This is a list of the most important and unique features of midPoint:
- Common identity management data model
  - Extensible object types:
    - User objects to represent users, physical persons and personas
    - Role objects to represent roles, privileges, jobs and so on
    - Org objects to represent organizational units, teams, workgroups, etc.
    - Service objects to represent servers, network devices, mobile devices, network services, etc.
  - Numerous built-in properties (a.k.a. core identity schema)
  - Extensibility by custom properties
  - Completely schema-aware system
    - Dynamic schema automatically retrieved from resource
    - Support for primitive data types
    - Native support of multi-value attributes
    - Limited support for complex data types
  - Processing and computation fully based on relative changes
  - Off-the-shelf support for user password credentials
  - Off-the-shelf support for activation (users, roles, orgs, services)
    - Enabled/disabled states (extensible in the future)
    - Support for user validity time constraints (valid from, valid to)
  - Object template to define policies, default values, etc.
    - Ability to use conditional mappings (e.g. to create RB-RBAC setup)
    - Ability to include other object templates
    - Global and resource-specific template setup
  - Representation of all configuration and data objects in XML, JSON and YAML
  - Annotation support (such as "experimental" and "deprecated" annotations to control data model evolution)
  - Customizable PolyString normalization
- Identity management
  - Enabling and disabling accounts
  - Support for mappings and expressions to determine account attributes
  - Multi-layer attribute access limitations
  - Provisioning dependencies
    - Higher-order dependencies (enables partial support for circular provisioning dependencies)
  - Provisioning robustness - ability to provision to non-accessible (offline) resources
  - Provisioning consistency - ability to handle provisioning errors and compensate for inconsistencies
  - Provisioning Propagation
  - Support for tolerant attributes
    - Ability to select tolerant and non-tolerant values using a pattern (regexp)
  - Support for volatile attributes (attributes changed by the resource)
  - Matching Rules
    - Matching rules to support case-insensitive attributes, DN and UUID attributes, XML attributes, etc. (extensible)
    - Automatic matching rule discovery
  - Provisioning scripts
    - Ability to execute scripts before/after provisioning operations
    - Ad-hoc provisioning script execution
  - Import from file and resource
  - Advanced support for account activation (enabled/disabled states)
    - Standardized account activation that matches the user activation schema for easy integration
    - Ability to simulate the activation capability if the connector does not provide it
    - Support for account lock-out
    - Support for account validity time constraints (valid from, valid to)
    - Support for easy activation existence mappings (e.g. easy configuration of the "disable instead of delete" feature)
    - Support for time constraints in activation mappings, allowing configuration of time-related provisioning features such as deferred account delete or pre-provisioning
  - Ability to specify a set of protected accounts that will not be affected by the IDM system
  - Support for base context searches for connectors that support object hierarchies (such as LDAP)
  - Notifications
  - Bulk actions
  - Passive Attribute Caching (EXPERIMENTAL)
  - Partial multi-tenancy support
- Synchronization
  - Live synchronization
  - Reconciliation
    - Ability to execute scripts before/after reconciliation
  - Correlation and confirmation expressions
    - Conditional correlation expressions
  - Concept of channel that can be used to adjust synchronization behavior in some situations
  - Generic Synchronization allows synchronization of roles to groups to organizational units to ... anything
  - Self-healing consistency mechanism
- Advanced RBAC
  - Expressions in the roles
  - Hierarchical roles
  - Conditional roles and assignments/inducements
  - Parametric roles (including ability to assign the same role several times with different parameters)
    - Note: role parameters are only partially supported in midPoint user interface (hardcoded parameters only)
  - Temporal constraints (validity dates: valid from, valid to)
  - Metaroles
  - Role catalog
  - Role request based on shopping cart paradigm
  - Several assignment enforcement modes
    - Ability to specify global or resource-specific enforcement mode
    - Ability to "legalize" assignment that violates the enforcement mode
  - Rule-based RBAC (RB-RBAC) ability by using conditional mappings in user template and role autoassignment
  - Entitlements and entitlement associations
    - GUI support for entitlement listing, membership and editing
    - Entitlement approval
    - User-friendly entitlement association management
- Organizational and Identity governance
  - Powerful organizational structure management
  - Approvals
    - Declarative policy-based multi-level approval process
    - Visualization of approval process
  - Access certification campaigns
    - Ad-hoc recertification
  - Escalation in approval and certification processes
  - Object history (time machine)
  - Rich assignment metadata
  - User-friendly policy selection
  - Deputy (ad-hoc privilege delegation)
  - Object lifecycle property
  - Policy Rules as a unified mechanism to define identity management, governance and compliance policies
    - Policy-based approvals driven by policy rules
    - Policy rules based on modification of objects, change in assignments and many other conditions
    - Policy rules can set a policy situation that can be used for basic compliance reports
  - Segregation of Duties (SoD)
    - Many options to define role exclusions
    - SoD approvals
    - SoD certification
  - Assignment constraints for roles and organizational structure
  - Basic role lifecycle management (role approvals)
  - Personas
- Expressions, mappings and other dynamic features
  - Sequences for reliable allocation of unique identifiers
  - Customization expressions
    - Groovy
    - Python
    - JavaScript (ECMAScript)
  - Built-in libraries with a convenient set of functions
  - PolyString support allows automatic conversion of strings in national alphabets
  - Mechanism to iteratively determine unique usernames and other identifiers
  - Function libraries
- Web-based administration user interface
  - Ability to execute identity management operations on users and accounts
  - User-centric views
  - Account-centric views (browse and search accounts directly)
  - Resource wizard
  - Layout automatically adapts to screen size
    - Note: intended for desktop only. Small mobile screens may not be supported.
  - Easily customizable look & feel
  - Built-in XML/JSON/YAML editor for identity and configuration objects
  - Identity merge
  - Support for custom static web content
- Self-service
  - User profile page
  - Password management page
  - Role selection and request dialog
  - Self-registration
  - Email-based password reset
- Connectors
  - Integration of ConnId identity connector framework
    - Support for Evolveum Polygon connectors
    - Support for ConnId connectors
    - Support for OpenICF connectors (limited)
  - Automatic generation and caching of resource schema from the connector
  - Local connector discovery
  - Support for connector hosts and remote connectors (identity connector and connector host object types)
  - Remote connector discovery
- Manual Resource and ITSM Integration
- Flexible identity repository implementations, including an SQL repository implementation
  - Identity repository based on relational databases
  - Keeping metadata for all objects (creation, modification, approvals)
  - Automatic repository cleanup to keep the data store size sustainable
- Security
  - Flexible Authentication
  - Service authentication
  - Fine-grained authorization model
    - Authorization expressions
    - Limited power of attorney implementation
    - Organizational structure and RBAC integration
    - Delegated administration
  - Password management
    - Password distribution
    - Password policies
    - Password retention policy
    - Password metadata
    - Self-service password management
    - Password storage options (encryption, hashing)
    - Mail-based initialization of passwords for new accounts
  - CSRF protection
- Auditing
  - Auditing to file (logging)
  - Auditing to SQL table
  - Interactive audit log viewer
- Extensibility
  - Custom schema extensibility
  - Scripting Hooks
  - Lookup Tables
  - Support for overlay projects and deep customization
  - Support for programmatic custom GUI forms (Apache Wicket components)
  - Basic support for declarative custom forms
  - API accessible via REST, web services (SOAP) and local Java calls
- Reporting
  - Scheduled reports
  - Lightweight reporting (CSV export) built into user interface
  - Comprehensive reporting based on Jasper Reports
  - Post report script
- Internals
- Operations
  - Lightweight deployment structure with two deployment options:
    - Stand-alone deployment
    - Deployment to web container (WAR)
  - Multi-node task manager component with HA support
  - Comprehensive logging designed to aid troubleshooting
  - Enterprise class scalability (hundreds of thousands of users)
- Documentation
  - Administration documentation publicly available in the wiki
  - Architectural documentation publicly available in the wiki
  - Schema documentation automatically generated from the definition (schemadoc)
The following pages provide more information about the features:
- Openness
- Unique Features
- Common Data Model
- Assignment
- Synchronization
- Advanced Hybrid RBAC
- Relativity
- Prism Objects
- Mappings and Expressions
- Segregation of Duties
- PolyString
- Password Policy
- Provisioning Dependencies
- Consistency mechanism
- Deltas
- Notifications
- Authorization
- Other Features
- High Availability and Load Balancing
- REST API
- Generic Synchronization
- Entitlements
- Approach
- Access Certification
- Sequences
- Lookup Tables
- Iteration
- Services
- Auxiliary Object Classes
- Attribute Caching
- Deputy
- Approval
- Policy Rules
- Role Lifecycle
- Role Catalog
- Personas
- Manual Resource and ITSM Integration
- Multi-Connector Resource
- Bulk actions (midPoint scripting language)
- Constants
- Role Request and Shopping Cart
- Function Libraries
- Role Autoassignment
- Stand-Alone Deployment
- Provisioning Propagation
- User-Friendly Policy Selection
- Subtype
- Generic Objects
- Synergistic Features
- Multitenancy
- Thresholds
- Archetypes
- Service Account Management
- Expression Profiles
- Localization
- Object Collections and Views
- Metaroles
- Spring Boot Actuator Endpoints
- Sections (virtual containers) in object details
- Workflowless
- Planned Features
- Obsolete Features
- Flexible Authentication
- Repository Database Support
- Linked objects
- Resource Maintenance State
- Asynchronous (Messaging) Outbound Resources
- Asynchronous (Messaging) Inbound Resources
Planned Features
These features are planned for future midPoint releases:
- Archetype Improvements (Planned Feature)
- Case Management
- Complete Relativity
- Compliance
- Consent Management (GDPR)
- Customizable Dashboards
- Data Provenance
- Expression Profiles: Full Implementation
- Flexible Authentication Improvements
- Ideas for midPoint development
- Localization Improvements
- Management of Lawful Bases for Data Processing (GDPR)
- Manual Correlation
- Messaging API
- Messaging Resources
- MidPoint 5.0 Vision
- MidPoint Studio
- Object Collections and Views Improvements
- PolyString Improvements
- Power of Attorney
- Recent Errors
- Remediation
- Retirement of Roles
- Script Expression Sandboxing
- Service Account Management Improvements
- Workflow Integration
External links
- What is midPoint Open Source Identity & Access Management
- Evolveum - Team of IAM professionals who developed midPoint