Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



Figure: Role Hierarchy

Parametric Roles


Roles in traditional identity management systems can only be simply assigned to a user or unassigned from a user. And that's all the flexibility. However this is not enough to efficiently model complex real-world scenarios. For example the role of Assistant can have some generic parts that are common to each assistant but there may be few parts that are specific for each sub-group of users or even for each individual user. For example identification of a building or department for which the assistant works, date of role activation and deactivation, the financial limit that an assistant is authorized to handle, etc. In traditional systems this leads to a necessity of creating roles such as AssistantNewYorkAssistantLondon and AssistantBratislava. This alone is quite difficult to manage because there is also need to ClerkNewYorkClerkLondon and ClerkBratislava and the same for office manager, purchasing manager, ... And when it comes to roles such as PurchasingManagerAssistant2013NewYork5000 it is quite sure that the solution got a severe role explosion problem.


This approach dramatically reduces the number of roles needed for the IDM solution and makes the entire RBAC deployment considerably more manageable.

titlePartially supported

 Parametric roles are fully supported by midPoint core (the "engine" or "IDM Model"). But user interface support for parametric roles is still missing. Parametric roles are inherently flexible and customizable thing. Therefore the user interface cannot be hardcoded to support them. User interface needs to adapt to parameters, that can be different for each and every role. Support for this method is feasible, but it is just not implemented yet because nobody had funded such development. In case that you are interested in funding user interface support for parametric roles please consider purchasing a subscription.



This feature is available in midPoint version 3.0 and later.