Role Lifecycle

Last modified 15 Nov 2021 11:25 +01:00
feature
This page describes midPoint feature. Please see the feature page for more details.
Since 3.5
This functionality is available since version 3.5.

MidPoint contains mechanisms that can be used to manage lifecycle of the roles and role-like objects (roles, orgs, services and even users). Lifecycle management means that midPoint can apply constraints and rules to various lifecycle events such as creation of a new role, change of role definition, deletion and so on. MidPoint can prohibit certain lifecycle transitions, require approval and so on.

The role lifecycle is implemented by combining approval process with policy rules. The policy rules are triggered when the role is created, modified or deleted. The rules specify approval as an action, therefore the change operation is suspended and it is driven through approval processes. Therefore configuration of role lifecycle management is a matter of specifying correct policy rules and setting up the approvers.

Role Lifecycle Management Rule Example

The following configuration causes that all role creation operations will be approved by defined user (administrator in this case).

<systemConfiguration>
    ...
    <globalPolicyRule>
        <name>New role approvals</name>
        <policyConstraints>
            <modification>
                <operation>add</operation>
            </modification>
        </policyConstraints>
        <policyActions>
            <approval>
                <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>   <!-- approve by administrator -->
            </approval>
        </policyActions>
        <focusSelector>
            <type>RoleType</type>
        </focusSelector>
    </globalPolicyRule>
    ...
</systemConfiguration>

If needed, it would be possible to nominate administrator also as an approver for all other role operations (modification, removal) by simply adding corresponding operation names (modify, delete) into the policyConstraints/modification element or by removing the operation element altogether.

But default approvers for modification and removal of existing roles are users that have an assignment of relation owner pointing to the role. An example of such assignment:

<assignment>
    <targetRef oid="6035c4bd-01c0-4f4d-870c-d5635c67ed76" type="RoleType" relation="owner" />
</assignment>

So, for example, if user jack has the above assignment, all attempted modification and removal operations of role with OID 6035c4bd-01c0-4f4d-870c-d5635c67ed76 have to be approved by him.

Object Lifecycle Property

MidPoint contains a special property to control object lifecycle: lifecycleState. This property specifies current lifecycle state of the object. It specified whether the object represents a draft, proposed definition, whether it is active, deprecated, and so on. There are several pre-defined lifecycle states and new custom states can be used if needed. This property can be used to implement complex role lifecycle management. See Object Lifecycle page for more details.

Was this page helpful?
YES NO
Thanks for your feedback