Resource wizard: Object type activation
Since 4.9
This functionality is available since version 4.9.
This part of the object type wizard lets you define activation behavior for the object type.
Introduction
The term activation in midPoint denotes a set of properties that describe the activation state of an object (typically a user or an account), such as whether it is enabled or disabled, and any time constraints defining when it should be active.
Activation rules described in this section define how the activation state of resource objects on connected systems should reflect the state of objects in midPoint, and vice versa. They determine when accounts should be enabled, disabled, locked, or deleted. As the primary targets are typically users and accounts, we will use these terms in the following sections; however, the same principles apply to any object type.
Activation rules allow you to automatically reflect real-world situations, for example, when a new employee joins the organization, when their access must be temporarily suspended during a planned leave, or when someone leaves the organization and their access must be removed. By defining these rules centrally, access to systems consistently matches the actual status of individuals in the organization.
In modern connectors, activation is handled through the activation capability. If you are using an older or more specialized connector that does not support this capability, or if you need more complex activation logic, you can define activation behavior using the activation rules described on this page.
For more details on the concept of activation, see Activation.
Inbound activation rules
Inbound activation rules define how the activation state of objects in midPoint should reflect the state of accounts on connected systems (i.e., connected systems → midPoint).
To add a new inbound activation rule:
- In Resources > All Resources, select your resource.
- In Accounts, click Configure > Activation.
- Click Add inbound.
- Select an activation rule type to add.
  Figure 2. Types of inbound activation rules
  - Administrative status is the most common type of activation rule. It defines how the administrative status of an account is reflected between midPoint and connected systems.
    The source, target, and expression for this rule are implicit, so you may not need to configure this rule further. By default:
    - For inbound rules, the source is the attribute supported by the connector, and the target is midPoint’s administrativeStatus property.
    - For outbound rules, the source is the effectiveStatus property, and the target is the attribute supported by the connector.
    The valid values are no value, enabled, and disabled.
    See Administrative status for more details.
  - Valid from and Valid to allow you to define activation rules based on the validity period of a user. For example, you can specify that an account should be enabled only during the user’s employment period.
    By default:
    - For inbound rules, the source is the attribute supported by the connector, and the target is midPoint’s validFrom or validTo property.
    - For outbound rules, the source is the validFrom or validTo property, and the target is the attribute supported by the connector.
    See Validity for more details.
  - Lockout status defines whether user accounts are locked or unlocked. This is typically used to automatically lock accounts after a certain number of failed login attempts (for example, to slow down brute-force password attacks) or to reflect the lockout status from an external system.
    The valid values are no value, normal, and locked.
    See Lockout for more details.
- If you need to define details, such as conditions, for your rule, click Settings, adjust the settings as needed, and save them.
  Activation rules are representations of real schema attributes: the rule’s source and target attribute/property are already predefined, so in many scenarios you will not have to configure anything further.
  Some activation rules have only one configuration step, such as the outbound Delayed delete rule.
  Figure 3. 'Delayed delete' rule
  Other rules have more options organized into two configuration steps. Their configuration is based on the principles of object type mapping.
- Set the Lifecycle state of the rule by selecting it in the drop-down menu, e.g., Active (production).
  This lets you only simulate the activation rule by setting the lifecycle state to Proposed (simulation), or disable it by setting it to Draft, etc.
  Figure 4. Lifecycle state selection in the activation rule configuration
- Add other rules as needed.
- Click Save settings when done to save the changes and return to the resource.
Outbound activation rules
Outbound activation rules define how the activation state of accounts on connected systems should reflect the state of objects in midPoint (i.e., midPoint → connected systems).
- In Resources > All Resources, select your resource.
- In Accounts, click Configure > Activation.
- Click Add outbound.
- Select the type of rule that you want to add:
  - Administrative status - See inbound activation rules.
  - Disable instead of delete - When an account is unassigned and there is no other existing assignment for the account, midPoint deprovisions the account by disabling it instead of deleting it. This is useful for auditing purposes, as it allows you to keep the account in the system while preventing its use, or for easier future re-activation of the account if the user returns to the organization.
    See Disable instead of Delete for more details.
  - Delayed delete - Sets when an account is actually deleted after it is unassigned and there is no other existing assignment for the account. This is useful for auditing or legal purposes, but also as a safety measure to prevent accidental deletion of accounts.
  - Pre-provision - Makes sure accounts are created before their assignments become effective, so they already exist when activation occurs. This is useful, for example, when provisioning is time-consuming and you want to avoid delays in activation, when you have a more complex provisioning flow and you need accounts to exist so that you can apply attributes or entitlements, or when you simply want to have accounts ready for future activation.
  - Valid from and Valid to - See inbound activation rules.
  - Lockout status - See inbound activation rules.
  - Existence - Defines whether an account exists (true) or does not exist (false). Effectively, this allows you to delete accounts when they are unassigned (as opposed to the "Disable instead of delete" rule) or to keep accounts even after they are unassigned (as opposed to the "Delayed delete" rule).
- Configure the rule’s settings in the same way as for inbound activation rules.
- Click Save settings when done.
- Set the Lifecycle state of the rule by selecting it in the drop-down menu, e.g., Active (production).
  This lets you only simulate the activation rule by setting the lifecycle state to Proposed (simulation), or disable it by setting it to Draft, etc.
- Add other rules as needed.
- Click Save settings when done to save the changes and return to the resource.
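As an added illustration (not taken from this page or from the midPoint project), the resource XML that the outbound rules above correspond to: an Existence mapping that keeps the account, and an Administrative status mapping that implements "Disable instead of delete", placed in Proposed (simulation) lifecycle state so it can be evaluated before it touches real accounts. Element names follow the midPoint resource schema as I understand it; the `legal` variable, the Groovy body and the `lifecycleState` element are assumptions, not verified against this version.

```xml
<!-- Assumed fragment of a resource definition; not code from the page. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <!-- ... object class, attributes ... -->
        <activation>
            <!-- Existence rule: keep the account even after it is unassigned.
                 The "Delayed delete" rule would replace this with a
                 time-based expression instead of a constant true. -->
            <existence>
                <outbound>
                    <lifecycleState>active</lifecycleState>
                    <expression>
                        <value>true</value>
                    </expression>
                </outbound>
            </existence>
            <!-- "Disable instead of delete": while the account is still legal
                 (assigned), pass the user's effectiveStatus through; once it
                 is no longer assigned, force DISABLED instead of deleting.
                 lifecycleState=proposed only simulates the effect. -->
            <administrativeStatus>
                <outbound>
                    <lifecycleState>proposed</lifecycleState>
                    <expression>
                        <script>
                            <code>
                                import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
                                // 'legal' is assumed to be true while an assignment
                                // still justifies the account; 'input' is effectiveStatus
                                if (legal) {
                                    input
                                } else {
                                    ActivationStatusType.DISABLED
                                }
                            </code>
                        </script>
                    </expression>
                </outbound>
            </administrativeStatus>
        </activation>
    </objectType>
</schemaHandling>
```

Review the simulation result for the proposed mapping before switching it to active, since the wizard shows exactly this lifecycle state per rule.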
Limitations
The resource wizard has several limitations, such as:
- The expression editor supports As is, Script, Literal and Generate expressions only.
- Mapping ranges are not supported.
- Mapping domains are not supported.
- Correlation configuration currently supports the items correlator only.
The midPoint resource wizard can’t show or edit these features, but it tolerates them and keeps them untouched if you configure them in XML.