This is a list of most important and unique features of midPoint:

Common identity management data model
- Extensible object types:
  - User objects to represent users, physical persons and personas
  - Role objects to represent roles, privileges, jobs and so on
  - Org objects to represent organizational units, teams, workgroups, etc.
  - Service objects to represent servers, network devices, mobile devices, network services, etc.
- Numerous built-in properties (a.k.a. core identity schema)
- Extensibility by custom properties
- Completely schema-aware system
  - Dynamic schema automatically retrieved from resource
  - Support for primitive data types
  - Native support of multi-value attributes
  - Limited support for complex data types
- Processing and computation fully based on relative changes
- Off-the-shelf support for user password credentials
- Off-the-shelf support for activation (users, roles, orgs, services)
  - Enabled/disabled states (extensible in the future)
  - Support for user validity time constraints (valid from, valid to)
- Object template to define policies, default values, etc.
  - Ability to use conditional mappings (e.g. to create RB-RBAC setup)
  - Ability to include other object templates
  - Global and resource-specific template setup
- Representation of all configuration and data objects in XML, JSON and YAML
- Annotation support (such as "experimental" and "deprecated" annotation to control data model evolution)
- Customizable PolyString normalization
Identity management
- Enabling and disabling accounts
- Support for mapping and expressions to determine account attributes
- Multi-layer attribute access limitations
- Provisioning dependencies
  - Higher-order dependencies (enables partial support for circular provisioning dependencies)
- Provisioning robustness - ability to provision to non-accessible (offline) resources
- Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
- Provisioning Propagation
- Support for tolerant attributes
  - Ability to select tolerant and non-tolerant values using a pattern (regexp)
- Support for volatile attributes (attributes changed by the resource)
- Matching Rules
  - Matching rules to support case insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
  - Automatic matching rule discovery
- Provisioning scripts
  - Ability to execute scripts before/after provisioning operations
  - Ad-hoc provisioning script execution
- Import from file and resource
  - Object schema validation during import (can be switched off)
  - Smart references between objects based on search filters
- Advanced support for account activation (enabled/disabled states)
  - Standardized account activation that matches user activation schema for easy integration
  - Ability to simulate activation capability if the connector does not provide it
  - Support for account lock-out
  - Support for account validity time constrains (valid from, valid to)
  - Support easy activation existence mappings (e.g. easy configuration of "disables instead of delete" feature)
  - Support for mapping time constraints in activation mappings that allow configuring time-related provisioning features such as deferred account delete or pre-provisioning.
- Ability to specify set of protected accounts that will not be affected by IDM system
- Support for base context searches for connectors that support object hierarchies (such as LDAP)
- Notifications
- Bulk actions
- Passive Attribute Caching (EXPERIMENTAL)
- Partial multi-tenancy support
Synchronization
- Live synchronization
- Reconciliation
  - Ability to execute scripts before/after reconciliation
- Correlation and confirmation expressions
  - Conditional correlation expressions
- Concept of channel that can be used to adjust synchronization behavior in some situations
- Generic Synchronization allows synchronization of roles to groups to organizational units to ... anything
- Self-healing consistency mechanism
Advanced RBAC
- Expressions in the roles
- Hierarchical roles
- Conditional roles and assignments/inducements
- Parametric roles (including ability to assign the same role several times with different parameters)
  - Note: role parameters are only partially supported in midPoint user interface (hardcoded parameters only)
- Temporal constraints (validity dates: valid from, valid to)
- Metaroles
- Role catalog
- Role request based on shopping cart paradigm
- Several assignment enforcement modes
  - Ability to specify global or resource-specific enforcement mode
  - Ability to "legalize" assignment that violates the enforcement mode
- Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template and role autoassignment
Entitlements and entitlement associations
- GUI support for entitlement listing, membership and editing
- Entitlement approval
- User-friendly entitlement association management
Organizational and Identity governance
- Powerful organizational structure management
- Approvals
  - Declarative policy-based multi-level approval process
  - Visualization of approval process
- Access certification campaigns
  - Ad-hoc recertificaiton
- Escalation in approval and certification processes
- Object history (time machine)
- Rich assignment meta-data
- User-friendly policy selection
- Deputy (ad-hoc privilege delegation)
- Object lifecycle property
- Policy Rules as a unified mechanism to define identity management, governance and compliance policies
  - Policy-based approvals driven by policy rules
  - Policy rules based on modification of objects, change in assignments and many other conditions
  - Policy rules can set policy situation that can be used for basic compliance reports
- Segregation of Duties (SoD)
  - Many options to define role exclusions
  - SoD approvals
  - SoD certification
- Assignment constraints for roles and organizational structure
- Basic role lifecycle management (role approvals)
- Personas
Expressions, mappings and other dynamic features
- Sequences for reliable allocation of unique identifiers
- Customization expressions
  - Groovy
  - Python
  - JavaScript (ECMAScript)
  - Built-in libraries with a convenient set of functions
- PolyString support allows automatic conversion of strings in national alphabets
- Mechanism to iteratively determine unique usernames and other identifier
- Function libraries
Web-based administration user interface
- Ability to execute identity management operations on users and accounts
- User-centric views
- Account-centric views (browse and search accounts directly)
- Resource wizard
- Layout automatically adapts to screen size
  - Note: intended for desktop only. Small mobile screens may not be supported.
- Easily customizable look & feel
- Built-in XML/JSON/YAML editor for identity and configuration objects
- Identity merge
- Support for custom static web content
Self-service
- User profile page
- Password management page
- Role selection and request dialog
- Self-registration
- Email-based password reset
Connectors
- Integration of ConnId identity connector framework
  - Support for Evolveum Polygon connectors
  - Support for ConnId connectors
  - Support for OpenICF connectors (limited)
- Automatic generation and caching of resource schema from the connector
- Local connector discovery
- Support for connector hosts and remote connectors, identity connector and connectors host type
- Remote connector discovery
- Manual Resource and ITSM Integration
Flexible identity repository implementations and SQL repository implementation
- Identity repository based on relational databases
- Keeping metadata for all objects (creation, modification, approvals)
- Automatic repository cleanup to keep the data store size sustainable
Security
- Flexible Authentication
  - Service authentication
- Fine-grained authorization model
  - Authorization expressions
  - Limited power of attorney implementation
- Organizational structure and RBAC integration
- Delegated administration
- Password management
  - Password distribution
  - Password policies
  - Password retention policy
  - Password metadata
  - Self-service password management
  - Password storage options (encryption, hashing)
  - Mail-based initialization of passwords for new accounts
- CSRF protection
Auditing
- Auditing to file (logging)
- Auditing to SQL table
- Interactive audit log viewer
Extensibility
- Custom schema extensibility
- Scripting Hooks
- Lookup Tables
- Support for overlay projects and deep customization
- Support for programmatic custom GUI forms (Apache Wicket components)
- Basic support for declarative custom forms
- API accessible using a REST, web services (SOAP) and local JAVA calls
Reporting
- Scheduled reports
- Lightweight reporting (CSV export) built into user interface
- Comprehensive reporting based on Jasper Reports
- Post report script
Internals
- Task management
Operations
- Lightweight deployment structure with two deployment options:
  - Stand-alone deployment
  - Deployment to web container (WAR)
- Multi-node task manager component with HA support
- Comprehensive logging designed to aid troubleshooting
- Enterprise class scalability (hundreds of thousands of users)
Documentation
- Administration documentation publicly available in the wiki
- Architectural documentation publicly available in the wiki
- Schema documentation automatically generated from the definition (schemadoc)

Following pages provide more information about the features:

Planned Features

Those features are planned for future midPoint releases

External links

What is midPoint Open Source Identity & Access Management
Evolveum - Team of IAM professionals who developed midPoint

Page tree

Features

Planned Features

External links