The user object represents a physical user of the system. It differs from the account: an "account" is a data structure in a target system, while a "user" is a data structure in midPoint. One user typically has many accounts. The properties of the user object describe the user as a physical person. Therefore the user object defines a handful of properties that are commonly used to describe users in IDM solutions (employees, customers, partners, etc.). Custom extensions are possible by using the "extension" container.
UserType, like all midPoint objects, is a subtype of ObjectType. Therefore it has all the basic properties, such as
UserType is also a focal type. Therefore it can behave as a "focus" (authoritative object) in midPoint synchronization.
The following links can be used to get a full and authoritative description of the user object schema:
The user object contains the following frequently used items:
- fullName: Full name of the user with all the decorations: middle-name initials, honorific title and any other structure that is usual in the cultural environment the system operates in. This element is intended to be displayed to a common user of the system.
- givenName: Given name of the user. It is usually the first name of the user, but the order of names differs across cultural environments. This element always contains the name that was given to the user at birth or was chosen by the user.
- familyName: Family name of the user. It is usually the last name of the user, but the order of names differs across cultural environments. This element always contains the name that was inherited from the family or was assigned to the user by some other means.
- additionalName: Middle name, patronymic, matronymic or any other name of a person. It is usually the middle component of the name, but that may be culture-dependent.
- nickName: Familiar or otherwise informal way to address a person. The purpose of this property is to take part in the formatted full name of the person, e.g. William "Bootstrap" Turner. It is not intended to be used as a username or login name. This value is usually changeable by the user and defines how the user wants others to address them.
- honorificPrefix: Honorific titles that go before the name.
- honorificSuffix: Honorific titles that go after the name.
- title: User's title defining a work position or a primary role in the organization.
- preferredLanguage: Indicates the user's preferred language, usually for the purpose of localizing user interfaces. The format is an IETF language tag as defined in BCP 47, with underscore used as the subtag separator. This is usually an ISO 639-1 two-letter language code, optionally followed by an ISO 3166-1 two-letter country code separated by an underscore. Languages that do not have country-specific variants are usually specified by the two-letter language code alone ("sk", "cs", "tr"). Languages with country-specific variants have country-specific subtags ("pt_BR", "zh_CN"). If no value is specified in this property, the system default locale is assumed.
- locale: Defines the user's preference for displaying currency, dates and other items related to location and culture. The format is the same IETF language tag as above: BCP 47 with underscore as the subtag separator, usually an ISO 639-1 two-letter language code optionally followed by an ISO 3166-1 two-letter country code ("sk", "cs", "tr"; "pt_BR", "zh_CN"). If not specified, the system default locale is assumed.
- timezone: User's preferred timezone. It is specified in the "tz database" (a.k.a. "Olson") format. If not specified, the system default timezone is assumed.
- emailAddress: E-mail address of the user. This is the address to be used for communication with the user; for example, the IDM system may send notifications to this address.
- telephoneNumber: Primary telephone number of the user.
- employeeNumber: Unique, business-oriented identifier of the employee. Typically used as a correlation identifier and for auditing purposes. It should be immutable, but the specific properties and usage are deployment-specific.
- employeeType: Employee type specification such as internal employee, external or partner. The specific values are deployment-specific. However, it is generally assumed that this will be an enumeration of several type names or codes that define "classes" of users.
- costCenter: The name, identifier or code of the cost center to which the user belongs.
- organization: Name or (preferably) immutable identifier of the organization that the user belongs to. The format is deployment-specific. Together with organizationalUnit, this property may be used to provide easy-to-use data about the organizational membership of the user.
- organizationalUnit: Name or (preferably) immutable identifier of the organizational unit that the user belongs to. The format is deployment-specific. Together with organization, this property may be used to provide easy-to-use data about the organizational membership of the user.
- locality: Primary locality of the user: the place where the user usually works, the country, city or building the user belongs to. Deployment-specific.
- credentials: The set of the user's credentials (such as passwords). This is a container for various credential types: passwords, public keys, one-time password scheme identifiers, etc. However, the password is expected to be the most widely used credential type, and it is currently also the only supported type.
- activation: User's activation, e.g. enable/disable status, start and end dates. The content of this container determines whether the user should be regarded as active or inactive (e.g. disabled).
- assignment: Set of the user's assignments. Represents objects (such as roles) or accounts directly assigned to the user; an assignment is a policy statement that the user should have something. See Assignment.
- linkRef (accountRef in older midPoint versions): Reference to the accounts that this user owns, or an embedded account object (see Object References). This property specifies the linked accounts, i.e. the accounts that midPoint thinks the user really has. These may differ from what the user should have as represented by assignments (see above).
The full list of items can be found by using the SchemaDoc links above.
```xml
<user>
    <name>jack</name>
    <fullName>Jack Sparrow</fullName>
    <givenName>Jack</givenName>
    <familyName>Sparrow</familyName>
</user>
```
```xml
<user>
    <name>morgan</name>
    <fullName>Admiral Sir Henry Morgan</fullName>
    <givenName>Henry</givenName>
    <familyName>Morgan</familyName>
    <nickName>Barbadosed</nickName>
    <honorificPrefix>Admiral Sir</honorificPrefix>
    <title>Privateer</title>
    <preferredLanguage>en_UK</preferredLanguage>
    <locale>en_UK.UTF-8</locale>
    <timezone>America/Jamaica</timezone>
    <emailAddress>email@example.com</emailAddress>
    <telephoneNumber>+1 876 555 5555</telephoneNumber>
    <employeeNumber>1</employeeNumber>
    <employeeType>FTE</employeeType>
    <organizationalUnit>Government</organizationalUnit>
    <organizationalUnit>Navy</organizationalUnit>
    <locality>Jamaica</locality>
    <credentials>
        <password>
            <protectedString>
                <clearValue>shiverM3t1mb3rz</clearValue>
            </protectedString>
        </password>
    </credentials>
    <activation>
        <enabled>true</enabled>
    </activation>
</user>
```
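As an added example (not part of the midPoint documentation or code base), a small Python checker that applies the conventions described above to a user object in the XML form just shown: it validates preferredLanguage and locale as BCP 47 tags with underscore separators, checks the timezone against the host's tz database, and flags a password supplied as a clearValue, since such an import file carries the password in plaintext. The check_user function and the sample object are hypothetical; the element names are those used in the examples above.

```python
"""Import-time sanity checks for a midPoint <user> object (added example,
not midPoint code): BCP 47 tags with '_' separators, tz database zone
names, and a flag for a password shipped as <clearValue>."""
import re
import xml.etree.ElementTree as ET
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

LANG_TAG = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")  # ISO 639-1 + optional ISO 3166-1
TZ_SHAPE = re.compile(r"^[A-Za-z_+-]+(/[A-Za-z_+-]+)+$")   # Area/Location shape

def _tz_known(name):
    """True if the host tz database knows the zone; falls back to a
    syntactic Area/Location check if no tz database is installed."""
    try:
        ZoneInfo(name)
        return True
    except ValueError:
        return False
    except ZoneInfoNotFoundError:
        try:
            ZoneInfo("UTC")
            return False                  # database present, name unknown
        except ZoneInfoNotFoundError:
            return bool(TZ_SHAPE.match(name))

def check_user(xml_text):
    """Return [(property, problem), ...]; an empty list means clean.
    '{*}' matches any namespace, so namespaced midPoint objects also parse."""
    root = ET.fromstring(xml_text)
    problems = []
    if not root.findtext("{*}name"):
        problems.append(("name", "missing"))
    for prop in ("preferredLanguage", "locale"):
        value = root.findtext("{*}" + prop)
        if value is not None and not LANG_TAG.match(value):
            problems.append((prop, f"not a BCP 47 tag with '_' separator: {value!r}"))
    tz = root.findtext("{*}timezone")
    if tz is not None and not _tz_known(tz):
        problems.append(("timezone", f"unknown tz database name: {tz!r}"))
    # A <clearValue> password is plaintext in the import file itself
    if root.find("{*}credentials/{*}password/{*}protectedString/{*}clearValue") is not None:
        problems.append(("credentials", "password supplied as clearValue"))
    return problems

# Constructed sample modelled on the second example above
SAMPLE = """<user><name>morgan</name>
  <preferredLanguage>en_UK</preferredLanguage><locale>en_UK.UTF-8</locale>
  <timezone>America/Jamaica</timezone>
  <credentials><password><protectedString><clearValue>x</clearValue>
  </protectedString></password></credentials></user>"""
```

Run against the second example above, the checker reports the locale value (the ".UTF-8" suffix is not a BCP 47 subtag) and the clearValue password, and nothing else.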
Please see the Assignment and Assigning vs Linking pages.