Object Governance
Object governance feature
This page describes the Object governance midPoint feature.
Please see the feature page for more details.
Work in progress
Object governance is a mechanism based on maintaining governance relations to objects, such as relations of ownership, management or approval. Complex governance rules can be built on top of these relations to implement business and regulatory compliance policies.
Assignment and Relation
Object governance starts with assignment and relation.
An assignment creates a relationship between two objects; the relation further specifies the type of that relationship.
Relations such as owner, manager and approver are commonly used for governance purposes.
When specifying a governance relationship of an object, the assignment is created in the entity that governs (usually a user) and targets the entity that is governed (usually an application, role or org), as shown in the following example.
```xml
<service oid="45bb3cea-fde9-4590-812a-e86b37492bcd">
<name>Public Website</name>
<assignment>
<!-- Application archetype -->
<targetRef oid="00000000-0000-0000-0000-000000000329" type="ArchetypeType" />
</assignment>
...
</service>
<user oid="631009e9-f48e-4b04-80d6-d05ed6583370">
<name>eevans</name>
...
<assignment>
<targetRef oid="45bb3cea-fde9-4590-812a-e86b37492bcd" type="ServiceType" relation="org:owner"/>
</assignment>
</user>
```
Relations used for governance purposes are summarized in the following table.
Relation | Description | Usually denotes
---|---|---
owner | Relation "is owner of". Specifies that the subject is a (business) owner of the specified (abstract) role. The owner will be asked for a decision if the role is modified, when the associated policy changes and so on. The owner is responsible for maintaining the role definition and policies. May also be used to denote accountable persons, such as the sponsor of a project, as opposed to a manager who is responsible for day-to-day operation. The owner is NOT necessarily concerned with role use (e.g. assignment). | Business owner of a role or application.
manager | Relation "is manager of". Specifies that the subject is a manager of an organizational unit. Managers are supposed to be operational leaders, involved in day-to-day operations. | Managers of organizational units, such as departments, teams and projects.
approver | Relation "is approver of". Specifies that the subject is a (general) approver of the specified (abstract) role. The approver will be asked for a decision if the role is assigned, if there is a rule conflict during assignment (e.g. SoD conflict) or in any similar situation. This is a generic approver used for all such situations. The system may be customized with more specific approver roles, e.g. | Person responsible for approval of role assignments in the access request process.
There are other relations, some of them quite commonly used. However, they are not closely related to object governance. The full list of pre-defined relations can be found on the relation page.
Ownership is perhaps the most common relationship, and also the most useful one. Ownership of roles and applications makes sure there is always a responsible person to take care of each role and application. Usually, every application and many roles should have a specified owner.
Governance relations can be easily managed in the midPoint administration user interface.
Object detail pages have a Governance panel, designed especially for setting up object governance relations.
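The ownership requirement stated above ("every application and many roles should have a specified owner") can be checked mechanically, because the governance relation is just a `targetRef` with a `relation` attribute inside a user's `assignment`, as in the XML example earlier on this page. The following is an added example, not midPoint's own code or API: a small Python script that reads objects in the shape of that snippet and lists every service, role or org that nobody holds the `org:owner` relation to. The sample document is constructed for the example (the "Payroll" and "Payroll Admin" oids are placeholders); the script assumes that a `targetRef` without a `relation` attribute carries midPoint's default relation `org:default`, and it strips XML namespaces so that a namespaced export parses the same way.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the page's XML snippet (not a real midPoint export).
# "Public Website" has an owner; "Payroll" and "Payroll Admin" do not. The oids of
# "Payroll" and "Payroll Admin" are placeholders.
SAMPLE_XML = """
<objects>
  <service oid="45bb3cea-fde9-4590-812a-e86b37492bcd">
    <name>Public Website</name>
    <assignment>
      <!-- Application archetype; not a governance relation, so the check ignores it -->
      <targetRef oid="00000000-0000-0000-0000-000000000329" type="ArchetypeType"/>
    </assignment>
  </service>
  <service oid="11111111-1111-1111-1111-111111111111">
    <name>Payroll</name>
  </service>
  <role oid="22222222-2222-2222-2222-222222222222">
    <name>Payroll Admin</name>
  </role>
  <user oid="631009e9-f48e-4b04-80d6-d05ed6583370">
    <name>eevans</name>
    <assignment>
      <targetRef oid="45bb3cea-fde9-4590-812a-e86b37492bcd" type="ServiceType" relation="org:owner"/>
    </assignment>
    <assignment>
      <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType" relation="org:approver"/>
    </assignment>
  </user>
</objects>
"""

# Object kinds that the page says should normally have a governing owner.
GOVERNED_KINDS = {"service", "role", "org"}


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name) so prefixed exports also parse."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _name_of(elem):
    names = _children(elem, "name")
    return names[0].text if names else elem.get("oid", "")


def governed_objects(root):
    """Map oid -> (kind, name) for every service, role and org in the document."""
    return {
        el.get("oid"): (_local(el.tag), _name_of(el))
        for el in root.iter()
        if _local(el.tag) in GOVERNED_KINDS and el.get("oid")
    }


def governance_relations(root):
    """Map target oid -> set of (subject name, relation) taken from user assignments.

    Assumption (midPoint convention): a targetRef with no relation attribute
    carries the default relation org:default, which is not a governance relation.
    """
    rels = defaultdict(set)
    for user in (el for el in root.iter() if _local(el.tag) == "user"):
        subject = _name_of(user)
        for assignment in _children(user, "assignment"):
            for ref in _children(assignment, "targetRef"):
                rels[ref.get("oid")].add((subject, ref.get("relation", "org:default")))
    return rels


def owners_of(xml_text, oid, relation="org:owner"):
    """Names of the subjects holding `relation` to the object with this oid."""
    rels = governance_relations(ET.fromstring(xml_text))
    return sorted(subject for subject, rel in rels.get(oid, ()) if rel == relation)


def find_ungoverned(xml_text, relation="org:owner", kinds=GOVERNED_KINDS):
    """(kind, name) of every object of the given kinds that nobody holds `relation` to."""
    root = ET.fromstring(xml_text)
    rels = governance_relations(root)
    return sorted(
        (kind, name)
        for oid, (kind, name) in governed_objects(root).items()
        if kind in kinds and not any(rel == relation for _, rel in rels.get(oid, ()))
    )


if __name__ == "__main__":
    for kind, name in find_ungoverned(SAMPLE_XML):
        print(f"no owner: {kind} '{name}'")
```

Run against the constructed sample, the report names the "Payroll" service and the "Payroll Admin" role; the archetype reference on "Public Website" is ignored because it sits in the service's own assignment rather than in a user's, and the approver relation on "Payroll Admin" does not satisfy an ownership check. The same `find_ungoverned` call with `relation="org:approver"` turns the script into an approver-coverage check for access request processes.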
Authorizations
Approval Policies
Policy Rules
Processes and Procedures
See Also
Compliance
This feature is related to the following compliance frameworks:
- ISO/IEC 27001 5.2: Information security roles and responsibilities
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 5.36: Compliance with policies, rules and standards for information security