Name | Type | Multiplicity | Description |
---|---|---|---|
name |
property PolyStringType |
[0,1] | Human-readable, mutable name of the object. |
description |
property string |
[0,1] | Free-form textual description of the object. |
documentation |
property string |
[0,1] | AsciiDoc-formatted technical documentation of the object. |
subtype |
property string |
[0,-1] | Type of the object. |
fetchResult |
property OperationResultType |
[0,1] | Result of the operation that fetched this instance of the object. |
extension |
container ExtensionType |
[0,1] | Extension container that provides generic extensibility mechanism. |
parentOrgRef |
reference ObjectReferenceType |
[0,-1] | Set of the orgs (organizational units, projects, teams) that the object relates to. |
trigger |
container TriggerType |
[0,-1] | Triggers for this object. |
metadata |
container MetadataType |
[0,1] | Meta-data about object creation, modification, etc. |
tenantRef |
reference ObjectReferenceType |
[0,1] | Reference to the tenant to which this object belongs. |
lifecycleState |
property string |
[0,1] | Lifecycle state of the object. |
operationExecution |
container OperationExecutionType |
[0,-1] | Description of recent operations executed on this object (or related objects in special cases). |
lensContext |
container LensContextType |
[0,1] | Model context describing executed operation |
policySituation |
property anyURI |
[0,-1] | The policy situation(s) of this object. |
triggeredPolicyRule |
property EvaluatedPolicyRuleType |
[0,-1] | Triggered policy rules for this object. |
policyException |
container PolicyExceptionType |
[0,-1] | Recorded exception from a policy rule. |
diagnosticInformation |
property DiagnosticInformationType |
[0,-1] | Diagnostic information attached to this object. |
indestructible |
property boolean |
[0,1] | Protection against accidental deletion. |
effectiveMarkRef |
reference ObjectReferenceType |
[0,-1] | Effective object marks for this object. |
policyStatement |
container PolicyStatementType |
[0,-1] | Policy statements to manually add or exclude effective marks of shadow. |
effectiveOperationPolicy |
container ObjectOperationPolicyType |
[0,1] | Effective provisioning policy derived from Shadow marks and resource configuration. |
assignment |
container AssignmentType |
[0,-1] | Set of object's assignments. |
iteration |
property int |
[0,1] | Iteration number. |
iterationToken |
property string |
[0,1] | Iteration token. |
archetypeRef |
reference ObjectReferenceType |
[0,-1] | References to all applicable archetypes, including "indirect" archetypes such as archetype supertypes. |
roleMembershipRef |
reference ObjectReferenceType |
[0,-1] | References to abstract roles (roles, orgs, services) that this focus currently belongs to - directly or indirectly. |
delegatedRef |
reference ObjectReferenceType |
[0,-1] | References to objects (abstract roles as well as users) obtained via delegation. |
roleInfluenceRef |
reference ObjectReferenceType |
[0,-1] | References to abstract roles (roles and orgs) that this focus may directly belong to. |
identities |
container FocusIdentitiesType |
[0,1] | (Alternative?) identities of this focus object. |
linkRef |
reference ObjectReferenceType |
[0,-1] | Set of shadows (projections) linked to this focal object. |
personaRef |
reference ObjectReferenceType |
[0,-1] | Set of personas linked to this focal object. |
activation |
container ActivationType |
[0,1] | Type that defines activation properties. |
jpegPhoto |
property base64Binary |
[0,1] | Photo corresponding to the user / org / role. |
costCenter |
property string |
[0,1] | The name, identifier or code of the cost center to which the user belongs. |
locality |
property PolyStringType |
[0,1] | Primary locality of the user, the place where the user usually works, the country, city or building that he belongs to. |
preferredLanguage |
property string |
[0,1] | Indicates user's preferred language, usually for the purpose of localizing user interfaces. |
locale |
property string |
[0,1] | Defines user's preference in displaying currency, dates and other items related to location and culture. |
timezone |
property string |
[0,1] | User's preferred timezone. |
emailAddress |
property string |
[0,1] | E-Mail address of the user, org. |
telephoneNumber |
property string |
[0,1] | Primary telephone number of the user, org. |
credentials |
container CredentialsType |
[0,1] | The set of focus's credentials (such as passwords). |
behavior |
container BehaviorType |
[0,1] | General-purpose behavioral data. |
fullName |
property PolyStringType |
[0,1] | Full name of the user with all the decorations, middle name initials, honorific title and any other structure that is usual in the cultural environment that the system operates in. |
givenName |
property PolyStringType |
[0,1] | Given name of the user. |
familyName |
property PolyStringType |
[0,1] | Family name of the user. |
additionalName |
property PolyStringType |
[0,1] | Middle name, patronymic, matronymic or any other name of a person. |
nickName |
property PolyStringType |
[0,1] | Familiar or otherwise informal way to address a person. |
honorificPrefix |
property PolyStringType |
[0,1] | Honorific titles that go before the name. |
honorificSuffix |
property PolyStringType |
[0,1] | Honorific titles that go after the name. |
title |
property PolyStringType |
[0,1] | User's title defining a work position or a primary role in the organization. |
employeeNumber |
property string |
[0,1] | Unique, business-oriented identifier of the employee. |
organization |
property PolyStringType |
[0,-1] | Name or (preferably) immutable identifier of organization that the user belongs to. |
organizationalUnit |
property PolyStringType |
[0,-1] | Name or (preferably) immutable identifier of organizational unit that the user belongs to. |
adminGuiConfiguration |
container AdminGuiConfigurationType |
[0,1] | Specifies the admin GUI configuration that should be used by this user. |
personalNumber |
property string |
[0,1] | Unique, business-oriented identifier of the user. |
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 0
Human-readable, mutable name of the object. It
may also be an identifier (login name, group name).
It is usually unique in the respective context of
interpretation. E.g. the name of the UserType subtype
is usually unique in the whole system.
The name of the ShadowType subtype is usually unique in the
scope of resource (target system) that it belongs to.
The name may not be human-readable in a sense to display
to a common end-user. It is intended to be displayed to
IDM system administrator. Therefore it may contain quite
a "ugly" structures such as LDAP DN or URL.
Name is mutable. It is considered to be ordinary property
of the object. Therefore it can be changed by invoking
usual modifyObject operations. However, change of the name
may have side effects (rename process).
Although name is specified as optional by this schema, it
is in fact mandatory for most object types. The reason for
specifying the name as optional is that the name may be
generated by the system instead of supplied by the clients.
However, all objects stored in the repository must have a name.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 10
Free-form textual description of the object. This is meant to
be displayed in the user interface.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 11
AsciiDoc-formatted technical documentation of the object.
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order: 15
Type of the object. It is used to distinguish what a specific object
represents. Whether it is a different kind of organizational unit, project,
team, or different kind of user, etc.
Flags: RAM,runtime,oper
Multiplicity: [0,1]
Display order:
Result of the operation that fetched this instance of the object.
It is mostly used to indicate that the object is not complete or
there is some problem with the object. This is used instead of
exception if the object is part of larger structures (lists as in
list/search operations or composite objects). If not present then
the "SUCCESS" state is assumed.
This field is TRANSIENT. It must only be used in runtime. It should
never be stored in the repository.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 1000
Extension container that provides generic extensibility mechanism.
Almost any extension property can be placed in this container.
This mechanism is used to extend objects with new properties.
The extension is treated exactly the same as other object
properties by the code (storage, modifications, etc), except
that the system may not be able to understand their meaning.
Flags: RAM,oper
Multiplicity: [0,-1]
Display order: 240
Set of the orgs (organizational units, projects, teams) that the object relates to.
This usually means that the object belongs to them but it may have other meanings as well
(e.g. user manages an organizational unit).
Flags: RAM,runtime,oper
Multiplicity: [0,-1]
Display order:
Triggers for this object. They drive invocations of corresponding trigger handlers
at specified time.
Flags: RAM,runtime,oper
Multiplicity: [0,1]
Display order:
Meta-data about object creation, modification, etc.
Flags: RAM,oper
Multiplicity: [0,1]
Display order: 250
Reference to the tenant to which this object belongs. It is a computed value set automatically
by midPoint. It is determined from the organizational structure. Even though this value is
computed it is also stored in the repository due to performance reasons.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 20
Lifecycle state of the object. This property defines whether the
object represents a draft, proposed definition, whether it is active,
deprecated, archived, and so on. See "Object Lifecycle" in the documentation.
Flags: RAM,runtime,oper
Multiplicity: [0,-1]
Display order:
Description of recent operations executed on this object (or related objects in special
cases). The number of operations to be kept here is configurable.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime,oper
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime,oper
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Set of object's assignments.
Assignments define the privileges and "features" that this object should have, that
this object is entitled to. Typical assignment will point to a role or define
a construction of an account.
Assignments represent what the object SHOULD HAVE. The assignments represent a policy,
a desired state of things (cf. linkRef, roleMembershipRef).
Flags: RAM,runtime,oper
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime,oper
Multiplicity: [0,1]
Display order:
Flags: RAM,oper
Multiplicity: [0,-1]
Display order:
References to all applicable archetypes, including "indirect" archetypes such as archetype supertypes.
Contains references to active archetypes only.
Note: the value of this reference is only updated when object is recomputed.
Therefore if a role definition changes then all the affected objects must be recomputed
for this reference to be consistent.
This is an operational property. It is set and managed by the system. It is used
for efficient use of archetypes.
Flags: RAM,oper
Multiplicity: [0,-1]
Display order:
References to abstract roles (roles, orgs, services) that this focus currently belongs to - directly
or indirectly. This reference points to all the roles in the role hierarchy. It only points to
the roles that were evaluated as active during last recompute (conditions were true, validity
constraints not violated).
Note: the value of this reference is only updated when a focal object is recomputed.
Therefore if a role definition changes then all the affected focal objects must be recomputed
for this reference to be consistent.
Roles mentioned here are those that are NOT obtained via delegation, i.e. "deputy" relations.
Relations acquired by delegation are listed in delegatedRef item.
This is an operational property. It is set and managed by the system. It is used
for efficient search of all current role members, e.g. for the purpose of displaying this
information in the GUI.
Note: roleMembershipRef will be probably renamed to something like linkRef or
outboundLinkRef. We need to generalize it to contain information on generic links
between objects (e.g. between child and its parents).
Flags: RAM,oper
Multiplicity: [0,-1]
Display order:
References to objects (abstract roles as well as users) obtained via delegation.
If A1 is a deputy of A, its delegatedRef contains a union of A, A.roleMembershipRef and
A.delegatedRef.
This is an operational property. It is set and managed by the system. It is used
for efficient search of all current role members, e.g. for the purpose of displaying this
information in the GUI.
Flags: RAM,oper
Multiplicity: [0,-1]
Display order:
References to abstract roles (roles and orgs) that this focus may directly belong to.
This reference only points to the next role in the hierarchy. However, it is backed by
a "closure" index in the repository subsystem. Therefore it can efficiently support tree-like
queries. This reference points to the roles for whose the condition is not true.
Therefore it does not reliably show
who actually has a role. It shows potential role members - all the object that are possibly
influenced when a role definition changes.
This is an operational property. It is set and managed by the system. It is used
for efficient search of all possible role members, e.g. for the purpose of recomputing
all role members after the role definition is changed.
TODO. NOT IMPLEMENTED YET. EXPERIMENTAL. UNSTABLE.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM
Multiplicity: [0,-1]
Display order:
Set of shadows (projections) linked to this focal object.
E.g. a set of accounts linked to a user. This is the set of
shadows that belongs to the focal object in a sense
that these shadows represents the focal object on the resource.
E.g. The set of accounts that represent the same midPoint user (the
same physical person, they are "analogous").
Links define what the object HAS. The links reflect real state of things
(cf. assignment).
The relation in linkRef has the following meaning: org:default means that
the shadow the link is pointing to is "live", i.e. the corresponding
object exists on the resource. On the other hand, org:related means that
the shadow exists in repo, but with dead = true, i.e. the corresponding
object is not existing on the resource anymore.
Especially, when the shadow is in the Reaping state (see
https://docs.evolveum.com/midpoint/reference/resources/shadow/dead/), the
relation should be still org:default.
Note: linkRef will be probably renamed to projectionRef or projectionLinkRef.
There are more kinds of links between objects than focus - projection links
(cf. roleMembershipRef).
Flags: RAM
Multiplicity: [0,-1]
Display order:
Set of personas linked to this focal object.
E.g. a set of virtual identities linked to a user. This is the set of
"secondary" focal objects that belongs to this focal object in a sense
that the current focal object is in control over the linked focal objects.
E.g. this reference can be used to link user object which specified a physical
person with his virtual identities (personas) that specify his identity as an
employee, system administrator, customer, etc.
The default meaning is that the personas are "analogous", i.e. the represent
different facets of the same physical person. However, this meaning may be
theoretically overridden by using various relation parameters in this reference.
This reference define what the object HAS. The links reflect real state of
things (cf. assignment).
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Type that defines activation properties. Determines whether something is active
(and working) or inactive (e.g. disabled).
It applies to several object types. It may apply to user, account, assignment, etc.
The data in this type define if the described concept is active, from when it is active
and until when. The "active" means that it works. If something is not active, it should
not work or not cause any effect. E.g. inactive user should not be able to log in or run
any tasks, the non-active role should not be assigned and if assigned it should not be
taken into account when computing the accounts.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Photo corresponding to the user / org / role.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 420
The name, identifier or code of the cost center to which the user belongs.
Please note that organization objects (OrgType) also have a costCenter property.
Therefore it is usual that if a user belongs to an organization the costCenter from
the organization is used. Therefore this property is usually used only for users that
do not belong to any organization or for users that have different cost center than
the one defined by the organization.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 450
Primary locality of the user, the place where
the user usually works, the country, city or
building that he belongs to. The specific meaning
and form of this property is deployment-specific.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 200
Indicates user's preferred language, usually for the purpose of localizing
user interfaces. The format is IETF language tag defined in BCP 47, where
underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter
language code optionally followed by ISO 3166-1 two letter country code
separated by underscore. The languages that do not have country-specific
variants are usually specified by using a two-letter country code ("sk",
"cs", "tr"). Languages with country-specific variants have country-specific
subtags ("pt_BR", "zn_CN").
If no value is specified in this property then system default locale is assumed.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 210
Defines user's preference in displaying currency, dates and other items
related to location and culture. The format is IETF language tag defined in BCP 47, where
underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter
language code optionally followed by ISO 3166-1 two letter country code
separated by underscore. The languages that do not have country-specific
variants are usually specified by using a two-letter country code ("sk",
"cs", "tr"). Languages with country-specific variants have country-specific
subtags ("pt_BR", "zn_CN").
If not specified then system default locale is assumed.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 220
User's preferred timezone. It is specified in the "tz database" (a.k.a "Olson")
format. If not specified then system default timezone is assumed.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 300
E-Mail address of the user, org. unit, etc. This is the address
supposed to be used for communication with the
user, org. unit, etc. E.g. IDM system may send notifications
to the e-mail address. It is NOT supposed to be
full-featured e-mail address data structure
e.g. for the purpose of complex address-book application.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 310
Primary telephone number of the user, org. unit, etc.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 100
Full name of the user with all the decorations,
middle name initials, honorific title and any
other structure that is usual in the cultural
environment that the system operates in. This
element is intended to be displayed to
a common user of the system.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 110
Given name of the user. It is usually the first
name of the user, but the order of names may
differ in various cultural environments. This
element will always contain the name that was
given to the user at birth or was chosen
by the user.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 120
Family name of the user. It is usually the last
name of the user, but the order of names may
differ in various cultural environments. This
element will always contain the name that was
inherited from the family or was assigned
to a user by some other means.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 130
Middle name, patronymic, matronymic or any other name of a person. It is usually the
middle component of the name, however that may be culture-dependent.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 140
Familiar or otherwise informal way to address a person.
Examples:
The meaning of this property is to take part in the formatted full name of the person, e.g. William "Bootstrap" Turner. It is not intended to be used as a username or login name. This value is usually changeable by the user itself and it defines how the user wants other to address him. Therefore it is not ideal for use as an identifier.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 150
Honorific titles that go before the name.
Examples:
This property is single-valued. If more than one title is applicable, they have to be represented in a single string (concatenated) form in the correct order.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 160
Honorific titles that go after the name.
Examples:
This property is single-valued. If more than one title is applicable, they have to be represented in a single string (concatenated) form in the correct order.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 170
User's title defining a work position or a primary role in the
organization.
Examples:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 400
Unique, business-oriented identifier of the employee.
Typically used as correlation identifier and for
auditing purposes. Should be immutable, but the
specific properties and usage are deployment-specific.
DEPRECATED, use personalNumber instead.
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order: 430
Name or (preferably) immutable identifier of organization that the user belongs to.
The format is deployment-specific. This property together with organizationalUnit
may be used to provide easy-to-use data about organizational membership of the user.
This is multi-valued property to allow membership of a user to several
organizations. Please note that midPoint does not maintain ordering in
multi-value properties therefore this is not usable to model a complex
organization hierarchies. Use OrgType instead.
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order: 440
Name or (preferably) immutable identifier of organizational unit that the user belongs to.
The format is deployment-specific. This property together with organization
may be used to provide easy-to-use data about organizational membership of the user.
This is multi-valued property to allow membership of a user to several
organizational units. Please note that midPoint does not maintain ordering in
multi-value properties therefore this is not usable to model a complex
organization hierarchies. Use OrgType instead.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Specifies the admin GUI configuration that should be used
by this user.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: 400
Unique, business-oriented identifier of the user.
Typically used as correlation identifier and for
auditing purposes. Should be immutable, but the
specific properties and usage are deployment-specific.