Page tree
Skip to end of metadata
Go to start of metadata


Inbound mapping is a mapping that transforms data from a projection (e.g. an account) on the resource side to a focal object (e.g. a user) on the midPoint side. Therefore it maps data in the direction which points into midPoint. Hence inbound mapping. Inbound mappings are usually used to copy and transform data from authoritative sources to midPoint. E.g. inbound mappings are often used to populate new user object with data from HR system.

Please see the Synchronization page for a generic description of the synchronization process and the specific place where inbound mappings are used.


Value constructions are sometimes used in situations where an input of the construction is quite obvious. In such cases the input is placed into a variable named input for easier use. This is common practice e.g. in inbound expressions or in expressions describing synchronization of account activation and password.

Expression constructor using input variable
    concat('The Mighty Pirate ', $c:input)


Available since 3.7

This feature is available since 3.7

Since version 3.7 it is possible to manage group membership directly. There is no more need to define some user's extension attribute and manage the group membership indirectly using this attribute. The inbound mapping for association will do the work. As the example bellow shows, inbound can be defined in resource schema handling in the association part. All midpoint's expression can be used. In the following example the assignmentTargetSearch is used. According to the group in which user's take a membership the assignment will be constructed. The prerequisite is that each known group has it's corresponding role in midPoint. After applying search filter the role is found and it is assigned to the user. 

Inbound example for association
									return 'Auto' + entitlement?.getName()?.getNorm();
	                        import com.evolveum.midpoint.schema.constants.*
	                        import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;

	                        if ( != null) {
	                        	return == 'auto'

	                        if (assignment.targetRef != null) {
	                        	role = midpoint.getObject(RoleType.class, assignment.targetRef.oid)
	                        	return ('auto')?.equals(role.roleType)

In the example bellow there is a script expression return 'Auto' + entitlement?.getName()?.getNorm(); which tells midPoint which role should be assigned to the user. The entitlement is a special variable pointing to the ShadowType representing group on resource. This variable is available only for script expression in the relativity mode relative. In other cases when there is a need to resolve ShadowType for a group there is a method in midpoint function library which can be used. This method is shown in example bellow.

Resolving ShadowAssociationForGroup
groupShadowType = midpoint.resolveEntitlement(input);


See Also

  • No labels