FocusType (Complex Type)

Items

• name

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Human-readable, mutable name of the object. It may also be an identifier (login name, group name). It is usually unique in the respective context of interpretation. E.g. the name of the UserType subtype is usually unique in the whole system. The name of the ShadowType subtype is usually unique in the scope of resource (target system) that it belongs to.

  The name may not be human-readable in a sense to display to a common end-user. It is intended to be displayed to IDM system administrator. Therefore it may contain quite a "ugly" structures such as LDAP DN or URL.

  Name is mutable. It is considered to be ordinary property of the object. Therefore it can be changed by invoking usual modifyObject operations. However, change of the name may have side effects (rename process).

  Although name is specified as optional by this schema, it is in fact mandatory for most object types. The reason for specifying the name as optional is that the name may be generated by the system instead of supplied by the clients. However, all objects stored in the repository must have a name.

• description

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Free-form textual description of the object. This is meant to be displayed in the user interface.

• subtype

  Flags: RAM,runtime

  Multiplicity: [0,-1]

  Type of the object. It is used to distinguish what a specific object represents. Whether it is a different kind of organizational unit, project, team, or different kind of user, etc.

• fetchResult

  Flags: RAM,runtime,oper

  Multiplicity: [0,1]

  Result of the operation that fetched this instance of the object. It is mostly used to indicate that the object is not complete or there is some problem with the object. This is used instead of exception if the object is part of larger structures (lists as in list/search operations or composite objects). If not present then the "SUCCESS" state is assumed.

  This field is TRANSIENT. It must only be used in runtime. It should never be stored in the repository.

• extension

  Flags: dyn,RAM,runtime

  Multiplicity: [0,1]

  Extension container that provides generic extensibility mechanism. Almost any extension property can be placed in this container. This mechanism is used to extend objects with new properties. The extension is treated exactly the same as other object properties by the code (storage, modifications, etc), except that the system may not be able to understand their meaning.

• parentOrgRef

  Flags: RAM,oper

  Multiplicity: [0,-1]

  Set of the orgs (organizational units, projects, teams) that the object relates to. This usually means that the object belongs to them but it may have other meanings as well (e.g. user manages an organizational unit).

• trigger

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  Triggers for this object. They drive invocations of corresponding trigger handlers at specified time.

• metadata

  Flags: RAM,runtime,oper

  Multiplicity: [0,1]

  Meta-data about object creation, modification, etc.

• tenantRef

  Flags: RAM

  Multiplicity: [0,1]

  Reference to the tenant to which this object belongs. It is a computed value set automatically by midPoint. It is determined from the organizational structure. Even though this value is computed it is also stored in the repository due to performance reasons.

• lifecycleState

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Lifecycle state of the object. This property defines whether the object represents a draft, proposed definition, whether it is active, deprecated, and so on.

  There are few pre-defined lifecycle states. But custom lifecycle states may also be defined. Pre-defined lifecycle states are:

  • draft: Definition of the new object in progress. The object is NOT active. The definition may change at any moment. It is not ready yet.
  • proposed: Definition of a new object is ready for use, but there is still a review process to be applied (e.g. approval). The object is NOT active. However the definition should not change in this state.
  • active: Active and working definition. Ready to be used without any unusual limitations.
  • deprecated: Active definition which is being phased out. The definition is still fully operational. But it should not be used for new assignments. E.g. it should not be requested, it should not be approved, etc.
  • archived: Inactive historical definition. It is no longer used. It is maintained only for historical, auditing and sentimental reasons.
  • failed: Unexpected error has occurred during object lifecycle. Result of that event is that the object is rendered inactive. The situation cannot be automatically remedied. Manual action is needed.

• operationExecution

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  Description of recent operations executed on this object (or related objects, e.g. shadows in case of a focal object). The number of operations to be kept here is configurable.

• policySituation

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  The policy situation(s) of this object. The situations are result of evaluation of the policy rules. This property is recorded for each object and can be used for reporting, diagnostics, target selection in certification campaigns, etc.

• triggeredPolicyRule

  Flags: RAM,runtime,oper

  Multiplicity: [0,-1]

  Triggered policy rules for this assignment. (Not necessarily complete; subject to specified storage strategy.) This is EXPERIMENTAL functionality. It is possibly to change in the near future.

• policyException

  Flags: RAM,runtime

  Multiplicity: [0,-1]

  Recorded exception from a policy rule. The exceptions that are approved are recoded here to avoid re-evaluating and re-approving them all the time. This is EXPERIMENTAL functionality. It is likely to change in the near future.

• linkRef

  Flags: RAM

  Multiplicity: [0,-1]

  Set of shadows (projections) linked to this focal object. E.g. a set of accounts linked to a user. This is the set of shadows that belongs to the focal object in a sense that these shadows represents the focal object on the resource. E.g. The set of accounts that represent the same midPoint user (the same physical person, they are "analogous").

  Links define what the object HAS. The links reflect real state of things (cf. assignment).

• personaRef

  Flags: RAM

  Multiplicity: [0,-1]

  Set of personas linked to this focal object. E.g. a set of virtual identities linked to a user. This is the set of "secondary" focal objects that belongs to this focal object in a sense that the current focal object is in control over the linked focal objects. E.g. this reference can be used to link user object which specified a physical person with his virtual identities (personas) that specify his identity as an employee, system administrator, customer, etc. The default meaning is that the personas are "analogous", i.e. the represent different facets of the same physical person. However, this meaning may be theoretically overridden by using various relation parameters in this reference.

  This reference define what the object HAS. The links reflect real state of things (cf. assignment).

• assignment

  Flags: RAM,runtime

  Multiplicity: [0,-1]

  Set of object's assignments. Assignments define the privileges and "features" that this object should have, that this object is entitled to. Typical assignment will point to a role or define a construction of an account.

  Assignments represent what the object SHOULD HAVE. The assignments represent a policy, a desired state of things (cf. linkRef).

• activation

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Type that defines activation properties. Determines whether something is active (and working) or inactive (e.g. disabled).

  It applies to several object types. It may apply to user, account, assignment, etc. The data in this type define if the described concept is active, from when it is active and until when. The "active" means that it works. If something is not active, it should not work or not cause any effect. E.g. inactive user should not be able to log in or run any tasks, the non-active role should not be assigned and if assigned it should not be taken into account when computing the accounts.

• iteration

  Flags: RAM,runtime,oper

  Multiplicity: [0,1]

  Iteration number. Starts with 0. It is used to iteratively find unique identifier for the object.

• iterationToken

  Flags: RAM,runtime,oper

  Multiplicity: [0,1]

  Iteration token. String value that is usually a suffix to the identifier based on iteration number. E.g. ".007". It is used to iteratively find unique identifier for the object.

• roleMembershipRef

  Flags: RAM,oper

  Multiplicity: [0,-1]

  References to abstract roles (roles, orgs, services) that this focus currently belongs to - directly or indirectly. This reference points to all the roles in the role hierarchy. It only points to the roles that were evaluated as active during last recompute (conditions were true, validity constraints not violated).

  Note: the value of this reference is only updated when a focal object is recomputed. Therefore if a role definition changes then all the affected focal objects must be recomputed for this reference to be consistent.

  Roles mentioned here are those that are NOT obtained via delegation, i.e. "deputy" relations. Relations acquired by delegation are listed in delegatedRef item.

  This is an operational property. It is set and managed by the system. It is used for efficient search of all current role members, e.g. for the purpose of displaying this information in the GUI.

• delegatedRef

  Flags: RAM,oper

  Multiplicity: [0,-1]

  References to objects (abstract roles as well as users) obtained via delegation. If A1 is a deputy of A, its delegatedRef contains a union of A, A.roleMembershipRef and A.delegatedRef.

  This is an operational property. It is set and managed by the system. It is used for efficient search of all current role members, e.g. for the purpose of displaying this information in the GUI.

• roleInfluenceRef

  Flags: RAM,oper

  Multiplicity: [0,-1]

  References to abstract roles (roles and orgs) that this focus may directly belong to. This reference only points to the next role in the hierarchy. However, it is backed by a "closure" index in the repository subsystem. Therefore it can efficiently support tree-like queries. This reference points to the roles for whose the condition is not true. Therefore it does not reliably show who actually has a role. It shows potential role members - all the object that are possibly influenced when a role definition changes.

  This is an operational property. It is set and managed by the system. It is used for efficient search of all possible role members, e.g. for the purpose of recomputing all role members after the role definition is changed.

  TODO. NOT IMPLEMENTED YET. EXPERIMENTAL. UNSTABLE.

• jpegPhoto

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Photo corresponding to the user / org / role.

• costCenter

  Flags: RAM,runtime

  Multiplicity: [0,1]

  The name, identifier or code of the cost center to which the user belongs.

  Please note that organization objects (OrgType) also have a costCenter property. Therefore it is usual that if a user belongs to an organization the costCenter from the organization is used. Therefore this property is usually used only for users that do not belong to any organization or for users that have different cost center than the one defined by the organization.

• locality

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Primary locality of the user, the place where the user usually works, the country, city or building that he belongs to. The specific meaning and form of this property is deployment-specific.

• preferredLanguage

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Indicates user's preferred language, usually for the purpose of localizing user interfaces. The format is IETF language tag defined in BCP 47, where underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter language code optionally followed by ISO 3166-1 two letter country code separated by underscore. The languages that do not have country-specific variants are usually specified by using a two-letter country code ("sk", "cs", "tr"). Languages with country-specific variants have country-specific subtags ("pt_BR", "zn_CN"). If no value is specified in this property then system default locale is assumed.

  Examples:

  • en_US
  • sk
  • cs
  • pt_BR

• locale

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Defines user's preference in displaying currency, dates and other items related to location and culture. The format is IETF language tag defined in BCP 47, where underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter language code optionally followed by ISO 3166-1 two letter country code separated by underscore. The languages that do not have country-specific variants are usually specified by using a two-letter country code ("sk", "cs", "tr"). Languages with country-specific variants have country-specific subtags ("pt_BR", "zn_CN"). If not specified then system default locale is assumed.

  Examples:

  • en_US
  • sk
  • cs
  • pt_BR

• timezone

  Flags: RAM,runtime

  Multiplicity: [0,1]

  User's preferred timezone. It is specified in the "tz database" (a.k.a "Olson") format. If not specified then system default timezone is assumed.

  Examples:

  • Europe/Bratislava

• emailAddress

  Flags: RAM,runtime

  Multiplicity: [0,1]

  E-Mail address of the user, org. unit, etc. This is the address supposed to be used for communication with the user, org. unit, etc. E.g. IDM system may send notifications to the e-mail address. It is NOT supposed to be full-featured e-mail address data structure e.g. for the purpose of complex address-book application.

• telephoneNumber

  Flags: RAM,runtime

  Multiplicity: [0,1]

  Primary telephone number of the user, org. unit, etc.