Resource wizard: Object type policies

Last modified 26 Sep 2025 08:59 +02:00
This functionality is available since version 4.9.

This page describes how to use object marks in the Object type policies section of the midPoint graphical user interface (GUI), thus enabling you to control the behavior of groups of accounts and entitlements through policies.

Introduction

In the midPoint GUI, you can group accounts and entitlements in resources so that you can apply policies only to such groups. This is done in the Object type policies section of the application, where you can configure the following features:

  • Marking - Groups accounts or entitlements by filtering them and assigning marks to them.

  • Default Operation Policy - Defines the default policy for objects that have not been explicitly assigned marks in the Marking section.

Figure 1. Object type policies

For more technical details on object marks, and to see how you can use them in your workflows, see Object Marks.

Classify objects using marks

Objects are classified by selecting a mark and then defining a filter that matches the objects to be grouped under that mark.

Classification uses existing object marks, so create them in Marks > Object marks if you have not already done so.

Once you have all marks created and ready to be used, classify your objects:

  1. Go to the resource that contains the objects to which you want to apply marks by clicking Resources > All resources > resource.

  2. In the resource, depending on which objects you want to group, click Accounts or Entitlements.

  3. Click Configure and select Policies.

    Figure 2. Access marks in a resource
  4. Click Marking.

  5. Click New marking rule.

  6. Select the mark that you want to use for your group of objects.

  7. In Application time, select when the mark should be applied to objects:

    • Always - Anytime that midPoint works with the objects.

    • Classification - Only once when the objects are created in the midPoint repository.

  8. Click Edit and enter a filter query that matches the objects you want to group under the selected mark.

  9. Click Done.

  10. Click Save marking rules to put the marking policy into effect. The selected mark will be applied to objects based on how you have configured the Application time.

Define default operation policy

Default operation policy applies to objects that are not explicitly marked in the Marking section of Object type policies. This enables you to define the default behavior for objects that do not need a specific treatment. For example, you may want to set the Default operation policy to Unmanaged to make all objects of the object type effectively read-only (outbound behavior will be ignored) during object management migration to midPoint.

  1. Go to the resource that contains the objects to which you want to apply the default operation policy by clicking Resources > All resources > resource.

  2. In the resource, depending on the objects for which you want to set up the default operation policy, click Accounts or Entitlements.

  3. Click Configure and select Policies.

  4. Click Default operation policies.

  5. Click Add new policy.

  6. In the Policy field, select the mark to which your default policy applies.
    To create a new mark, click Edit and select Create new mark in the Default operation policy dialog. This way you can enable/disable the policy for individual operations, such as Add or Modify, and define what the system reports when those operations occur.

  7. Select the lifecycle state for your policy.

  8. Click Save policies.

Use default operation policy in Methodology: Group Synchronization. For example, set it to Unmanaged to automatically consider all resource groups as "inbound-only" objects.

Mark objects manually

In addition to marking objects in bulk by filtering them in the Marking section, you can also mark individual objects manually in the following areas of the midPoint GUI:

Accounts

  1. Go to Resources > All resources > resource.

  2. In the resource, click Accounts.

    Figure 3. Navigate to accounts
  3. Click the name of the account that you want to mark.

  4. Go to the Marks tab.

    Figure 4. Add marks to accounts
  5. Click Add mark to add a new mark.

Entitlements

  1. Go to Resources > All resources > resource.

  2. In the resource, click Entitlements.

  3. Click the dropdown button at the far right for the entitlement you want to mark and select Modify marks.

    Figure 5. Add marks to entitlements
  4. Click Add mark to add a new mark.

Simulations

  1. Go to Simulations > All results.

  2. Click the name of a simulation.

  3. Click the View processed objects button.

  4. For the object to which you want to assign marks, you can:

    • Mark the object directly as Protected by clicking the Mark as Protected button.

      Figure 6. Add marks in simulation results
    • Assign other marks by clicking the dropdown button next to the Mark as Protected button, and selecting Modify marks.

Review marks

You can review marked objects by going to Marks > Object marks > mark > Marked shadows.

Figure 7. Review object marks
