[midPoint] Automatic Assignment of Business Roles

Bao Tran bao.tran at csit.fi
Thu Apr 16 13:17:03 CEST 2026


Hi all,
We are implementing MidPoint with HR source. Workday exports job codes
(selected from a predefined list) and job titles (free text). Multiple job
codes can share the same application entitlement collection.

Name | JobCode | JobCodeName               | Title          | OrgName            | IsManager
John | job01   | General Practitioner (GP) | Junior Doctor  | ER                 | True
Jack | job02   | Surgeon                   | Doctor         | Surgery Department | True
Jill | job03   | Radiologist               | Radiologist    | ER                 | false
Bob  | job01   | General Practitioner (GP) | Junior Doctor  | ER                 | True

JobCode is selected from a list in the HR system;
Title is free text.

In traditional IGA, we fall into role explosion due to the role condition:
Job01-ER; Job02-ER; Job03-ER, ... and we manage them via a flat file
(RoleLookup.csv).

*Firstly*, as the documents recommend, we create business roles, e.g.:
     Doctor
           condition: jobcode is in (job01, job02, job03)
      Nurse:
            condition: jobcode is in (job11, job12, job13)
      .....

However, once the conditions grow (both the number of roles and the complexity of
the conditions), as below:
   Doctor:
      *condition*:
              jobcode in (job01, job02)
                      OR
              Org in (Org001, Org003)
                       OR
              ( jobcode = job01 AND Org =  Org001)

   Surgeon doctor:
       *condition*: jobcode in (job02) and org(Surgery Department)

Secondly, our question is then how to effectively manage the
role logic conditions. We are evaluating two modeling approaches to
centralize the management of the auto-assign rule logic, but we are confused
about how to implement them in midPoint.


*Option 1:* Import one jobcode as a role (job01 -> RoleType)

NameofRole ; assignmentsOrder2
job01  ; Doctor
job02  ;  Doctor, Surgery

- Pro: Role catalog is fully visible and manageable via a flat CSV via
generic import
- Con: Potentially we will fall into role explosion again (hundreds of job
codes to hundreds of roles).


*Option 2*: put the logic inside the user objectTemplate condition
   Condition: jobcode in ("job01","job02", "job03")
   Target: Doctor

- Pro: Fewer roles, cleaner hierarchy
- Con: Assignment logic is hidden inside object templates; rules are not
really easy to read and analyze (unlike in a flat file).


Question: What is the recommended midPoint pattern for this scenario? Is
there a third option we are missing?

Thanks
-- 
Bao Tran
Software developer
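As an added illustration of what Option 2 looks like in practice (this is example configuration written for this page, not code from the original post or from the midPoint project), the fragment below is a midPoint user object template with two conditional mappings: one that assigns the Doctor business role when the HR job code is in a list, and one that assigns the Surgeon doctor role only when job code and organization both match. The role assignment is produced by an assignmentTargetSearch expression that looks the role up by name, so the template never hard-codes a role OID. The extension properties extension/jobCode and extension/orgName, the template OID and the mapping names are assumptions; the role names and job codes come from the post.

```xml
<!-- Added example: user object template for HR-driven business role assignment.
     Assumed: extension/jobCode and extension/orgName are single-valued string
     properties populated from the Workday HR resource (JobCode, OrgName). -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                oid="00000000-0000-0000-0000-EXAMPLE-TEMPLATE-OID">
    <name>HR User Template</name>

    <!-- Doctor: jobcode in (job01, job02, job03). Strong + condition means the
         assignment is added while the condition holds and removed again when
         HR data changes so that it no longer holds (e.g. job code changes). -->
    <mapping>
        <name>assign-doctor-by-jobcode</name>
        <strength>strong</strength>
        <source>
            <path>extension/jobCode</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>Doctor</q:value>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <!-- Groovy; a null jobCode evaluates to false, so users with no
                     HR job code never receive the role. -->
                <code>jobCode in ['job01', 'job02', 'job03']</code>
            </script>
        </condition>
    </mapping>

    <!-- Surgeon doctor: jobcode = job02 AND org = Surgery Department. -->
    <mapping>
        <name>assign-surgeon-by-jobcode-and-org</name>
        <strength>strong</strength>
        <source>
            <path>extension/jobCode</path>
        </source>
        <source>
            <path>extension/orgName</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>Surgeon doctor</q:value>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <code>jobCode == 'job02' &amp;&amp; orgName == 'Surgery Department'</code>
            </script>
        </condition>
    </mapping>
</objectTemplate>
```

The point to check when using this pattern is the lifecycle of the assignment, not only its creation: because the mappings are strong and conditional, a user whose HR job code moves from job02 to job03 loses the Surgeon doctor assignment (and its downstream entitlements) on the next recompute, which is the deprovisioning behaviour an HR-driven model needs. The readability concern raised in the post remains real: each condition lives in a script inside the template, so keeping the list of mappings short (one per business role) and naming each mapping after the rule it implements is what keeps the template reviewable.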