[midPoint] How do you configure Midpoint to handle single identity to have several fixed-term employment contracts?

Black, Carey Matthew blackcm at purdue.edu
Fri Mar 28 13:56:51 CET 2025


Päivi,

In my opinion, a lot of people get their wires crossed trying to make access management about identity management, which in the end “makes sense in the language of the business”, but not in the technical sense of what you are trying to accomplish. So let me try to rephrase your question to try to help you see it from a pure access management perspective.


A person has multiple business roles at a company. Those roles imply (either directly or indirectly) needs for other access roles to allow them to do their job.


Think of two role hierarchies:
One that describes how the person relates to the business. (departments, orgs, job titles/functions, etc.)
Another independent chain that describes access to “things” at the company. (buildings, rooms, computers, software, etc.)

“Business roles” should reflect your HR system.
“Access roles” should reflect your applications/services/physical access, etc..
Neither of the above role hierarchies is part of a person’s individual “Identity”. But they can be seen (I think often wrongly) as part of their “Business identity”.

What you want is:
When HR data comes and goes then you want the related Access roles to “come and go” too. But the relationship between the two types of roles needs to be defined before that automation can happen. And this mapping may be “fully automatic” or a mix of “automatic” and “manual” too. Often there are exceptions and exclusions that make all of the “fully automated” things almost correct, but not perfect too.


How to achieve all of that in midPoint… I am not the best person to provide the details. But I think you should be looking at something like:
https://docs.evolveum.com/midpoint/reference/support-4.8/roles-policies/pdrbac/
https://docs.evolveum.com/midpoint/reference/support-4.9/roles-policies/pdrbac/


HTH.

--
Carey Matthew Black

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Päivi Lana via midPoint
Sent: Friday, March 28, 2025 3:50 AM
To: midpoint at lists.evolveum.com
Cc: Päivi Lana <paivi.lana at csit.fi>
Subject: [midPoint] How do you configure Midpoint to handle single identity to have several fixed-term employment contracts?


Hi!

New to Midpoint and just started to investigate functionalities.

In Healthcare IAM solutions, e.g. a doctor can have several fixed-term employment contracts; they can have a shared AD Account, but different contracts can include Roles that are specific to individual contracts. Then when the individual contract is ending, the corresponding Roles (Account and access) will be deprovisioned as well.

How will you implement this into Midpoint technically? Do you have any documentation or other content to help with this?


Best Regards,
Päivi Lana
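The design Carey describes (an HR-driven business-role layer, an independent access-role hierarchy, a mapping between the two, and manual exceptions on top) applied to Päivi's scenario of one doctor with several fixed-term contracts, as an added, self-contained Python model. It is not code from either poster and not midPoint's own API: the contract data, role names and mapping are constructed for illustration, and the hypothetical helpers effective_access() and reconcile() only show the logic that an IGA engine computes. In midPoint the same idea is expressed with assignments that carry activation validity (validFrom/validTo) and with role inducements, which is what the linked PDRBAC pages cover.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Contract:
    """One fixed-term employment contract as delivered by the HR system."""
    contract_id: str
    business_role: str   # HR-side role: job function / department
    valid_from: date
    valid_to: date       # inclusive last day of the contract

    def is_active(self, on: date) -> bool:
        return self.valid_from <= on <= self.valid_to


# Constructed mapping from business roles (HR hierarchy) to access roles
# (application / physical-access hierarchy). This is the "relationship
# between the two types of roles" that has to exist before automation works.
BUSINESS_TO_ACCESS = {
    "doctor:cardiology": {"ehr-clinician", "cardiology-ward-door"},
    "doctor:emergency": {"ehr-clinician", "er-badge"},
    "researcher": {"research-vpn"},
}

# Constructed access-role hierarchy: holding a role induces further roles.
# The shared AD account is reached only through this chain, so it persists
# as long as ANY active contract still leads to it.
ACCESS_ROLE_INDUCES = {
    "ehr-clinician": {"ehr-login"},
    "ehr-login": {"ad-account"},
    "research-vpn": {"ad-account"},
}


@dataclass
class Identity:
    person_id: str
    contracts: list
    manual_grants: set = field(default_factory=set)  # the "manual" part of the mapping
    exclusions: set = field(default_factory=set)     # exceptions that override automation


def expand_access_roles(roles: set) -> set:
    """Transitive closure over the access-role hierarchy (induced roles)."""
    result = set(roles)
    todo = list(roles)
    while todo:
        r = todo.pop()
        for induced in ACCESS_ROLE_INDUCES.get(r, ()):
            if induced not in result:
                result.add(induced)
                todo.append(induced)
    return result


def effective_access(identity: Identity, on: date) -> set:
    """Access roles the person should hold on a given day.

    Only contracts active on that day contribute; when the last contract
    yielding a role ends, the role (and the account it induces) falls away.
    """
    direct = set(identity.manual_grants)
    for c in identity.contracts:
        if c.is_active(on):
            direct |= BUSINESS_TO_ACCESS.get(c.business_role, set())
    return expand_access_roles(direct) - identity.exclusions


def reconcile(identity: Identity, provisioned: set, on: date) -> dict:
    """Diff currently provisioned roles against the desired state."""
    desired = effective_access(identity, on)
    return {
        "grant": sorted(desired - provisioned),
        "revoke": sorted(provisioned - desired),
    }


def sample_doctor() -> Identity:
    """Constructed example: one identity, two overlapping fixed-term contracts."""
    return Identity(
        person_id="doctor-0001",
        contracts=[
            Contract("C-1", "doctor:cardiology", date(2025, 1, 1), date(2025, 6, 30)),
            Contract("C-2", "doctor:emergency", date(2025, 5, 1), date(2025, 12, 31)),
        ],
    )


if __name__ == "__main__":
    doc = sample_doctor()
    for day in (date(2025, 3, 1), date(2025, 6, 1), date(2025, 8, 1), date(2026, 1, 15)):
        print(day, sorted(effective_access(doc, day)))
    # Contract C-1 ends 2025-06-30: only the cardiology-specific role is revoked,
    # the shared AD account survives because C-2 still induces it.
    print(reconcile(doc, effective_access(doc, date(2025, 6, 1)), date(2025, 8, 1)))
```

Run as a script it prints the role set for each date and the grant/revoke plan across the end of the first contract. The point worth noticing is that the account is never tied to a contract: it is derived from whatever contracts are active, so the overlapping contract keeps it alive and the day after the last contract expires everything, account included, is revoked.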

