Capabilities are definitions of a specific things that a resource can do. There is plethora of various resource types and configuration. Some resources can enable/disable an account, while others cannot. Some resource can provide live feed of changes, some can not. The
capabilities section list the features that the resource has.
There are two sections of capabilities definition:
- Native capabilities are native to the resource. There are the things that resource can do all by itself without any help from midPoint. The list of native capabilities is provided by the connector and does not need to be configured. It is stored in the resource object for performance reasons. If this section is not present in the resource configuration it will be automatically fetched from the resource before its first use.
- Configured capabilities are decision of an administrator how to use native capabilities. This section can be used to disable native capabilities or add capabilities. Some capabilities can be simulated by midPoint. E.g. A resource does not support account enable/disable directly. But administrator know that the enable/disable may be done by flipping a boolean value of a specific attribute. Such simulated capability can be configured in this section. MidPoint will then pretend that the resource has the enable/disable ability. But each time the ability us used it will transparently convert the operation to modification of the special attribute. That's how midPoint simulates some capabilities.
These two sections are added together to form presented capabilities (or just "capabilities"). These are all the features that the resource can do by itself (native capabilities), minus the capabilities that were disabled, plus the capabilities that are simulated. GUI, IDM model and business logic will all work only with presented capabilities, whether the capability is native or simulated does not matter for such upper system layers.
The following example shows a configuration for a simulated activation capability using OpenDJ "ri:ds-pwp-account-disabled" attribute (the value "true" means, the OpenDJ account is disabled; empty value means, the OpenDJ account is enabled) and a configuration for disabling "liveSync" capability. The resource would ignore tha "liveSync" capability as if it would not be supported by the connector.
The capabilities can be used also to disable provisioning operations on the resource, e.g. during imports, reconciliation etc. The following example shows a configuration for a resource, where no "create" or "delete" operations are possible, only "update". Attempt to create or delet any object on the resource would fail with an error.