This page describes a feature planned for future midPoint versions.
This feature is roughly designed and it was evaluated as feasible. However, there is currently no specific plan for when it will be implemented because there is no funding for this development yet. If you are interested in supporting development of this feature, please consider activating midPoint Platform subscription.
There are many motivations for this feature, each of them looking at the feature from a slightly different angle.
Firstly, there are lists of objects that are used quite frequently, such as a list of all employees, a list of all contractors, a list of all business roles and so on. It would be nice to have such lists pre-defined and then reuse that definition in many places:
- Menu: It would be nice to have a menu item to quickly list all employees or business roles. Just click on that and there is a user list that contains just the employees.
- Dashboard: It would also be nice to have a custom dashboard widget that displays an object collection and works as quick access to that collection.
- Search: The global search field may be extended with a control that allows searching in a specific collection (e.g. employees, business roles, ...)
In addition to that, there may be specific views defined for a collection. E.g. we would like to see different columns when we list employees than the columns that we see for business roles. A similar approach may be applied to ordering, default items present in the search box and other details of user interface presentation.
As midPoint already has the ability to export the results of a search operation as CSV, this can be used to create a quick ad-hoc reporting capability. Just define a frequently-used filter as an object collection. Then click on that collection in the menu, click on the CSV export button and import the result into your favorite spreadsheet processor.
The idea of object collections may look simple, but there is unexpected strength in it. Object collections can be slightly extended to support simple compliance reporting. Simply speaking, the collection itself already provides some form of compliance reporting. E.g. even a simple filter can be used to show disabled users or active roles. If we add the ability to use expressions in filters, this feature gets more interesting, as we would be able to show all the users that are about to expire in the next two weeks. If we add a little bit of metadata (e.g. timestamp of last lifecycle transition), things may get even more interesting, e.g. we get the ability to show all the roles in the proposed lifecycle state that have been stuck in this state for more than a month. Or we could show all the orphaned accounts that were detected in the last 24 hours.
This will give us very basic compliance reporting. But this can be extended even further. We can extend the object collection with the definition of its domain. In other words, the collection may know the set of all objects from which it is filtered. For example, the collection of disabled employees may know that it is in fact selected from the list of all employees. Then the collection can evaluate percentages. For example, the disabled employees collection may show that there are 5 disabled employees, which is 0.2% of all employees.
TODO: It would be nice to use just "employees" as a criterion in authorizations instead of copying the search filter everywhere. And also policy rules.
TODO: scanner task that looks for users to expire and sends notifications ... and showing the same information on a dashboard.
New Policy Rules
TODO: Policy rules that trigger on collections, e.g. percentage of a collection more than 5%, count less than 1, etc.
Phase 1: List and Views
TODO: definition (system config)
TODO: use in GUI (filter, columns, maybe search box)
Phase 2: Compliance
TODO: allow expressions in filters (e.g. all users about to expire in two weeks)
TODO: more metadata (e.g. timestamp of last lifecycle transition, timestamp of sync situation change, timestamp of policy situation change)
TODO: Collection "domain" and percentages
Phase 3: Use in Authorizations and Policy Rules
- Selection for global search to search in a specific collection (employees, business roles, ...)
- Integrate with reporting, e.g. ability to schedule a report based on an object collection that will produce CSV or a spreadsheet and send it by mail.
- New policy rules that trigger on collections, e.g. percentage of a collection more than 5%, count less than 1, etc.
- MID-3408
- MID-3517
- Policy Rules