Relation

Last modified 15 Nov 2021 11:25 +01:00
Since 2.x
This functionality is available since version 2.x. The functionality was further improved in versions 3.5, 3.9.

A relation is a mechanism that specifies the meaning or purpose of an object reference. Relations are frequently used in the object references of assignment/inducement targets and in organizational structure management. For example, a relation specifies whether a user is an ordinary member of an organizational unit or a manager of that unit.

Built-in Relations

There are several relations that are built into midPoint. Some of them have a special purpose and behavior, but others are just pre-defined conventions. All the built-in relations have the same namespace:

Currently, this namespace is also used by default for all unqualified relation names. (This behavior might change in the future.)

The following table summarizes the built-in relations.

| Relation | Description | Since |
|---|---|---|
| default or null | The default relation. It specifies that the reference is of the ordinary type. E.g. a default-relation reference to an org means that the user is an ordinary member of the org (not a manager). A default-relation assignment to a role means that the user simply has this role (the user is neither approver nor owner of the role). | 2.x / 3.6 [1] |
| manager | Relation "is manager of". Used as a relation value in object references. Specifies that the subject is a manager of the organizational unit. | 3.x |
| meta | Relation used for metarole assignments. Sometimes it is important to distinguish metarole and member assignments. This relation is used for that purpose. | 3.5 |
| deputy | Relation "is deputy of". Used as a relation value in object references. Specifies that the subject is a deputy of another user. | 3.5 |
| approver | Relation "is approver of". Used as a relation value in object references. Specifies that the subject is a (general) approver of the specified (abstract) role. The approver will be asked for a decision if the role is assigned, if there is a rule conflict during assignment (e.g. SoD conflict) or in any similar situation. This is a generic approver used for all situations. The system may be customized with more specific approver roles, e.g. technicalApprover, securityApprover, etc. This approver is responsible for the use of the role, which mostly means deciding about role assignment. It is NOT meant to approve role changes. The role owner is meant for that purpose. | 3.5 |
| owner | Relation "is owner of". Used as a relation value in object references. Specifies that the subject is a (business) owner of the specified (abstract) role. The owner will be asked for a decision if the role is modified, when the associated policy changes and so on. This owner is responsible for maintaining the role definition and policies. The owner is NOT necessarily concerned with role use (e.g. assignment). The approver relation is meant for that purpose. | 3.5 |

There is also a special pseudo-relation, any. This pseudo-relation cannot be used in object references, but it can be used in search filters to look for references of all relations.
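The rules above (null treated as default, unqualified names resolved to the built-in namespace, any accepted only in search filters) are modelled below in Python as an added example. This is not midPoint code: the namespace URI, OIDs, user names and function names are placeholders assumed for illustration, and a filter without a relation is assumed to match the default relation only.

```python
from typing import List, Optional, Tuple

# Placeholder namespace (assumption): the real built-in namespace is not shown here.
BUILTIN_NS = "urn:example:builtin-relations"
DEFAULT = (BUILTIN_NS, "default")
# Model simplification: the filter-only pseudo-relation is kept in the same namespace.
ANY = (BUILTIN_NS, "any")


def normalize(relation: Optional[str]) -> Tuple[str, str]:
    """Resolve a relation as written ("manager", "{ns}local", None) to (ns, local)."""
    if not relation:
        return DEFAULT  # null relation is the deprecated spelling of default
    if relation.startswith("{"):
        ns, _, local = relation[1:].partition("}")
        return (ns, local)
    return (BUILTIN_NS, relation)  # unqualified names fall into the built-in namespace


def make_reference(subject: str, target_oid: str, relation: Optional[str] = None) -> dict:
    """Build an object reference; the pseudo-relation any is rejected here."""
    qname = normalize(relation)
    if qname == ANY:
        raise ValueError("'any' is valid only in search filters, not in references")
    return {"subject": subject, "target": target_oid, "relation": qname}


def search(refs: List[dict], target_oid: str, relation: Optional[str] = None) -> List[str]:
    """Return subjects whose reference to target_oid matches the filter relation."""
    wanted = normalize(relation)
    return [r["subject"] for r in refs
            if r["target"] == target_oid and wanted in (ANY, r["relation"])]


# Constructed sample data: OIDs and user names are made up for this example.
REFS = [
    make_reference("jack", "org-1"),                 # ordinary member (null relation)
    make_reference("anna", "org-1", "manager"),
    make_reference("bob", "role-1", "approver"),
    make_reference("eve", "role-1", "owner"),
    make_reference("carl", "role-1", "{urn:example:custom}approver"),
]

if __name__ == "__main__":
    print(search(REFS, "org-1"))               # default relation only
    print(search(REFS, "role-1", "approver"))  # owner and custom-namespace relation excluded
    print(search(REFS, "role-1", "any"))       # every relation
```

Because matching is done on the qualified name, a relation with the same local name in another namespace does not grant the built-in approver meaning, and an owner reference is never returned for an approver query.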

Configurable Relations

Since 3.9
This functionality is available since version 3.9.

Since midPoint 3.9, new relations can be configured. These new relations should behave in the same way as the pre-configured relations.

Please see the Relation Configuration page for more details.


1. In 3.5.x and earlier versions, the null relation is used. In 3.6, default was introduced, and null was deprecated.