This feature was called "Account Synchronization Settings" in midPoint versions 2.1 and earlier.
There are several ways how accounts can be provisioned and managed:
There is a major difference between these two approaches from the policy point of view. The links describe actual situation (what is) while assignments describe the policy (what should be). This is discussed in detail in Assigning vs Linking.
There are many ways how to resolve the difference between the policy (assignments) and reality. Assignment enforcement modes are used to control this part of midPoint behaviour. The goal of enforcement modes is to determine account legality of projections. I.e. midPoint computes whether the specific account (or any other projection) is legal or illegal. An account is legal if there is a valid assignment for it or if an enforcement mode allows it. E.g. in FULL enforcement mode the account is legal only if there is a valid assignment. In NONE enforcement mode the account is legal anytime it exists regardless of the assignments.
The legality of the account is then used by the activation mechanism to determine what to do with the account. The activation usually deals with illegal accounts and determines whether to delete the account, disable it or do any other action.
The questionable part is what to do in reality (links) do not conform to the policy (assignments). Maybe the most obvious answer to that question would be to fix the reality: create missing accounts, delete surplus accounts, correct the links. That is usually expected from a working IDM system. But the IDM system that is just being deployed is quite different. The "business first" mantra usually applies when the system is being deployed. It means that the impact of the IDM deployment on the business should be minimized. Therefore the IDM system usually tolerates policy violations during its deployment and early life. Especially if the policies are just beginning to form and there are a lot of violations that need to be addressed manually one by one. In such early phases the system usually only reports the current situation, allows to fix it but it is not enforcing the policies.
The enforcement of assignments can be managed in system global configuration. This applies to the whole system (all resources and accounts). The individual enforcement options for resources will be provided later.
The options are:
If "legalize" is set to true then the illegal resource objects (e.g. accounts) will be made legal. Illegal resource object is a linked resource object for which there is no assignment. If this option is set to true then it will automatically add a (direct) assignment for this object. Default is false.
The projection policy can be configured at several layers:
The options can be set in System Configuration object as illustrated by following example:
<systemConfiguration oid="00000000-0000-0000-0000-000000000001"> <name>SystemConfiguration</name> <metadata>...</metadata> <globalAccountSynchronizationSettings> <assignmentPolicyEnforcement>full</assignmentPolicyEnforcement> </globalAccountSynchronizationSettings> </systemConfiguration>
The option can be set in resource definition:
<resource> ... <projection> <assignmentPolicyEnforcement>positive</assignmentPolicyEnforcement> <legalize>true</legalize> </projection> ... </resource>