
User-Friendly Policy Selection
Applicable policies feature
This page is an introduction to the Applicable policies feature of midPoint.
Please see the feature page for more details.
This page describes how to apply policies directly to individual objects, such as users and roles, in the GUI.
If you want to apply policies more systematically instead, as opposed to on a role-by-role basis, use global policy rules that enable you to apply policies to multiple objects based on filters.
Introduction
In midPoint, policies are expressed in a form similar to that of metaroles.
The difference is that while metaroles use the role data type, policies use the policy type.
For example, a policy that drives role assignment through an approval will be expressed as an "approval by manager" policy object (see the schema below). This policy object will contain all policy rules necessary to implement the approval policy. As those policy rules may be quite complex, they are all conveniently packed into a policy object.
Once you have the policy object defined, you need to assign it to an object to which it should apply - which is usually a role.

The schema above illustrates an application of an approval policy to a Supervisor role.
Supervisor is an ordinary business or application role to which we want to apply our approval policy.
The approval policy is specified in the "Approval by manager" policy object.
This policy object specifies all the necessary policy rules.
However, as those rules are specified inside an inducement, the policy rules do not apply to the role which contains them, i.e. the rules do not apply to the "Approval by manager" policy object.
Those policy rules will apply to any object that has the policy assigned.
In this case, it is the Supervisor role.
The Supervisor role will be affected by the policy rules.
And that is exactly what we want here.
Therefore, if the "Approval by manager" policy is assigned to the Supervisor role, then the approval policy applies to the Supervisor role.
And all assignments of the Supervisor role must be approved by the respective user’s manager.
If there is no assignment between the policy and the Supervisor role, the policy is not applied.
The (non)existence of an assignment then functions as an on/off switch for the policy.
And this is the mechanism that is used in the midPoint user interface to enable you to apply policies. The user interface simply manages the assignments between (ordinary) roles and policies.
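Because the assignment is the switch, a role's policy coverage can be checked outside the GUI by looking for that assignment in exported role objects. The following is an added example, not part of the midPoint documentation or code base: the function name, the sample export and all OIDs are constructed placeholders, and it assumes the export uses the common-3 namespace with policy references typed as PolicyType.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed placeholder OID standing in for the "Approval by manager" policy.
POLICY_OID = "00000000-0000-0000-0000-0000000000a1"

# Constructed sample export (not taken from a real deployment).
SAMPLE_EXPORT = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <role oid="00000000-0000-0000-0000-0000000000b1">
    <name>Supervisor</name>
    <assignment>
      <targetRef oid="00000000-0000-0000-0000-0000000000a1" type="PolicyType"/>
    </assignment>
  </role>
  <role oid="00000000-0000-0000-0000-0000000000b2">
    <name>Auditor</name>
    <!-- Reference sits in an inducement, not an assignment: switch is off for this role -->
    <inducement>
      <targetRef oid="00000000-0000-0000-0000-0000000000a1" type="PolicyType"/>
    </inducement>
  </role>
  <role oid="00000000-0000-0000-0000-0000000000b3">
    <name>Clerk</name>
    <assignment>
      <targetRef oid="00000000-0000-0000-0000-0000000000c1" type="OrgType"/>
    </assignment>
  </role>
</objects>
"""

def policy_coverage(export_xml, policy_oid):
    """Split role names into (covered, uncovered) by direct assignment of policy_oid."""
    root = ET.fromstring(export_xml)
    covered, uncovered = [], []
    for role in root.iter(f"{{{NS['c']}}}role"):
        name = role.findtext("c:name", default="(unnamed)", namespaces=NS)
        # Only direct assignments count; the type may carry a prefix such as "c:PolicyType".
        hit = any(
            ref.get("oid") == policy_oid
            and ref.get("type", "").split(":")[-1] == "PolicyType"
            for ref in role.findall("c:assignment/c:targetRef", NS)
        )
        (covered if hit else uncovered).append(name)
    return covered, uncovered

if __name__ == "__main__":
    on, off = policy_coverage(SAMPLE_EXPORT, POLICY_OID)
    print("policy applied:", on)
    print("policy NOT applied:", off)
```

Roles in the second list are the ones whose assignments would proceed without the approval policy, which makes them the ones to review.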
Configuration
- Set up policies.
- Set up which policies should be displayed in midPoint for the purposes of assigning. The midPoint user interface needs to be told which "applicable policies" to display. MidPoint cannot simply list all the policies in the system as it does not know which policies are applicable to specific situations. The list could be considerably long. Also, we want the "applicable policies" to be neatly organized into categories. And finally, since there is no strict distinction between roles and policies in midPoint (besides their data type), midPoint needs some mechanism to organize all "applicable policies" and categories.
This organization is done through the organizational structure. This enables you to manage policy categories using the concept of delegated administration which is common for organizational structures.
Most of the work in setting up applicable policies is in organizing your policies into a simple organizational structure. You can see policy groups that are configured in the system, and their members (policies with policy rules specified) on the Organization tree page.
Make sure that you select Policy or All in the Type drop-down menu to see the available policies.
See Applicable Policy Configuration for configuration details and examples.
User Interface
For the purposes of this guide, we are applying policies to a role. However, you can apply policies also to users.
To apply a policy to a role:
- Go to Roles > All roles > role.
- Click Applicable Policies.
- Assign policies that you want to apply to your role by selecting their check-boxes.
- Click Save.
You can check that the policies have been assigned in the Assignments section by clicking Assignments > All:
Compliance
This feature is related to the following compliance frameworks: