracingTypeProfile>
-             </profile>
+        </repository>
+        <tracing>
+            <profile>
+                <name>performance</name>
+                <displayName>Performance tracing</displayName>
+                <visible>true</visible>
+                <default>true</default>
+                <fileNamePattern>performance-trace %{timestamp} %{focusName} %{milliseconds}</fileNamePattern>
+                <createRepoObject>true</createRepoObject>
+                <compressOutput>true</compressOutput>
+            </profile>
+            <profile>
+                <name>functional</name>
+                <displayName>Functional tracing</displayName>
+                <visible>true</visible>
+                <fileNamePattern>functional-trace %{timestamp} %{focusName}</fileNamePattern>
+                <createRepoObject>true</createRepoObject>
+                <compressOutput>true</compressOutput>
+                <collectLogEntries>true</collectLogEntries>
+                <tracingTypeProfile>
+                    <level>normal</level>
+                </tracingTypeProfile>
+            </profile>
             <profile>
                 <name>functional-model-logging</name>
                 <displayName>Functional tracing (with model logging)</displayName>
@@ -253,52 +202,56 @@
                     <level>normal</level>
                 </tracingTypeProfile>
             </profile>
-         </tracing>
-      </internals>
-      <deploymentInformation>
-         <name>demo/complex2s</name>
-      </deploymentInformation>
-      <adminGuiConfiguration>
-         <userDashboardLink id="13">
+        </tracing>
+    </internals>
+    <deploymentInformation>
+        <name>demo/complex2s</name>
+    </deploymentInformation>
+    <adminGuiConfiguration>
+        <userDashboardLink id="13">
             <targetUrl>/self/profile</targetUrl>
             <label>Profile</label>
             <description>View/edit your profile</description>
             <icon>
-               <cssClass>fa fa-user</cssClass>
+                <cssClass>fa fa-user</cssClass>
             </icon>
             <color>green</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
-         </userDashboardLink>
-         <userDashboardLink id="14">
+        </userDashboardLink>
+        <userDashboardLink id="14">
             <targetUrl>/self/credentials</targetUrl>
             <label>Credentials</label>
             <description>View/edit your credentials</description>
             <icon>
-               <cssClass>fa fa-shield</cssClass>
+                <cssClass>fa fa-shield</cssClass>
             </icon>
             <color>blue</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
-         </userDashboardLink>
-         <userDashboardLink id="15">
+        </userDashboardLink>
+        <userDashboardLink id="15">
             <targetUrl>/admin/users</targetUrl>
             <label>List users</label>
             <icon>
-               <cssClass>fa fa-users</cssClass>
+                <cssClass>fa fa-users</cssClass>
             </icon>
             <color>red</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</authorization>
-         </userDashboardLink>
-         <userDashboardLink id="16">
+        </userDashboardLink>
+        <userDashboardLink id="16">
             <targetUrl>/admin/resources</targetUrl>
             <label>List resources</label>
             <icon>
-               <cssClass>fa fa-database</cssClass>
+                <cssClass>fa fa-database</cssClass>
             </icon>
             <color>purple</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#resources</authorization>
-         </userDashboardLink>
-         <enableExperimentalFeatures>true</enableExperimentalFeatures>
-      </adminGuiConfiguration>
-   </systemConfiguration>
+        </userDashboardLink>
+        <enableExperimentalFeatures>true</enableExperimentalFeatures>
+    </adminGuiConfiguration>
+    <workflowConfiguration>
+        <useLegacyApproversSpecification>never</useLegacyApproversSpecification>
+        <useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
+    </workflowConfiguration>
+</systemConfiguration>
diff --git a/demo/complex2s/midpoint-objects/tasks/task-group-scavenger.xml b/demo/complex2s/midpoint-objects/tasks/task-group-scavenger.xml
new file mode 100644
index 0000000..60f9852
--- /dev/null
+++ b/demo/complex2s/midpoint-objects/tasks/task-group-scavenger.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<!--
+
+Looks for groups with the lifecycleState of 'retired' and completes their deletion:
+ - unassigns all the users (simply by recomputing them)
+
+-->
+
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	  xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	  xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+	  xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
+	  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	  xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
+	  xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
+	  oid="1d7bef40-953e-443e-8e9a-ec6e313668c4">
+	<name>Group Scavenger</name>
+	<extension>
+		<scext:executeScript>
+			<s:action>
+				<s:type>execute-script</s:type>
+				<s:parameter>
+					<s:name>script</s:name>
+					<c:value xsi:type="c:ScriptExpressionEvaluatorType">
+						<c:code>import com.evolveum.midpoint.xml.ns._public.common.common_3.*
+
+						result = midpoint.currentResult
+						log.info('Processing dead group: {}', input)
+						query = prismContext.queryFor(UserType.class)
+								.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(input.oid)
+								.build()
+						members = midpoint.repositoryService.searchObjects(UserType.class, query, null, result)
+						log.info('Found {} members: {}', members.size(), members)
+
+						for (member in members) {
+							log.info('Going to recompute {}', member)
+							try {
+								midpoint.recompute(UserType.class, member.oid)
+							} catch (Throwable t) {
+								log.error('Couldn\'t recompute {}: {}', member, t.message, t)
+							}
+						}
+						log.info('Members recomputed; checking if the org is still in "retired" state')
+						orgAfter = midpoint.repositoryService.getObject(OrgType.class, input.oid, null, result)
+						currentState = orgAfter.asObjectable().lifecycleState
+						log.info('Current state = {}', currentState)
+						if (currentState == 'retired') {
+							log.info('Deleting the org: {}', orgAfter)
+							midpoint.deleteObject(OrgType.class, orgAfter.oid, null)
+						} else {
+							log.info('State has changed, not deleting the org: {}', orgAfter)
+						}
+						log.info('Dead group processing done: {}', input)
+						</c:code>
+					</c:value>
+				</s:parameter>
+			</s:action>
+		</scext:executeScript>
+		<mext:objectType>OrgType</mext:objectType>
+		<mext:objectQuery>
+			<q:filter>
+				<q:equal>
+					<q:path>lifecycleState</q:path>
+					<q:value>retired</q:value>
+				</q:equal>
+			</q:filter>
+		</mext:objectQuery>
+	</extension>
+	<ownerRef oid="00000000-0000-0000-0000-000000000002"/>
+	<executionStatus>runnable</executionStatus>
+	<category>BulkActions</category>
+	<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/iterative-scripting/handler-3</handlerUri>
+	<recurrence>recurring</recurrence>
+	<schedule>
+		<interval>60</interval>
+	</schedule>
+</task>
diff --git a/demo/complex2s/midpoint-objects/users/user-banderson.xml b/demo/complex2s/midpoint-objects/users/user-banderson.xml
index 6ef2563..10197ea 100644
--- a/demo/complex2s/midpoint-objects/users/user-banderson.xml
+++ b/demo/complex2s/midpoint-objects/users/user-banderson.xml
@@ -1,4 +1,11 @@
-<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
+<!--
+  ~ Copyright (c) 2019 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" 
       oid="e897468f-20bd-419c-8fc5-1fe60e2600de">