<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Päivi,<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In my opinion, a lot of people get their wires crossed trying to make access management about identity management. Which in the end “makes sense in the language of the businessâ€, but not in the technical
sense of what you are trying to accomplish. So let me try to rephrase your question to try to help you see it from a pure access management perspective.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A person has multiple business roles at a company. Those roles imply ( either directly or indirectly) needs for other access roles to allow them to do their job.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Think of two role hierarchies:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt">One that describes how the person relates to the business. ( departments, orgs, job titles/functions etc…)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt">Another independent chain that describes access to “things†at the company. ( buildings, rooms, computers, software, etc..)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">“Business roles†should reflect your HR system.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">“Access roles†should reflect your applications/services/physical access, etc..<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Neither of the above role hierarchies are part of a person’s individual “Identityâ€. But they can be seen ( I think often wrongly.) as part of their “Business identityâ€.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">What you want is: <br>
When HR data comes and goes then you want the related Access roles to “come and go" too. But the relationship between the two types of roles needs to be defined before that automation can happen. And this mapping may be “fully automatic†or a mix of “automaticâ€
and “manual†too. Often there are exceptions and exclusions that make all of the “fully automated†things almost correct, but not perfect too.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">How to achieve all of that in midPoint…. I am not the best person to provide the details. But I think you should be looking at something like:<br>
<a href="https://docs.evolveum.com/midpoint/reference/support-4.8/roles-policies/pdrbac/">https://docs.evolveum.com/midpoint/reference/support-4.8/roles-policies/pdrbac/</a><br>
<a href="https://docs.evolveum.com/midpoint/reference/support-4.9/roles-policies/pdrbac/">https://docs.evolveum.com/midpoint/reference/support-4.9/roles-policies/pdrbac/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">HTH.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-ligatures:standardcontextual">--</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:standardcontextual">Carey Matthew Black<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint <midpoint-bounces@lists.evolveum.com>
<b>On Behalf Of </b>Päivi Lana via midPoint<br>
<b>Sent:</b> Friday, March 28, 2025 3:50 AM<br>
<b>To:</b> midpoint@lists.evolveum.com<br>
<b>Cc:</b> Päivi Lana <paivi.lana@csit.fi><br>
<b>Subject:</b> [midPoint] How do you configure Midpoint to handle single identity to have several fixed-term employment contracts?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0" width="100%" style="width:100.0%;background:#FFF0A0">
<tbody>
<tr>
<td style="padding:3.75pt 3.75pt 3.75pt 3.75pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">----
<b>External Email</b>: Use caution with attachments, links, or sharing data ----<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hi! <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">New to Midpoint and just started to investigate functionalities.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In Healthcare IAM solutions e.g. Doctor can have several fixed-term employment contracts, they can have shared AD Account, but different contracts can include Roles that are specific to individual contracts. Then when the individual contract
is ending, corresponding Roles(Account and access) will be deprovisioned as well. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">How will you implement this into Midpoint technically? Do you have any documentation or other content to help with this?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best Regards,Päivi Lana<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>