Connect the HR system

Last modified 10 Dec 2025 18:57 +01:00
Table of Contents

When starting an IGA deployment project, having covered the planning part, the first practical thing to do is to connect the authoritative source system to midPoint. When you are done with this step, you are going to have the user accounts in midPoint and can move forth with connecting a target system, such as an Active Directory.

In this guide, we are using an HR information system as the authoritative system.

What awaits you in this module

Connect the HR application to midPoint by creating a new resource, define an object type as the blueprint for HRIS user accounts, and filter out any HRIS accounts you do not wish to manage in midPoint.

1. Create a resource for the HR system

Our HR system exports accounts to CSV files. A CSV file can be a resource like any other. To get users from the CSV to midPoint, use the CSV connector and configure it according to the structure of the CSV file.

Follow this configuration guide: Create a New Resource in Resource Wizard

  1. Create a new resource from scratch.

  2. Use the CSV connector.

  3. Keep the lifecycle state set to Proposed until you finish the whole configuration of the resource.

  4. Get back here when you are done.

For the MID-301 training Docker containers, use:

  • /opt/midpoint/var/resources/export.csv as the CSV file path

  • empnum as the unique attribute name

2. Configure the HR resource object type

The next step is to configure the CSV resource object type. In the case of HR system, each resource object represents a user account in the system.

Follow this configuration guide: Resource wizard: Object type configuration

  1. Name the object type HR Person, for example.

  2. Make the object type of the Account kind, default (or empty) intent, and with the Default attribute set to True.

  3. Keep the rest of the settings to defaults.

  4. In the last screen, select the User type, and the Person archetype.

  5. Get back here when you are done.

Object type configuration screen with the type set to User and the archetype to Person
Figure 1. Object type configuration screen with the type set to User and the archetype to Person

After you save your object type, you can preview the resource data to see what you are getting from the resource.

3. Filter out irrelevant HR entries

When you preview the resource objects, you may realize that there are some accounts which you do not want or need to manage using midPoint.

These may be AC technicians or people who manage your office greenery. While their work is indispensable, they simply have no IT accounts to manage.

To prevent these accounts from being imported to midPoint:

  1. Find a common pattern these entries have in the HR system.
    It may be that their employee numbers start with a different digit or their employment type is different from others…

  2. Go back to the object type configuration and select the  Basic attributes tile.

  3. Edit the object type you’ve created for the accounts and set up a filtering query.
    For instance, to exclude employees whose number (empnum) starts with 8: attributes/empnum not startsWith "8".

    • If you are using the MID-301 training data, use exactly that filtering formula.

  4. Save the object.

    • Note that previewing will always list all the objects on the resource regardless of the object type filtering you set up.

  5. Reclassify the resource object shadows to reflect your changes in the account list.

The excluded accounts no longer appear among the accounts. MidPoint is aware of them but they are no longer considered an HR Person (they are of an undefined kind and intent, and not managed by midPoint).

Next steps

Now, you are ready to proceed further with preparations to import your HRIS users to midPoint.

Define mapping and synchronization rules

Was this page helpful?
YES NO
Thanks for your feedback