<systemConfiguration oid="00000000-0000-0000-0000-000000000001" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"> ... <roleManagement> <relations> <relation> <ref>piracy:captain</ref> <description>This is completely new relation</description> <display> <label>Captain</label> </display> <category>organization</category> <category>governance</category> </relation> <relation> <ref>org:owner</ref> <description>This is redefined default relation. EXPERIMENTAL</description> <display> <label>Master</label> </display> <category>policy</category> <category>governance</category> <defaultFor>owner</defaultFor> </relation> </relations> </roleManagement> </systemConfiguration>
There is a handful of relations that are hardcoded in midPoint:
|Relation||Meaning||Is a default for||Is also of kind|
Default relation, usually meaning "has" or "is member of". Specifies that the subject is a member of organization, or that the subject has been assigned a role in a way that he gets authorizations and other content provided by that role.
Relation "is manager of". Specifies that the subject is a manager of organizational unit.
Relation used for metarole assignments. Sometimes it is important to distinguish metarole and member assignments. This relation is used for that purpose.
Relation "is deputy of". Specifies that the subject is a deputy of another user.
Relation "is approver of". Specifies that the subject is a (general) approver of specified (abstract) role. The approver will be asked for decision if the role is assigned, if there is a rule conflict during assignment (e.g. SoD conflict) or if there is any similar situation.
This is a generic approver used for all the situation. The system may be customized with more specific approver roles, e.g. technicalApprover, securityApprover, etc.
This approver is responsible for the use of the role, which mostly means that he decides about role assignment. It is NOT meant to approve role changes. Role owner is meant for that purpose.
Relation "is owner of". Specifies that the subject is a (business) owner of specified (abstract) role. The owner will be asked for decision if the role is modified, when the associated policy changes and so on.
This owner is responsible for maintaining role definition and policies. It is NOT necessarily concerned with role use (e.g. assignment). The approver relation is meant for that purpose.
Relation "is consent for". Specifies that the subject gave a consent for using personnel information related to this role.
Meaning of these statically defined relation are defined directly within midPoint code. Before midPoint 3.9 this set of relations relations was effectively fixed. Since midPoint 3.9 this can be extended and even changed. Just please note that currently relation configuration is supposed to be used only to add completely new relations. Changing existing (hardcoded) relations is experimental functionality.