Object Governance

Last modified 27 Aug 2024 13:19 +02:00
Object governance feature
This page describes the Object governance feature of midPoint. Please see the feature page for more details.
Work in progress

Object governance is a mechanism based on maintaining governance relations to objects, such as ownership, management or approval relations. Complex governance rules can be built on top of these relations to implement business and regulatory compliance policies.

Assignment and Relation

Object governance starts with assignment and relation. An assignment creates a relationship between two objects; the relation further specifies the type of that relationship. Relations such as owner, manager and approver are commonly used for governance purposes. Note the direction of the relationship: when specifying a governance relationship for an object, the assignment is created in the entity that governs (usually a user) and points to the entity that is governed (usually an application, role or org), as shown in the following example. The governed service below carries only its archetype assignment; the ownership is recorded on the user side.

<service oid="45bb3cea-fde9-4590-812a-e86b37492bcd">
    <name>Public Website</name>
    <assignment>
        <!-- Application archetype: marks this service as an application -->
        <targetRef oid="00000000-0000-0000-0000-000000000329" type="ArchetypeType" />
    </assignment>
    ...
</service>

<user oid="631009e9-f48e-4b04-80d6-d05ed6583370">
    <name>eevans</name>
    ...
    <assignment>
        <!-- Governance relation: eevans is the owner of the Public Website application.
             Without the relation attribute this would be plain membership (org:default). -->
        <targetRef oid="45bb3cea-fde9-4590-812a-e86b37492bcd" type="ServiceType" relation="org:owner"/>
    </assignment>
</user>

Relations used for governance purposes are summarized in the following table.

Relation: owner
Description:
    Relation "is owner of". Specifies that the subject is a (business) owner of the specified (abstract) role. The owner will be asked for a decision when the role definition is modified, when an associated policy changes, and so on. The owner is responsible for maintaining the role definition and policies.
    May also be used to denote accountable persons, such as the sponsor of a project, as opposed to a manager who is responsible for day-to-day operation.
    The owner is NOT necessarily concerned with the use of the role (e.g. its assignment). The approver relation is meant for that purpose.
Usually denotes:
    Business owner of a role or application.
    Responsible person for a policy, e.g. the person responsible for a classification scheme.
    Sponsor of a project, or a stakeholder who is not involved in day-to-day operation.

Relation: manager
Description:
    Relation "is manager of". Specifies that the subject is a manager of an organizational unit. Managers are supposed to be operational leaders, involved in day-to-day operations.
Usually denotes:
    Managers of organizational units, such as departments, teams and projects.

Relation: approver
Description:
    Relation "is approver of". Specifies that the subject is a (general) approver of the specified (abstract) role. The approver will be asked for a decision when the role is assigned, when there is a rule conflict during assignment (e.g. an SoD conflict), or in any similar situation. This is a generic approver used for all such situations; the system may be customized with more specific approver relations, e.g. technicalApprover or securityApprover. The approver is responsible for the use of the role, which mostly means deciding about role assignment. It is not meant to approve role changes; the owner relation is meant for that purpose.
Usually denotes:
    Person responsible for approval of role assignments in the access request process.

There are other relations, some of which are quite commonly used; however, they are not closely related to object governance. The full list of pre-defined relations can be found on the relation page.

The ownership relation is perhaps the most common one, and also the most useful one. Ownership of roles and applications makes sure there is always a responsible person to take care of the role or application. Usually, every application and many roles should have a specified owner.
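Because the ownership assignment lives on the user and not on the governed object, a rule such as "every application must have an owner" cannot be checked by looking at the application alone; the references have to be inverted. The following script is an added example, not part of this page or of midPoint itself: it reads exported midPoint objects, builds the reverse index from user assignments to governed objects, and reports applications that have nobody holding a given governance relation. The sample objects are constructed for the example: the Public Website service, the user eevans and the Application archetype OID are taken from the snippet above, while the Payroll service, the user jdoe and their OIDs are invented.

```python
"""Governance check over exported midPoint objects (added example, not
midPoint's own code).

Ownership is recorded on the governing side: the user carries an
assignment whose targetRef points at the governed service with
relation="org:owner".  The governed service says nothing about its
owner, so "which applications have no owner?" needs a reverse index
built from the users' assignments.

SAMPLE_OBJECTS is constructed for this example in the namespace-free
style of the snippet above.  Tags are matched by local name so that a
namespaced export (c:user, c:assignment) is handled the same way.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# midPoint's built-in Application archetype, as used in the snippet above.
APPLICATION_ARCHETYPE_OID = "00000000-0000-0000-0000-000000000329"
GOVERNANCE_RELATIONS = {"owner", "manager", "approver"}

SAMPLE_OBJECTS = """<objects>
  <service oid="45bb3cea-fde9-4590-812a-e86b37492bcd">
    <name>Public Website</name>
    <assignment><targetRef oid="00000000-0000-0000-0000-000000000329" type="ArchetypeType"/></assignment>
  </service>
  <service oid="b2b5a1e0-0000-4000-8000-000000000001">
    <name>Payroll</name>
    <assignment><targetRef oid="00000000-0000-0000-0000-000000000329" type="ArchetypeType"/></assignment>
  </service>
  <user oid="631009e9-f48e-4b04-80d6-d05ed6583370">
    <name>eevans</name>
    <assignment>
      <targetRef oid="45bb3cea-fde9-4590-812a-e86b37492bcd" type="ServiceType" relation="org:owner"/>
    </assignment>
  </user>
  <user oid="7c1f0a6e-0000-4000-8000-000000000002">
    <name>jdoe</name>
    <assignment>
      <!-- no relation attribute: plain membership (org:default), not governance -->
      <targetRef oid="b2b5a1e0-0000-4000-8000-000000000001" type="ServiceType"/>
    </assignment>
    <assignment>
      <targetRef oid="b2b5a1e0-0000-4000-8000-000000000001" type="ServiceType" relation="org:approver"/>
    </assignment>
  </user>
</objects>"""


def local_name(tag):
    """'{http://...}user' -> 'user'; unprefixed tags pass through unchanged."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local_name(c.tag) == name]


def relation_of(target_ref):
    """Local part of the relation QName; a missing attribute means org:default."""
    return target_ref.get("relation", "org:default").split(":", 1)[-1]


def load_governance(xml_text):
    """Return (applications, governance): applications maps service OID to
    name for services carrying the Application archetype; governance maps
    governed OID -> relation -> set of governing user names."""
    applications = {}
    governance = defaultdict(lambda: defaultdict(set))
    for obj in ET.fromstring(xml_text):
        refs = [r for a in children(obj, "assignment") for r in children(a, "targetRef")]
        name = children(obj, "name")[0].text
        kind = local_name(obj.tag)
        if kind == "service" and any(r.get("oid") == APPLICATION_ARCHETYPE_OID for r in refs):
            applications[obj.get("oid")] = name
        elif kind == "user":
            for ref in refs:
                rel = relation_of(ref)
                if rel in GOVERNANCE_RELATIONS:  # org:default membership is not governance
                    governance[ref.get("oid")][rel].add(name)
    return applications, governance


def governors(xml_text, oid):
    """Governance relations held on one object, e.g. {'owner': ['eevans']}."""
    _, governance = load_governance(xml_text)
    return {rel: sorted(users) for rel, users in governance.get(oid, {}).items()}


def applications_without(xml_text, relation="owner"):
    """Names of applications where nobody holds the given governance relation."""
    applications, governance = load_governance(xml_text)
    return sorted(name for oid, name in applications.items()
                  if not governance.get(oid, {}).get(relation))


if __name__ == "__main__":
    for app in applications_without(SAMPLE_OBJECTS):
        print(f"application without owner: {app}")
```

Run against the sample, the script reports Payroll as the application without an owner: jdoe's first assignment to Payroll has no relation attribute and is therefore plain membership, and the second one makes jdoe an approver, which per the table above decides about role use, not about the role itself. Asking the same question for the approver relation reports Public Website instead. On a real deployment the input would be an export of users and services rather than the inline sample.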

Governance relations can be easily managed in the midPoint administration user interface. Object detail pages have a Governance panel, designed especially for setting up object governance relations.

Managing application owner in GUI

Authorizations

Approval Policies

Policy Rules

Processes and Procedures
