Override incorrect attribute values

Last modified 27 Nov 2025 19:19 +01:00
Table of Contents

In this module, you will use midPoint to correct source resource attribute values and enable incorrectly disabled user accounts.

Imagine the following situation: The HR department creates a user in the HRIS with some errors, e.g., incorrect locality and status. You cannot wait until the user is fixed in the HRIS. The user is a new member of high management who needs to work, which he cannot because his account is kept inactive due to those errors.

What awaits you in this module

You will first act as an inattentive HR person adding a new employee with wrong data in the HR system. Then, as an administrator, you will take steps to rectify the mistakes and enable the employee to use his accounts. Lastly, you are going to fix the data issues in the HRIS and let the user reconcile "as usual".

In this exercise, you will learn how to use account marks when in need of overwriting the data coming from the authoritative resource.

1. Register new user in HRIS

First, you need to register the new hire in HRIS. You are going to make a few mistakes there, acting as the inattentive HR person.

  1. In the HRIS user interface, click Register user in the top bar.

  2. Fill in the form:

    • First name: John

    • Surname: Doe

    • Employee number: 9006

    • Locality: Fat Rover City

    • Job: 999#CXO

    • EmpType: FTE

    • Status: Long-term leave

  3. Click Register user

  4. Click Export users to csv file at the bottom of the user list.

2. Check the new user in midPoint

After the recurring HRIS reconciliation task runs:

  1. In Users > Personas, open John Doe (user jdoe) for editing.

  2. Check the user’s Lifecycle state: It is Disabled.

  3. Check the user’s AD account in Projections: It is disabled.

Obviously, this man cannot do his job when all his accounts are disabled.

User with wrong source data in midPoint
Figure 1. User with wrong source data in midPoint

3. How to fix it?

Changing the administrative status would not work in this case because currently, the administrative status can only be used to deactivate an active user. You cannot use it to force activation.

An attempt to blindly overwrite the lifecycle state would not work either. It would be reverted during the next scheduled HRIS reconciliation task run.

That means you need to create an exception. But how?

Use marks.

4. Mark the account as an exception

Similarly to what you did when reconciling the HRIS accounts with the AD accounts, you can use marks to "protect" an account in this case as well.

  1. In Resources > All resources, select the source HRIS resource.

  2. In Accounts, find the user in question: John Doe (jdoe) in our case.

  3. Click the drop-down menu button at the far right of the row and select Add Marks.

    Set marks on the account for which you need to correct data manually in midPoint
    Figure 2. Set marks on the account for which you need to correct data manually in midPoint

  4. In the modal dialog that appears, select Invalid data.

  5. Click Add.

The account is now "protected", i.e., the recurring HRIS reconciliation task won’t touch it and you can edit it manually in midPoint.

Account with invalid data marked for protection
Figure 3. Account with invalid data marked for protection

5. Correct the data manually

Still in the Accounts screen, click jdoe in the owner column to open the corresponding focal object of the account for editing.

Edit the following properties to correct the mistakes the HR department made:

  1. Locality: Fast River City

  2. Lifecycle state: Active

  3. Click Save.

The user (focal object) has now correct attribute values and the AD account is enabled immediately.

Wait for the next scheduled HRIS reconciliation task to see that your changes are not reverted. You can also test that any updates of HR data for 9006 are ignored

5.1. Use reports to get a quick overview of marked accounts

Dashboards and report are very useful in larger deployments to get an overview of irregularities, such as marked accounts, quickly. If you follow this guide along with the Docker images preconfigured for the guide, there is a dashboard ready for this situation.

In the main navigation menu, select Dashboards > Account marks:

Dashboard showing numbers of accounts with various object marks
Figure 4. Dashboard showing numbers of accounts with various object marks

If you prefer a report you can save on your computer:

  1. Select Reports in the main navigation menu.

  2. On the Account Marks Dashboard Report entry, click Run button at the far right.

    • This is a report directly connected to the dashboard.

  3. Click Show task in the notification that appears at top of the screen.

  4. Click Download report to save the HTML report to your computer.

You can access created reports at a later time via Reports > Created reports.

Refer to Introduction to dashboards in midPoint to learn more about dashboards and their relation to reports.

6. Correct the HRIS data to put the situation back to normal

You used emergency means to correct the incorrect attributes in midPoint while preventing the recurring HRIS reconciliation task from overwriting your adjustments. At some point, the HR personnel obtain the complaint regarding the wrong data in the HRIS and rectify it there. Additionally, they realize the correct locality is completely different than what they put there in the first place.

Fix the data in HRIS:

  1. In the HRIS user interface, find the user John Doe, employee number 9005.

  2. Click Modify at the right side of their row.

  3. Adjust the attributes of the user:

    • Locality: White Stone River

    • Status: In

  4. Click Modify user.

  5. Click Export users to csv file at the bottom of the user list.

The updates from HR are ignored for this user until you remove the Invalid data mark.

  1. In Resources > All resources, select the source HRIS resource.

  2. In Accounts, find the user in question: John Doe (jdoe) in our case.

  3. Click the drop-down menu button at the far right of the row and select Remove Marks.

  4. Select the Invalid data mark.

  5. Click Remove Marks.

In John Doe’s profile and his AD account, you can observe the locality changes to White Stone City after the scheduled reconciliation task runs, meaning the account can be managed by the usual means from now on.

Next steps

The last module in the series on overwriting incorrect source data focuses on usernames. You will learn why you might want to override the automation and how to do it correctly.

Was this page helpful?
YES NO
Thanks for your feedback