MidPoint 4.0 and later
MidPoint provides powerful mechanism to synchronize data among different resources. Usually, there is a resource which is authoritative and midPoint should take appropriate actions to keep the data consistent according to the authoritative resource. In most cases, authoritative resource is represented by HR system. However, there are situations when the data in HR are not 100% correct and midPoint should not propagate such data to other resources.
For example, imagine that by the mistake, thousands of accounts was disabled in the HR system and there is a reconciliation task in midPoint scheduled to run every night. If no one noticed the mistake before the reconciliation run it would end up with disabling users across all connected systems. To prevent such situations midPoint has to know which changes are critical and what to do in the case they occur.
For now, it is possible to set up thresholds for different tasks (reconciliation, recomputation, synchronization,...). It is done by assigning role with defined policy rules to the task. Following is the example for setting thresholds for reconciliation task.
Policy rule above specifies that midPoint should monitor creation of new users (specified by policyConstraints) and when the limit is reached (count=4), task execution is stopped (policyAction=stop). After defining such a role with policy rules, midPoint has to know that such a role should be taken into account. Therefore, it is needed to assign this role to the task as in the example bellow.
In the example above, important part is assignment. According to this assignment midPoint knows that there could be applicable roles and policies during executing such a task. One additional setting in the example above is the extension property simulateBeforeExecute. When set to true, midPoint will first run reconciliation in the simulation mode - midPoint will compute all changes, apply all policy rules and so on, but nothing is executed. Only after the simulation mode ends successfully, there is a second round of reconciliation in the full mode. If the simulation mode ends with errors and the limit was reached, the full reconciliation is not run. The default value for simulateBeforeExecute property is false.