The second purpose of the role catalog is to make role administration and management easy. The role catalog is essentially just an organizational structure (see below). Therefore it can be used to set up fine-grained authorizations and delegated administration of the roles. For example, the application roles may be sorted into categories that represent applications and application modules. In that case the management of the application roles can be delegated to application or module owners.
Role Catalog Implementation and Configuration
Simply speaking, the role catalog is just an organizational structure. However, instead of divisions and sections the role catalog is composed of categories, and instead of member users there are roles. Apart from that, the role catalog is an ordinary organizational structure: the categories are ordinary org objects, and the roles are assigned to the categories in exactly the same way as users are assigned to organizational units. Remember: midPoint can have any number of organizational structures, and the role catalog is just one of them. There may even be several role catalogs at the same time, as any midPoint object can be assigned to any number of orgs. However, the current limitation is that only one role catalog will be presented to end users. The root of this role catalog needs to be configured in the system configuration object like this:
<systemConfiguration>
    ...
    <roleManagement>
        <roleCatalogRef oid="8fbbe7b4-f422-11e6-b00e-e3483e7a1051"/>
    </roleManagement>
    ...
</systemConfiguration>
The roleCatalogRef reference above points to the org object that is the root of the role catalog.
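The following is an added example, not taken from the midPoint documentation or source, showing the complete set of objects the paragraphs above describe: a root org used as the role catalog, a sub-category org assigned to that root, an application role assigned to the sub-category, and the system configuration entry pointing at the root. The root OID is the one from the snippet above; the other two OIDs, the names and the description texts are made up for illustration. Categories and roles are placed into the catalog with ordinary assignments whose target is an org, exactly as a user would be placed into an organizational unit.

```xml
<!-- Added example of a role catalog built from ordinary midPoint objects.
     The root OID matches the snippet above; all other OIDs are made up. -->

<!-- 1. Root of the role catalog: an ordinary org object. -->
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="8fbbe7b4-f422-11e6-b00e-e3483e7a1051">
    <name>Role Catalog</name>
    <description>Root of the role catalog presented to end users.</description>
</org>

<!-- 2. A category (application module) inside the catalog.
     It becomes a child of the root by being assigned to the root org,
     the same way a section is placed under a division. -->
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="0f2a3c4e-5b6d-4e7f-8a9b-0c1d2e3f4a5b">
    <name>HR Application</name>
    <description>Category for roles of the (hypothetical) HR application.</description>
    <assignment>
        <!-- parent category: the catalog root -->
        <targetRef oid="8fbbe7b4-f422-11e6-b00e-e3483e7a1051" type="c:OrgType"/>
    </assignment>
</org>

<!-- 3. An application role placed into the category.
     A role is assigned to a catalog category exactly like a user is assigned
     to an organizational unit. A role may carry several such assignments if it
     belongs to several categories. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="7c8d9e0f-1a2b-4c3d-9e4f-5a6b7c8d9e0f">
    <name>HR Payroll Reader</name>
    <description>Read-only access to payroll data (made-up role).</description>
    <assignment>
        <!-- category membership: the "HR Application" org above -->
        <targetRef oid="0f2a3c4e-5b6d-4e7f-8a9b-0c1d2e3f4a5b" type="c:OrgType"/>
    </assignment>
</role>

<!-- 4. Tell midPoint which org is the root of the catalog shown to end users.
     Only one root can be configured here, even if other catalog-like
     org structures exist. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>SystemConfiguration</name>
    <roleManagement>
        <roleCatalogRef oid="8fbbe7b4-f422-11e6-b00e-e3483e7a1051"/>
    </roleManagement>
</systemConfiguration>
```

Because the categories are ordinary org objects, the delegated administration mentioned earlier is set up with the same authorization mechanisms used for any other org: an application or module owner can be granted authorizations scoped to the category org and the roles assigned to it, without being given rights over the rest of the catalog.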