Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Therefore to apply a "Approval by owner" policy to the role simply check the box next to the label. And the click Save button. The policies from the "Approval by owner" metarole will be automatically applied.



TODO: used for selective on/off on role-by-role basis. If there is a systemic distinction: use global policy rules.


TODO: listing metaroles


Obviously, the first step is to set up the metaroles themselves. The Using Metaroles for Policy Configuration page describes the basic principle and also provides some examples.

However, there is yet another configuration to be made. MidPoint user interface has to know which "applicable policies" to display. MidPoint cannot simply list all the metaroles in the system. Fisrtly, midPoint does not know which metaroles are applicable to this specific situation and therefore the list might be too long. Secondly, we want the "applicable policies" to be neatly organized into categories. And finally, there is no strict distinction between role and metarole in midPoint anyway. Therefore midPoint needs some mechanism to organize all the "applicable polices" meta-roles and categories. Fortunately, midPoint already has a mechanism for that, even though the mechanism may not be that obvious in this situation. The mechanism is organizational structure. This has additional benefit that the policy categories can be easily managed by using concepts of delegated administration which is common for organizational structures.

Therefore most of the work to set up applicable policies is to organize the metaroles into a simple organizational structure. On the Organization tree page you can see policy groups configured in the system configuration and their members (meta-roles with policy rules specified).

You can find Applicable policies tab on Role's, Service's or Organization's details page. There, all the policy groups with their members will be displayed. You can add or remove policy simply by checking/unchecking of the appropriate check box

There is one more thing to do for this setup to work and that is to set up the organizational unit in system configuration so midPoint user interface can find them.

Please see Applicable Policy Configuration page for configuration details and examples.


This mechanism is really useful and very convenient in case that the polices are applied on role-by-role basis. This means that some roles have the policies applied and other roles do not. And this is decided by system administrator and there is no systemic way how to distinguish when a policy should be applied and when it should not.

If there is indeed a systemic way to apply a policy then there is a better approach: global policy rules. Global policy rules can be used to apply the rules to all selected objects based on a filter. Therefore the policies can be applied in a systemic way.

See Also