MidPoint Roles and Policies

Last modified 18 Jul 2025 14:45 +02:00

This section describes two different object types in midPoint: Roles and Policies.

While Policies extend from Roles, they serve a distinct purpose, and are designed to address more advanced business and governance needs. Roles are ideal for defining what access or entitlements a user should receive, while Policies control how, when, and under which conditions that access is granted.

  • Roles grant access or responsibilities to users.

    They are applied to objects, mainly users, and they are typically used to represent job functions or access rights, such as "HR Manager" or "read access to Project XYZ". See Roles.

  • Policies control how access is granted, reviewed or approved.

    They are applied to objects (typically roles and services) to which you want to apply some defined behavior, and they are used to enforce business logic and compliance.

    While some policies may be quite simple and may only "mark" objects with properties that indicate, for example, a passed training, others may be more complex and may contain policy rules that define more comprehensive conditions and behaviors based on how those conditions evaluate. See Policies.
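The following midPoint configuration fragment is an added illustration, not taken from this page or from the midPoint project's own samples. It shows the two concepts side by side: a role that grants access (an account on a resource) and a policy rule that controls how that access is granted (the role may only be assigned after approval). The OIDs, the resource name and the role name are constructed placeholders; the policy rule is shown inline in the role for brevity, whereas the Policy object type described on this page would carry such rules as a separate object applied to the role.

```xml
<!-- Added example: a role that grants access, plus a policy rule controlling
     how that access is granted. OIDs and names are constructed placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-example-role">
    <name>HR Manager</name>
    <description>Grants an HR application account (role: what access is given).</description>

    <!-- Inducement: every user holding this role gets an account on the HR resource. -->
    <inducement>
        <construction>
            <!-- Placeholder resource OID; replace with the real HR resource. -->
            <resourceRef oid="00000000-0000-0000-0000-example-resrc" type="ResourceType"/>
        </construction>
    </inducement>

    <!-- Policy rule in the role's own assignment: applies whenever this role is
         assigned to someone (policy: under which conditions access is granted). -->
    <assignment>
        <policyRule>
            <name>hr-manager-requires-owner-approval</name>
            <policyConstraints>
                <!-- Condition: an assignment of this role is being added. -->
                <assignment>
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <!-- Behaviour: route the assignment through approval by the role owner. -->
                <approval>
                    <approverRelation>owner</approverRelation>
                </approval>
            </policyActions>
        </policyRule>
    </assignment>
</role>
```

The inducement and the policy rule are deliberately separate parts of the object: removing the policy rule would not change what the role grants, only the fact that an assignment of it is no longer subject to approval, which is exactly the division of responsibilities this page describes.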

In the application, these two concepts are represented by separate sections:

(Figure: Roles and Policies in midPoint, showing the two separate sections in the user interface.)

This is a part of the MidPoint Configuration Reference which focuses on providing detailed information rather than seamless readability. New midPoint users may find this information harder to follow.

If you are new to midPoint, we recommend starting with the MidPoint Book or video tutorials on the Evolveum YouTube channel.
