Resource Capabilities

Last modified 22 Apr 2021 17:31 +02:00

Capabilities are definitions of a specific things that a resource can do. There is plethora of various resource types and configuration. Some resources can enable/disable an account, while others cannot. Some resource can provide live feed of changes, some can not. The capabilities section list the features that the resource has.

There are two sections of capabilities definition:

  • Native capabilities are native to the resource. There are the things that resource can do all by itself without any help from midPoint. The list of native capabilities is provided by the connector and does not need to be configured. It is stored in the resource object for performance reasons. If this section is not present in the resource configuration it will be automatically fetched from the resource before its first use.

  • Configured capabilities are decision of an administrator how to use native capabilities. This section can be used to disable native capabilities or add capabilities. Some capabilities can be simulated by midPoint. E.g. A resource does not support account enable/disable directly. But administrator know that the enable/disable may be done by flipping a boolean value of a specific attribute. Such simulated capability can be configured in this section. MidPoint will then pretend that the resource has the enable/disable ability. But each time the ability us used it will transparently convert the operation to modification of the special attribute. That’s how midPoint simulates some capabilities.

These two sections are added together to form presented capabilities (or just "capabilities"). These are all the features that the resource can do by itself (native capabilities), minus the capabilities that were disabled, plus the capabilities that are simulated. GUI, IDM model and business logic will all work only with presented capabilities, whether the capability is native or simulated does not matter for such upper system layers.

The following example shows a configuration for a simulated activation capability using OpenDJ "ri:ds-pwp-account-disabled" attribute (the value "true" means, the OpenDJ account is disabled; empty value means, the OpenDJ account is enabled) and a configuration for disabling "liveSync" capability. The resource would ignore tha "liveSync" capability as if it would not be supported by the connector.

LDAP Resource Capabilities Example

The capabilities can be used also to disable provisioning operations on the resource, e.g. during imports, reconciliation etc. The following example shows a configuration for a resource, where no "create" or "delete" operations are possible, only "update". Attempt to create or delet any object on the resource would fail with an error.

<capabilities xmlns:cap="">

Another example: Precise token value in Live synchronization

Since 4.0
This functionality is available since version 4.0.

As another example let’s consider preciseTokenValue property in cap:liveSync capability:

<capabilities xmlns:cap="">

This tells midPoint that the resource provides live synchronization capability with the additional assurance that token values that are attached to each change emitted by the resource are precise enough to guarantee correct restart of live synchronization process after processing of each given change. If this information is not present, midPoint restarts live synchronization (in case of suspension or failure) at the same place where it was started, instead where it was stopped.

Some resources are known to provide precise token values, others are known of not doing so (e.g. for performance reasons). Others - e.g. those served by ScriptedSQL connector - depend on particular configuration of the connector.