Classification Improvements

Last modified 20 Mar 2024 08:49 +01:00
Information classification feature
This page describes Information classification midPoint feature. Please see the feature page for more details.
Planned feature
This feature is planned feature. This feature is roughly designed and it was evaluated as feasible. However, there is currently no specific plan when it will be implemented, because there is no funding for this development yet. In case that you are interested in supporting development of this feature, please consider purchasing midPoint Platform subscription.
Table of Contents


Classification and clearance management is part of midPoint since 4.8.3. Current implementation is based solely on pre-existing concepts of meta-roles and policy rules. The basic functionality works, however it is not very convenient. Perhaps the most obvious problem is a lack of visibility and user-friendliness.


We need to improve:

  • There is no visibility, the classifications (labels) are not easy to see, even when they are assigned directly. We need to do:

    • Find a prominent place to display the classifications (labels), e.g. in object details header.

    • Display classifications in object details panels, perhaps as top-level item in the panel submenu.

    • Better visibility of pre-define "Privileged Access" classification - even if assigned indirectly. We want to highlight roles that include privileged access.

    • Compute classifications for roles, using inducements. See Compliance Design Notes for discussion.

  • Error messages and overall presentation of policy rule violations. Current error message looks like:

    No assignment exists for role 09360ff0-d506-4751-b13f-4e01422693ac (after operation)

    Overall, the presentation of policy rule violations should be re-thought and significantly improved.

  • Improve policy rule structure and operation. Currently, we are using hasNoAssignment policy constraint. It works, but the notation is not very intuitive. It should be changed to be more like exclusion, with similar behavior. Perhaps hasNoAssignment should be changed to requirement, or even better, new flexible requirement constraint should be added in addition to existing hasNoAssignment. Current hasNoAssignment constraint triggers too aggressively. E.g. even in case where both classified role and clearance are removed.the policy rule prohibits the operation even though it is legal.

Was this page helpful?
Thanks for your feedback