Roles can naturally contain other roles, creating a role hierarchy. Role hierarchies can be quite complex, both in their structure and in the logic embedded in them. Because midPoint uses the relative change model, values coming from many roles are easy to merge, which allows very complex RBAC structures to be built. Important parts of the hierarchy are exposed to the expressions in individual roles, so role hierarchies can be combined with parametric roles (see below) to support very complex and flexible RBAC-like models.
Roles in traditional identity management systems can only be assigned to a user or unassigned from a user, and that is all the flexibility there is. This is not enough to efficiently model complex real-world scenarios. For example, the role of Assistant can have some generic parts that are common to every assistant, but there may be a few parts that are specific to each sub-group of users or even to each individual user: the identification of the building or department for which the assistant works, the dates of role activation and deactivation, the financial limit that the assistant is authorized to handle, and so on. In traditional systems this leads to the necessity of creating roles such as AssistantBratislava. That alone is quite difficult to manage, because there is also a need for ClerkBratislava, and the same for office manager, purchasing manager, and so on. And when it comes to roles such as PurchasingManagerAssistant2013NewYork5000, it is quite certain that the solution has a severe role explosion problem.
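The following is an added illustration of the two ideas above (role hierarchy with merged values, and parameters supplied per assignment instead of baked into role names); it is not midPoint code and does not use midPoint's schema. The role catalogue, the parameter names building and limit, and the user assignments are constructed for the example. It resolves the transitive closure of a role hierarchy (with cycle detection), merges grants from several roles as a set union in the spirit of a relative change model, fails clearly when a parametric role is assigned without its parameter, and counts how many roles a system without parameters would need for the same coverage.

```python
"""Role hierarchy and parametric roles: a minimal model (added example, not midPoint's own code).

All roles, parameters and assignments below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple = ()     # entitlement templates; "{param}" placeholders are filled per assignment
    includes: tuple = ()   # names of roles this role contains (the role hierarchy)


# Constructed role catalogue. Building and financial limit are parameters of the
# assignment, so there is one Assistant role instead of AssistantBratislava etc.
ROLES = {
    "Employee": Role("Employee", grants=("mail",)),
    "Assistant": Role("Assistant",
                      grants=("office-{building}", "spend-limit-{limit}"),
                      includes=("Employee",)),
    "Clerk": Role("Clerk",
                  grants=("office-{building}", "records-ro"),
                  includes=("Employee",)),
    "PurchasingManagerAssistant": Role("PurchasingManagerAssistant",
                                       grants=("po-approve-{limit}",),
                                       includes=("Assistant",)),
}


def effective_grants(assignments, roles=ROLES):
    """Resolve every assignment through the hierarchy and merge the resulting grants.

    assignments: iterable of (role_name, params) where params is a dict of parameter
    values carried by that assignment. The merge is a set union: two roles granting
    the same value yield one value, not a conflict. A cycle in the hierarchy or a
    missing parameter raises ValueError instead of silently producing a partial result.
    """
    result = set()
    for role_name, params in assignments:
        stack = [(role_name, ())]            # (role to expand, path of roles above it)
        while stack:
            name, path = stack.pop()
            if name in path:
                raise ValueError("role hierarchy cycle: " + " -> ".join(path + (name,)))
            role = roles[name]
            for template in role.grants:
                try:
                    result.add(template.format(**params))
                except KeyError as missing:
                    raise ValueError(
                        f"role {name} needs parameter {missing} on assignment of {role_name}"
                    ) from None
            stack.extend((child, path + (name,)) for child in role.includes)
    return result


def enumerated_role_count(job_roles, **param_values):
    """Roles a system without parametric roles needs: one per job/parameter combination."""
    count = len(job_roles)
    for values in param_values.values():
        count *= len(values)
    return count


if __name__ == "__main__":
    # One user assigned two parametric roles for the same building.
    user = [("Assistant", {"building": "Bratislava", "limit": 5000}),
            ("Clerk", {"building": "Bratislava"})]
    print(sorted(effective_grants(user)))
    # The same coverage with enumerated role names would need this many roles:
    print(enumerated_role_count(["Assistant", "Clerk", "PurchasingManagerAssistant"],
                                building=["Bratislava", "NewYork"],
                                limit=[1000, 5000]))
```

The cycle check is deliberate: real role hierarchies are edited by many people, and an include loop must be reported rather than expanded forever or dropped.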