```xml
<service oid="45bb3cea-fde9-4590-812a-e86b37492bcd">
    <name>Public Website</name>
    <assignment>
        <!-- Application archetype -->
        <targetRef oid="00000000-0000-0000-0000-000000000329" type="ArchetypeType" />
    </assignment>
    ...
</service>

<user oid="631009e9-f48e-4b04-80d6-d05ed6583370">
    <name>eevans</name>
    ...
    <assignment>
        <!-- governance relation: eevans is the owner of the Public Website service -->
        <targetRef oid="45bb3cea-fde9-4590-812a-e86b37492bcd" type="ServiceType" relation="org:owner"/>
    </assignment>
</user>
```
Object Governance
Object governance feature
This page describes the Object governance midPoint feature. Please see the feature page for more details.
Work in progress
Object governance is a mechanism based on maintaining governance relations to objects, such as relations of ownership, management or approval. Complex governance rules can be built on top of the relations to implement business and regulatory compliance policies.
Assignment and Relation
Object governance starts with assignment and relation.
Assignment provides the ability to create relationships between objects, while relation further specifies the type of that relationship.
Relations such as `owner`, `manager` and `approver` are commonly used for governance purposes.
When specifying the governance relationship of an object, an assignment is created in the governing entity (usually a user) that points to the governed entity (usually an application, role or org), as shown in the example at the top of this page.
Relations used for governance purposes are summarized in the following table.
Relation | Description | Usually denotes |
---|---|---|
`owner` | Relation "is owner of". Specifies that the subject is a (business) owner of a specified (abstract) role. The owner will be asked for a decision if the role is modified, when the associated policy changes and so on. The owner is responsible for maintaining the role definition and policies. May be used to denote accountable persons as well, such as the sponsor of a project, as opposed to a manager who is responsible for day-to-day operation. The owner is NOT necessarily concerned with the role use (e.g. assignment). The | Business owner of a role or application. |
`manager` | Relation "is manager of". Specifies that the subject is a manager of an organizational unit. Managers are supposed to be operational leaders, involved in day-to-day operations. | Managers of organizational units, such as departments, teams and projects. |
`approver` | Relation "is approver of". Specifies that the subject is a (general) approver of a specified (abstract) role. The approver will be asked to decide if the role is assigned, if there is a rule conflict during assignment (e.g. SoD conflict) or any similar situation. This is a generic approver used for all situations. The system may be customized with more specialized approver roles, e.g. | The person responsible for approval of assigning roles in the access request process. |

There are other relations, some of which are quite commonly used. However, they are not closely related to object governance. The full list of pre-defined relations can be found in Relation.
Ownership is perhaps the most common and useful relationship. By setting ownership for roles and applications, you make sure there is always a responsible person to take care of those roles and applications. Usually, every application and many roles should have a specified owner.
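As an added example (not midPoint's own code), the following script applies the ownership rule above to a constructed, namespace-free XML export in the shape of the snippet at the top of this page: it collects the governance relations pointing at each object and lists the services and roles with no `org:owner` assignment. The Intranet service, the Finance Analyst role and the user jdoe, with their oids, are constructed for the sample.

```python
# Added example, not midPoint code: check which governed objects lack an owner.
# Input is a constructed midPoint-style export with namespaces omitted, as in
# the page's own snippet.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: only the Public Website has an owner (eevans); the
# Intranet service has only an approver, and the role has a plain member.
SAMPLE_EXPORT = """<objects>
  <service oid="45bb3cea-fde9-4590-812a-e86b37492bcd"><name>Public Website</name></service>
  <service oid="11111111-1111-1111-1111-111111111111"><name>Intranet</name></service>
  <role oid="22222222-2222-2222-2222-222222222222"><name>Finance Analyst</name></role>
  <user oid="631009e9-f48e-4b04-80d6-d05ed6583370">
    <name>eevans</name>
    <assignment>
      <targetRef oid="45bb3cea-fde9-4590-812a-e86b37492bcd" type="ServiceType" relation="org:owner"/>
    </assignment>
    <assignment>
      <targetRef oid="11111111-1111-1111-1111-111111111111" type="ServiceType" relation="org:approver"/>
    </assignment>
  </user>
  <user oid="33333333-3333-3333-3333-333333333333">
    <name>jdoe</name>
    <assignment>
      <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType"/>
    </assignment>
  </user>
</objects>"""

# Object types that governance rules apply to (applications are services).
GOVERNED_TAGS = ("service", "role")


def governance_relations(xml_text):
    """Map governed-object oid -> {relation: set of governing user names}.
    Assignments without a relation attribute are plain memberships, not governance."""
    rels = defaultdict(lambda: defaultdict(set))
    for user in ET.fromstring(xml_text).iter("user"):
        for ref in user.findall("assignment/targetRef"):
            if ref.get("relation"):
                rels[ref.get("oid")][ref.get("relation")].add(user.findtext("name"))
    return rels


def objects_without_owner(xml_text):
    """Names of services/roles that no user governs via relation org:owner."""
    rels = governance_relations(xml_text)
    root = ET.fromstring(xml_text)
    return [obj.findtext("name") for tag in GOVERNED_TAGS for obj in root.iter(tag)
            if not rels.get(obj.get("oid"), {}).get("org:owner")]
```

Run against a real export, the returned list is the set of applications and roles that still need an owner assigned; an approver or manager alone does not satisfy the rule.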
Governance relations can be easily managed in the midPoint administration user interface.
Object detail pages have a Governance panel, designed especially for setting up object governance relations.

Authorizations
Approval Policies
Policy Rules
Processes and Procedures
See Also
Compliance
This feature is related to the following compliance frameworks:
- ISO/IEC 27001 5.2: Information security roles and responsibilities
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 5.36: Compliance with policies, rules and standards for information security