Item Summary
Name	Type	Multiplicity	Description
name	property PolyStringType	[0,1]	Human-readable, mutable name of the object.
description	property string	[0,1]	Free-form textual description of the object.
fetchResult	property OperationResultType	[0,1]	Result of the operation that fetched this instance of the object.
extension	container ExtensionType	[0,1]	Container that provides generic extensibility mechanism.
parentOrgRef	reference ObjectReferenceType	[0,-1]	Set of the orgs (organizational units, projects, teams) that the object relates to.
trigger	container TriggerType	[0,-1]	Defines triggers for an object.
metadata	container MetadataType	[0,1]	Meta-data about object creation, modification, etc.
tenantRef	reference ObjectReferenceType	[0,1]	Reference to the tenant to which this object belongs.
linkRef	reference ObjectReferenceType	[0,-1]	Set of shadows linked to this focal object.
assignment	container AssignmentType	[0,-1]	Set of object's assignments.
activation	container ActivationType	[0,1]	Type that defines activation properties.
iteration	property int	[0,1]	Iteration number.
iterationToken	property string	[0,1]	Iteration token.
displayName	property PolyStringType	[0,1]	Human-readable name of the role or org.
identifier	property string	[0,1]	Identifier of the role or org.
inducement	container AssignmentType	[0,-1]	TODO
authorization	container AuthorizationType	[0,-1]	Set of role authorizations.
requestable	property boolean	[0,1]
exclusion	container ExclusionType	[0,-1]	Specification of excluded roles (part of Segregation of Duties policy).
approverRef	reference ObjectReferenceType	[0,-1]
approverExpression	property ExpressionType	[0,-1]
approvalSchema	container ApprovalSchemaType	[0,1]	More complex (multi-level) approval schema.
approvalProcess	property string	[0,1]
automaticallyApproved	property ExpressionType	[0,1]
condition	property MappingType	[0,1]
roleType	property string	[0,1]

Items
- name
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Human-readable, mutable name of the object. It may also be an identifier (login name, group name). Should be unique in the respective context of interpretation. E.g. the name of the UserType subtype should be unique in the whole system. The name of the AccountType subtype should be unique in the scope of resource (target system) that it belongs to.
  
  This may not be human-readable in a sense to display to a common end-user. It is intended to be displayed to IDM system administrator. Therefore it may contain quite a "ugly" structures such as LDAP DN or URL.
  
  Name is considered to be ordinary property of the object. Therefore it can be changed by invoking usual modifyObject operations. However, change of the name may have side effects (rename process).
  
  Name is mutable. It can change any time. However, a special handling may be needed in some cases (e.g. "rename" provisioning flow).
  
  Although name is specified as optional by this schema, it is in fact mandatory for most object types. The reason for specifying the name as optional is that the name may be generated by the system instead of supplied by the clients. However, all objects stored in the repository must have a name.
- description
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Free-form textual description of the object.
- fetchResult
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Result of the operation that fetched this instance of the object. It is mostly used to indicate that the object is not complete or there is some problem with the object. This is used instead of exception if the object is part of larger structures (lists as in list/search operations or composite objets). If not present then the "SUCCESS" state is assumed.
  
  This field is TRANSIENT. It must only be used in runtime. It should never be stored in the repository.
- extension
  
  Flags: dyn,RAM,runtime
  
  Multiplicity: [0,1]
  
  Container that provides generic extensibility mechanism. Almost any extension property can be placed in this container. The extension is treated exactly the same as other object properties by the code (storage, modifications, etc), except that the system may not be able to understand their meaning.
- parentOrgRef
  
  Flags: RAM
  
  Multiplicity: [0,-1]
  
  Set of the orgs (organizational units, projects, teams) that the object relates to. This usually means that the object belongs to them but it may have other meanings as well (e.g. user manages an organizational unit).
- trigger
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Defines triggers for an object. Trigger is an action that should take place at specified time or under some other condition.
- metadata
  
  Flags: RAM,runtime
  
  Multiplicity: [0,1]
  
  Meta-data about object creation, modification, etc.
- tenantRef
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Reference to the tenant to which this object belongs. It is a computed value set automatically by midPoint. It is determined from the organizational structure. Even though this value is compted it is also stored in the repository due to performance reasons.
- linkRef
  
  Flags: RAM
  
  Multiplicity: [0,-1]
  
  Set of shadows linked to this focal object. E.g. a set of accounts linked to a user. This is the set of shadows that belongs to the focal object in a sense that these shadows represents the focal object on the resource. E.g. The set of accounts that represent the same midPoint user (the same physical person, they are "analogous").
  
  Links define what the object HAS. The links reflect real state of things (cf. assignment).
- assignment
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Set of object's assignments. Assignments define the privileges and "features" that this object should have, that this object is entitled to. Typical assignment will point to a role or define a construction of an account.
  
  Assignments represent what the object SHOULD HAVE. The assignments represent a policy, a desired state of things (cf. linkRef).
- activation
  
  Flags: RAM,runtime
  
  Multiplicity: [0,1]
  
  Type that defines activation properties. Determines whether something is active (and working) or inactive (e.g. disabled). It applies to several object types. It may apply to user, account, assignement, etc. The data in this type define if the described concept is active, from when it is active and until when. The "active" means that it works. If something is not active, it should not work or not cause any effect. E.g. inactive user should not be able to log in or run any tasks, the non-active role should not be assigned and if assigned it should not be taken into account when computing the accounts.
- iteration
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Iteration number. Starts with 0. It is used to iterativelly find unique identifier for the object.
- iterationToken
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Iteration token. String value that is usualy a suffix to the identifier based on iteration number. E.g. ".007". It is used to iterativelly find unique identifier for the object.
- displayName
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Human-readable name of the role or org. It may be quite long, container national characters and there is no uniqueness requirement.
- identifier
  
  Flags: RAM
  
  Multiplicity: [0,1]
  
  Identifier of the role or org. It should be a structured information usually used for refering to the role or org or correlating it in various systems. E.g. numeric organizational unit identifier, role code, etc. It should be unique in its "own" scope. E.g. an organizational unit identifier should be unique in the scope of all organizational units but it may conflict with an identifier of a project.
- inducement
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  TODO
- authorization
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Set of role authorizations.
- requestable
  
  Flags: RAM
  
  Multiplicity: [0,1]
- exclusion
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Specification of excluded roles (part of Segregation of Duties policy).
- approverRef
  
  Flags: RAM
  
  Multiplicity: [0,-1]
- approverExpression
  
  Flags: RAM
  
  Multiplicity: [0,-1]
- approvalSchema
  
  Flags: RAM,runtime
  
  Multiplicity: [0,1]
  
  More complex (multi-level) approval schema. If used, it overrides both approverRef and approverExpression elements.
- approvalProcess
  
  Flags: RAM
  
  Multiplicity: [0,1]
- automaticallyApproved
  
  Flags: RAM
  
  Multiplicity: [0,1]
- condition
  
  Flags: RAM
  
  Multiplicity: [0,1]
- roleType
  
  Flags: RAM
  
  Multiplicity: [0,1]

RoleType (Complex Type)

Namespace: http://midpoint.evolveum.com/xml/ns/public/common/common-3

Items

name

description

fetchResult

extension

parentOrgRef

trigger

metadata

tenantRef

linkRef

assignment

activation

iteration

iterationToken

displayName

identifier

inducement

authorization

requestable

exclusion

approverRef

approverExpression

approvalSchema

approvalProcess

automaticallyApproved

condition

roleType