[midPoint] Sun IdM vs Midpoint

Radovan Semancik radovan.semancik at evolveum.com
Tue Apr 9 20:40:42 CEST 2013 

Hi Mile,

Generally speaking midPoint does similar things to Sun IDM, sometimes 
even in a similar fashion than Sun IDM. But midPoint tries really hard 
to avoid the drawbacks of Sun IDM. Therefore some mechanisms may seem a 
bit strange to the Sun IDM user. But there is usually an equivalent to 
most Sun IDM features in midPoint.

Midpoint has a slightly different concept than Sun IDM "view". MidPoint 
works with "shadow" objects that almost transparently combine 
information from various sources (e.g. partially midPoint repository, 
partially resource). There can be combined and somehow "connected" to 
the associated user object to get something like Sun IDM view. We use 
such combination very often internally, but we have found that it has 
somehow limited value when used externally (e.g. using a SOAP API) as 
there is a significant overhead in composing such a Sun IDM view 
especially if more than 10 resources are connected. An the entire 
information is only seldom used, most of the view is composed only to be 
discarded few milliseconds later. Therefore in midPoint we usually 
expose well-documented objects and let the client to decide which 
specific parts to fetch.

We also do not have a special rename view (and enable/disable views 
either). We do not consider rename operation to be different in any 
significant way from an ordinary modify operation. The intricacies of 
rename is handled by a connector code and low-level provisioning layer. 
Therefore a special rename view is not needed (but please note that this 
is available only in version 2.2 which is still in development).

For similar reason we also do not have an identity template. We 
construct account identifier in the very same way as we construct any 
other attribute. We call that mechanism "mapping" and it is very 
flexible to support the use case of identity template and even more.

Strictly speaking there is no current equivalent for Sun IDM rules. We 
are using snippets of scripting code directly in the mappings and it 
seems to be feasible for vast majority of cases. The structure of 
mappings requires expressions that are much less complex than those 
usually needed in Sun IDM. However, we will consider implementing 
separate objects for something similar to Sun IDM rules if there will be 
a demand for it.

The "xpress alternatives" are standard Groovy, JavaScript or XPath2 
scripting snippets. As far as we can compare these are at least as good 
as xpress (especially Groovy) and unlike xpress they are not proprietary.

Actually, midPoint LiveSync (Sun ActiveSync equivalent) is not different 
from any other midPoint synchronization method. LiveSync events are 
processed in exactly the same way as changes detected by reconciliation, 
discovery or resource imports. This makes the policies consistent, 
elegant and easy to maintain. Therefore it actually depends quite a lot 
on the connector how it processes input data and what events it creates. 
For example the CSVFile connector implements previous/current difference 
mechanism. But I don't know of any direct ETL equivalent for that. 
Anyway, as the CSVFile connector source code is open it should not be 
that difficult to create such connector by looking at the existing code.

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com



On 04/09/2013 03:32 PM, Navrsale Mile wrote:
> Hi all,
>
> I am interested to find out more about the differences between 
> midpoint and Sun IdM / waveset. For example, is Sun IdM view 
> functionality supported in midpoint, in particular Rename view for 
> moving identities, using both identity template override as well as 
> identity template. Also what is the midpoint equivalent of Sun IdM 
> rules and forms (I understand bpel is to be used for workflow), how 
> good xpress alternatives are compared to xpress, are legacy etl load 
> interfaces via ActiveSync file adaptor supported, is there previous 
> day / current day load comparison functionality, etc.
>
> Best regards,
> --mile
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20130409/8cd9d861/attachment.htm>

More information about the midPoint mailing list