Metaroles

Meta-role feature
This page is an introduction to the meta-role midPoint feature. Please see the feature page for more details.

Introduction
MidPoint roles are usually applied to users. However, midPoint roles are quite universal things. A role can be applied to almost any midPoint object: to users, organizations, services, and even to roles themselves. Applying a role to another role is what creates a metarole.
Simply speaking, metaroles are roles applied to other roles. An ordinary role applies its characteristics to a user. A metarole applies its characteristics to another role or a similar role-like object. This is perfectly possible in midPoint, as roles can be applied to almost any midPoint object. Applying roles to other roles may seem like a useless exercise, but the truth is that metaroles are tremendously useful.
Repetition is extensive in almost all identity management deployments. For example, all business roles may have the same approval process. There may be role classes that have similar exclusion policies, as part of a global segregation of duties (SoD) policy. There may be roles that are tied to entitlements in a systematic way. Roles, organizational units, services, and other role-like objects tend to be quite similar. Therefore, defining the policy in one metarole and applying that metarole to multiple other roles can be very useful.
Archetypes and policy objects act as natural metaroles, which is clearly illustrated by using policy objects as classifications.
There are also other objects that can act as metaroles:
- Abstract roles such as orgs and services
- Applications, which can be quite useful when used as metaroles

Mechanism
Metaroles are (abstract) roles that are assigned to other roles. In metaroles, policies are applied to target roles through inducement:

```xml
<role oid="6924fb9c-a184-11e9-840e-2feb476335f4">
    <name>Account Manager</name>
    <description>
        This is a business role that corresponds to the account manager job.
    </description>
    <assignment>
        <!-- Metarole assignment -->
        <targetRef oid="a3065910-a183-11e9-835c-0b6edc3d44c3" type="ArchetypeType"/>
    </assignment>
    <inducement>
        <!--
        Privileges specific to account manager.
        -->
    </inducement>
</role>

<archetype oid="a3065910-a183-11e9-835c-0b6edc3d44c3">
    <name>Business role</name>
    <inducement>
        <!--
        Policies and constructions that should be applied to all
        business roles.
        -->
    </inducement>
</archetype>
```

In this case, the archetype acts as a metarole. An archetype is an abstract role, which means that it is just like a role, with some extra mechanisms that enrich objects, for example with icons and colors. In this example, the archetype specifies common policies and characteristics for all objects that have it assigned.
At first sight, metaroles may seem similar to the concept of role hierarchy. However, there is a crucial difference. Metaroles are applied to roles, not users. Inducements in metaroles often contain policies, such as approval policies. There may also be construction clauses that create groups or organizational units, which is often used in generic synchronization. We usually do not want to create a group for each user, but we often want to create a group for a role. That is what metaroles can do.
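As an added example (not part of the original page), the Business role archetype from the Account Manager example filled in with the two kinds of inducement this section describes: a policy rule that requires approval by the role owner whenever a role carrying this archetype is assigned to a user, and a construction that creates one group on a resource per business role rather than per user. The resource OID is a placeholder, and the approval action, the `owner` relation and the `entitlement`/`group` kind and intent values are assumptions about the midPoint schema, not something this page states.

```xml
<!-- Added example: the Business role archetype acting as a metarole.
     The archetype OID is the one from the page; the resource OID is a placeholder. -->
<archetype oid="a3065910-a183-11e9-835c-0b6edc3d44c3">
    <name>Business role</name>
    <!-- Induced into every role that has this archetype assigned:
         adding such a role to a user must be approved by the role's owner.
         (Assumed policy-rule and approval-action shape.) -->
    <inducement>
        <policyRule>
            <name>business-role-assignment-approval</name>
            <policyConstraints>
                <assignment>
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval>
                    <approverRelation>owner</approverRelation>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
    <!-- Also induced into every business role: a group is created on the
         target resource for the role itself, not for each user who holds it.
         This is the generic synchronization pattern the text mentions. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>
</archetype>
```

Because both inducements live in the archetype, every role that assigns it (such as Account Manager above) picks up the approval policy and the group construction without repeating either definition.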
See Also
Compliance
This feature is related to the following compliance frameworks: