Resource wizard: Object type configuration

Last modified 15 Apr 2025 15:55 +02:00
This functionality is available since version 4.9.

In midPoint, configuring object types is the key to defining the structure of different identity objects, such as users, roles, and resources. This guide walks you through the basic steps involved in setting up object types. It also provides links to follow-up materials for more advanced configurations.

You can configure the object types for schema handling, essentially defining the behavior of midPoint with respect to the resource. You can define one or more object types based on the resource characteristics (i.e., the characteristics of the system the resource represents). For example, a CSV resource typically contains a single object type (e.g., accounts) while an LDAP resource can contain multiple object types (e.g., accounts and groups).

To create a new object type definition using the configuration wizard:

  1. In Resources > All resources, select your resource.

  2. Go to Schema handling > Object types in the selected resource.

  3. Click Add object type.

Figure 1. List of object types

Basic attributes

Define the basic information about the object type.

  • Display name: User-friendly name displayed in the midPoint user interface.

  • Kind: Select Account for user accounts and Entitlement for role-like objects usually associated with user accounts.

  • Intent: Used when you use multiple object types, e.g., standard and administrative accounts. Keep the default (empty) value if you work with just one type of accounts.

  • Default: Specifies if the provided intent should be used as a default in case you define multiple intents for the same object kind. Select True if you use only a single intent.

  • Lifecycle state: Set to Proposed before you finish the setup and test it. Refer to the brief guide on using lifecycle states for more details.

Click Next: Resource data to continue to the next object type configuration screen.

Your first object type will almost always be of the account kind, with an empty intent, and the default attribute set to True. That’s usual for the first user data source, i.e., an HR system. Later, when you set up roles and more account types, you’ll also use the entitlement kind and specific intents.

Learn more about kinds, intents, and object classes: Kind, Intent and ObjectClass

Figure 2. Basic configuration of object type

Specify the Resource Data

Define the resource-specific configuration for this object type.

  • Object class: One of the object classes supported by the connector for the resource. Resources like CSV support only one object class, which is displayed as AccountObjectClass.

  • Filter: Define classification rules using the midPoint query language.

  • Classification condition: Define a classification condition (a midPoint expression, not a query).

Click Next: MidPoint data to continue to the next object type configuration screen.

Filtering use case

Filtering is useful for limiting which resource data (e.g., accounts) are considered a part of this object type definition.

To do that, use the Filter field and type a classification query.

For example, to ignore all accounts of part-time employees, use attributes/emptype != "PTE" as the classification query. Here, emptype is the employment type attribute.

You don’t need to use filtering and classification at all. If you’re not sure, don’t use it.

Learn more about schema handling, classification, and delineation:
Figure 3. Resource data

Specify the midPoint Data

Define the midPoint-specific configuration of focus objects for this object type.

  • Type: Specify the type of midPoint objects that correspond to the resource objects (e.g., User or Role). Objects of the Account kind are usually of the User type. The Entitlement kind usually means the Role type.

  • Archetype: Select or create a new archetype that best matches what the focal objects in midPoint represent. For instance, the Person archetype is often suitable for objects representing user accounts. The focus archetype defines the type of resource objects and must be applied to all linked focus objects. If a focus object lacks the required archetype, it is added. If a different archetype is present, an error occurs. This enforcement applies to all projections, but the order in which projections are added can affect how archetype inducements are processed.

Click Save settings to save the object type configuration.

Figure 4. Midpoint data
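
The three wizard screens above are stored as one objectType entry under schemaHandling in the resource XML, which is the form you would review or version-control. The fragment below is an added example, not taken from the original page: the display name is constructed, the filter is the emptype query from the filtering use case, and the archetype OID is a placeholder you must replace with the OID of your own archetype.

```xml
<!-- Added example: a fragment of a resource definition, not a complete resource. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <!-- Basic attributes screen -->
        <kind>account</kind>
        <!-- Intent kept at its default (empty) value, so it is omitted here -->
        <displayName>HR account</displayName> <!-- constructed name -->
        <default>true</default>
        <!-- Proposed: the object type is only simulated until switched to active -->
        <lifecycleState>proposed</lifecycleState>

        <!-- Resource data screen -->
        <delineation>
            <objectClass>ri:AccountObjectClass</objectClass>
            <!-- Filter field: midPoint query language, excludes part-time employees -->
            <filter>
                <q:text>attributes/emptype != "PTE"</q:text>
            </filter>
        </delineation>

        <!-- midPoint data screen -->
        <focus>
            <type>UserType</type>
            <!-- Placeholder OID (assumption): use the OID of your Person archetype -->
            <archetypeRef oid="PLACEHOLDER-ARCHETYPE-OID"/>
        </focus>
    </objectType>
</schemaHandling>
```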

Further Object Type Configuration

Further configuration is required.

Figure 5. Parts of object type configuration

First of all, we suggest you click Preview data to display resource data according to the configuration of this particular object type.

Figure 6. Data preview of object type

After you confirm that your settings produce the expected results, you can choose your next steps to configure other parts of your object type:

  • Basic attributes: Get back to the basic configuration of your object type.

  • Mappings: Configure resource attribute mappings.

  • Synchronization: Configure synchronization situations and reactions.

  • Correlation: Configure correlation rules for resource objects.

  • Capabilities: Disable/override some functionality of the resource and/or connector without changing the connector implementation.

  • Activation: Configure rules (mappings) for activation.

  • Credentials: Configure mappings for credentials (e.g., passwords).

  • Policies: Configure the resource operation policies.

Configuration of resource wizard panels

Some wizard panels are configurable. For more information, see Wizard panels.

How to Use Lifecycle States

You can use different lifecycle states for resources, object types, attributes, mappings, synchronization situations, and other aspects of resource configuration. You can use the lifecycle state property for simulations. Resources are created in the Proposed lifecycle state by default, and don’t work in normal deployment before switching the state to Active.

You can use the Proposed lifecycle state to test (simulate) the configuration without causing any damage to your target system data. When the simulation results are satisfactory, you can switch the lifecycle state to Active.

You can set different lifecycle states for various configuration items, which lets you put specific parts of configuration to production incrementally.

For example, after you switch your resource to the Active lifecycle state, you can add new mappings in Proposed lifecycle state first. You can simulate the new mapping safely and switch it to Active when it’s ready.

See also:

Limitations

Resource wizard has several limitations as of midPoint 4.8, such as:

The midPoint resource wizard won’t be able to show or allow editing of these features, but it should tolerate them and keep them in the configuration.
