IGA Objects and midPoint

Last modified 17 Jul 2022 19:52 +02:00

Following basic components are used in modelling access in IGA:

Application

Applications are basic building blocks for defining access. These objects contain business information. Application is an administrative object describing application as a business target that the access relates to. In normal language: Application is "where" in definition of Where the user has access.

The application in IGA relates to application or information system in application inventory of the organization (IT Asset inventory according to ITIL). It may represent application, information system or some data repository where access must be managed. IGA should not be the source for applications. It should be connected to the application inventory and read the application objects from it.

Application is represented by object service in midPoint.

Application resource

Some applications may have more components where access should be managed. These components are represented by application resources. The application resources can be used to manage dynamically created components in some systems - e.g. shares on file-share server, spaces in confluence.

Instead of applications, the application resources are not linked directly to application inventory, but rather, to application in IGA. Their lifecycle doesn’t need to be formalized outside IGA.

Application resources are components of parametric access. Level of the user access (e.g. reader / editor / manager) is defined by the relation in assignment.

Application resource is represented by object service in midPoint with specific archetype to distinguish from application.

Application role

Application roles are basic roles. They are related to applications. The application roles are integrating technical components for creation of user access with business description of the access. Business users are working with business description from the application roles, IDM system and IDM administrators are working with technical definitions.

The information in application role will be displayed to different audience. To business audience it should be displayed as easy as possible - in business structure. For example, like on the picture below:

Application role design

Please take this picture just as inspiration, not all attributes are shown.

Details for content of an application role are described here.

Business role

Technically, business roles are collections of application and other business roles. It can contain also assignments of application resources or even applications where necessary.

The information in Business role will be displayed to different audience. To business audience it should be displayed as easy as possible - in business structure. For example, like on the picture below:

Business role design

Please take this picture just as inspiration, not all attributes are shown.

Details for content of a business role are described here.