midPoint uses a (very) extended version of the Role-Based Access Control (RBAC) mechanism. RBAC was originally defined as a mostly static structure of users and roles: a user assigned to a role gets all the rights implied by the role, and if two users have the same role, they have the same rights. However, this leads to the problem of Role Explosion. We hope to solve that problem by enhancing the RBAC model with logic. We add the ability to specify expressions in role definitions that determine how and when the role is used. Therefore the role can adapt to the attributes of the user that has the role, or even the role assignment itself can be parametrized. This allows the construction of RBAC structures that use fewer roles and are much more manageable.
Things may get really complicated when an IDM solution is meant to synchronize much more than just users and accounts, and midPoint is designed to be very generic about what it synchronizes. E.g. an IDM solution may want to create groups on a resource as a representation of midPoint roles. But how does midPoint know on which resources the groups should be created? And what should they look like? This is both easy and complex, but there is a very elegant solution. MidPoint already has a mechanism for this: RBAC. Following the midPoint approach, we try to apply existing mechanisms as much as possible and practical. Therefore we have applied the mechanism of roles to the roles themselves, thus creating the concept of meta-roles (and meta-meta-roles, meta-meta-meta-roles, ...). This may sound crazy, but it is in fact a very elegant and powerful mechanism. See Roles and Policies Configuration and Generic Synchronization for more details.
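As an added configuration sketch (not taken from this page or from the midPoint documentation it links to), the meta-role pattern described above: a meta-role whose inducement puts a group on a resource for every business role that holds it, and a business role that simply assigns the meta-role. Element names follow midPoint's XML configuration schema; the OIDs and the `ri:cn` attribute name are placeholders chosen for illustration.

```xml
<!-- Meta-role. It is assigned to business roles, not to users. Its inducement
     (default order 1) applies to whatever holds the meta-role, i.e. the business
     role, so each business role ends up represented by a group on the resource.
     $focus in the mapping is therefore the business role, which is how the group
     adapts to the role that "wears" this meta-role. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="META-ROLE-OID-PLACEHOLDER">
    <name>Meta-role: business role becomes a directory group</name>
    <inducement>
        <construction>
            <!-- placeholder OID of the target resource (e.g. an LDAP directory) -->
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <!-- the object created is an entitlement (group), not an account -->
            <kind>entitlement</kind>
            <intent>group</intent>
            <attribute>
                <!-- assumed resource attribute holding the group name -->
                <ref>ri:cn</ref>
                <outbound>
                    <!-- name the group after the business role holding this meta-role -->
                    <source><path>$focus/name</path></source>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>

<!-- Business role. Nothing here is specific to groups or resources; it just
     assigns the meta-role, and the group appears as a consequence. Because a
     meta-role is itself an ordinary role, a meta-meta-role is assigned to the
     meta-role in exactly the same way. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="BUSINESS-ROLE-OID-PLACEHOLDER">
    <name>Sales</name>
    <assignment>
        <targetRef oid="META-ROLE-OID-PLACEHOLDER" type="RoleType"/>
    </assignment>
</role>
```

Because the group-creation logic lives in one meta-role, adding a second target resource or renaming the group attribute is one change rather than one per business role, which is the role-explosion problem the text describes.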