MidPoint 4.9.1 "Verne" - Update 1

Shadow caching was significantly improved and is now a regular midPoint feature.

Native Repository Support for searchContainersIteratively for all container types

Added support for external data in protected strings, that can be resolved via secrets providers. This allows to store secrets in external systems, such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc. For more information see Secrets providers.

Improvements regarding shadow associations:

Value metadata (@metadata) are default storage for object and assignment metadata replacing previous metadata container.

Default range for mappings emitting multivalued properties is based on provenance metadata. Such mappings will automatically remove values added by them in the past which are no longer produced by them.

Ninja

Role Mining

Outlier Detection

Request access

Schema extension

Object marks

Regulatory compliance

Spring Boot/hibernate upgrade

Shadow table Partitioning in Native PostgreSQL Repository

Native Repository uses splitted full-object model for data storage: operationExecution, assignment, linkRef and roleMembershipRef in their separate tables outside of object fullObject columns

Support for H2 database was removed. Clean midPoint will fail to start with embedded H2 database. The preferred option to start simple midPoint instance is via docker compose. For more information see here. Otherwise, config.xml in midPoint home directory needs to be populated with database connection information.

Access Certification new UI.

Deployment Methodology

Also, please have a look at changes mentioned in Changes with Respect To Version 4.9.

The indication of official vs. unofficial build was added to the About page. See MidPoint JAR Signature Status for details.

We have added a new algorithm to detect which users are in the production-like environment. It would have the following impact, depending on your subscription status.

Duplication function of object or container showed in table.

Adding panel in gui, that support of creating new archetype for reference in resource object type.

Changing of input field for documentation element to multi-line text field.

Adding possibility for use 'Preview' button with development configuration on page details.

Adding 'Shadow reclassification' task as a new separate activity of the task type.

New implementation and look of date time picker.

Support for item deltas targeting value metadata only (without the need to replace whole container value)

Resolving the issue for creating a new member object with predefined by archetype options on members panel.

Resolving several issues for Self Credentials page. Now password propagation to resource takes into account the script, defined in resource for credentials, in case of the appropriate configuration.

Notification sending strategy was added to the general notifier configuration. It is possible to configure now if the notification message should be generated once and sent to all recipients in the same form or if the message should be generated for each recipient separately. More details can be found in the Basic structure of the notification definition.

Role wizard is now supported also for children of application and business roles (archetypes).

Dedicated data type for policy objects (PolicyType)

Implementation of new task activities for opening next stage of certification campaign and certification remediation. More details can be found in the Work Definition (Types of Activities).

Add a confirmation dialogue after changing the resource lifecycle state. See MID-9315.

Added the ability to modify selected object classes for resources via the Resource Schema panel. See MID-8476.

Renamed "Bulk actions" to "Actions" in GUI. See MID-9619.

Added the ability to configure UI form of the authentication sequence module with a label, description and external link. More information can be found in the Authentication Sequence Module. The sample is located by the link Example of the default GUI sequence with configured login form.

'Resource object types' panel identifier changed from 'schemaHandling' to 'resourceObjectTypes' and panel was moved from top level menu item to submenu of new top level menu item 'Schema handling'. The 'schemaHandling' identifier is now used for the top level menu item.

Added missing indexes for extension poly-string properties and shadow attributes for generic repositories (Oracle, MS SQL Server). For more info see SQL upgrade scripts.

Fixed closing multi-node tasks when some nodes are not available. See MID-10021.

Updated caniuse-lite (javascript). See MID-9926.

Updated and clarified documentation regarding compilation of admin GUI profile during login. See MID-9776.

Added support for new subscription types, see MID-9640.

Fixed upload/download of files (eg. jpegPhoto) where download didn’t return proper Content-Type and file extension. See MID-9990.

Fixed stylesheets for saved searches menu in case name of search is too long. See MID-10078.

Fixed Internal error 500 in Preview Changes - serialization exception. See MID-10028.

Fixed resolving of authentication sequence when request contains 'Authorization' header. See MID-10068.

Fixed removal of value in form field on details panel (e.g. assignment or projection) when using custom expression validation. See MID-10091.

Fixed removal of unused authentication filters created by the rest authentication module invoked from the browser. See MID-9580.

Use the username from the identification authentication module in the LDAP authentication module. See MID-10104.

Small improvements and fixed bugs in resource wizard. See MID-9311, MID-9320 and MID-9397.

Fixed the issue with unassign member action to process only selected relation members. See MID-9936.

Fixed the issue with incorrect password strength check against the password policy. See MID-10067.

Fixed encoding of objects display name on user assignments details panel. See MID-10056.

Fixed displaying of the "Name" column header in the Projections table. See MID-10093.

Fixed assignments count issue to display the number of the just existing assignments. See MID-10099.

Fixed warning message translation during password change. See MID-10108.

Fixed Out of memory error during bulk action on the work items panel. See MID-9671.

Fixed the issue with DateTime parameters during report configuration. See MID-9828.

Fixed the issue with manual user unlock. See MID-9856.

Fixed the issue of the assignment details panel in the shopping cart. See MID-9858.

Fixed the issue with saving a filter on the Tasks list page. See MID-9751.

Saved filter uses now midPoint query language form (not xml). See MID-9568.

Fixed archetype reference item of parent archetype for object with archived lifecycle state. See MID-10101.

Fixed handling archetype-related authorizations when creating new objects. See MID-9268.

Fixed fuzzy searches for string values having an apostrophe. See MID-9405.

Fixed displaying correlation properties. See MID-9408, MID-9411, and MID-9412.

Fixed resource-level auditing with expressions. See MID-9382.

Fixed delayed deletion of already disabled shadows. See MID-9220.

Fixed creating org objects in draft lifecycle state. See MID-9264.

Fixed handling of tasks without taskIdentifier property. See MID-9423.

Fixed previewing changes with some objects created on demand. See MID-9426.

Fixed searching by properties of referenced objects on the generic repository. See MID-9427.

Fixed a security issue by checking authorizations (in a preliminary mode) right at the operation start. See the security advisory #22 and MID-9459.

Fixed a security issue by adding authorization checks to selected REST methods that did not have them. As part of this, authorizations for individual REST operations were added. See the security advisory #23, Service Authorizations, and MID-9460.

Added a shadow reclassification task. See MID-9514.

Association and assignment search expressions can now have multiple filters. See commit 554eb0.

Fixed associationTargetSearch expressions when the association has multiple intents. See MID-9561 and MID-9565.

Fixed associationFromLink expressions when there are dead shadows. See MID-9468 and MID-9487.

Fixed executing changes without the focus (e.g., changing a shadow) when partial processing option is set. See MID-9477.

Fixed fetching associations defined only on selected object types, when expression-based classification is in use. See MID-9591.

Fixed editing additional connector configuration. See MID-7918.

Improved authorizations for filter items. See MID-9638.

Added a simple method for setting extension property values to basic functions object. Extension-related methods were also grouped together and documented. See MID-9554.

Treating accidentally removed cases for manual resource operations (add, modify, delete account) gracefully. See MID-9286.

Fixed simulated activation specific to a single object class. See MID-9765.

Improved optimizing trigger creator to avoid creating duplicate triggers e.g. in clustered environment. See MID-9368.

Fixed unlinking/deleting dead shadows (with some limitations for the deletion case). See MID-9668.

Added midpoint.isFocusDeleted() method that can be used in conditions for mappings that control attributes that have to be kept intact on user deletion. See MID-9669.

Fixed displaying indirect roles in "All direct/indirect assignments" view, when non-member relations (e.g., approver or owner) are present. See MID-9467.

Treating blank mail recipients correctly by skipping them. See MID-9791.

Removed a fixed limit of 10 logfiles. See MID-9833.

Fixed showing Save button for execution-phase #modify authorization. See MID-9898.

Fixed (obsolete) defaultAssignee configuration parameter for manual connector + updated docs to use the supported business/operatorRef item instead. See MID-9870.

Various issues related to preview changes were fixed by switching the operation to use the new "simulations" feature. See, e.g., MID-9853.

Policy statements can now have a lifecycle state. See commit c22830.

Fixed an error when reviewer without read rights for AccessCertificationCampaignType opened "My work items" for certifications. See MID-9331.

Fixed statistics about the shadows deleted by the reconciliation. See MID-9217.

No longer adding a dangling personaRef items during simulation. See MID-10080.

Fixed localization for visualization of modify assignment delta. See MID-10091.

New version (1.5.2.0) of DatabaseTable Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

New version (2.8) of CSV Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

New version (3.8) of AD/LDAP Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.

Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.

MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.

MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.

MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.

There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.

MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.

Linux (x86_64)

Windows Server (2022)

Java 21. This is a recommended platform.

Java 17.

Firefox

Safari

Chrome

Edge

Opera

There are database schema changes (see Database schema upgrade).

Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.

See also the Actions required information below.

040-role-enduser.xml: The End user role was updated with a hidden visibility for myCertificationItems dashboard widget.

042-role-enduser.xml: The Reviewer role was extended with myActiveCertificationCampaigns UI authorization for active campaigns page and with more items of the certification campaign object to be read.

000-system-configuration.xml: The SystemConfiguration object was extended with a new dashboard widget configuration for certification items.

250-object-collection-resource.xml: The All resources object collection was updated with a filter to exclude resource templates.

251-object-collection-resource-up.xml: The Resources up object collection was updated with a filter to exclude resource templates.

520-archetype-task-certification.xml: Changes for proper functioning of certification related tasks.

534-archetype-task-certification-campaign-open-next-stage.xml: Archetype for campaign open next stage (start campaign) related task.

535-archetype-task-certification-remediation.xml: Archetype for campaign remediation related task.

A set of initial objects was updated to extend polystring type elements with translation keys configuration. The full set of changed objects you can see in the commit with some further changes in the next commits: archetype correlation case label fix, fixes in system configuration object, archetype and report objects fixes, application label fix.

029-archetype-application.xml: updated panels for application archetype.

700-archetype-event-mark.xml: updated admin gui configuration - hidden object operation policy panel.

800-804 marks: updated object operation policy membership.

030-role-superuser.xml: updated policy.

Inspect your configuration for deprecated items, and replace them by their suggested equivalents. Make sure you don’t use any removed items. You can use ninja tool for this.

Be sure to apply the changes to initial objects 800-804 (object marks), as well as to your custom object marks to handle the membership in the expected way.

Checking for conflicts for single-valued items was fixed (strengthened). In 4.8.3 and before, there were situations that two strong mappings produced different values for a given single-valued item, yet no error was produced. (If the item contained the same value that was produced by one of these mappings.) Such configurations are in principle unstable, so this kind of errors should be identified and fixed. Please see MID-9621 and this commit.

The default configuration for caching was changed. Currently, only the attributes defined in schemaHandling are cached by default. (Except for the situation when the caching is enabled by cachingOnly property in the read capability.)

When processing live sync changes that contain only the object identifiers, a more aggressive approach to fetching actual objects was adopted: We now always fetch the actual object, if possible. The reason is that the cached version may be incomplete or outdated.

The behavior of disableTimestamp and disableReason in the shadow activation container was changed. Before 4.9/4.8.1, these properties were updated only if there was an actual change in the administrative status from something to DISABLED. Since 4.9/4.8.1, both of these properties are updated even if the administrative status is already DISABLED: the disableReason is determined anew, and the disableTimestamp is updated if the status and/or the reason are modified. See MID-9220.

Automatic caching of association binding attributes (the "value" side, i.e. valueAttribute in the association definition) is no longer provided. It is recommended to mark them as secondary identifiers.

The filtering of associations was changed slightly. In particular, even if the required auxiliary object class is not present for the subject, the association values are still shown - if they exist on the resource. (They were hidden before.)

To address MID-9638 and MID-9670 (leaking data via searching objects by filters), the handling of items allowed for search operations was changed.

The effectiveMarkRef item now has value metadata to determine the values' origin. See commit 351d7e.

The mapping specification in provenance metadata now contains also object type name, association type name, and the shadow tag. See Mapping Maintenance Tasks, commit 0dd1c0, and commit 8557f5.

"<a:indexed/>" and "<a:indexOnly/>" annotations - when present but without any value - was interpreted as "false". This was now changed to a more intuitive interpretation (similar to a:object, a:container, etc), where annotation present but without value means "true". Also, "a:container" and other markers were interpreted as "true", even if the value was actually "false". This is now fixed as well.

Years-old ref-style schema annotations like <r:identifier ref="icfs:uid"/> are no longer supported. They are not used since midPoint 2.0. If you happen to use them in your manually configured resource XSD schemas, please replace them with the supported <r:identifier>icfs:uid</r:identifier> style.

Support for getting/setting objects embedded in references marked as a:objectReference directly, like LensElementContext.getObjectOld(). This feature was used only internally by midPoint.

The <xsd:documentation> element in resource schemas is now ignored. It was never used by ConnId connectors, but, in theory, it might be used for manually entered schemas.

Default target set for mappings emitting multivalue properties is based on provenance metadata, mapping can only remove values, it added.

Internal APIs were massively changed with regard to passing prismContext object between methods. This object has been statically available for quite a long time. Now it was definitely removed from methods' signatures.

Likewise, the internals of prism definitions were changed in 12808d. You should not be affected by this; however, if you use some of the unofficial/undocumented APIs, please check your code.