Description

A role in the extended Role-Based Access Control (RBAC) sense. Roles specify the privileges that a user (or another object) should have.

A role may "grant" accounts on resources, together with attributes and entitlements for such accounts. A role can also assign organizational units, other roles or any other IDM object that can be assigned directly to a user. From this point of view a role is in fact just a named set of assignments.

Roles form the basic building block of midPoint's extended role-based access control (RBAC) mechanism. A role defines what rights (e.g. accounts) should be given to a user, what those rights should look like (attributes) and which groups or native roles the user should be a member of (entitlements).

Roles can also specify user authorizations to access specific parts of midPoint. This is used to implement a fine-grained authorization mechanism. Combined with the organizational structure it forms a delegated administration mechanism. Because a role bundles both resource privileges and midPoint authorizations, the right to create or modify role definitions is itself a highly privileged operation.

Roles can also be conditional, i.e. applicable only if a specific condition is true. Roles can be parametric, i.e. the expressions inside a role can use parameters that were specified at the time the role was assigned (as opposed to parameters fixed when the role was defined).

RoleType, like all midPoint objects, is a subtype of ObjectType. It therefore has all the basic properties such as name and description.

RoleType is also a focal type, so it can act as a "focus" (the authoritative object) in midPoint synchronization. When this mechanism is used to apply a role to other roles (or to other non-user objects), the role becomes a meta-role.
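The following role definition is an added worked example; it is not part of the original page and is not code from the midPoint project. It shows a role as a named set of grants: an account construction with one attribute and one entitlement (group membership), a nested role, a conditional grant and a midPoint authorization. It assumes the midPoint 3.x "common-3" schema namespace; all OIDs, the attribute and association names (ri:description, ri:group, ri:cn), the group name and the employeeType check in the condition script are hypothetical placeholders.

```xml
<!-- Added example, not from the original page or the midPoint project.
     Assumes the midPoint 3.x common-3 namespace. OIDs, attribute/association
     names and the group name are hypothetical placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="00000000-0000-0000-0000-000000000001">
    <name>Sales Assistant</name>
    <description>Named set of grants for sales assistants.</description>

    <!-- An inducement is what the role passes on to whoever is assigned the role.
         (An <assignment> inside a role applies to the role object itself.) -->
    <inducement>
        <!-- Grant an account on a resource, set one attribute on it and
             make the account a member of a group (entitlement). -->
        <construction>
            <resourceRef oid="11111111-1111-1111-1111-111111111111" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <expression>
                        <value>Sales assistant (granted by role)</value>
                    </expression>
                </outbound>
            </attribute>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <!-- hypothetical naming attribute and group name -->
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:cn</q:path>
                                    <q:value>sales-assistants</q:value>
                                </q:equal>
                            </filter>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>

    <!-- Roles can assign other roles: holders also receive this role. -->
    <inducement>
        <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType"/>
    </inducement>

    <!-- Conditional grant: the extra role applies only while the condition
         holds for the user. The employeeType value is a hypothetical check. -->
    <inducement>
        <targetRef oid="33333333-3333-3333-3333-333333333333" type="RoleType"/>
        <condition>
            <expression>
                <script>
                    <code>user?.employeeType == 'employee'</code>
                </script>
            </expression>
        </condition>
    </inducement>

    <!-- Authorization inside midPoint itself: holders may read user objects. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>
```

Two points worth checking when reviewing a role like this: everything the role hands to its holders lives under inducement, so an assignment accidentally placed at the role level would apply to the role object (the meta-role case) rather than to users; and the authorization element grants access to midPoint data independently of the resource grants, so it deserves the same review as the constructions.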

SchemaDoc

The following links can be used to get a full and authoritative description of the role object schema:

Release          Schema document
Latest stable    RoleType
Development      RoleType

Important Items

The user object contains the following frequently used items:

TODO TODO TODO

 

fullName (PolyString, optional)
    Full name of the user with all the decorations: middle-name initials, honorific titles and any other structure that is usual in the cultural environment the system operates in. This element is intended to be displayed to a common user of the system.
    Examples: cpt. Jack Sparrow; William "Bootstrap" Turner; James W. Random, PhD.; Vladimir Iljic Lenin; Josip Broz Tito; Chuck Norris

givenName (PolyString, optional)
    Given name of the user. It is usually the first name of the user, but the order of names may differ in various cultural environments. This element will always contain the name that was given to the user at birth or was chosen by the user.
    Examples: Jack, Chuck

familyName (PolyString, optional)
    Family name of the user. It is usually the last name of the user, but the order of names may differ in various cultural environments. This element will always contain the name that was inherited from the family or was assigned to the user by some other means.
    Examples: Sparrow, Norris

additionalName (PolyString, optional)
    Middle name, patronymic, matronymic or any other name of a person. It is usually the middle component of the name, although that may be culture-dependent.
    Examples: Walker, John, Iljic

See Also
