It is a contract that defines the link between an identity and a tree structure. Also, a contract plays a significant part in assigning a role to an identity. Every identity has at least one contract, as a (manually assigned or automatic) role is always assigned to a contract, not directly to an identity.

  1. a default contract is established automatically once an identity has been created
  2. provided a default element of the organizational structure is pre-configured, an identity is placed in this position within the structure when creating a default contract
  3. if there is no selected default element of the structure, the identity is "placed" in a position titled "Default" WITHOUT being included in the organizational structure.

Managers can be looked up through:

  • tree structures - identity with a on the tree node above.
  • a direct contract manager - supervisors.

HR processes depend on the state of a contract and its validity.

A contract can be flagged as "main". There can be more than one contract flagged as main, or none at all.

Contracts can be:

  1. valid
  2. valid but EXCLUDED, provided the validFrom and validTill attributes are filled. Roles assigned to this contract are not removed - accounts on target systems remain intact. Roles assigned to this contract are not added to a logged identity
  3. invalid or with the DISABLED attribute
  4. in a "null" state, if no values are entered in the validFrom and validTill attributes


  • When a contract is terminated or invalidated, all the roles coupled with this contract will cease to exist as well.
  • Once terminated, all assigned roles for a given contract are removed.


  • When a contract is invalid, all assigned roles for this contract – be they automatic or manually assigned – are removed. No roles can be assigned to an invalid contract.
  • For a periodic review of invalid contracts, the IdentityContractExpirationTaskExecutor task can be used and scheduled.
  • Once a contract becomes valid again, then all automatic roles are assigned again.


  • When an identity’s last contract is removed or all contracts are invalid or excluded, then the identity is disabled. Once the contract becomes valid once again or a new valid contract is added, the identity is activated again.


  • Note that contracts cannot be modified or removed when they contain some time slices (i. e., are controlled by slices). Only when the last slice of the contract is deleted, can the contract be deleted, too. See more on time slices here.

- the process is executed as soon as an identity’s contract is changed (active operation)
- long running tasks are scheduled, mainly over night. So while the contract change is saved during the synchronization from a source system, the respective HR processes are executed separately afterwards

Other contractual positions which can be set are used just for the assignment of automatic roles by the tree structure.
Note: the filtering and evaluating of managers and subordinates through other contractual positions is not supported.

Linking a role to the organizational structure

Everyone authorized to edit a role can assign the role to a component of any organizational structure. Such an action, of assigning/removing a role to a structural component, is subject to the same approval as when an ordinary user is to be assigned a role. Once the approval is granted, this amounts to a sort of "pre-approval" for all the users incorporated within the organizational structure. From then on, assigning a role to a user does not require a special approval (it had been approved for the entire organizational unit in which a user is situated).

Displaying information about automatically assigned roles

The information about the roles linked to the organizational structure are displayed in these sections:

  • In the structure component detail, there is a list of roles which have been assigned to it
  • For every role, a list of structural components (the whole path in the tree), for which the role is automatically assigned to users, is displayed.
  • For every user, there is a list of assigned roles that they have been granted automatically.

All changes regarding roles coupled with organizational structures are audited. The log provides this information:

  • changes in roles, new automatic rules
  • references to the process through which changes had occurred: synchronization or via the web
  • by apeterova