See the Object Template page for more details about the object template mechanism. The Expression page describes the details of
the assignmentTargetSearch expression evaluator, which is frequently used for this purpose.
Roles Within Roles
TODO: exclusion and pruning
There is sometimes a need to assign one role when another role is assigned. Because midPoint fully supports role hierarchies, this is easily done by nesting one role inside the other. If the nested role should apply only under an additional condition, the conditional role approach can be used. There are many ways to implement this functionality.
Sometimes there is a need to unassign a role when another role is assigned. The role exclusion mechanism may be used to implement this approach, as illustrated by the Radio Button Roles example. However, care must be taken if this is combined with role autoassignment, as it is easy to set up conflicting policies. MidPoint is a thorough system and it does not like conflicting policies.
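The two approaches above, sketched as an import file. This is an added example, not taken from the midPoint documentation or samples. The role names and OIDs are constructed placeholders. The first role nests another through an inducement, and the third uses an exclusion policy rule with the prune action.

```xml
<!-- Added example: role names and OIDs are constructed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Nesting: a user assigned "Project Manager" also receives
         everything that "Project Member" grants, via the inducement. -->
    <role oid="00000000-0000-0000-0000-00000000a001">
        <name>Project Manager</name>
        <inducement>
            <targetRef oid="00000000-0000-0000-0000-00000000a002" type="RoleType"/>
        </inducement>
    </role>

    <role oid="00000000-0000-0000-0000-00000000a002">
        <name>Project Member</name>
    </role>

    <!-- Exclusion: "Auditor" must not be held together with
         "Project Manager". With the prune action the conflicting
         assignment is removed; using <enforcement/> instead would
         reject the operation. -->
    <role oid="00000000-0000-0000-0000-00000000a003">
        <name>Auditor</name>
        <assignment>
            <policyRule>
                <policyConstraints>
                    <exclusion>
                        <targetRef oid="00000000-0000-0000-0000-00000000a001" type="RoleType"/>
                    </exclusion>
                </policyConstraints>
                <policyActions>
                    <prune/>
                </policyActions>
            </policyRule>
        </assignment>
    </role>
</objects>
```

If "Project Manager" were also autoassigned, the autoassignment and the prune action would pull in opposite directions, which is the kind of conflicting policy warned about above.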