MidPoint 4.9 "Verne"
Release 4.9 is a sixtieth midPoint release, code-named Verne. The 4.9 release brings improvements in role engineering, certification, approvals, stability and miscellaneous improvements.
Release date | 18 October 2024 |
---|---|
Release type | Feature release |
End of support | 18 October 2026 |
Jules Gabriel Verne (1828-1905) was a French novelist, poet, and playwright. His best-selling novels, always well-researched according to the scientific knowledge then available, taking into account the technological advances of the time. Verne, considered to be one of the fathers of science-fiction genre, inspired several generations of readers. Similarly to Verne's novels, midPoint 4.9 brings several technological advancements, bringing them from the drawing board to real life. Shadow caching and value metadata were prototyped a long time ago, they became production-quality reality in midPoint 4.9. Improvements in role mining and brand-new outlier detection functionality are reaching up to the boundaries of science fiction. The new access certification look and feel is reminiscent of the colorful worlds that Verne has described. Other features and improvements of this release make midPoint more complete, easier to use and much more sophisticated. Overall, midPoint 4.9 is a major step from the past into the future. |
Changes With Respect To Version 4.8
New Features and Major Improvements
-
Shadow caching was significantly improved and is now a regular midPoint feature.
-
Shadow caching is enabled by default on new deployments and needs to be explicitly enabled on existing ones.
-
-
Native Repository Support for
searchContainersIteratively
for all container types-
Removed upper record limit for reports for assignments, certification cases, certification work items and others.
-
Changed transaction isolation from READ_COMMITED to REPEATABLE_READ.
-
Changed storage strategy for complex container types - actual data stored inside their own table instead of parent object JSON.
-
-
Added support for external data in protected strings, that can be resolved via secrets providers. This allows to store secrets in external systems, such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc. For more information see Secrets providers.
-
Adding support for GUI of passwords in connector configuration and password of focus (visible only when it is configured in xml)
-
-
Improvements regarding shadow associations:
-
Support for native object references in ConnId (1.6.0.0-RC1).
-
A new style of configuring simulated object references (via capabilities).
-
A new style of configuring associations handling: mapping from associations to assignments using specific correlation and synchronization rules.
-
Added wizard support for association configuration in resources.
-
-
Value metadata (
@metadata
) are default storage for object and assignment metadata replacing previousmetadata
container.-
Query Support for searching in value metadata of objects
-
Native Repository: Object metadata stored in
metadata
property ofMetadataType
are also indexed and searchable as value metadata. Eg. originalmetadata/creatorRef
is@metadata/storage/creatorRef
as value metadata path. -
Value metadata
storage
andprocess
are indexed for assignments and available for search usingassignment/@metadata/storage
. -
Provenance metadata are enabled by default for multivalue properties, containers and assignments.
-
-
-
Default range for mappings emitting multivalued properties is based on provenance metadata. Such mappings will automatically remove values added by them in the past which are no longer produced by them.
-
If value has multiple provenances (user entry, or multiple mappings), the mapping removes only it’s provenance section, value still remains.
-
-
Ninja
-
Added support for new verification categories:
MULTI_VALUE_REF_WITHOUT_OID
,MISSING_NATURAL_KEY
,MULTIVALUE_BYTE_ARRAY
,PROTECTED_DATA_NOT_EXTERNAL
. For more information see Verify.
-
-
-
Added support for attribute group by/clustering rule.
-
Added support for analyze attribute functionality.
-
Added predefined role mining modes.
-
Added support for assignment filters.
-
Added support for indirect access right clustering (experimental).
-
Support for monitoring overall system access assignment reduction by applying role suggestions.
-
Role suggestion migration improvements.
-
Performance and GUI Enhancements:
-
Significant performance optimizations improve system efficiency and reduce load times.
-
UI improvements to enhance the overall user experience with intuitive interface for role mining activities.
-
New initial role analysis page with widgets related to role analysis activities and system information.
-
-
User Permission Table Enhancements:
-
New operational panel simplifies the role mining process.
-
Direct interaction with role suggestions and candidate roles within the table.
-
Added control options for table settings and role management processes.
-
Allow administrators to detect and explore access patterns directly in the user permission table.
-
-
-
-
Introduces a feature that helps uncover potential security risks by identifying users with unusual access rights.
-
For more information, see the Outlier Detection documentation.
-
-
Request access
-
Role catalog (tree) now has a search filter with the scope and type selectable. Tree node search is now the same for all nodes. (Previously it was scope=one for non leaf nodes).
-
-
Schema extension
-
Adding a new SchemaType that is supported in native repository. SchemaType contains an attribute that contains xsd schema.
-
SchemaType can be configured by GUI. Configuration via GUI contains some limitations that related with schema lifecycle.
-
For more information can see Custom Schema Extension.
-
-
Object marks
-
Supported for all object types including assignments when executed via policy rules
-
GUI support for adding/removing marks for focus objects and shadows
-
GUI Support to show mark in the focus and shadow tables
-
-
Regulatory compliance
-
Built-in support for information classification and clearances.
-
Support for
requirement
policy constraint in policy rules. -
Built-in classifications for privileged access.
-
-
Spring Boot/hibernate upgrade
-
Spring Boot was upgraded to 3.3.2 and Hibernate ORM to 6.5
-
-
Shadow table Partitioning in Native PostgreSQL Repository
-
Midpoint automatically partitions shadow tables based on the resource and object class of shadow. Partitioning is enabled by default on new deployments and needs to be explicitly enabled on existing deployments. See Repository → Native → Shadow Partitioning for details.
-
-
Native Repository uses splitted full-object model for data storage:
operationExecution
,assignment
,linkRef
androleMembershipRef
in their separate tables outside of objectfullObject
columns-
Added support and options to optimize queries and not retrieve these items in code and groovy scripts.
-
-
Support for H2 database was removed. Clean midPoint will fail to start with embedded H2 database. The preferred option to start simple midPoint instance is via docker compose. For more information see here. Otherwise,
config.xml
in midPoint home directory needs to be populated with database connection information. -
Access Certification new UI.
-
New UI with improved user experience and performance was implemented for Access Certification feature.
-
Campaigns list representation is available in the tile and table views. Tiles view provides a quick overview of the campaigns.
-
Campaign details page provides a detailed view of the certification cases and its outcomes. There is also Statistics panel which gives an overview of the reviewers progress and campaign related tasks.
-
Certification items can be also viewed in the tiles view (Active campaigns page). Certification items table itself can be now configured with the help of collection view configuration. This means that table’s columns and actions can be configured for certification items.
-
-
Please, see Access Certification for more information.
-
-
Deployment Methodology
-
As a part of midPoint 4.9 release, we have released also a new midPoint deployment methodology. Please refer to Methodology: Group Synchronization for more information.
-
Other Improvements
-
The indication of official vs. unofficial build was added to the About page. See MidPoint JAR Signature Status for details.
-
We have added a new algorithm to detect which users are in the production-like environment. It would have the following impact, depending on your subscription status.
-
active subscribers: none
-
subscribers who are in the renewal period: none during the grace period of 90 days
-
non-subscribers: disabled cluster communication; if a generic repository is used, the GUI would be disabled and the only option would be to set a subscription ID
-
For more information, feel free to read this blog post.
-
-
Duplication function of object or container showed in table.
-
Adding panel in gui, that support of creating new archetype for reference in resource object type.
-
Changing of input field for documentation element to multi-line text field.
-
Adding possibility for use 'Preview' button with development configuration on page details.
-
Adding 'Shadow reclassification' task as a new separate activity of the task type.
-
Adding button for creating simulated/production 'Reclassification' task on unrecognized resource objects panel.
-
-
New implementation and look of date time picker.
-
Support for item deltas targeting value metadata only (without the need to replace whole container value)
-
Resolving the issue for creating a new member object with predefined by archetype options on members panel.
-
Resolving several issues for Self Credentials page. Now password propagation to resource takes into account the script, defined in resource for credentials, in case of the appropriate configuration.
-
Notification sending strategy was added to the general notifier configuration. It is possible to configure now if the notification message should be generated once and sent to all recipients in the same form or if the message should be generated for each recipient separately. More details can be found in the Basic structure of the notification definition.
-
Role wizard is now supported also for children of application and business roles (archetypes).
-
Dedicated data type for policy objects (PolicyType)
-
Implementation of new task activities for opening next stage of certification campaign and certification remediation. More details can be found in the Work Definition (Types of Activities).
-
Add a confirmation dialogue after changing the resource lifecycle state. See MID-9315.
-
Added the ability to modify selected object classes for resources via the Resource Schema panel. See MID-8476.
-
Renamed "Bulk actions" to "Actions" in GUI. See MID-9619.
-
Added the ability to configure UI form of the authentication sequence module with a label, description and external link. More information can be found in the Authentication Sequence Module. The sample is located by the link Example of the default GUI sequence with configured login form.
-
'Resource object types' panel identifier changed from 'schemaHandling' to 'resourceObjectTypes' and panel was moved from top level menu item to submenu of new top level menu item 'Schema handling'. The 'schemaHandling' identifier is now used for the top level menu item.
-
Added missing indexes for extension poly-string properties and shadow attributes for generic repositories (Oracle, MS SQL Server). For more info see SQL upgrade scripts.
-
Fixed closing multi-node tasks when some nodes are not available. See MID-10021.
-
Updated caniuse-lite (javascript). See MID-9926.
-
Updated and clarified documentation regarding compilation of admin GUI profile during login. See MID-9776.
-
Added support for new subscription types, see MID-9640.
-
Fixed upload/download of files (eg. jpegPhoto) where download didn’t return proper Content-Type and file extension. See MID-9990.
-
Fixed stylesheets for saved searches menu in case name of search is too long. See MID-10078.
-
Fixed Internal error 500 in Preview Changes - serialization exception. See MID-10028.
-
Fixed resolving of authentication sequence when request contains 'Authorization' header. See MID-10068.
-
Fixed removal of value in form field on details panel (e.g. assignment or projection) when using custom expression validation. See MID-10091.
-
Fixed removal of unused authentication filters created by the rest authentication module invoked from the browser. See MID-9580.
-
Use the username from the identification authentication module in the LDAP authentication module. See MID-10104.
-
Small improvements and fixed bugs in resource wizard. See MID-9311, MID-9320 and MID-9397.
-
Fixed the issue with unassign member action to process only selected relation members. See MID-9936.
-
Fixed the issue with incorrect password strength check against the password policy. See MID-10067.
-
Fixed encoding of objects display name on user assignments details panel. See MID-10056.
-
Fixed displaying of the "Name" column header in the Projections table. See MID-10093.
-
Fixed assignments count issue to display the number of the just existing assignments. See MID-10099.
-
Fixed warning message translation during password change. See MID-10108.
-
Fixed Out of memory error during bulk action on the work items panel. See MID-9671.
-
Fixed the issue with DateTime parameters during report configuration. See MID-9828.
-
Fixed the issue with manual user unlock. See MID-9856.
-
Fixed the issue of the assignment details panel in the shopping cart. See MID-9858.
-
Fixed the issue with saving a filter on the Tasks list page. See MID-9751.
-
Saved filter uses now midPoint query language form (not xml). See MID-9568.
-
Fixed archetype reference item of parent archetype for object with
archived
lifecycle state. See MID-10101. -
Fixed handling archetype-related authorizations when creating new objects. See MID-9268.
-
Fixed fuzzy searches for string values having an apostrophe. See MID-9405.
-
Fixed displaying correlation properties. See MID-9408, MID-9411, and MID-9412.
-
Fixed resource-level auditing with expressions. See MID-9382.
-
Fixed delayed deletion of already disabled shadows. See MID-9220.
-
Fixed creating org objects in draft lifecycle state. See MID-9264.
-
Fixed handling of tasks without
taskIdentifier
property. See MID-9423. -
Fixed previewing changes with some objects created on demand. See MID-9426.
-
Fixed searching by properties of referenced objects on the generic repository. See MID-9427.
-
Fixed a security issue by checking authorizations (in a preliminary mode) right at the operation start. See the security advisory #22 and MID-9459.
-
Fixed a security issue by adding authorization checks to selected REST methods that did not have them. As part of this, authorizations for individual REST operations were added. See the security advisory #23, Service Authorizations, and MID-9460.
-
Added a shadow reclassification task. See MID-9514.
-
Association and assignment search expressions can now have multiple filters. See commit 554eb0.
-
Fixed
associationTargetSearch
expressions when the association has multiple intents. See MID-9561 and MID-9565. -
Fixed
associationFromLink
expressions when there are dead shadows. See MID-9468 and MID-9487. -
Fixed executing changes without the focus (e.g., changing a shadow) when partial processing option is set. See MID-9477.
-
Fixed fetching associations defined only on selected object types, when expression-based classification is in use. See MID-9591.
-
Fixed editing additional connector configuration. See MID-7918.
-
Improved authorizations for filter items. See MID-9638.
-
Added a simple method for setting extension property values to
basic
functions object. Extension-related methods were also grouped together and documented. See MID-9554. -
Treating accidentally removed cases for manual resource operations (add, modify, delete account) gracefully. See MID-9286.
-
Fixed simulated activation specific to a single object class. See MID-9765.
-
Improved optimizing trigger creator to avoid creating duplicate triggers e.g. in clustered environment. See MID-9368.
-
Fixed unlinking/deleting dead shadows (with some limitations for the deletion case). See MID-9668.
-
Added
midpoint.isFocusDeleted()
method that can be used in conditions for mappings that control attributes that have to be kept intact on user deletion. See MID-9669. -
Fixed displaying indirect roles in "All direct/indirect assignments" view, when non-member relations (e.g.,
approver
orowner
) are present. See MID-9467. -
Treating blank mail recipients correctly by skipping them. See MID-9791.
-
Removed a fixed limit of 10 logfiles. See MID-9833.
-
Fixed showing
Save
button for execution-phase#modify
authorization. See MID-9898. -
Fixed (obsolete)
defaultAssignee
configuration parameter for manual connector + updated docs to use the supportedbusiness/operatorRef
item instead. See MID-9870. -
Various issues related to preview changes were fixed by switching the operation to use the new "simulations" feature. See, e.g., MID-9853.
-
Policy statements can now have a lifecycle state. See commit c22830.
-
Fixed an error when reviewer without read rights for
AccessCertificationCampaignType
opened "My work items" for certifications. See MID-9331. -
Fixed statistics about the shadows deleted by the reconciliation. See MID-9217.
-
No longer adding a dangling
personaRef
items during simulation. See MID-10080. -
Fixed localization for visualization of modify assignment delta. See MID-10091.
Releases Of Other Components
-
New version (1.5.2.0) of DatabaseTable Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.
-
New version (2.8) of CSV Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.
-
New version (3.8) of AD/LDAP Connector was released and bundled with midPoint. The connector suggest all names of columns for configuration properties related with name of column.
-
Native association support.
-
Possibility to choose attributes that should not be returned by default.
-
Possibility to choose to encode string values in case of the presence of non standard ASCII characters.
-
Workaround for open-ldap mandatory member attribute.
-
Possibility to specify used auxiliary object classes in connector configuration.
-
Allow to send the LDAP_DIRSYNC_OBJECT_SECURITY flag in Active Directory sync request control.
-
Purpose and Quality
Release 4.9 (Verne) is intended for full production use. It belongs to a feature release family, supported only for a reduced time period. Therefore it is intended for users that prefer new features over long-term stability.
All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription contract.
Limitations
Following list provides summary of limitation of this midPoint release.
-
Functionality that is marked as Experimental Functionality is not supported for general use (yet). Such features are not covered by midPoint support. They are supported only for those subscribers that funded the development of this feature by the means of subscriptions and sponsoring or for those that explicitly negotiated such support in their support contracts.
-
MidPoint comes with bundled LDAP Connector. Support for LDAP connector is included in standard midPoint support service, but there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support. We strongly recommend to explicitly negotiate support for a specific LDAP server in your midPoint support contract. Otherwise, only standard LDAP functionality is covered by the support. See LDAP Connector page for more details.
-
MidPoint comes with bundled Active Directory Connector (LDAP). Support for AD connector is included in standard midPoint support service, but there are limitations. Only some versions of Active Directory deployments are supported. Basic AD operations are supported, but advanced operations may not be supported at all. The connector does not claim to be feature-complete. See Active Directory Connector (LDAP) page for more details.
-
MidPoint user interface has flexible (responsive) design, it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex, and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore, midPoint often works well on larger mobile devices (tablets), but it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
-
There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking, those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract.
-
MidPoint contains a basic case management user interface. This part of midPoint user interface is not finished. The only supported parts of this user interface are those that are used to process requests, approvals, and manual correlation. Other parts of case management user interface are considered to be experimental, especially the parts dealing with manual provisioning cases.
This list is just an overview, it may not be complete. Please see the documentation regarding detailed limitations of individual features.
Platforms
MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.
It is very likely that midPoint will also work in similar environments. But only the versions specified below are supported as part of midPoint subscription and support programs - unless a different version is explicitly agreed in the contract.
Operating System
MidPoint is likely to work on any operating system that supports the Java platform. However, for production deployment, only some operating systems are supported:
-
Linux (x86_64)
-
Windows Server (2022)
We are positive that midPoint can be successfully installed on other operating systems, especially macOS and Microsoft Windows desktop. Such installations can be used to for evaluation, demonstration or development purposes. However, we do not support these operating systems for production environments. The tooling for production use is not maintained, such as various run control (start/stop) scripts, low-level administration and migration tools, backup and recovery support and so on. Please see Supported Platforms for MidPoint Deployment for details.
Note that production deployments in Windows environments are supported only for LTS releases.
Java
Following Java platform versions are supported:
-
Java 21. This is a recommended platform.
-
Java 17.
OpenJDK 21 is the recommended Java platform to run midPoint.
Support for Oracle builds of JDK is provided only for the period in which Oracle provides public support (free updates) for their builds.
MidPoint is an open source project, and as such it relies on open source components. We cannot provide support for platform that do not have public updates as we would not have access to those updates, and therefore we cannot reproduce and fix issues. Use of open source OpenJDK builds with public support is recommended instead of proprietary builds.
Databases
Since midPoint 4.4, midPoint comes with two repository implementations: native and generic. Native PostgreSQL repository implementation is strongly recommended for all production deployments.
See Repository Database Support for more details.
Since midPoint 4.0, PostgreSQL is the recommended database for midPoint deployments. Our strategy is to officially support the latest stable version of PostgreSQL database (to the practically possible extent). PostgreSQL database is the only database with clear long-term support plan in midPoint. We make no commitments for future support of any other database engines. See Repository Database Support page for the details. Only a direct connection from midPoint to the database engine is supported. Database and/or SQL proxies, database load balancers or any other devices (e.g. firewalls) that alter the communication are not supported.
Native Database Support
Native PostgreSQL repository implementation is developed and tuned specially for PostgreSQL database, taking advantage of native database features, providing improved performance and scalability.
This is now the primary and recommended repository for midPoint deployments. Following database engines are supported:
-
PostgreSQL 16, 15, 14
PostgreSQL 16 is recommended.
Generic Database Support (deprecated)
Generic repository implementation is based on object-relational mapping abstraction (Hibernate), supporting several database engines with the same code. Following database engines are supported with this implementation:
-
Oracle 21c
-
Microsoft SQL Server 2019
Support for generic repository implementation together with all the database engines supported by this implementation is deprecated. It is strongly recommended to migrate to native PostgreSQL repository implementation as soon as possible. See Repository Database Support for more details.
Supported Browsers
-
Firefox
-
Safari
-
Chrome
-
Edge
-
Opera
Any recent version of the browsers is supported. That means any stable stock version of the browser released in the last two years. We formally support only stock, non-customized versions of the browsers without any extensions or other add-ons. According to the experience most extensions should work fine with midPoint. However, it is not possible to test midPoint with all of them and support all of them. Therefore, if you chose to use extensions or customize the browser in any non-standard way you are doing that on your own risk. We reserve the right not to support customized web browsers.
Important Bundled Components
Component | Version | Description |
---|---|---|
Tomcat |
10.1.28 |
Web container |
ConnId |
1.6.0.0-RC1 |
ConnId Connector Framework |
3.8 |
LDAP and Active Directory |
|
2.8 |
Connector for CSV files |
|
1.5.2.0 |
Connector for simple database tables |
Download and Install
Release Form | Download | Install Instructions |
---|---|---|
Binary |
https://evolveum.com/downloads/midpoint/4.9/midpoint-4.9-dist.zip |
|
Source |
||
Java API JavaDoc |
https://evolveum.com/downloads/midpoint/4.9/midpoint-api-4.9-javadoc/ |
|
SchemaDoc |
https://evolveum.com/downloads/midpoint/4.9/midpoint-4.9-schemadoc/ |
Upgrade
MidPoint is a software designed with easy upgradeability in mind. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also, some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore, there may be some manual actions and configuration changes that need to be done during upgrades, mostly related to feature lifecycle.
This section provides overall overview of the changes and upgrade procedures. Although we try to our best, it is not possible to foresee all possible uses of midPoint. Therefore, the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription programs.
Please refer to the MidPoint Upgrade Guide for general instructions and description of the upgrade process. The guide describes the steps applicable for upgrades of all midPoint releases. Following sections provide details regarding release 4.9.
Upgrade From MidPoint 4.8
MidPoint 4.9 data model is backwards compatible with previous midPoint version. Please follow our Upgrade guide carefully.
Be sure to be on the latest maintenance version for 4.8, otherwise you will not be warned about all the necessary schema changes and other possible incompatibilities. |
Note that:
-
There are database schema changes (see Database schema upgrade).
-
Version numbers of some bundled connectors have changed. Connector references from the resource definitions that are using the bundled connectors need to be updated.
-
See also the Actions required information below.
Upgrade From Other MidPoint Versions
Upgrade from midPoint versions other than 4.8.x to midPoint 4.9 is not supported directly. Please upgrade to 4.8.5 first.
Deprecation, Feature Removal And Major Incompatible Changes Since 4.8
This section is relevant to the majority of midPoint deployments. It refers to the most significant functionality removals and changes in this version. |
Changes In Initial Objects Since 4.8
This section is relevant to the majority of midPoint deployments. |
MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present.
This includes vital objects for the system to be configured (e.g., the role Superuser
and the user administrator
).
These objects may change in some midPoint releases.
However, midPoint is conservative and avoids overwriting customized configuration objects.
Therefore, midPoint does not overwrite existing objects when they are already in the database.
This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version.
The following list contains a description of changes to the initial objects in this midPoint release.
The complete new set of initial objects is in the config/initial-objects
directory in both the source and binary distributions.
Actions required: Please review the changes and apply them appropriately to your configuration. Ninja can help with updating existing initial objects during upgrade procedure using initial-objects
command.
For more information see here.
-
040-role-enduser.xml: The
End user
role was updated with a hidden visibility formyCertificationItems
dashboard widget. -
042-role-enduser.xml: The
Reviewer
role was extended withmyActiveCertificationCampaigns
UI authorization for active campaigns page and with more items of the certification campaign object to be read. -
000-system-configuration.xml: The
SystemConfiguration
object was extended with a new dashboard widget configuration for certification items. -
250-object-collection-resource.xml: The
All resources
object collection was updated with a filter to exclude resource templates. -
251-object-collection-resource-up.xml: The
Resources up
object collection was updated with a filter to exclude resource templates. -
520-archetype-task-certification.xml: Changes for proper functioning of certification related tasks.
-
534-archetype-task-certification-campaign-open-next-stage.xml: Archetype for campaign open next stage (start campaign) related task.
-
535-archetype-task-certification-remediation.xml: Archetype for campaign remediation related task.
-
A set of initial objects was updated to extend polystring type elements with translation keys configuration. The full set of changed objects you can see in the commit with some further changes in the next commits: archetype correlation case label fix, fixes in system configuration object, archetype and report objects fixes, application label fix.
-
029-archetype-application.xml: updated panels for application archetype.
-
700-archetype-event-mark.xml: updated admin gui configuration - hidden object operation policy panel.
-
800-804 marks: updated object operation policy membership.
-
030-role-superuser.xml: updated policy.
Please review source code history for detailed list of changes.
Copies of initial object files are located in config/initial-objects directory of midPoint distribution packages. These files can be used as a reference during upgrades.
On-line version can be found in midPoint source code.
|
Schema Changes Since 4.8
This section is relevant to the majority of midPoint deployments.
It describes what data items were marked as deprecated, or removed altogether from the schema.
You should at least scan through it - or use the ninja tool to check the deprecations for you.
|
Type |
Item or value |
Note |
|
|
Configure actions in the cert. items collection view instead. |
|
|
Use |
|
|
Use association types (in schemaHandling) instead. |
|
|
Use "marking" instead. |
|
|
Legacy associations of this shadow. Not used anymore. |
|
|
Use |
The synchronize/membership
container was added to the object operation policy object, present in object marks (like the Protected
one).
It controls the handling of the membership of entitlements possessing given object mark.
Actions required:
-
Inspect your configuration for deprecated items, and replace them by their suggested equivalents. Make sure you don’t use any removed items. You can use
ninja
tool for this. -
Be sure to apply the changes to initial objects 800-804 (object marks), as well as to your custom object marks to handle the membership in the expected way.
Behavior Changes Since 4.8
This section describes changes in the behavior that existed before this release. New behavior is not mentioned here. Plain bugfixes (correcting incorrect behavior) are skipped too. Only things that cannot be described as simple "fixing" something are described here. The changes since 4.8 are of interest probably for "advanced" midPoint deployments only. You should at least scan through them, though. |
-
Checking for conflicts for single-valued items was fixed (strengthened). In 4.8.3 and before, there were situations that two strong mappings produced different values for a given single-valued item, yet no error was produced. (If the item contained the same value that was produced by one of these mappings.) Such configurations are in principle unstable, so this kind of errors should be identified and fixed. Please see MID-9621 and this commit.
-
The default configuration for caching was changed. Currently, only the attributes defined in
schemaHandling
are cached by default. (Except for the situation when the caching is enabled bycachingOnly
property in the read capability.) -
When processing live sync changes that contain only the object identifiers, a more aggressive approach to fetching actual objects was adopted: We now always fetch the actual object, if possible. The reason is that the cached version may be incomplete or outdated.
-
The behavior of
disableTimestamp
anddisableReason
in the shadow activation container was changed. Before 4.9/4.8.1, these properties were updated only if there was an actual change in the administrative status from something toDISABLED
. Since 4.9/4.8.1, both of these properties are updated even if the administrative status is alreadyDISABLED
: thedisableReason
is determined anew, and thedisableTimestamp
is updated if the status and/or the reason are modified. See MID-9220. -
Automatic caching of association binding attributes (the "value" side, i.e.
valueAttribute
in the association definition) is no longer provided. It is recommended to mark them as secondary identifiers. -
The filtering of associations was changed slightly. In particular, even if the required auxiliary object class is not present for the subject, the association values are still shown - if they exist on the resource. (They were hidden before.)
-
To address MID-9638 and MID-9670 (leaking data via searching objects by filters), the handling of items allowed for search operations was changed.
It is now evaluated not only for the type we are searching for (like RoleType
), but for all types whose items are to be used for the search (like UserType
for a filter like "give me RoleType
referencedBy
UserType
via `assignment/targetRef`").
The checks are "yes/no" style only, based on the presence or absence of authorizations against specified type and item(s), with appropriate action URIs (read, search, and the new searchBy).
No detailed checking for the values is done. E.g. if the search for UserType:name
is allowed even for potentially a single user object (via an authorization clause that can provide any number of matching objects, even zero), then the name
item can be used for any search concerning UserType
or even FocusType
objects.
Effects on existing deployments:
-
Some queries allowed previously may now fail because of missing item-searching authorizations. As a quick fix, new (experimental, temporary)
searchBy
authorization is available to give search access to these items without providing any additional access to data values. -
Some queries denied previously may now be allowed. This should be quite rare, but possible. It can happen if the original authorization was not applied because of some specific limitations (like
roleRelation
with no explicit role information), and hence theitem
/exceptItem
part of it was skipped. This is no longer the case.
See commit 609286.
-
The
effectiveMarkRef
item now has value metadata to determine the values' origin. See commit 351d7e. -
The mapping specification in provenance metadata now contains also object type name, association type name, and the shadow tag. See Mapping Maintenance Tasks, commit 0dd1c0, and commit 8557f5.
-
"<a:indexed/>" and "<a:indexOnly/>" annotations - when present but without any value - was interpreted as "false". This was now changed to a more intuitive interpretation (similar to a:object, a:container, etc), where annotation present but without value means "true". Also, "a:container" and other markers were interpreted as "true", even if the value was actually "false". This is now fixed as well.
-
Years-old ref-style schema annotations like <r:identifier ref="icfs:uid"/> are no longer supported. They are not used since midPoint 2.0. If you happen to use them in your manually configured resource XSD schemas, please replace them with the supported <r:identifier>icfs:uid</r:identifier> style.
-
Support for getting/setting objects embedded in references marked as
a:objectReference
directly, likeLensElementContext.getObjectOld()
. This feature was used only internally by midPoint. -
The
<xsd:documentation>
element in resource schemas is now ignored. It was never used by ConnId connectors, but, in theory, it might be used for manually entered schemas. -
Default target set for mappings emitting multivalue properties is based on provenance metadata, mapping can only remove values, it added.
-
If value has multiple provenances (user entry, or multiple mappings), the mapping removes only its provenance section, value still remains.
-
The addition of the value metadata at various places of objects means that the objects are larger than in previous versions of midPoint. In a similar way, the shadow caching feature - enabled by default for new installations - will probably increase the size of shadow objects further. All this will probably have an impact on the database size as well as on the runtime performance. (The exact proportions depend on specifics of the deployment.) All these features can be configured - or even turned off in the extreme case - so you can do your own tradeoff between functionality and performance. Moreover, we plan to improve the performance in the forthcoming releases. |
Java and REST API Changes Since 4.8
As for the Java API, this section describes changes in midpoint and basic function libraries.
(MidPoint does not have explicitly defined Java API, yet.
But these two objects are something that can be unofficially considered to be the API of midPoint, usable e.g. from scripts.)
|
Internal Changes Since 4.8
These changes should not influence people that use midPoint "as is". They should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components. |
-
Internal APIs were massively changed with regard to passing
prismContext
object between methods. This object has been statically available for quite a long time. Now it was definitely removed from methods' signatures.The official APIs (like
midpoint
andbasic
objects) were not touched by this change. However, if you use some of the unofficial or undocumented APIs, please make sure you migrate your code appropriately.The change itself is very simple: basically, the
PrismContext
parameter was removed from methods' signatures. -
Likewise, the internals of prism definitions were changed in 12808d. You should not be affected by this; however, if you use some of the unofficial/undocumented APIs, please check your code.
Known Issues and Limitations
As all real-world software midPoint 4.9 has some known issues. Full list of the issues is maintained in bug tracking system. As far as we know at the time of the release there was no known critical or security issue.
There is currently no plan to fix the known issues of midPoint 4.9 en masse. These issues will be fixed in future maintenance versions of midPoint only if the fix is covered by a support agreement or subscription. No other issues will be fixed - except for severe security issues that may be found in the future.
The known issues of midPoint 4.9 may or may not be fixed in following releases. This depends on the available time, issue severity and many variables that are currently difficult to predict. The only reliable way how to make sure that an issue is fixed is to purchase midPoint support. Or you can fix the bug yourself. MidPoint is always open to contributions.
This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.
Credits
Majority of the work on the Verne release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.
Disclaimer
Planned release dates are just that: they are planned. We do not promise or guarantee release dates. Software development is a creative activity that includes a lot of inherent risk. We are trying really hard to provide the best estimates. We are not able to provide precise dates for releases or deliveries. Do not rely on midPoint release dates. Plan your project properly to address the risk of delayed midPoint releases.
Planned scope of midPoint releases is also an estimate. MidPoint development process always includes the balancing of the iron triangle. Therefore planned release scope may change at any time. There is a method to make sure that midPoint releases will work well for your project and that method is platform subscription.
We do not make any claims that midPoint is perfect. Quite the contrary. MidPoint is a practical software, developed by living and breathing developers and deployed in a real world. There are both known and unknown issues in midPoint. Also, midPoint is not feature-complete. New features are introduced in midPoint all the time. But not all of them are completed. There are always some limitations. As the license states, midPoint is provided "AS IS". Please do not rely on midPoint functionality that you have not tested to make sure that it works. MidPoint support and subscription programs are a way how to handle those issues. But even with support service, do not rely on functionality that is not documented. If you plan to use undocumented or non-existing functionality, platform subscription is the right service for you.