Using Metaroles for Policy Configuration

Last modified 30 Nov 2021 14:50 +01:00

Introduction

MidPoint is very flexible system, especially when it comes to approval and other policies. But the flexibility comes at a cost. Policy definition can be quite complex. Some of this complexity is inherent and cannot really be avoided. But once the policies are created then it should be quite easy to apply them to individual objects such as users and roles. Fortunately, the mechanism of metaroles can be used exactly for this purpose.

The basic idea is to express the policies in a form of metaroles. For example the policy that drives role assignment through an approval will be expressed in "approval by manager" metarole. This metarole will contain all the policy rules necessary to express the approval policy. Those policy rules may be quite complex, but they are all conveniently packed into the metarole. All that remains is to assign the metarole to an object to which it should apply - which is usually a role. So, we end up with a role with an assignment to a another role. And that is what we call metarole. The situation looks like this:

assignments rbac policy metarole

The picture above illustrates application of approval policy to a Supervisor role. Supervisor is ordinary business or application role. It was perhaps just created. And now we want to apply the usual approval policy to this role. The usual approval policy is specified in the "Approval by manager metarole". This metarole specifies all the necessary policy rules. But those rules are specified inside inducement. Therefore the policy rules do not apply to the role which contains them, i.e. the rules do not apply to the "Approval by manager metarole". Those policy rules will apply to any object that has the metarole assigned. In this case it is the Supervisor role. The Supervisor role will be affected by the policy rules.

Examples

Approval By Manager

Following metarole contains "manager" approval policy. When this metaroles is applied to ordinary role then the approval policy is applied to that ordinary role. When that ordinary role is assigned to a user, the request is driven through an approval process. In this case the approval will be requested from user’s manager. The getManagersOidsExceptUser(…​) function from MidPoint Script Library is used to get the manager.

Approval by manager
<role oid="834bf178-30fc-11e8-addd-1fc1464266f5">
        <name>meta-role-policy-assignment-approval-manager</name>
        <subtype>policy</subtype>
        <displayName>Assignment approval by user's manager</displayName>
        <!-- assignment of this metarole to the appropriate org would probably be here -->
        <inducement>
            <policyRule>
                <policyConstraints>
                    <assignment>
                        <operation>add</operation>
                    </assignment>
                </policyConstraints>
                <policyActions>
                    <approval>
                        <compositionStrategy>
                            <order>100</order>
                        </compositionStrategy>
                        <approvalSchema>
                            <stage>
                                <name>User's manager</name>
                                <approverExpression>
                                    <script>
                                        <code>midpoint.getManagersOidsExceptUser(object)</code>
                                    </script>
                                </approverExpression>
                                <evaluationStrategy>firstDecides</evaluationStrategy>
                                <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                            </stage>
                        </approvalSchema>
                    </approval>
                </policyActions>
            </policyRule>
        </inducement>
</role>

Approval By Approver

Following metarole contains "approver" approval policy. When this metaroles is applied to ordinary role then the approval policy is applied to that ordinary role. When that ordinary role is assigned to a user, the request is driven through an approval process. In this case the approval will be requested from the person that is designated as role approver.

Approval by approver
<role oid="0851dd7a-30fc-11e8-88fe-3796232f0574">
        <name>meta-role-policy-assignment-approval-role-approver</name>
        <subtype>policy</subtype>
        <displayName>Assignment approval by any role approver</displayName>
        <!-- assignment of this metarole to the appropriate org would probably be here -->
        <inducement>
            <policyRule>
                <policyConstraints>
                    <assignment>
                        <operation>add</operation>
                    </assignment>
                </policyConstraints>
                <policyActions>
                    <approval>
                        <compositionStrategy>
                            <order>200</order>
                        </compositionStrategy>
                        <approvalSchema>
                            <stage>
                                <name>Role approver</name>
                                <approverRelation>approver</approverRelation>
                                <evaluationStrategy>firstDecides</evaluationStrategy>
                                <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                            </stage>
                        </approvalSchema>
                    </approval>
                </policyActions>
            </policyRule>
        </inducement>
</role>

The policy rule above will drive the role through an approval of a role approver. Role approver is determined by examining all the users that have this role assigned with a special-purpose approver relation. Please see the description of the approval mechanism for more details.

Was this page helpful?
YES NO
Thanks for your feedback