Book referenceChapter 4: Resources and Mappings, Chapter 5: Synchronization, Chapter 7: Role-Based Access Control, Chapter 8: Object Template, Unwritten chapters
Training referenceMID-101


Organizational structure (manually-maintained), authorizations, self-service, delegated administration.


  • HR System: Employee data are stored in the HR system. There is an export task that exports the content of an HR system into a CSV file in regular interval.

  • Open source LDAP server (OpenLDAP, 389ds or similar): Company-wide LDAP server that is used as central user directory and authentication server for several applications. Accounts should be provisioned into the LDAP server using the standard inetOrgPerson object class.

  • MidPoint: Start the exercise with an empty midPoint server. Alternatively you may start with a configuration from previous exercises.


We have a small company. We have a simple HR system that exports the data to an CSV file that works the same way as in previous exercises. There is also an LDAP server that works as central directory server that also works in the same way as we have seen before. Optionally, you can use the whole setup from previous exercises as a baseline for this exercise.

The goal of this exercise is to create an organizational structure. Organizational structure will be managed manually for the purposes of this exercise. Therefore manually create a hierarchical (functional) organizational structure for your company. You can add some divisions, departments and sections. This do not need to be big, 5-10 organizational units is just fine.

Manually assign users to organizational structure. Most users will be just ordinary members of organizational units. But some of the users will be managers. Try to make it look like a real company.

Make sure that all employees can access self-service part of midPoint user interface. Employees should be able to:

  • Change their own password.

  • Edit some parts of their user profile (e.g. nickname, preferred language, locale and time zone).

  • Read almost all their user profile except for some sensitive fields (e.g. cost center).

Set a delegated administration configuration for organizational unit managers. The managers should be able to log in to midPoint user interface and access selected pages of administration part of midPoint user interface:

  • Managers should be able to see Organizational Structure page. They should have read-only access. Managers should see all organizational units.

  • Managers should be able to read users in organizational units that they are managing. No write access to those users should be provided. Some properties from user profile should not be accessible to managers. Make them different than those properties hidden from users. E.g. hide additional name.

  • Managers should be able to access All users page (user list). But they should be able to see only the users that belong to their organizational units.

Use organizational structure to automatically manage user’s privileges. For example, create a specialized organizational unit for external support engineers. Membership in this organizational unit should automatically grant an LDAP account for the users. Such LDAP account should be specially marked, e.g. it should have value Support Engineer in the title LDAP attribute.