Applicable Policy Configuration

Last modified 01 Feb 2022 09:42 +01:00
Since 3.8
This functionality is available since version 3.8.
Table of Contents

MidPoint is very flexible system, especially when it comes to approval and other policies. But the flexibility comes at a cost. Policy definition can be quite complex. Some of this complexity is inherent and cannot really be avoided. But once the policies are created then it should be quite easy to apply them to individual objects such as users and roles. And starting from midPoint 3.8 there indeed is a simple way how to apply even a very complex policies.

The general idea of metarole-based configuration and the corresponding user interface is introduced on User-Friendly Policy Selection page. This page describes configuration details.

Configuration

Applicable policies are defined as meta-roles. If the policy is applied (e.g. by checking a check-box) then corresponding meta-role is assigned. The policies are sorted into policy groups. Policy groups are just Orgs. Any meta-role which is a member of the org is considered to be part of the policy group. The policy groups (orgs) needs to be referred from system configuration. Therefore the complete configuration may look like this:

System Configuration
<systemConfiguration>
    ...
    <defaultObjectPolicyConfiguration>
        <type>RoleType</type>
        <applicablePolicies>
            <policyGroupRef oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0"/>
            <policyGroupRef oid="b7e2f6f0-23a2-11e8-983a-b315ed2c30b3"/>
        </applicablePolicies>
    </defaultObjectPolicyConfiguration>
</systemConfiguration>
Policy group for approval
<org oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0">
    <name>policy-meta-approval</name>
    <subtype>policy</subtype>
    <displayName>Approval policies</displayName>
</org>
Policy group for security
<org oid="b7e2f6f0-23a2-11e8-983a-b315ed2c30b3">
    <name>policy-meta-security</name>
    <subtype>policy</subtype>
    <displayName>Security policies</displayName>
</org>
Meta role for manager approval
<role oid="4798bd8e-23a3-11e8-a502-e32261e4ecff">
    <name>meta-role-policy-approval-manager</name>
    <subtype>policy</subtype>
    <displayName>Approval by manager</displayName>
    <assignment>
        <!-- Assignment so this meta-role is part of the policy group -->
        <targetRef oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0" type="OrgType"/>
    </assignment>
    <!-- inducements with policy rules for actual approval policy will be here -->
</role>
Meta role for owner approval
<role oid="a38b7eec-23a3-11e8-9f81-f7fb91a9d52a">
    <name>meta-role-policy-approval-role-owner</name>
    <subtype>policy</subtype>
    <displayName>Approval by role owner</displayName>
    <assignment>
        <!-- Assignment so this meta-role is part of the policy group -->
        <targetRef oid="b1cb876e-23a2-11e8-bf14-ff36603a9ae0" type="OrgType"/>
    </assignment>
    <!-- inducements with policy rules for actual approval policy will be here -->
</role>
Meta role for SoD policy
<role oid="d5d76b9a-23a3-11e8-be88-bb290240045b">
    <name>meta-role-policy-sod</name>
    <subtype>policy</subtype>
    <displayName>Segregation of Duties Policy</displayName>
    <assignment>
        <!-- Assignment so this meta-role is part of the policy group -->
        <targetRef oid="b7e2f6f0-23a2-11e8-983a-b315ed2c30b3" type="OrgType"/>
    </assignment>
    <!-- inducements with policy rules for actual SoD policy will be here -->
</role>

See Using Metaroles for Policy Configuration page for a more specific examples of approval policy specification in a metarole.

Display names

Display names of roles and orgs are used by midPoint user interface whenever possible. In case that display names are not available, ordinary object names are used. So midPoint always has something to display to the user. However, it is recommended to use display names. Firstly, ordinary object names are required to be unique. This requirement usually leads to a very complex naming convention for roles that is not entirely user-friendly. There is no such requirement for display names. Therefore display names can be used almost freely to provide a meaningful information to the user.

Was this page helpful?
YES NO
Thanks for your feedback