Automate target resource account creation for all Person accounts
At this point in your journey, your midPoint configuration automatically generates usernames and passwords, and users from the source HRIS resource are automatically pulled into midPoint. In the setup used in this guide, every Person has an account on the LDAP target resource, except for the new users you added via the HRIS in the previous module.
That is what you will address in this module: configure midPoint so that every user with the Person archetype automatically gets an account on LDAP.
What awaits you in this module
Typically, resource provisioning is based on the roles a user has or the organizations the user belongs to. We do not manage any custom role membership yet. On the other hand, the Person archetype is automatically assigned to every user who arrives from the HRIS. You will therefore use the Person archetype to create target LDAP resource accounts as a birthright of every user imported from the HRIS.
To give users of the Person archetype this birthright, you will add a new inducement to the Person archetype that makes each of them the owner of an account on the target (LDAP) resource.
Learn more about inducements, how they work and how they differ from other similar concepts in midPoint: Assignment × inducement × entitlement
Add inducement to the Person archetype
- In Archetypes > All archetypes, open the Person archetype for editing.
  You can filter archetypes by Name.
- In Inducements > Resource, click New.
- Select your target resource.
- Click Next: Resource object type.
- Keep the selected Default for kind: Account and click Next: Entitlements.
- Make no changes on the Entitlements step and click Next: Mappings to continue.
- Do not add any mappings and click Save settings to save the configuration.
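The GUI steps above produce an archetype object with one resource inducement. The fragment below is an added example (not taken from the guide or from the midPoint project) of what that configuration looks like in midPoint's XML representation, which is what you would see in the object's Edit raw view or keep in version control; the resource OID is a placeholder that must be replaced with the OID of your own target resource.

```xml
<!-- Added example: Person archetype with a birthright LDAP account inducement.
     The inducement (not an assignment) applies to every user that holds this
     archetype, which is what the guide's GUI steps configure. -->
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           oid="PLACEHOLDER-PERSON-ARCHETYPE-OID">
    <name>Person</name>
    <inducement>
        <!-- Construction = "this user should own a resource object". -->
        <construction>
            <!-- Replace with the OID of your target LDAP resource. -->
            <resourceRef oid="PLACEHOLDER-TARGET-RESOURCE-OID" type="ResourceType"/>
            <!-- Kind Account with the Default intent, as selected in the wizard. -->
            <kind>account</kind>
            <intent>default</intent>
        </construction>
        <!-- No entitlements and no construction-level mappings were added;
             attribute values come from the resource's outbound mappings. -->
    </inducement>
</archetype>
```

If you import this file instead of using the wizard, keep the existing archetype's OID so that users already holding the Person archetype keep referencing it.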
Let scheduled HRIS reconciliation ensure provisioning
You have added an inducement to the Person archetype, ensuring that all Person-archetype users have an LDAP account. The next step is to wait for the scheduled HRIS reconciliation task you created earlier to recompute all the users, find that some of them (the 900X series) do not have an LDAP projection, and fix that by provisioning an account for them.
You can check the result in the user list under Users > Persons, or see the target resource directly.
What is next
With the steps above completed, you have automated the provisioning of target resource accounts for all people you manage in midPoint.
The next logical step is to have all new accounts automatically assigned to a default group that contains all users.