MidPoint: MID-2483

Advanced Segregation of Duties

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: distant future
    • Component/s: None
    • Labels:

      Description

      Segregation of duties based on classes of mutually exclusive roles (e.g. "executive" roles and "audit" roles that cannot be assigned at the same time).

      Also, support for a maximum number of assignments from a class of roles. E.g. only one role from the class "orgstruct" can be assigned at the same time.

        Activity

        Martin Lizner (martin.lizner) added a comment:

        Typical use cases that I solve with my customers include:

        • Role can only be assigned to users with particular attribute value
        • Role cannot be assigned to users with particular attribute value
        • Role is automatically assigned to users with particular attribute value
        • Role is automatically assigned to users with particular attribute value, role is unassigned when user does not meet attribute value anymore
        • User can only be assigned one (or n) roles from group of roles = SoD

        This mechanism may be valid for any user assignment (e.g. organization) and may not even be user-centric, but general (e.g. role-org).

        Still don't know MP in detail, but this should probably require introducing a new entity (Policy?) which will then be linked (assigned?) to other entities or be global.

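The rules listed in the description (mutually exclusive role classes, a cap on how many roles of one class a user may hold) and the attribute-conditioned cases in the comment above can be tried out as one small evaluator. The block below is an added illustration written for this page; it is not midPoint code and not a proposal for midPoint's schema. Every role name, role class, attribute name and attribute value in it is invented, and the `Policy` fields (`exclusive_classes`, `max_per_class`, `requires`, `forbids`, `auto`) are hypothetical names chosen for the example.

```python
# Added illustration for MID-2483: a toy policy evaluator, NOT midPoint code.
# Role names, classes and attribute values below are made up for the example.
from collections import Counter
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Role:
    name: str
    role_class: str  # hypothetical grouping such as "executive", "audit", "orgstruct"


@dataclass
class Policy:
    # Pairs of role classes that may not be held together (SoD).
    exclusive_classes: set = field(default_factory=set)
    # Upper bound on how many roles of a class one user may hold at once.
    max_per_class: dict = field(default_factory=dict)
    # role name -> (attribute, value) the user must have to hold the role
    requires: dict = field(default_factory=dict)
    # role name -> (attribute, value) that forbids the role
    forbids: dict = field(default_factory=dict)
    # role name -> (attribute, value): held while it matches, removed when it stops matching
    auto: dict = field(default_factory=dict)


def violations(user_attrs, assigned, policy):
    """Return the policy violations for a set of Role assignments, in a stable order."""
    found = []
    per_class = Counter(r.role_class for r in assigned)
    # Class-level SoD: any two held classes that the policy declares exclusive.
    for a, b in combinations(per_class, 2):
        if frozenset((a, b)) in policy.exclusive_classes:
            found.append(f"SoD: classes {a!r} and {b!r} cannot be held together")
    # Cardinality per class ("only one role from orgstruct").
    for cls, limit in policy.max_per_class.items():
        if per_class[cls] > limit:
            found.append(f"class {cls!r}: at most {limit} allowed, found {per_class[cls]}")
    # Attribute-conditioned roles, evaluated per role.
    for r in sorted(assigned, key=lambda r: r.name):
        if r.name in policy.requires:
            attr, val = policy.requires[r.name]
            if user_attrs.get(attr) != val:
                found.append(f"{r.name!r} requires {attr}={val!r}")
        if r.name in policy.forbids:
            attr, val = policy.forbids[r.name]
            if user_attrs.get(attr) == val:
                found.append(f"{r.name!r} is forbidden when {attr}={val!r}")
    return found


def reconcile_auto(user_attrs, assigned, policy, catalog):
    """Recompute auto-assigned roles from the user's attributes; keep all other assignments."""
    result = {r for r in assigned if r.name not in policy.auto}
    for name, (attr, val) in policy.auto.items():
        if user_attrs.get(attr) == val:
            result.add(catalog[name])
    return result


CATALOG = {r.name: r for r in (
    Role("CFO", "executive"),
    Role("InternalAuditor", "audit"),
    Role("Dept-Finance", "orgstruct"),
    Role("Dept-Legal", "orgstruct"),
    Role("Contractor-VPN", "access"),
    Role("Employee-Baseline", "access"),
)}

POLICY = Policy(
    exclusive_classes={frozenset({"executive", "audit"})},
    max_per_class={"orgstruct": 1},
    requires={"Contractor-VPN": ("employeeType", "contractor")},
    forbids={"CFO": ("employeeType", "contractor")},
    auto={"Employee-Baseline": ("employeeType", "employee")},
)


def check(user_attrs, role_names, policy=POLICY, catalog=CATALOG):
    """Auto-reconcile first, then report the violations of the resulting assignment set."""
    assigned = reconcile_auto(user_attrs, {catalog[n] for n in role_names}, policy, catalog)
    return sorted(r.name for r in assigned), violations(user_attrs, assigned, policy)


if __name__ == "__main__":
    # Constructed sample request: one employee asking for every role in the catalog at once.
    names, problems = check({"employeeType": "employee"}, CATALOG)
    print(names)
    for p in problems:
        print(" -", p)
```

Two design points worth noting: the exclusion and cardinality rules operate on role classes rather than on individual roles, which is what the description asks for and keeps the rule count from growing with every new role; and auto-assignment is reconciled before the checks run, so a role that is dropped because the user's attribute changed can never be the cause of a reported violation.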

          People

          • Assignee: Unassigned
          • Reporter: Radovan Semancik (semancik)
          • Votes: 1
          • Watchers: 2
