MidPoint 3.5 and later
MidPoint has implemented role request and approval functionality almost from the beginning of the project. However, the functionality took the user-friendly form described on this page only in midPoint 3.5. It was further improved in midPoint 3.6.
Role Catalog Configuration
The prerequisite for a good user experience is usually proper configuration of the role catalog and authorizations. The end-user role selection page displays only those roles that the currently logged-in user is authorized to assign to themselves. Therefore the correct use of the assign authorization in particular is crucial for this page to work as intended.
Role Catalog Collections
MidPoint 3.6 and later
This functionality is available since midPoint 3.6.
The role catalog has several views, or collections, that control what the end-user role catalog page displays. The specific view can be selected on the role request page. By default all the available views are displayed, but this may be confusing for deployments that do not use all the midPoint capabilities. Therefore it is possible to configure only a subset of the views. This is controlled in the system configuration object like this:
The configuration above will enable only the "Role catalog" and "All roles" views.
|Collection URI|View|
|http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog|Role catalog view|
|http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles|All roles view|
|http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allOrgs|All organizations view|
|http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allServices|All services view|
|http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#userAssignments|User's assignments view|
Object collections feature
This configuration is just a very simple way to configure the object collections feature. Object collections is a planned feature that will enable grouping objects in an arbitrary way and then reusing the groupings in the role catalog, menus, dashboards and so on. This feature currently waits for a sponsor (MID-3517 - Object collections, Open). If you are interested in sponsoring this feature, please contact Evolveum.
Assignment constraints are often used to constrain role assignment multiplicity, e.g. whether it is possible to request the same role several times. Default assignment constraints are specified in the system configuration object. These constraints are applied globally to the entire system. The constraint is composed of two boolean flags:
allowSameTarget: Constrains all assignments that have the same target, i.e. multiple assignments of the same (abstract) role. If allowSameTarget=true then multiple assignments of the same role are allowed. If allowSameTarget=false then multiple assignments of the same role are prohibited (but see also below).
allowSameRelation: Constrains all assignments that have the same relation. E.g. if allowSameTarget=true and allowSameRelation=false then multiple assignments of the same role are allowed as long as they have different relations.
The constraints can be used to enforce a single-assignment role policy like this:
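Both settings described on this page, the role catalog view selection from the Role Catalog Collections section and the single-assignment constraints from this section, live in the same system configuration object. The fragment below is an added example, not the page's own snippet: the two flag names and the collection URIs come from the text above, while the container element names (roleManagement, roleCatalogCollections, collection, collectionUri, defaultAssignmentConstraints) are assumed from the midPoint system configuration schema and should be checked against the schema of the deployed midPoint version.

```xml
<!-- Added example, not from the original page. Fragment of the midPoint
     system configuration object. The container element names are assumed
     from the midPoint schema; verify them against your version. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>SystemConfiguration</name>
    <!-- ... other system configuration content ... -->
    <roleManagement>
        <!-- Role Catalog Collections: show only the "Role catalog" and
             "All roles" views on the end-user role request page. The other
             views (allOrgs, allServices, userAssignments) stay hidden
             because they are not listed here. -->
        <roleCatalogCollections>
            <collection>
                <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog</collectionUri>
            </collection>
            <collection>
                <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles</collectionUri>
            </collection>
        </roleCatalogCollections>
        <!-- Single-assignment role policy: a user may hold each role at most
             once, regardless of relation, so both flags are false. Setting
             allowSameTarget to true and allowSameRelation to false would
             instead permit the same role several times as long as every
             assignment uses a different relation. -->
        <defaultAssignmentConstraints>
            <allowSameTarget>false</allowSameTarget>
            <allowSameRelation>false</allowSameRelation>
        </defaultAssignmentConstraints>
    </roleManagement>
</systemConfiguration>
```

Because the constraints are global, a request for a role the user already holds is refused for every role in the deployment; if some roles legitimately need to be held more than once, the global defaults are the wrong place for that policy.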