Current MidPoint Features
This is a list of most important and unique features of midPoint:
-
Common identity management data model
-
Extensible object types:
-
User objects to represent users, physical persons and personas
-
Role objects to represent roles, privileges, jobs and so on
-
Org objects to represent organizational units, teams, workgroups, etc.
-
Service objects to represent servers, network devices, mobile devices, network services, etc.
-
-
Numerous built-in properties (a.k.a. core identity schema)
-
Extensibility by custom properties
-
Completely schema-aware system
-
Dynamic schema automatically retrieved from resource
-
Support for primitive data types
-
Native support of multi-value attributes
-
Limited support for complex data types
-
-
Processing and computation fully based on relative changes
-
Off-the-shelf support for user password credentials
-
Off-the-shelf support for activation (users, roles, orgs, services)
-
Enabled/disabled states (extensible in the future)
-
Support for user validity time constraints (valid from, valid to)
-
-
Object template to define policies, default values, etc.
-
Ability to use conditional mappings (e.g. to create RB-RBAC setup)
-
Ability to include other object templates
-
Global and resource-specific template setup
-
-
Representation of all configuration and data objects in XML, JSON and YAML
-
Annotation support (such as "experimental" and "deprecated" annotation to control data model evolution)
-
-
Identity management
-
Support for mapping and expressions to determine account attributes
-
-
Higher-order dependencies (enables partial support for circular provisioning dependencies)
-
-
Provisioning robustness - ability to provision to non-accessible (offline) resources
-
Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
-
Support for tolerant attributes
-
Ability to select tolerant and non-tolerant values using a pattern (regexp)
-
-
Support for volatile attributes (attributes changed by the resource)
-
-
Matching rules to support case insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
-
Automatic matching rule discovery
-
-
Provisioning scripts
-
Ability to execute scripts before/after provisioning operations
-
Ad-hoc provisioning script execution
-
-
Import from file and resource
-
Advanced support for account activation (enabled/disabled states)
-
Standardized account activation that matches user activation schema for easy integration
-
Ability to simulate activation capability if the connector does not provide it
-
Support for account lock-out
-
Support for account validity time constrains (valid from, valid to)
-
Support easy activation existence mappings (e.g. easy configuration of "disables instead of delete" feature)
-
Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
-
-
Ability to specify set of protected accounts that will not be affected by IDM system
-
Support for base context searches for connectors that support object hierarchies (such as LDAP)
-
Passive Attribute Caching (EXPERIMENTAL)
-
Partial multi-tenancy support
-
Synchronization
-
-
Ability to execute scripts before/after reconciliation
-
-
Correlation and confirmation expressions
-
Conditional correlation expressions
-
-
Concept of channel that can be used to adjust synchronization behavior in some situations
-
Generic Synchronization allows synchronization of roles to groups to organizational units to … anything
-
Self-healing consistency mechanism
-
Advanced RBAC
-
Hierarchical roles
-
Conditional roles and assignments/inducements
-
Parametric roles (including ability to assign the same role several times with different parameters)
-
Note: role parameters are only partially supported in midPoint user interface (hardcoded parameters only)
-
-
Temporal constraints (validity dates: valid from, valid to)
-
Role catalog
-
Role request based on shopping cart paradigm
-
Several assignment enforcement modes
-
Ability to specify global or resource-specific enforcement mode
-
Ability to "legalize" assignment that violates the enforcement mode
-
-
Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template and role autoassignment
-
Entitlements and entitlement associations
-
GUI support for entitlement listing, membership and editing
-
Entitlement approval
-
User-friendly entitlement association management
-
-
Organizational and Identity governance
-
Powerful organizational structure management
-
-
Declarative policy-based multi-level approval process
-
Visualization of approval process
-
-
Access certification campaigns
-
Ad-hoc recertificaiton
-
-
Escalation in approval and certification processes
-
Object history (time machine)
-
Rich assignment meta-data
-
Deputy (ad-hoc privilege delegation)
-
Object lifecycle property
-
Policy Rules as a unified mechanism to define identity management, governance and compliance policies
-
Policy-based approvals driven by policy rules
-
Policy rules based on modification of objects, change in assignments and many other conditions
-
Policy rules can set policy situation that can be used for basic compliance reports
-
-
Segregation of Duties (SoD)
-
Many options to define role exclusions
-
SoD approvals
-
SoD certification
-
-
Assignment constraints for roles and organizational structure
-
Basic role lifecycle management (role approvals)
-
-
Expressions, mappings and other dynamic features
-
Sequences for reliable allocation of unique identifiers
-
-
Built-in libraries with a convenient set of functions
-
PolyString support allows automatic conversion of strings in national alphabets
-
Mechanism to iteratively determine unique usernames and other identifier
-
-
Web-based administration user interface
-
Ability to execute identity management operations on users and accounts
-
User-centric views
-
Account-centric views (browse and search accounts directly)
-
Resource wizard
-
Layout automatically adapts to screen size
-
Note: intended for desktop only. Small mobile screens may not be supported.
-
-
Easily customizable look & feel
-
Built-in XML/JSON/YAML editor for identity and configuration objects
-
Identity merge
-
Support for custom static web content
-
-
Self-service
-
User profile page
-
Password management page
-
Role selection and request dialog
-
Self-registration
-
Email-based password reset
-
-
Connectors
-
Integration of ConnId identity connector framework
-
Support for Evolveum Polygon connectors
-
Support for ConnId connectors
-
Support for OpenICF connectors (limited)
-
-
Automatic generation and caching of resource schema from the connector
-
Support for connector hosts and remote connectors, identity connector and connectors host type
-
Remote connector discovery
-
-
Flexible identity repository implementations and SQL repository implementation
-
Keeping metadata for all objects (creation, modification, approvals)
-
Automatic repository cleanup to keep the data store size sustainable
-
Security
-
-
Service authentication
-
-
Fine-grained authorization model
-
Limited power of attorney implementation
-
Organizational structure and RBAC integration
-
Delegated administration
-
Password management
-
Password distribution
-
Password retention policy
-
Password metadata
-
Self-service password management
-
Password storage options (encryption, hashing)
-
Mail-based initialization of passwords for new accounts
-
-
CSRF protection
-
-
-
Auditing to file (logging)
-
Auditing to SQL table
-
Interactive audit log viewer
-
-
Extensibility
-
Support for overlay projects and deep customization
-
Support for programmatic custom GUI forms (Apache Wicket components)
-
Basic support for declarative custom forms
-
API accessible using a REST, web services (SOAP) and local JAVA calls
-
Reporting
-
Scheduled reports
-
Lightweight reporting (CSV export) built into user interface
-
Comprehensive reporting based on Jasper Reports
-
-
Internals
-
Operations
-
Lightweight deployment structure with two deployment options:
-
Deployment to web container (WAR)
-
Comprehensive logging designed to aid troubleshooting
-
Enterprise class scalability (hundreds of thousands of users)
-
-
Documentation
-
Schema documentation automatically generated from the definition (schemadoc)
Following pages provide more information about the features:
- Repository Database Support
- Access Certification
- Approval
- Archetypes
- Assignment
- Asynchronous (Messaging) Inbound Resources
- Asynchronous (Messaging) Outbound Resources
- Attribute Caching
- Auditing
- Authorization
- Auxiliary Object Classes
- Bulk Actions
- Common Data Model
- Consistency mechanism
- Constants
- Custom forms
- Dashboards
- Deputy
- Entitlements
- Expression Profiles
- Flexible Authentication
- Function Libraries
- Generic Objects
- Generic Synchronization
- High Availability and Load Balancing
- Iteration
- Linked Objects
- Localization
- Lookup Tables
- Manual Resource and ITSM Integration
- Mappings and Expressions
- Matching Rules
- Meta-roles
- Multi-Connector Resource
- Multi-tenancy
- Notifications
- Object Collections and Views
- Object Lifecycle
- Object Marks
- Object Template
- Password Policy
- Personas
- Policy Rules
- Policy-based approvals
- PolyString
- Prism
- Protected Accounts
- Provisioning Dependencies
- Provisioning Propagation
- RBAC
- Relativity
- Resource Maintenance State
- REST API
- Role Autoassignment
- Role Catalog
- Role Lifecycle
- Role Request and Shopping Cart
- Sections (virtual containers) in object details
- Segregation of Duties
- Sequences
- Service Account Management
- Services
- Simulations
- Smart Correlation
- Spring Boot Actuator Endpoints
- Stand-Alone Deployment
- Subtype
- Synchronization
- Thresholds
- User-Friendly Policy Selection
- Workflowless