<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>Regarding Add projection and attributes: I confirm that at the
moment of adding a new account (projection) there are no
attributes displayed. (I have even checked old midPoint 4.4 - it's
the same).</p>
<p>But if you have outbound mappings, they will be executed. So you
really should not specify your own values of attributes; they
should be computed by outbound mappings.</p>
<p>Also, you should consider assigning roles. Roles can have
outbound mappings too - they can override/complement outbound
mappings in resource schema handling.</p>
<p>Whether the inability to enter attributes during account creation
is a bug or a missing feature, I do not know off the top of my head.
You can for sure create a new ticket in our support portal. But
keep one thing in mind: if you had strong outbound mappings
and at the same time attempted to specify manual values
for the same attributes, you would have a conflict for
single-value attributes.</p>
<p>My recommendation: prepare outbound mappings in your resource
which take values from your user object (focus) and compute target
attribute values.</p>
<p>If some values should be e.g. constants representing groups,
roles etc., you can use midPoint roles which would specify their
own outbound mapping(s) providing such value(s).</p>
<p>Hope this helps.</p>
<p>Best regards,</p>
<p>Ivan</p>
<div class="moz-cite-prefix">On 11/6/25 12:50, Али Саад via midPoint
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKeUUK_onnzF_EVhZU-mK_ZMwkDALxXLq-06FNa5yCH0jiczUQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<p>
Hi Evolveum team,
</p>
<p>I will try to explain the whole sequence of my actions
clearly, starting from the beginning.<br>
At work, we frequently perform integrations using <strong>midPoint
4.9</strong>.</p>
<p>The question is about <strong>creating resource accounts
(projections)</strong>, especially for REST resources.<br>
There is very little information in the official
documentation, for example here:<br>
👉 <a rel="noopener" class="gmail-decorated-link"
href="https://docs.evolveum.com/midpoint/guides/admin-gui-user-guide/#:~:text=The%20account%20form%20is%20dynamically,definition%20in%20the%20resource%20object"
moz-do-not-send="true">https://docs.evolveum.com/midpoint/guides/admin-gui-user-guide/#:~:text=The%20account%20form%20is%20dynamically,definition%20in%20the%20resource%20object<span
aria-hidden="true"
class="gmail-ms-0.5 gmail-inline-block gmail-align-middle gmail-leading-none"></span></a></p>
<p>It explains the process but doesn’t actually show <strong>how
to enter account attributes manually</strong> during
creation.<br>
Here’s the relevant part from the documentation:</p>
<blockquote>
<p>“To add one or more resource accounts to the user, click
on the Add projection button in the Projections pane...<br>
The account form is dynamically generated using the
resource schema definition in the resource object…<br>
</p>
<h3><font size="2">Example scenario</font></h3>
<p>
</p>
<p>Suppose I have a REST resource where the POST body looks
like this:</p>
<pre>{
  "username": "some name",
  "email": "some email",
  "number": "some number",
  "password": "some password",
  "roles": ["admin", "support"]
}</pre>
<p>Here, <code>username</code>, <code>email</code>, and <code>password</code>
are mandatory for account creation, while <code>number</code>
and <code>roles</code><b> are optional.</b> </p>
<h3>What happens in midPoint</h3>
<h3>
<p><font size="2"><span style="font-weight:normal">When I
open a user and go to the Projections tab, I click
“+ </span>New Projection<span
style="font-weight:normal">” → select the resource →
click the checkmark → then </span>Add<span
style="font-weight:normal">.</span><br>
<span style="font-weight:normal">
MidPoint creates a projection with the name null,
linked to the selected resource.</span></font></p>
<p><font size="2"><span style="font-weight:normal">When I
click on that projection, I see only a </span>Basic<span
style="font-weight:normal"> tab with </span>Cancel<span
style="font-weight:normal"> and </span>Done<span
style="font-weight:normal"> buttons — but no fields
appear for editing.</span></font></p>
<p><font size="2" style=""><span
style="font-weight:normal">If I click </span>Done<span
style="font-weight:normal">, midPoint </span>creates
the projection using outbound mappings (values coming
from the User object).<br>
This is not ideal, because we may have many different
resources and we can’t keep adding all external fields
to the User object.<br>
It would make much more sense to allow manual input of
account fields directly in the projection form during
creation.</font></p>
My question<br>
<p><font size="2"><span style="font-weight:normal">Do I
need to configure something in</span> <code>&lt;schemaHandling&gt;</code>
<span style="font-weight:normal">so that, when I click
</span><strong>“+ New Projection”</strong>, <span
style="font-weight:normal">midPoint displays the
attributes defined</span> in the connector schema (<code>setCreatable(true)</code>)?</font></p>
<p><font size="2">Currently, the projection appears empty
(“null”), even though I’ve marked all connector
attributes as creatable.<br>
</font></p>
<font size="2"><span style="font-weight:normal">How can I
make those attributes </span><strong style="">visible
and editable</strong><span style="font-weight:normal">
when creating a new projection manually?<br>
</span></font></h3>
<h3>Related: <code>setRequired</code>, <code>setCreatable</code>,
and <code>setReturnedByDefault</code> flags</h3>
<h3>
<p>I<font size="2">’d also like to clarify the meaning and
effect of these flags:</font></p>
<ul>
<li>
<p><font size="2"><span style="font-weight:normal">Does</span>
<code>setRequired(true)</code> mean that the
attribute <strong>must be included</strong> in
the <code>Set&lt;Attribute&gt;</code> passed to<br>
<code>create(ObjectClass objectClass,
Set&lt;Attribute&gt; attributes,
OperationOptions options)</code>?</font></p>
</li>
<li>
<p><font size="2"><span style="font-weight:normal">Does</span>
<code>setCreatable(true)</code> mean that the
attribute <strong>can be entered in the UI</strong>
when creating an account (projection)?</font></p>
</li>
<li>
<p><font size="2">How does the combination of <code>setRequired</code>
and <code>setCreatable</code> affect midPoint’s
behavior?</font></p>
</li>
<li>
<p><font size="2">And finally — <span
style="font-weight:normal">what exactly does</span>
<code>setReturnedByDefault(true)</code> do?<br>
D<span style="font-weight:normal">oes it mean that
such an attribute is </span><strong>automatically
fetched</strong> <span
style="font-weight:normal">from the resource
even if not explicitly requested by the
framework?<br>
And does it also influence which attributes are
displayed in the projection form in midPoint?</span></font></p>
</li>
</ul>
<p><font size="2">From what I understand, <code>setRequired</code>
marks an attribute as mandatory during creation —<br>
but it’s not clear what happens in practice,
especially when there’s no visible UI form to fill in
the value.</font></p>
<p><font size="2">The only relevant comments I found are:</font></p>
<ul>
<li>
<p><font size="2"><a class="gmail-decorated-link"
rel="noopener"
href="https://docs.evolveum.com/connectors/connid/1.x/connector-development-guide/#:~:text=uidAib,build."
moz-do-not-send="true">ConnId 1.x Development
Guide<span aria-hidden="true"
class="gmail-ms-0.5 gmail-inline-block gmail-align-middle gmail-leading-none"></span></a>
—<br>
which says <code>// Must be optional. It is not
present for create operations</code>.</font></p>
</li>
<li>
<p><font size="2"><a class="gmail-decorated-link"
rel="noopener"
href="https://docs.oracle.com/cd/E21764_01/apirefs.1111/e24834/org/identityconnectors/framework/common/objects/AttributeInfo.html#isRequired__"
moz-do-not-send="true">Oracle ICF API docs<span
aria-hidden="true"
class="gmail-ms-0.5 gmail-inline-block gmail-align-middle gmail-leading-none"></span></a>
—<br>
which says “Determines whether this attribute is
required for creates.”</font></p>
</li>
</ul>
<p><font size="2">So far, it’s still not clear how these
flags influence what midPoint shows in the UI or
passes during <code>create()</code> and <code>get()</code>
operations.</font></p>
<hr>
</h3>
<h3>Summary</h3>
<h3>
<p><font size="2">Please help us understand:</font></p>
<ol>
<li>
<p><font size="2">How to configure <strong>account
creation fields</strong> for manual input during
projection creation.</font></p>
</li>
<li>
<p><font size="2">What exactly <code>setRequired</code>,
<code>setCreatable</code>, and <code>setReturnedByDefault</code>
mean in practice — and how they affect the <strong>UI
and connector behavior</strong>.</font></p>
</li>
<li>
<p><font size="2">Whether the projection form can be
generated dynamically from connector schema
attributes (like a “Create account” form) without
relying solely on outbound mappings.</font></p>
</li>
</ol>
<p><font size="2">This is very important for us, as
account creation often requires partial manual input
(some fields from the User, some entered by an
administrator).</font></p>
<p><font size="2">Thank you very much for your help, and
sorry for the long post.</font></p>
<p>Best regards,<br>
<strong>Ali</strong></p>
</h3>
</blockquote>
</div>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Thu, Nov 6, 2025 at 09:55,
David Klement &lt;<a href="mailto:dakle@evolveum.com"
moz-do-not-send="true" class="moz-txt-link-freetext">dakle@evolveum.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
Али,<br>
<br>
regarding the most recent message in the thread, i.e., "make
account and record fields without outbound mappings" - if I
understand correctly, you wish to create an account on a
resource using midPoint without actually having the
corresponding account (i.e., its user object, shadow, etc.)
in midPoint? Or, in a narrower case, you want midPoint to
send account attributes to the resource without midPoint
actually having the attributes saved in its database? In
other words, you do not want midPoint to manage the accounts
or account attributes in question. If that is the case,
maybe it would be best to edit the data directly in the
target resource, would it not?<br>
<br>
Please let us know if I misunderstood your question. It is
indeed true that connectors work directly with the
resources, but they can only send them data that midPoint
gives them, i.e., is instructed to send to the resource via
the connector.<br>
<br>
Best regards,<br>
<br>
David Klement | Technical Writer<br>
Evolveum, s. r. o.<br>
<a href="mailto:dakle@evolveum.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">dakle@evolveum.com</a>
| <a href="http://www.evolveum.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">www.evolveum.com</a><br>
<br>
----- Original Message -----<br>
From: "midPoint General Discussion" &lt;<a
href="mailto:midpoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>&gt;<br>
To: "midPoint General Discussion" &lt;<a
href="mailto:midpoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>&gt;<br>
Cc: "Али Саад" &lt;<a href="mailto:gerardo.saad@gmail.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">gerardo.saad@gmail.com</a>&gt;<br>
Sent: Wednesday, November 5, 2025 7:36:05 PM<br>
Subject: [midPoint] Fwd: Some tricky questions about develop
connectors. Hello!<br>
<br>
Guys please tell me one thing. How can I make account and
record fields without outbound mappings? We use your product
and all of us don't know how to do it. Please help. We want to
create account, for example for REST Resource and also make
account by administrator. We know only one way to do it -
make outbound mapping and take some attributes, which we
record before, from UserType. I think this is a horrible and
wrong way. Please, tell me - how I can record fields by
administrator. Maybe I must add some layers in my
schemahandling on resources? But it doesn't work. <br>
<br>
---------- Forwarded message --------- <br>
From: Али Саад &lt;<a
href="mailto:gerardo.saad@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">gerardo.saad@gmail.com</a>&gt; <br>
Date: Mon, Nov 3, 2025 at 01:54 <br>
Subject: Fwd: Some tricky questions about develop
connectors. Hello! <br>
To: &lt;<a href="mailto:info@evolveum.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">info@evolveum.com</a>&gt; <br>
<br>
<br>
<br>
<br>
---------- Forwarded message --------- <br>
From: Али Саад &lt;<a
href="mailto:gerardo.saad@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">gerardo.saad@gmail.com</a>&gt; <br>
Date: Sat, Nov 1, 2025 at 19:46 <br>
Subject: Some tricky questions about develop connectors.
Hello! <br>
To: &lt;<a
href="mailto:midpoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>&gt; <br>
<br>
<br>
Hello! Could you please explain the difference between the
setRequired(true) and setCreateable(true) flags when
defining ConnId attributes?<br>
1. If the UID is generated by the target system, should we set
required=false and createable=false?<br>
2. For the Name attribute that midPoint must send when creating
an account — should both flags be set to true?<br>
3. If an attribute can be provided during object creation but is
not mandatory, should it be required=false and createable=true?<br>
4. Is it correct that we should never use required=true together
with createable=false? Am I right that required=true means the
attribute must be included in the Set&lt;Attribute&gt;
passed to the create() method of the CreateOp interface? No
to other operations. Only for Create? I'm trying to
understand the practical meaning of these flags when
designing a connector schema.<br>
5. Additionally, I’m still confused about how account creation
actually works in practice. For example, if I want to manually
set the UID or other attributes when creating an account — how
is this done? Is it controlled by inbound/outbound mappings, or by
the connector schema itself? It’s quite hard to understand
how midPoint decides which attributes to send during account
creation on the first try. (I'm using midPoint 4.9.)<br>
6. And one last question: what is the purpose of
setReturnedByDefault(true)? Is it true that midPoint simply
won’t expect such attributes by default, but it will still
accept attributes marked with setReturnedByDefault(false) if
they are present in the resource response?<br>
7. I would also like to mention that I created an attribute on
the diagram as a string for locking and unlocking __ENABLE__. Am I
correct in understanding that midPoint will still create it
on the diagram with the type that it defines and
recognizes—that is, as Boolean for special system
attributes? According to the Special-Purpose Attributes
table? Thank you very much in advance! <br>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">midPoint@lists.evolveum.com</a><br>
<a
href="https://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote>
</div>
</div>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Expert Identity Engineer
evolveum.com
</pre>
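<p>The setup recommended in the reply above, sketched as midPoint XML for the REST account from the question. This is an added example, not configuration from the thread or from Evolveum: the <code>ri:</code> attribute names are assumed from the sample POST body, and the object class name, the chosen user properties, the role name and the resource OID placeholder are assumptions as well.</p>

```xml
<!-- Added example. Fragment 1: goes inside the <resource> object. Attribute names assumed from the POST body. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <delineation><objectClass>ri:AccountObjectClass</objectClass></delineation>
        <attribute>
            <ref>ri:username</ref> <!-- assumed; icfs:name if the connector exposes it as __NAME__ -->
            <outbound><strength>strong</strength><source><path>name</path></source></outbound>
        </attribute>
        <attribute>
            <ref>ri:email</ref>
            <outbound><strength>strong</strength><source><path>emailAddress</path></source></outbound>
        </attribute>
        <attribute>
            <ref>ri:number</ref> <!-- optional on the target, so default (normal) strength -->
            <outbound><source><path>telephoneNumber</path></source></outbound>
        </attribute>
        <credentials>
            <password><outbound/></password> <!-- pass the user's password through as-is -->
        </credentials>
    </objectType>
</schemaHandling>

<!-- Fragment 2: a separate role object that contributes one constant value to the multi-valued "roles" attribute. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>rest-app-support</name> <!-- hypothetical role name -->
    <inducement>
        <construction>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <attribute>
                <ref>ri:roles</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression><value>support</value></expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

<p>Assigning this role to a user creates the account through the construction and computes every attribute from mappings, so entitlement values such as <code>support</code> stay tied to a role assignment instead of being typed in by hand.</p>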
</body>
</html>