[midPoint] Admin gui question(s)

Markus Calmius markus.calmius at proton.ch
Thu Sep 25 08:31:13 CEST 2025 

Hi Yakov,

Thanks for this suggestion, I will look into it/do some tests.

Kind regards,
Markus
On Thursday, 25 September 2025 at 07:16, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> You know that a user is active if administrativeStatus is unknown. Let the HR resource leave administrativeStatus unknown for an active user, set administrativeStatus with Disable using standard Midpoint activation UI. In this case, HR still skips setting administrativeStatus explicitly and your hand made administrativeStatus won't be overwritten after reconciliation. If you'd like to make the user enabled again you simply set administrativeStatus in Unknown back. This delegates management for administrativeStatus to HR back again.
>
> You can add a condition in the HR resource status attribute to limit status calculation only by Disable case.
>
> On Fri, 19 Sept 2025 at 10:20, Markus Calmius <markus.calmius at proton.ch> wrote:
>
>> Yes, HR is source of truth.
>> However, sometimes a forced offboarding or onboarding can take place. Then we have an override status, based on this: https://evolveum.com/how-to-override-administrative-status/
>>
>> So we do have a way to do it, but the default buttons are not the way
>>
>> Markus
>> On Thursday, 18 September 2025 at 16:34, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>>
>>> Do you mean sync with HR overrides Midpoint user's administrative status which Midpoint admin changed before?
>>>
>>> On Mon, 15 Sept 2025 at 17:35, Markus Calmius via midPoint <midpoint at lists.evolveum.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> TL;DR
>>>> is it possible to either:
>>>>
>>>> -  hide the buttons for enable/disable users, or
>>>> - override the default action?
>>>>
>>>> To give some more background:
>>>> Our HR system is the sole authority for creating user accounts and assigning their administrative status.
>>>>
>>>> We have implemented an override mechanism that allows us to deactivate a user ahead of the HR‑initiated process when necessary.
>>>>
>>>> While the standard deactivation buttons function correctly, the change is only temporary. Any update to the user or the execution of the HR‑reconciliation task restores the status defined by HR.
>>>> Although we could restrict this capability entirely. it will result in an error message. I prefer to prevent the action silently rather than generate errors.
>>>> For example, a service‑desk technician who is authorised to disable accounts may use the default buttons and assume the operation succeeded. In reality, the modification is later undone by the HR reconciliation process.
>>>>
>>>> Kind regards,
>>>> Markus
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250925/3e39b3fc/attachment.htm>

More information about the midPoint mailing list