Different Naming Conventions For Different User Types

The user naming attribute “name” is a string attribute and can be defined manually. MidPoint will ensure that the value of this attribute is unique. Although for small setups there is no problem with entering this attribute value manually, it can be usually defined by an expression based on various UserType object properties (attributes). In this example I would like to show you how to define different user “types” and different but unique naming conventions for them.
Let’s start with a simple assumption: all users in midPoint should have “givenName” and “familyName” attributes filled with data. We will generate the “name” attribute as a simple concatenation: “givenName.familyName” and make sure that the value is unique using the iterators.
We need an objectTemplate object for this, with a iteration configuration and one mapping. First, the explanation:

• the “name” attribute will be generated as a concatenation of “givenName”, a dot, “familyName” and iterationToken, if the name would not be unique
• as the “givenName” and/or “familyName” can contain diacritics, we use normalized values and replace all spaces with another dot. This is because basic.norm() function returns spaces; and because the names can contain spaces.
• the iterator is configured to generate random 3-digit number, zero-padded
• user must have both “givenName” and “familyName” attributes filled (not empty)

The object template must be made default for “UserType” objects – this can be done in Configuration – Basics menu in GUI.

Some examples of the behaviour:

• givenName: John, familyName: Smith, name: john.smith
• givenName: John, familyName: Smith, name: john.smith409
• givenName: Leonardo, familyName: Da Vinci, name: leonardo.da.vinci

Now imagine that you have more than just ordinary users in midPoint. You can have administrators, vendors, technical users, testing users, external users etc. Their naming conventions would be probably different and you will need to define different naming conventions for different user types. This was my case. All I needed to do was to extend the configuration in the object template and make the generator use an additional attribute: “employeeType”. I’ve defined a set of usable values, such as:

• EMP
• ADM
• TST
• SYS
• EXT

The modified fragment of the object template is below. I’ve updated the iteration configuration to generate the previously used 3-digit random number for “EMP” and “EXT” values of “employeeType” attribute, and a simple number starting from “2″ for all other types.

More mappings for generating “name” were added, see the conditions using “employeeType”. “givenName” is no more used in some of the mappings.

Some examples of the behaviour:

• employeeType: EMP, givenName: John, familyName: Smith, name: john.smith
• employeeType: EXT, givenName: John, familyName: Smith, name: john.smith409
• employeeType: SYS, givenName: whatever, familyName: XYReporter, name: sys_xyreporter
• employeeType: SYS, givenName: whatever or nothing, familyName: XYReporter, name: sys_xyreporter2
• employeeType: TST, givenName: Jack, familyName: Sparrow, name: t_jack.sparrow

Similarly you can add a mapping for “ADM” users or any other that you need. Of course, there are still things you need to decide and configure later:

• if you wish to use the “name” attribute as a target system login, you may need to make sure that it’s not too long; or you can shorten the name while generating it in midPoint (in the object template mappings above)
• you may need more attributes to decide how the generated “name” attribute should look like, not only “employeeType”
• different types of users may need different types of accounts in the target systems. E.g. in directory system, there may be different containers for different account types and you may need either to generate the “DN” attribute with the “employeeType” attribute value in mind, or to make different account intents in the resource schema handling