Current MidPoint Features

Last modified 15 Mar 2024 11:23 +01:00

This is a list of the most important and unique features of midPoint:

Each entry gives the feature name, a description and, where applicable, the ISO27001 controls the feature supports (listed as Compliance).

Abstract role (concept)
MidPoint supports traditional role-based access control (RBAC) roles, used both in provisioning and authorization contexts. However, the concept of a "role" is much more generic and abstract in midPoint. Other objects can act as roles, most notably archetypes, organizational units (orgs) and services. Such "abstract roles" behave the same way a role does; e.g. membership in an organizational unit may directly grant privileges and authorizations, without any extra configuration.

Access certification
Access certification is a review process aimed at reduction of unnecessary access in the system. It works by requesting certification of access: appropriate reviewers have to certify that the access granted to users is still needed. Certifications are often carried out as certification campaigns, certifying the access of many users at once. Alternatively, small micro-certifications can be triggered, certifying the access of one particular user.
Compliance: ISO27001 5.15, 5.16, 5.18, 5.19

Access request process
Access request process is a mechanism for users to request ad-hoc access to applications. The process usually starts with users selecting roles from the role catalog into their "shopping cart" and submitting the request once the appropriate roles are selected. Based on the policy applied to the roles, midPoint usually starts an approval process, routing each role request to the appropriate approvers. Once the request is approved, the roles are assigned and access is granted automatically.
Compliance: ISO27001 5.15, 5.16, 5.18

Actions
Automated actions that process many objects at once. E.g. actions can activate (enable) many users at once, validate and clean up data, or remove obsolete data.

Administration user interface
Administration user interface is a web-based application used to configure and manage midPoint. It is meant to be used by system administrators, by identity engineers deploying and configuring midPoint, and also by delegated administrators managing identities. The user interface has a customizable look and feel.

Applicable policies
MidPoint provides significant flexibility when it comes to policies and policy-related configuration. The applicable policies mechanism groups policy statements into manageable units, created in the form of meta-roles. Meta-roles specifying applicable policies can be applied to roles (and other object types) by a simple selection in the user interface. E.g. applicable-policy meta-roles can be defined for the usual role approval scenarios, such as "approval by manager", "approval by application owner" and "approval by security office". Such meta-roles can be selected in the user interface and easily applied when a new role is being created.
Compliance: ISO27001 5.15

Application (concept)
Application is an essential concept in identity management. It represents an application or an application-like service in an organization. It is distinct from the concept of an identity resource, as one identity resource can be used to manage many applications. E.g. directory services such as Active Directory are often used as an identity repository for numerous applications. Access to such applications is managed indirectly through the directory service, instead of direct integration with the application. However, midPoint (and its users) need to know about the applications, as applications and their data are the information assets that need to be managed. In midPoint, an application is a pre-defined archetype, making application a sub-type of the service concept.
Compliance: ISO27001 5.15

Application inventory
Application inventory is a rich list of all the applications and application-like services in an organization. MidPoint can list all the relevant applications and link them to the identity resources that are used to manage access to them. The concept of an application is one of the crucial concepts of identity management, hence application inventory is an essential resource for access control and identity governance. MidPoint can act as an authoritative source of application inventory data, or it can pull application inventory data from other source systems.
Compliance: ISO27001 5.1, 5.2, 5.9, 5.13, 5.16, 5.18, 5.19, 5.20, 5.21, 5.22, 5.23, 5.25

Approval process
Approval process is a natural part of the access request process. Once a user submits an access request, the request is subject to approval by the appropriate approvers. In midPoint, the approval process is dynamic and policy-driven. As each role may have its own approval settings and policies, the request may be subdivided into approvals by numerous approvers in several approval levels. MidPoint dynamically determines the policy, summarizes approver decisions and applies them to the request. Approved roles are automatically assigned and applied. The approval process is a generic mechanism in midPoint, triggered by policy rules. Apart from the access request process, it can be applied to other scenarios as well, such as approval of role modifications.
Compliance: ISO27001 5.3, 5.15, 5.16, 5.18

Archetype
Archetype specifies fine-grained object types, such as "Person", "Employee", "Student", "Business role", "Application" and so on. Archetypes are applied to basic midPoint object types (User, Role, Org, Service). In addition to giving objects a type, archetypes act as meta-roles, specifying policy and behavior common to all objects with that archetype.
Compliance: ISO27001 5.8, 5.12, 5.14, 5.19, 5.20

Assignment
Assignment represents a direct relation between midPoint objects. Its primary use is to assign roles to users; however, it has much broader application. Assignments can be used to assign users to organizational units, assign owners to roles, associate application roles with applications and so on. Assignment is a rich data structure that can contain temporal constraints (validity from/to), parameters and even conditions.
Compliance: ISO27001 5.10, 5.13, 5.16, 5.18

Assignment metadata
Metadata are maintained for every assignment and inducement in the relevant midPoint objects. MidPoint records timestamps and actors when an assignment is created and modified. Approval information is recorded in the metadata as well, where applicable.
Compliance: ISO27001 5.10, 5.16, 5.18, 5.26, 5.27, 5.28

Asynchronous resources
Support for identity resources that are not accessible in a direct, synchronous, CRUD-like way. Such a resource can receive commands to add, modify or delete accounts and other objects, but processes them asynchronously, at an unspecified later time. Resources based on a messaging interface are the prime example of asynchronous resources.

Attribute caching
Ability to store a copy of account attribute values in the midPoint repository. Attribute caching reduces the need to access identity resources through a connector. It also collects the data in the midPoint repository, enabling queries that would not be possible otherwise (e.g. combining attribute data, metadata and governance information in a single query).

Audit trail
Audit trail is a record of all activity in the system. MidPoint records all operations into the audit trail, including changes to identity objects, roles, policies and configuration. The audit trail is recorded in the form of externally accessible and documented database tables. It can be used by external systems (e.g. SIEM systems) to analyze identity management and governance behavior. The midPoint administration interface includes tools to examine the audit trail.
Compliance: ISO27001 5.1, 5.7, 5.10, 5.15, 5.16, 5.17, 5.18, 5.20, 5.26, 5.27, 5.28, 5.29

Authorization
Authorization is a complex permission or privilege, allowing midPoint users access to parts of midPoint functionality. It is an internal mechanism for access control inside the midPoint application, user interface and the services that midPoint exposes. Authorization statements are based on the usual subject-action-object triple used by many authorization systems. However, midPoint extends the basic structure with numerous additional parameters, making the authorization system very expressive. Although authorizations are meant to express internal access to midPoint functionality, the authorization mechanism is well integrated with the usual role-based access control (RBAC) mechanism. This integration allows internal midPoint authorizations to be managed using the same familiar mechanisms used to manage privileges in external identity resources.
Compliance: ISO27001 5.3, 5.8

Auto-scaling
Ability to automatically scale a midPoint cluster in a cloud environment, dynamically adding and removing midPoint nodes.

Case management
Case management is a process of managing a variety of cases where automatic processing is not possible and human interaction is necessary. It is a generic functionality used to implement a variety of processes, such as approval processes, manual provisioning and so on. Case management is designed to support unstructured and semi-structured collaborative processes.

Common identity management data model
Common data model for various identity types, such as users, services, roles and organizations, with pre-defined common attributes for each identity type. Objects share the same basic structure; each object type specifies additional properties. All objects can be represented in several data formats (XML, JSON, YAML).
Compliance: ISO27001 5.16

ConnId identity connector framework
ConnId identity connector framework is an open source framework supporting many identity connectors. Identity connectors are used to connect to various identity resources, providing a uniform interface to midPoint. Therefore, midPoint can work with a variety of identity resources, just by plugging in the appropriate identity connector.
Compliance: ISO27001 5.23, 5.26

ConnId connector server
ConnId connector server is a small network service that allows remote deployment of identity connectors. Connectors that cannot be co-located with the midPoint deployment may be deployed in a connector server placed at any convenient network location. The connector server is used to access identity resources in remote data centers, provide access from the cloud to on-premise systems, or reach otherwise inaccessible network locations.

Correlation
The correlation mechanism detects and decides which identities represent the same entity. The usual use of correlation is to find owners for newly-detected accounts. The correlation mechanism queries the midPoint repository, looking for candidate owners for an account. Identities are usually correlated based on matching values of specific attributes (e.g. personal number). Smart correlation can find candidate matches based on probabilistic or human-assisted matching.
Compliance: ISO27001 5.16

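The two-stage decision described above (exact match on an authoritative attribute, then a probabilistic fallback that is handed to a human rather than linked automatically) as an added example. This is not midPoint code and uses none of its APIs; the user records, the account records, the attribute names (personalNumber, givenName, familyName), the similarity threshold and the confidence values are all constructed or assumed for the illustration.

```python
"""Correlation of a newly discovered account to candidate owners.

Added example illustrating the correlation idea; not midPoint code. All
repository contents, attribute names and thresholds are constructed for
the example.
"""
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional


def normalize(value: str) -> str:
    """Normalized name form: strip diacritics, lowercase, collapse whitespace.
    (Same idea as a PolyString "norm" value; the exact rules are assumed.)"""
    decomposed = unicodedata.normalize("NFKD", value)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split())


@dataclass
class User:
    oid: str
    personal_number: Optional[str]
    given_name: str
    family_name: str


@dataclass
class CorrelationResult:
    # candidate owner oid -> confidence in [0.0, 1.0]
    candidates: dict = field(default_factory=dict)

    def decision(self, threshold: float = 0.9):
        """("link", oid) when exactly one candidate is certain,
        ("manual", None) when candidates exist but none or several are certain,
        ("none", None) when no candidate was found."""
        certain = [oid for oid, c in self.candidates.items() if c >= threshold]
        if len(certain) == 1:
            return "link", certain[0]
        if self.candidates:
            return "manual", None
        return "none", None


def correlate(account: dict, repository: list) -> CorrelationResult:
    """Two-stage correlation.

    1. Exact match on the personal number (treated as authoritative, 1.0).
    2. Fallback: probabilistic match on the normalized full name, capped below
       the link threshold so a name-only match always goes to a human.
    """
    result = CorrelationResult()
    personal_number = account.get("personalNumber")
    if personal_number:
        for user in repository:
            if user.personal_number == personal_number:
                result.candidates[user.oid] = 1.0
        if result.candidates:
            return result  # authoritative identifier matched; do not dilute it

    account_name = normalize(
        f"{account.get('givenName', '')} {account.get('familyName', '')}"
    )
    if not account_name:
        return result  # nothing to compare; leave the account unlinked
    for user in repository:
        user_name = normalize(f"{user.given_name} {user.family_name}")
        ratio = SequenceMatcher(None, account_name, user_name).ratio()
        if ratio >= 0.8:
            result.candidates[user.oid] = min(ratio, 0.89)
    return result


# Constructed repository contents; note the duplicate person (U1 and U3).
REPOSITORY = [
    User("U1", "1001", "Jožko", "Mrkvička"),
    User("U2", "1002", "Anna", "Nováková"),
    User("U3", None, "Jozko", "Mrkvicka"),
]

if __name__ == "__main__":
    for account in (
        {"personalNumber": "1002", "givenName": "Anna", "familyName": "Novakova"},
        {"givenName": "Jozko", "familyName": "Mrkvicka"},
        {"personalNumber": "9999", "givenName": "Zed", "familyName": "Quux"},
    ):
        print(account, "->", correlate(account, REPOSITORY).decision())
```

The cap on name-based confidence is the security-relevant choice: an account that only looks like an existing user must never be linked (and thereby inherit that user's access) without a human decision, while an exact match on the authoritative identifier short-circuits the fuzzy stage so a weaker signal cannot dilute it.
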
Dashboard
Dashboard functionality allows configuration of custom dashboards, consisting of small widgets that provide brief at-a-glance information about the system. Dashboards are often used to monitor the state of the midPoint platform, watch the progress of applying new policies, or check a summary of the previous day's operations.
Compliance: ISO27001 5.1

Delegated administration
Delegated administration is a method of delegating partial administration rights to persons who do not have full system administration entitlements. It is often used to delegate management of business roles to selected business persons who are not supposed to gain system administration privileges. The authorization mechanism is used in midPoint to implement delegated administration schemes.
Compliance: ISO27001 5.8, 5.15

Deputy
The deputy mechanism provides ad-hoc delegation of privileges from one user to another. It is used mostly for short-term delegation of privileges, e.g. for the duration of a vacation or time off.

Documentation
MidPoint documentation is publicly available to all midPoint users. It is regularly extended and maintained.

Entitlement
Entitlement is a privilege associated with an account in an identity resource. Whereas roles and assignments refer to the access control policy specified in midPoint, entitlements and entitlement associations refer to access control objects in the identity resource. E.g. Active Directory groups and application privileges are considered entitlements. Entitlements are always specific to the identity resource (i.e. they are application-specific).
Compliance: ISO27001 5.15, 5.16, 5.18, 5.19, 5.23

Entitlement association
Entitlement association is a relationship between an entitlement and an account. E.g. when an Active Directory account is a member of an Active Directory group, midPoint represents that as an association between the account and the entitlement (group). Even though entitlements are specific to a particular identity resource, association is a generic mechanism that can be applied uniformly to all identity resources (when properly configured).

Escalation
Escalation provides automatic forwarding of a work item in case the person responsible for it fails to act within a specified time interval. The escalation mechanism is usually applied to approvals and certifications, escalating the work item to the manager of the person who failed to react.
Compliance: ISO27001 5.2

Expression
Expression is a generic mechanism to algorithmically create or transform a value. It is usually used in mappings, transforming values of the common identity data model (e.g. user's full name) to native attributes used by identity resources (e.g. LDAP attribute 'cn').
Compliance: ISO27001 5.16

Expression constant
A constant is a special type of expression that has a constant value. The value of a constant is defined outside the midPoint application, e.g. in an environment-specific configuration file. Constants are often used to define environment-specific values, such as host names and root context names.

Expression function library
Function libraries are dedicated midPoint objects that contain a set of reusable functions. The functions can be used in other mappings and expressions in midPoint. Function libraries can be used to group frequently-used parts of code, simplifying midPoint configuration and maintenance.

Groovy scripting expression
Support for the Groovy language in scripting expressions. Groovy is the default expression language in midPoint.

JavaScript scripting expression
Support for the JavaScript/ECMAScript language in scripting expressions.

Expression profile
An expression profile defines limitations on the means an expression can use, mostly for security reasons. E.g. an expression profile can limit the use of scripting languages and the classes or libraries within them, restricting scripts to safe operations. Expressions may be limited to disable scripting altogether, restricting certain expressions to only the simplest and safest mechanisms. Without such limits, anyone authorized to edit an object that carries an expression can execute arbitrary code inside the midPoint server, so expression profiles matter most wherever configuration rights are delegated.

Python scripting expression
Support for the Python language in scripting expressions.

Extensible object types
Object types defined in the common identity data model (schema) can be extended with custom attributes.

Flexible authentication
MidPoint's authentication mechanism is flexible, configurable and customizable. It consists of authentication modules that can be combined into complex sequences, adjusting to various authentication requirements. MidPoint authentication can support numerous authentication scenarios, including multi-factor authentication and special-purpose alternative authentication needs (e.g. password reset scenarios).

Generic object
MidPoint usually works with rich pre-defined object types such as "user", "role" or "service". The built-in types are designed to be flexible enough to support almost any identity management use case imaginable. However, there may be a rare occasion when a completely unexpected case has to be supported. Generic objects are designed for such a case. Being mostly empty objects, they can be customized to any need using the object extensibility mechanism.

Generic synchronization
Generic synchronization is a generalization of the traditional account-user synchronization principle. MidPoint generic synchronization can synchronize any meaningful pair of objects, not just accounts and users. MidPoint can synchronize organizational units to Active Directory groups, applications to LDAP service accounts, or mobile device identities to inventory database records.

Gradual policy enforcement
Policies can be enforced gradually, in a step-by-step fashion. As new policies are introduced, policy violations can be reported first, without enforcing the policy. Violations can be addressed over a sufficient period of time, with full policy enforcement applied once all violations are resolved.
Compliance: ISO27001 5.3

High availability (HA)
MidPoint fully supports highly-available (HA) configurations by means of midPoint clustering. MidPoint can operate a cluster of several nodes, working together as a single midPoint instance, coordinated over one midPoint identity repository. The HA features provide enterprise-class scalability (hundreds of thousands to millions of users).
Compliance: ISO27001 5.30

Identity lifecycle
Identities are not static; they evolve over time. There may be a record about an identity before its activation; then the identity becomes active, may be temporarily suspended, is archived and is finally deleted. In midPoint, every object is in a certain lifecycle state, specifying its state or maturity for use. This principle also applies to all objects that represent identities.
Compliance: ISO27001 5.16, 5.19, 5.20, 5.23, 5.25

Identity merge
The midPoint administration user interface can interactively merge two identities into one. This functionality is used for ex-post merging of identities, e.g. when correlation did not work correctly and identity duplication is discovered later in the process.

Identity repository
Identity repository is a database that stores midPoint objects. It stores all the configuration and data that midPoint needs to operate. MidPoint is designed with flexibility in mind, supporting several database engines as options for the identity repository.
Compliance: ISO27001 5.16, 5.30

Identity repository cleanup
Automatic cleanup of obsolete and out-of-date information from the midPoint identity repository. MidPoint gathers a variety of information during its operation. Part of that information is important only for a certain time interval, after which it should be removed. MidPoint contains a mechanism to clean up the repository by deleting such obsolete data.

PostgreSQL identity repository
The PostgreSQL open source relational database engine can be used as the midPoint identity repository. PostgreSQL is the primary and recommended choice for the midPoint identity repository: it supports all midPoint features and provides the best performance.

Generic identity repository
MidPoint contains a generic identity repository implementation that can support several database engines in a generic way. This repository implementation is mostly historic and only partially maintained. It does not support all midPoint features and provides lower performance. Use of this repository implementation is deprecated, and it is generally not recommended for production use.

Inducement
Inducement is an indirect assignment. Unlike an assignment, which grants privileges directly, an inducement works indirectly. It is used primarily to build role hierarchies in role-based access control (RBAC) structures. It can also be used to automatically grant privileges associated with organizational structure membership.
Compliance: ISO27001 5.18, 5.19

Information classification
Applications and other objects that represent assets can be classified into categories and levels, describing the sensitivity of the assets. Classification labels are reflected to the roles and can be used to construct policies.
Compliance: ISO27001 5.8, 5.12, 5.13, 5.14, 5.15, 5.16, 5.18, 5.19, 5.20, 5.21, 5.22, 5.23, 5.29

Iteration
Iteration is a mechanism to determine a unique value by iteratively attempting to assign a unique identifier, re-trying on failure. E.g. it can be used to determine a unique username by trying values such as foobar, foobar2, foobar3, ...
Compliance: ISO27001 5.16

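The retry-on-failure loop described above as an added example; it is not midPoint code. The candidate sequence follows the page's own example (foobar, foobar2, foobar3, ...), the resource is a constructed in-memory stand-in whose create() fails on a name clash, and the attempt limit is an assumption.

```python
"""Unique identifier assignment by iteration.

Added example of the iteration idea; not midPoint code. The resource, its
contents and the attempt limit are constructed for the example.
"""
import threading
from typing import Iterator


class ConflictError(Exception):
    """Raised by the simulated resource when the name is already taken."""


class IterationExhausted(Exception):
    """Raised when no free value was found within the attempt limit."""


class FakeResource:
    """Stand-in for an identity resource with a uniqueness constraint on the
    account name. The lock makes create() atomic, as a real resource's
    constraint would be."""

    def __init__(self, existing=()):
        self.accounts = set(existing)
        self._lock = threading.Lock()

    def create(self, name: str) -> None:
        with self._lock:
            if name in self.accounts:
                raise ConflictError(name)
            self.accounts.add(name)


def candidate_values(base: str, max_iterations: int) -> Iterator[str]:
    """base, base2, base3, ... (the first iteration carries no token)."""
    for i in range(max_iterations):
        yield base if i == 0 else f"{base}{i + 1}"


def iterate_unique(base: str, resource: FakeResource, max_iterations: int = 100) -> str:
    """Attempt the create with each candidate; the conflict is the failure
    that triggers the next iteration. Attempting rather than pre-checking
    closes the window in which another process could take the name between
    a "does it exist?" query and the create."""
    for candidate in candidate_values(base, max_iterations):
        try:
            resource.create(candidate)
            return candidate
        except ConflictError:
            continue
    raise IterationExhausted(f"no free value for {base!r} in {max_iterations} attempts")


if __name__ == "__main__":
    resource = FakeResource({"foobar", "foobar2"})
    print(iterate_unique("foobar", resource))
```

The bounded attempt count is deliberate: an unbounded loop against a resource that rejects every candidate (for a reason other than a clash, misreported as one) would never terminate, so exhaustion is surfaced as an error for a human to look at.
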
Linked objects
Linked objects are objects that are related: when one of the objects changes, the other object has to be recomputed to reflect the change. The linked objects mechanism can be used to implement a variety of use cases, such as automatic update of nested objects, organization members or devices that belong to a user. Note: linked objects should not be confused with projection links, which are a separate concept.

Live synchronization
Live synchronization is an identity synchronization mechanism processing incremental changes in real time. It detects data changes in an identity resource and processes them continuously as they occur. Live synchronization is a fast and rather lightweight synchronization mechanism. However, it may be unreliable in some cases, failing to detect some changes; therefore it is almost always combined with reconciliation. Also, live synchronization is resource-specific; it is not supported by all identity resources and connectors.

Localization
MidPoint user interfaces, as well as data in the midPoint repository, can be localized to various languages and national environments. The user interfaces use the usual localization mechanism, allowing translations to be added to the system using localization files. In addition, midPoint supports a special data type used broadly across the platform: PolyString. PolyString can store national variations and translations. It can be used, for example, to provide localized names for roles, services or resources, which is an essential feature for deployments that span several national environments.

Lookup table
Lookup tables are a mechanism to manage selection and mapping of pre-defined value sets. E.g. locales, time zones, cost center codes and similar properties can be managed as lookup tables.

Manual resources
Manual resources are identity resources that are not connected using an automated (on-line) connector. Such resources are modified by human administrators, based on instructions provided by midPoint.

Mapping
Mapping is a mechanism that maps properties, transforming values as needed. Mappings are used in provisioning scenarios, transforming values of the common identity data model (e.g. user's full name) to native attributes used by identity resources (e.g. LDAP attribute 'cn').
Compliance: ISO27001 5.16

Meta-role
Meta-role is a role applied to other roles. It is used to specify policy or behavior common to an entire class of roles. E.g. it can be used to specify common behavior for all application roles linked to Active Directory groups.
Compliance: ISO27001 5.3, 5.15

Micro-certification
Micro-certification is an access certification executed on a small scale, usually certifying a single user. It is a scaled-down review process aimed at reduction of unnecessary access of a single entity (user). It works by requesting certification of access, a process where appropriate reviewers have to certify that the access provided to a user is still needed. Micro-certifications are usually triggered, i.e. initiated by an automated process after a certain trigger event is detected. E.g. a micro-certification may be triggered by a user changing position in the organizational structure.
Compliance: ISO27001 5.15, 5.18

MidPoint query language
Objects stored in the midPoint repository can be queried using the midPoint query language. It is a string-based, readable, user-friendly yet powerful query language, independent of any underlying database technology. The query language uses the item names given by the schema (common identity model); therefore it uses the same names as other parts of midPoint.

MidPoint object language
MidPoint objects have a specific structure. They consist of items, such as properties, containers and references. Object structure is defined by the schema, which forms the common identity model of midPoint. Objects can be expressed in the form of XML, JSON or YAML. MidPoint object language is a representation of midPoint objects in any of these forms. It can be used to reliably back up data and transfer it between systems, and it can be used for diagnostics, as configuration samples, or for sharing snippets and ideas.

Multi-connector resource
An identity resource is usually handled by a single connector, providing all the operations the resource needs. However, there are cases when more than one connector is needed to handle an identity resource correctly. There may be scripts that need to be executed after an account is created, e.g. to set up storage space for a home directory. The scripting capability is provided by a specialized connector that can be added to the primary connector handling the resource. Moreover, semi-manual resources rely on a combination of two connectors: a manual connector is used for writing, while an ordinary automated connector is used for reading. Multi-connector resources give midPoint a great deal of provisioning flexibility.

Multi-tenancy
Ability to serve several (partially) isolated customers in a single midPoint instance.

Notifications
Ability to notify users about various events in the system. Mostly used to notify users about the creation of a new account.

Non-human identities (NHI)
Management of identities (accounts) that do not belong to physical human users, such as accounts used for machine-to-machine communication.
Compliance: ISO27001 5.15, 5.16

Object collection and view
Object collection is a mechanism to specify a group of related objects, e.g. employees, staff affiliated with the London office, active users or proposed roles. Object collection is a type of midPoint object that defines the collection and gives it a name. Collections are accompanied by views, which can be used to customize the way collections are presented.

Object history
As midPoint records all operations in the audit trail, this information can be used to reconstruct the history of object modifications and past object states. MidPoint provides a simplified user interface for accessing audit records concerning a particular object, displaying its history. The user interface can also be used to reconstruct a past state of the object.
Compliance: ISO27001 5.7, 5.10, 5.15, 5.18, 5.20

Object lifecycle
Every object in midPoint is in a certain lifecycle state, specifying its state or maturity for use. Many objects start in the "draft" state when being prepared, transition to the "active" state for operation, and end their life in the "archived" state. MidPoint provides a pre-configured lifecycle model suitable for most situations.
Compliance: ISO27001 5.7

Object mark
MidPoint objects can be annotated using special-purpose marks. Marks denote a special state or behavior of the object, such as special protection, inability to be modified, violation of rules, or the need for manual attention. Marks can be managed manually or automatically, and they can be used in reporting and analytics.
Compliance: ISO27001 5.29

Object metadata
Metadata are maintained for every midPoint object. MidPoint records timestamps and actors when an object is created and modified. Approval information is recorded in the metadata as well, where applicable.
Compliance: ISO27001 5.7, 5.10, 5.16, 5.28

Object template
A template that specifies details and mappings governing the internal consistency of midPoint objects. E.g. an object template can specify a mapping to compute a user's full name from its components (first name, last name). Object templates can also be used for automatic assignment of roles.

Organizational structure
MidPoint supports various forms of organizational structures, including hierarchical tree-like structures and flat structures. Almost any organizational structure can be modeled in midPoint, as long as it can be expressed in the form of a directed acyclic graph. MidPoint supports many organizational structures in parallel, where objects can belong to any number of organizational units in any number of structures. Organizational unit objects ("orgs") behave in a way similar to roles, allowing direct assignment of organizational unit privileges.
Compliance: ISO27001 5.2, 5.8, 5.18, 5.19

Orphaned account management
Orphaned account management deals with accounts that do not have valid owners. Orphaned accounts are detected using the correlation and synchronization mechanisms. The synchronization mechanism can also be used to react to orphaned accounts, e.g. to automatically deactivate them.

Outlier detection
Outlier detection is a mechanism to detect users and assignments that are not similar to other users. Information provided by outlier detection is useful as supporting data for access certification, role modeling and data cleanup.

Overlay project
As midPoint is an open source project, it is open to modification and ultimate customization. An overlay project is a convenient and sustainable method of supporting code-based extensions and modifications of midPoint. It is meant as the ultimate customization mechanism for expert engineers to support complex and unusual requirements.

Parametric role
Parametric role is a role (in the role-based access control sense) which is dynamic: its behavior is based on parameters. The parameters are usually specified in the assignment, customizing the role behavior specifically for every user that has the role assigned.
Compliance: ISO27001 5.15

Password management
MidPoint can manage user passwords in several ways. It can store passwords (in encrypted or hashed form) in the midPoint identity repository. It can distribute a password to connected identity resources, e.g. when a new account is created or a password is changed; this is a way to keep account passwords synchronized. Note that distribution requires the password to be stored in encrypted (reversible) form; a hashed password can be verified, but not propagated to other systems. As password management is centralized in midPoint, company-wide password policies can be centrally enforced, such as password complexity rules and retention policy. MidPoint automatically maintains password metadata, such as when the password was changed and who changed it. The self-service user interface contains mechanisms for self-service password management and password reset.
Compliance: ISO27001 5.17, 5.20

Password policy
Password policy specifies the complexity requirements for an acceptable password, as well as means to further customize the policy. MidPoint password policy is meant to validate passwords, yet it is also designed to generate passwords that comply with the policy.
Compliance: ISO27001 5.17

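The two roles of a password policy named above, validation and policy-compliant generation, as an added example. This is not midPoint code and its policy structure is not midPoint's configuration format; the character classes, lengths, uniqueness minimum and the "must not contain the username" rule are assumptions for the illustration.

```python
"""Password policy: validation and policy-compliant generation.

Added example; not midPoint code. The policy structure, character classes
and limits are constructed for the example.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class CharacterClass:
    name: str
    chars: str
    min_occurs: int = 0
    max_occurs: Optional[int] = None


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    classes: Tuple[CharacterClass, ...]
    min_unique_chars: int = 1

    def validate(self, password: str, context: Sequence[str] = ()) -> list:
        """Return the list of violations; an empty list means compliant.
        `context` holds strings the password must not contain (e.g. the
        username), compared case-insensitively."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        allowed = set("".join(c.chars for c in self.classes))
        illegal = sorted(set(password) - allowed)
        if illegal:
            problems.append(f"characters not in any class: {''.join(illegal)!r}")
        for cls in self.classes:
            count = sum(ch in cls.chars for ch in password)
            if count < cls.min_occurs:
                problems.append(f"needs at least {cls.min_occurs} {cls.name}")
            if cls.max_occurs is not None and count > cls.max_occurs:
                problems.append(f"allows at most {cls.max_occurs} {cls.name}")
        if len(set(password)) < self.min_unique_chars:
            problems.append(f"fewer than {self.min_unique_chars} distinct characters")
        lowered = password.lower()
        for token in context:
            if len(token) >= 3 and token.lower() in lowered:
                problems.append(f"contains {token!r}")
        return problems

    def generate(self, length: Optional[int] = None, attempts: int = 100) -> str:
        """Generate a compliant password from the OS CSPRNG (`secrets`).
        Each class minimum is satisfied first, the remainder is drawn from
        the whole alphabet, the result is shuffled with SystemRandom and
        then re-validated, so the validator stays the single source of truth."""
        length = self.min_length if length is None else length
        rng = secrets.SystemRandom()
        alphabet = "".join(c.chars for c in self.classes)
        if sum(c.min_occurs for c in self.classes) > length:
            raise ValueError("class minimums exceed the requested length")
        for _ in range(attempts):
            chars = [secrets.choice(c.chars) for c in self.classes for _k in range(c.min_occurs)]
            chars += [secrets.choice(alphabet) for _k in range(length - len(chars))]
            rng.shuffle(chars)
            candidate = "".join(chars)
            if not self.validate(candidate):
                return candidate
        raise RuntimeError("no compliant password generated; check the policy for contradictions")


# Constructed policy for the example.
DEFAULT_POLICY = PasswordPolicy(
    min_length=12,
    max_length=64,
    classes=(
        CharacterClass("lowercase letters", "abcdefghijklmnopqrstuvwxyz", min_occurs=1),
        CharacterClass("uppercase letters", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", min_occurs=1),
        CharacterClass("digits", "0123456789", min_occurs=1),
        CharacterClass("special characters", "!@#$%^&*-_", min_occurs=1, max_occurs=4),
    ),
    min_unique_chars=8,
)

if __name__ == "__main__":
    print(DEFAULT_POLICY.validate("password"))
    print(DEFAULT_POLICY.validate("Jsmith2024!xyz", context=("jsmith",)))
    print(DEFAULT_POLICY.generate())
```

Generation reuses the validator instead of trusting its own construction, which is what keeps the two halves of the policy from drifting apart when a rule is added later; and it draws from `secrets`, never from the default `random` module, because a generated initial password is a credential.
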
Policy-driven role-based access control (PDRBAC)
Dynamic role-based access control (RBAC) mechanism, driven by policy statements and expressions.
Compliance: ISO27001 5.15, 5.18, 5.19, 5.23, 5.24, 5.29, 5.30

Persona
Persona is a virtual identity, an alternative representation of a physical person. Personas are associated with their primary identities, sharing selected data items.

Policy rule
Policy rules provide a generic mechanism to set up policies and policy constraints in the system. E.g. a policy rule may specify that all departments must have exactly one manager, or that each business role must have at least one owner. Many midPoint features are implemented by policy rules, most notably approval policies, segregation of duties and triggered micro-certifications.
Compliance: ISO27001 5.3, 5.8, 5.12, 5.14, 5.15, 5.18, 5.19, 5.21, 5.22, 5.29

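The two example constraints from the "Policy rule" entry (exactly one manager per department, at least one owner per business role) plus a segregation-of-duties exclusion, evaluated in the report-first manner described under "Gradual policy enforcement", as an added example. It is not midPoint code and its rule format is not midPoint's; the identity data (roles, owners, managers, exclusive role pairs) is constructed for the illustration.

```python
"""Policy rules with gradual (report-first) enforcement.

Added example; not midPoint code. The rule format and the identity data
are constructed for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Set


class Enforcement(Enum):
    REPORT = "report"    # record the violation, let the operation proceed
    ENFORCE = "enforce"  # reject the operation


@dataclass
class Model:
    """Constructed identity data the rules are evaluated against."""
    role_owners: Dict[str, Set[str]]    # role -> owners
    org_managers: Dict[str, Set[str]]   # org -> managers
    user_roles: Dict[str, Set[str]]     # user -> roles held
    exclusions: Set[FrozenSet[str]]     # pairs of mutually exclusive roles


@dataclass
class PolicyRule:
    name: str
    check: Callable[[Model], List[str]]  # returns violation messages
    enforcement: Enforcement


def rule_role_has_owner(m: Model) -> List[str]:
    return [f"role {r!r} has no owner" for r, owners in m.role_owners.items() if not owners]


def rule_exactly_one_manager(m: Model) -> List[str]:
    return [f"org {o!r} has {len(mgrs)} managers, expected exactly 1"
            for o, mgrs in m.org_managers.items() if len(mgrs) != 1]


def rule_segregation_of_duties(m: Model) -> List[str]:
    problems = []
    for user, roles in m.user_roles.items():
        for pair in m.exclusions:
            if pair <= roles:
                problems.append(f"user {user!r} holds exclusive roles {sorted(pair)}")
    return problems


@dataclass
class Evaluation:
    reported: List[str] = field(default_factory=list)  # logged, operation proceeds
    enforced: List[str] = field(default_factory=list)  # operation is rejected

    @property
    def allowed(self) -> bool:
        return not self.enforced


def evaluate(model: Model, rules: List[PolicyRule]) -> Evaluation:
    """Run every rule and route each violation by the rule's enforcement mode."""
    result = Evaluation()
    for rule in rules:
        for violation in rule.check(model):
            message = f"[{rule.name}] {violation}"
            if rule.enforcement is Enforcement.ENFORCE:
                result.enforced.append(message)
            else:
                result.reported.append(message)
    return result


def rules_for_phase(sod_enforced: bool) -> List[PolicyRule]:
    """Phase 1: everything report-only, so existing violations surface without
    blocking anyone. Phase 2: segregation of duties flipped to enforce once its
    reported violations are cleaned up; the other rules keep reporting."""
    sod_mode = Enforcement.ENFORCE if sod_enforced else Enforcement.REPORT
    return [
        PolicyRule("role-owner", rule_role_has_owner, Enforcement.REPORT),
        PolicyRule("one-manager", rule_exactly_one_manager, Enforcement.REPORT),
        PolicyRule("sod", rule_segregation_of_duties, sod_mode),
    ]


# Constructed data with one violation of each rule.
MODEL = Model(
    role_owners={"business-finance": {"alice"}, "business-hr": set()},
    org_managers={"sales": {"bob", "carol"}, "it": {"dave"}},
    user_roles={"eve": {"payment-creator", "payment-approver"}, "frank": {"payment-creator"}},
    exclusions={frozenset({"payment-creator", "payment-approver"})},
)

if __name__ == "__main__":
    for phase, enforced in ((1, False), (2, True)):
        ev = evaluate(MODEL, rules_for_phase(enforced))
        print(f"phase {phase}: allowed={ev.allowed} reported={len(ev.reported)} enforced={len(ev.enforced)}")
```

Keeping the enforcement mode on the rule rather than in the check itself is what makes the transition safe: the same check runs in both phases, so what was reported in phase 1 is exactly what gets blocked in phase 2, with no second, subtly different implementation to audit.
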
Polystring Polystring is a string-based data type that can store a string value in several forms. It is used primarily in international environment. It can be used to store string values in normalized form, e.g. transliterating national characters to plain ASCII characters). It can also be used to store several versions of the string, localized to various national representation.
Power of attorney Power of attorney feature allows one user to act in the name of another user. This feature can be used to allow managers of approvers to see their work items and act upon them. The ability to assume power of attorney is controlled by the authorization mechanism. The implementation is still somewhat limited.
Projection link The term "projection" describes an object in an identity resource which is a representation of an identity. A projection is usually a user account in an application. Projections are linked to the identity they represent, e.g. a user account is linked to the user that owns the account. MidPoint automatically establishes the links (e.g. using correlation) and maintains them, keeping track of projection owners at all times. ISO27001 5.11, ISO27001 5.16, ISO27001 5.25
Projection policy MidPoint usually fully enforces projection consistency, which means that if a projection should not exist (there is no assignment for it), the projection is deprovisioned (deleted or deactivated). E.g. if there is no role specifying that a particular account should exist, then such an account is deleted. This is the usual approach for target resources. However, it does not work well for source resources, where an appropriate assignment or role does not exist. In such cases, the projection policy setting can be used to adjust the enforcement of projection consistency. ISO27001 5.16
Protected accounts MidPoint can protect specific accounts against any change. Such accounts cannot be modified or deleted from midPoint, and they are not reconciled or otherwise synchronized. The protected account feature can be used to protect sensitive or system accounts, such as emergency recovery accounts.
Provisioning Provisioning is a basic feature of an identity management platform. It makes sure that user accounts are properly created on identity resources, that their attributes are set to the correct values, that the account has the correct group membership and so on. In midPoint, provisioning also takes care of inbound processing, dealing with data feeds coming from source systems. ISO27001 5.16, ISO27001 5.18, ISO27001 5.19, ISO27001 5.23, ISO27001 5.29, ISO27001 5.30
Provisioning consistency The provisioning mechanism in midPoint is robust, making sure that data in identity resources (e.g. accounts) are as consistent as possible. E.g. midPoint can deal with systems that are off-line or inaccessible: operations that cannot be completed immediately are persistently stored and retried later. MidPoint can opportunistically detect that a legal account was deleted, re-creating the account with appropriate attributes. MidPoint can detect that a conflicting account exists when attempting to create a new account, processing the existing account before proceeding. Overall, midPoint tries to make the account data as correct as possible, automatically correcting any errors that it discovers. ISO27001 5.29, ISO27001 5.30
Provisioning dependencies Provisioning dependencies deal with accounts and other objects that depend on each other, e.g. when an operating system account must be created before a database administration account is created. MidPoint takes care that the accounts are created and deleted in the correct order.
Provisioning propagation Propagation of provisioning changes to identity resources may be delayed, optionally combining several pending changes into a single change. This feature helps to reduce the number of operations on identity resources, reducing load on target resources and making resource logs more readable. It is a crucial feature for manual resources, reducing the number of operations that human administrators have to carry out.
Provisioning script Scripts executed before and/or after a specific provisioning operation, e.g. a script that creates a home directory or mailbox after an account is created, or a script that archives the home directory after an account is deleted.
Role-based access control (RBAC) Access control and provisioning based on the concept of roles. MidPoint roles can form a hierarchy by using inducement relations. ISO27001 5.2, ISO27001 5.12, ISO27001 5.13, ISO27001 5.14, ISO27001 5.15, ISO27001 5.16
Reconciliation Reconciliation is an identity synchronization mechanism that compares existing values of account attributes with values stored in the identity repository and/or computed by a policy. Like all synchronization mechanisms, reconciliation has the ability to correct the values. As reconciliation compares all the accounts one by one, it is a rather heavy-weight, yet very reliable, mechanism.
Reporting Reporting features provide the ability to create pre-defined and custom reports on data stored in the midPoint identity repository. Reports can be scheduled or executed ad hoc using the administration interface. ISO27001 5.1, ISO27001 5.3, ISO27001 5.7, ISO27001 5.24, ISO27001 5.26, ISO27001 5.27, ISO27001 5.28
Resource wizard Resource wizard is a part of the midPoint administration user interface dedicated to configuration of identity resources. Resource wizard is used to easily connect source and target resources in an interactive and user-friendly manner.
REST API MidPoint exposes the vast majority of its functionality by means of an HTTP-based RESTful interface (API).
Relation Relation specifies the type of relationship between two objects. E.g. it distinguishes whether a user is a member or an owner of a role, whether a user is a member or a manager of an organizational unit, whether a user is a reader, writer or administrator of a service, and so on. Relations are primarily used as a parameter in assignments. ISO27001 5.8, ISO27001 5.9
Object representation in XML MidPoint configuration and data objects can be represented in XML form.
Object representation in JSON MidPoint configuration and data objects can be represented in JSON form.
Object representation in YAML MidPoint configuration and data objects can be represented in YAML form.
Resource schema MidPoint can automatically discover the schema of an identity resource. Object classes, their attributes and attribute types can be discovered and automatically used by midPoint. MidPoint discovers and categorizes identifiers for each object class, distinguishing primary and secondary identifiers. ISO27001 5.16
Role autoassignment Expressions specified in roles, determining when a role should be automatically assigned to a user. It is a part of the policy-driven RBAC mechanism. ISO27001 5.18
Role catalog Role catalog is an organization of roles into categories. Its primary use is to present roles to users in a user-friendly and logical organization, similar to an on-line shopping experience. Technically, the midPoint role catalog is a form of organizational structure, organizing roles instead of users. Being an organizational structure, the role catalog may specify common behavior or policy for roles organized in the catalog.
Role certification Role certification is a controlled review of role definitions, a process where appropriate reviewers have to certify that the access granted by a role is correct. Certifications are often carried out in the form of certification campaigns, certifying the access of many roles at once. Alternatively, small micro-certifications can be triggered, certifying the access of one particular role.
Role governance Governance of the role model includes specification of role owners, approvers, access control over role modification, role certification and other controls applicable to the creation, maintenance and evolution of role definitions. Mechanisms of role governance apply equally to other midPoint objects, particularly to organizational units, applications and services. ISO27001 5.2, ISO27001 5.9, ISO27001 5.12, ISO27001 5.15, ISO27001 5.18
Role mining Role mining is a semi-automated mechanism to discover new role definitions based on patterns and regularities in the underlying data. The midPoint role mining mechanism is based on machine learning techniques, suggesting new role definitions through an interactive user interface.
Role wizard Role wizard is a part of the midPoint administration user interface dedicated to creation of RBAC roles. Role wizard is usually used to easily define a new application or business role in an interactive and user-friendly manner. ISO27001 5.15
Schema-aware system MidPoint is completely schema-aware: everything that midPoint does is governed by the system schema. E.g. custom properties defined in the schema are automatically displayed in the user interface, used by the wizards and so on.
Activation schema MidPoint provides an off-the-shelf schema for object activation, specifying whether an object is enabled (active) or disabled. This also includes the ability to specify time intervals (from, to) when the object is active (validity time constraints). ISO27001 5.16, ISO27001 5.18, ISO27001 5.19, ISO27001 5.25, ISO27001 5.26
Scripting hook Scripting hook is a piece of scripting code that can affect many aspects of object processing and computation in midPoint. Scripting hook is meant as an ultimate customization mechanism for expert engineers to support complex and unusual requirements.
Self-registration Self-registration is the ability for a user to register a new account using the self-service interface. The new account has to be validated before it becomes active, e.g. by using a magic link delivered by e-mail. Self-registration is disabled by default; it has to be explicitly enabled and properly configured.
Self-service password reset Self-service user interface provides a mechanism enabling users to reset their own password, after a successful alternative authentication. ISO27001 5.17
Self-service user interface Self-service user interface is a web-based application aimed at individual users. It provides self-service functionality, such as review and modification of the user's own profile information, password management, submission of access requests and review of submitted requests. Technically, it is the part of the administration user interface dedicated to user-centric functionality. The user interface has a customizable look and feel. ISO27001 5.17
Semi-manual resources Semi-manual resources are identity resources that are only partially connected using an automated (on-line) connector. The usual scenario allows automated reads from the resource, usually by means of a CSV export from the resource. However, write operations (add, modify, delete) are executed manually by human administrators, based on instructions provided by midPoint.
Sequence Sequences are persistent objects in the midPoint repository that efficiently maintain sequential counters. A sequence can be used to assign unique identifiers to a large number of midPoint objects in a very efficient and reliable fashion. ISO27001 5.16
Service (concept) Service is one of several principal object types in midPoint. It is meant to define non-person identities, such as devices, "things", applications, APIs, servers and cloud services. Services are abstract roles: they have the ability to grant privileges to other entities. Services are considered active entities (actors), therefore they can behave similarly to users. Services can be used as machine accounts: they have the ability to log into midPoint, which is used to access the midPoint REST API in a secure manner.
Simulation "Simulation" is an umbrella term covering various mechanisms of "what-if" analysis in midPoint. It can be characterized as the ability to see the expected effects of some actions without the risk of damaging the system state. ISO27001 5.1, ISO27001 5.2, ISO27001 5.15, ISO27001 5.24, ISO27001 5.27
Segregation of duties (SoD) Segregation of duties (SoD) is a principle prohibiting conflicting responsibilities from being assigned to a single person. For example, SoD may prevent a single user from holding executive as well as controlling duties. The midPoint SoD mechanism is implemented using policy rules that prevent conflicting roles from being assigned to one user at the same time. ISO27001 5.3, ISO27001 5.15, ISO27001 5.18, ISO27001 5.28, ISO27001 5.29
Shopping cart Shopping cart is a mechanism allowing users to browse and collect roles at the beginning of the access request process. The mechanism is designed to resemble an on-line shopping experience, allowing users to start the access request process in an intuitive way.
Synchronization Ability to keep identity data synchronized across many systems. Synchronization is a complex feature, consisting of several mechanisms and tasks, with significant variability and customizability. It is a crucial part of an identity management solution. ISO27001 5.26, ISO27001 5.27, ISO27001 5.28, ISO27001 5.29, ISO27001 5.30
Synchronization reaction At the beginning of the synchronization process, midPoint determines the synchronization situation for every account. Based on the situation, midPoint can launch synchronization reactions. E.g. midPoint can react to a new account (situation=unmatched) by creating a new user identity (reaction=createFocus). Situation reactions can be set up specifically for every resource and object type, customizing the synchronization process. ISO27001 5.29
Task management Task management is an internal midPoint mechanism to manage asynchronous and/or long-running tasks, distribution of work among cluster nodes and overall management of the activities that midPoint conducts.
Threshold Threshold is a mechanism to stop a midPoint operation when a number of problems have accumulated. E.g. it can be used to stop a synchronization task when errors start accumulating, limiting the impact of the problem and avoiding large-scale damage.
User (concept) User is perhaps the most important principal object type in midPoint. It is meant to represent person identities, such as an employee, student, staff member, contractor or customer. User objects are stored in the midPoint repository. They are linked to projections (accounts) stored in identity resources.
Value metadata Metadata can be maintained for every value of every item of every midPoint object. MidPoint can record provenance (origin), timestamps, actors and other meta-information related to data values. ISO27001 5.16, ISO27001 5.28