This configuration is just a very simple way how to configure object collections feature. The object collections feature is a planned feature that will enable grouping objects in an arbitrary way and then reuse the groupings in role catalog, menu, dashboards and so on. This feature currently waits for a sponsor (
Assignment constraints are often used to constraint role assignment multiplicity, e.g. whether it is possible to request the same role several times. Default assignment constraints are specified in system configuration object. These constraints are applied globally to the entire system. The constraint is composed from two boolean flags:
allowSameTarget: Constraint all assignments that have the same target. I.e. multiple assignments of the same (abstract) role. If allowSameTarget=true then multiple assignments of the same role are allowed. If allowSameTarget=false then multiple assignments of the same role are prohibited (but see also below).
allowSameRelation: Constraint all assignments that have the same relation. E.g. if allowSameTarget=true and allowSameRelation=false then multiple assignments of the same role are allowed as long as they have different relation.
The constraints can be used to enforce single-assignment role policy like this:
<systemConfiguration> ... <roleManagement> <defaultAssignmentConstraints> <allowSameTarget>false</allowSameTarget> <allowSameRelation>false</allowSameRelation> </defaultAssignmentConstraints> </roleManagement> ... </systemConfiguration>