Skip to end of metadata
Go to start of metadata

MidPoint 3.8 and later


MidPoint is very flexible system, especially when it comes to approval and other policies. But the flexibility comes at a cost. Policy definition can be quite complex. Some of this complexity is inherent and cannot really be avoided. But once the policies are created then it should be quite easy to apply them to individual objects such as users and roles. And starting from midPoint 3.8 there indeed is a simple way how to apply even a very complex policies.

The general idea of metarole-based configuration and the corresponding user interface is introduced on User-Friendly Policy Selection page. This page describes configuration details.


Applicable policies are defined as meta-roles. If the policy is applied (e.g. by checking a check-box) then corresponding meta-role is assigned. The policies are sorted into policy groups. Policy groups are just Orgs. Any meta-role which is a member of the org is considered to be part of the policy group. The policy groups (orgs) needs to be referred from system configuration. Therefore the complete configuration may look like this:

System Configuration
Policy group for approval
Policy group for security
Meta role for manager approval
Meta role for manager approval
Meta role for manager approval

See Using Metaroles for Policy Configuration page for a more specific examples of approval policy specification in a metarole.

Display names

Display names of roles and orgs are used by midPoint user interface whenever possible. In case that display names are not available, ordinary object names are used. So midPoint always has something to display to the user. However, it is recommended to use display names. Firstly, ordinary object names are required to be unique. This requirement usually leads to a very complex naming convention for roles that is not entirely user-friendly. There is no such requirement for display names. Therefore display names can be used almost freely to provide a meaningful information to the user.


See Also

  • No labels