MidPoint 3.5 and later
Full role catalog functionality is available since midPoint 3.5. MidPoint version prior to 3.5 have limited role catalog functionality.
One of the drawbacks of the general RBAC models is that there is usually a large number of roles to choose from. MidPoint advanced hybrid RBAC model can keep the number of roles at reasonable level. But even in that case there is usually hundreds or even thousands of roles if the organization is considerably complex. We need to keep this number of roles manageable for both the end users and administrators. Therefore midPoint implements a concept of role catalog to organize the roles into categories.
The role catalog has two purposes and therefore it is also presented in two slightly different ways.
Role Catalog for End Users
The first purpose of role catalog is to make role requests easy for end users. The role catalog is used to present the roles in a similar way as an e-shop presents the products. The roles are sorted into categories and sub-categories. The user may browse the role catalog and select the roles. Then the user can put the roles in a "shopping cart" and "buy" them. This catalog and e-shop paradigm is quite natural for most end users and it requires little to no training.
Role Catalog for Administrators
The second purpose of role catalog is to make role administration and management easy. Role catalog is essential just an organizational structure (see below). Therefore it can be used to set up fine-graned authorizations and delegated administration of the roles. For example the application roles may be sorted to categories that represent applications and application modules. In that case the management of the application roles can be delegated to application or module owners.
Role Catalog Implementation and Configuration
Simply speaking, role catalog is just an organizational structure structure. However, instead of divisions and sections the role catalog is composed of categories. And instead of member users there are roles. But apart from that the role catalog is just ordinary organizational structure. The categories are ordinary org objects. The roles are assigned to the categories in exactly the same way as users are assigned to organizational structure. Remember: MidPoint can have any number of organizational structures and the role catalog is just one of them. There may even be several role catalogs at the same time as any midPoint object can be assigned to any number of orgs. However, the current limitation is that only one role catalog will be presented to end users. And the root of this role catalog needs to be configured in the system configuration object like this:
The roleCatalogRef reference above points to the org which is the root of the role catalog.