Generic Synchronization

Last modified 22 Apr 2021 17:31 +02:00
Since 3.0
This functionality is available since version 3.0.

Identity Synchronization

Most traditional provisioning systems are limited to the synchronization of users and accounts. This makes perfect sense, because that is what Identity Management is mostly about, and it is also the only scheme that early IDM systems (including early midPoint versions) supported.

(Figure: synchronization of a user with its accounts)

Generic Synchronization

The world has moved on, and the capabilities of traditional Identity Management systems are no longer sufficient. Recent IDM deployments require the ability to synchronize groups to roles, organizational units to groups, roles to ACLs and so on. Simply speaking, current IDM deployments require much more generic synchronization capabilities.

The midPoint development team anticipated this very early in the midPoint development process. Therefore the midPoint architecture was designed to support a much broader set of synchronization options than just the user-account pair. However, as we try really hard to keep midPoint development pragmatic, we started by developing and testing midPoint on the user-account pair. When we were happy with the code structure and stability of this synchronization mechanism, we extended it to be much more generic and to allow synchronization of a broader set of objects. This is what we call "Generic Synchronization".

(Figure: synchronization of a user with its accounts and of an Org with its groups)

Generic synchronization applies the same synchronization principles to all object types. The powerful features that midPoint already has for user-account synchronization can also be applied to other synchronization schemes. The figure above shows the traditional way in which accounts are linked to users: if a user is modified, the modifications can be propagated to the accounts. The same principle can be used for other object types, such as Orgs (midPoint organizational units) and groups. Groups can be linked to an Org in midPoint, so if the Org changes, the changes can be propagated to the groups.

This feature allows all the usual midPoint capabilities to be reused in unusual situations. For example, groups can be created automatically based on the organizational structure, so that each group corresponds to a department, section or project. The groups can be deleted automatically when an Org is gone (e.g. a project is closed), limiting the "dead weight" in the corporate directory. The groups can also be synchronized with midPoint roles, creating an access control structure that is consistent across the whole organization. The extremely powerful RBAC mechanism can be reused for these unusual links as well, creating a kind of meta-role: an Org itself can be assigned to a meta-role which defines in which systems the corresponding groups have to be created for this Org. This simple mechanism introduces a completely new dimension to midPoint RBAC structures.
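A minimal meta-role for the Org-to-group pattern described above, added here as an illustration rather than taken from this page or from the midPoint distribution. The resource OID is a placeholder, and the `group` intent and the `ri:name` attribute are assumptions that depend on how the target resource's schema handling is defined.

```xml
<!-- Illustrative meta-role (not from the page). Assigning this role to an Org
     makes midPoint create and maintain one group on the target resource for
     that Org; removing the assignment or deleting the Org removes the group. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Org group meta-role</name>
    <!-- An inducement applies to the object that holds the assignment (the Org),
         not to the role itself. focusType limits it to Orgs, so accidentally
         assigning this meta-role to a user has no effect. -->
    <inducement>
        <construction>
            <!-- OID-OF-TARGET-RESOURCE is a placeholder for the resource object -->
            <resourceRef oid="OID-OF-TARGET-RESOURCE" type="ResourceType"/>
            <!-- kind/intent select the object type in the resource's schemaHandling;
                 the "group" intent name is an assumption -->
            <kind>entitlement</kind>
            <intent>group</intent>
            <attribute>
                <!-- ri:name is assumed to be the group's naming attribute -->
                <ref>ri:name</ref>
                <outbound>
                    <!-- the group name is derived from the Org's own name -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
        </construction>
        <focusType>OrgType</focusType>
    </inducement>
</role>
```

A second inducement with the same shape but a different `resourceRef` is all that is needed to have the same Org mirrored as a group in another system.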