<systemConfiguration>
...
<defaultObjectPolicyConfiguration>
<type>RoleType</type>
<applicablePolicies>
<policyGroupRef oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0"/>
<policyGroupRef oid="b7e2f6f0-23a2-11e8-983a-b315ed2c30b3"/>
</applicablePolicies>
</defaultObjectPolicyConfiguration>
</systemConfiguration>Applicable Policy Configuration
This describes the configuration needed to be able to apply policies directly to individual roles and users in the application user interface.
This configuration is a prerequisite for User-Friendly Policy Selection.
Configuration
Applicable policies are defined as meta-roles. If a policy is applied (e.g. by selecting a check-box in the application interface), the corresponding policy is assigned. Policies are sorted into policy groups. Policy groups are, in fact, Orgs. Any meta-role which is a member of an org is considered to be a part of the policy group. Policy groups (orgs) need to be referred to from the system configuration.
Therefore, to make sure policies are accessible in the Applicable Policies section of roles and users in the midPoint user interface, you need to configure the following:
-
Create a system configuration that includes policy groups that you will be displaying.
-
Set up the groups that you will use to classify policies.
-
Add your policies to the created groups.
See examples of how you can implement such a configuration below.
Examples
System Configuration
Policy Groups
Policy group for approval
<org oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0">
<name>policy-meta-approval</name>
<displayName>Approval policies</displayName>
</org>Policy group for security
<org oid="b7e2f6f0-23a2-11e8-983a-b315ed2c30b3">
<name>policy-meta-security</name>
<displayName>Security policies</displayName>
</org>Individual Policies
Policy for manager approval
<policy oid="4798bd8e-23a3-11e8-a502-e32261e4ecff">
<name>policy-approval-manager</name>
<displayName>Approval by manager</displayName>
<assignment>
<!-- Assignment so this meta-role is part of the policy group -->
<targetRef oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0" type="OrgType"/>
</assignment>
<!-- inducements with policy rules for actual approval policy will be here -->
</policy>Policy for owner approval
<policy oid="a38b7eec-23a3-11e8-9f81-f7fb91a9d52a">
<name>policy-approval-role-owner</name>
<displayName>Approval by role owner</displayName>
<assignment>
<!-- Assignment so this meta-role is part of the policy group -->
<targetRef oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0" type="OrgType"/>
</assignment>
<!-- inducements with policy rules for actual approval policy will be here -->
</policy>Policy for SoD
<policy oid="d5d76b9a-23a3-11e8-be88-bb290240045b">
<name>policy-sod</name>
<displayName>Segregation of Duties Policy</displayName>
<assignment>
<!-- Assignment so this meta-role is part of the policy group -->
<targetRef oid="b7e2f6f0-23a2-11e8-983a-b315ed2c30b3" type="OrgType"/>
</assignment>
<!-- inducements with policy rules for actual SoD policy will be here -->
</policy>See Using Metaroles for Policy Configuration for more specific examples of an approval policy specification in a metarole.
|
Display names
Display names of roles and orgs are used by midPoint user interface whenever possible. In case that display names are not available, ordinary object names are used. So midPoint always has something to display to the user. However, it is recommended to use display names. Firstly, ordinary object names are required to be unique. This requirement usually leads to a very complex naming convention for roles that is not entirely user-friendly. There is no such requirement for display names. Therefore display names can be used almost freely to provide a meaningful information to the user. |
See Also
Was this page helpful?
YES
NO
Thanks for your feedback