Object template is an object that holds a set of rules how a specific object type (e.g. user) should be constructed. It usually contains mappings that either compute user properties or assign accounts and roles to the user (usually with a condition).
User template can be used for a variety of very interesting identity management configuration. For example:
familyName(in this case).
You can check defined templates for a definition through GUI via Configuration->Repository objects->Object template (from List objects). Also advanced resources samples from midpoint development master branch (here) contain examples of templates used in a process of synchronization.
The user template object definition could look like this one:
<objectTemplate oid="c0c010c0-d34d-b33f-f00d-777222222333"> <name>User Template CSV sync</name> <description> Alternative User Template Object. This object is used when creating a new account, to set it up as needed. </description> <mapping> <description> Property mapping. Defines how properties of user object are set up. This specific definition sets a full name as a concatenation of givenName and familyName. </description> <strength>weak</strength> <source> <path>$user/givenName</path> </source> <source> <path>$user/familyName</path> </source> <expression> <script> <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language> <code> givenName + ' ' + familyName </code> </script> </expression> <target> <path>$user/fullName</path> </target> </mapping> </objectTemplate>
TODO: configuration examples
A user template may be applied globally by including the following snippet in system configuration just after the "logging" element:
The system configuration object is accessible through GUI via Configuration->Repository objects->System configuration(from List objects). Templates available for use could be listed in similar way Configuration->Repository objects->Object template(from List objects).
Object template can include another object template. The include is a simple
includeRef clause at the beginning of a template definition.
<objectTemplate oid="10000000-0000-0000-0000-000000000222"> <name>Complex User Template</name> <includeRef oid="10000000-0000-0000-0000-000000000223"/> <mapping> ...
Object template works just with a single object which is typically a user. Therefore it only has the data from this object and no other objects. It means that variables such as
$account cannot be used in an object template. The reason for this is the separation of concerns principle. We try to design each component or mechanism in midPoint to do a single thing. This allows us a significant development advantage (debugging, testing) and also provides a better code reusability. The power of midPoint is to have simple principles (such as object template) that used over and over again and combined with other simple principles (such as inbound/outbound mappings) to create a flexible and comprehensive solution.
There is also another reason for not including account in object templates. The object template may be used even if the account is not available, e.g. when user is changed from the GUI. MidPoint is using relative changes therefore it is not always required to read all the accounts to process a change. And in fact the account may not even be available (e.g. because resource is temporarily down). Therefore it would be a very inconvenient and inefficient if account attributes are used in object templates.
Therefore if a property from an account (or other object) is needed in an object template there are several ways how to do it:
extensionpart of user object). Then use the extended properties as input in the user template. This works around the separation of concerns boundaries. And as the extended properties are stored with the user in midPoint repository they are always available without the need to read the account all the time. Inbound mappings will make sure that these data are as fresh as possible.