  1. Navigate to the Roles menu and examine the list of roles. Their descriptions should be helpful.
  2. The Full Time Employee and Contractor roles are assigned automatically using a user template. The user created in the previous steps should already have one of them. Therefore there will not be much fun with this user any more ...
  3. Create a new user without any account or role.
  4. Assign one of the roles to the user by clicking the Assign Role button. Then click "Save".
  5. The role is now assigned. All the accounts that the role specifies should be provisioned automatically. You can check this by opening the user and looking into the Accounts section. What you see there are account shadows (see here). They persist even when a resource is down. Then you can verify on the resource that an account exists there. If you check the LDAP server, you may need to press the "refresh" button to see up-to-date changes.
  6. Unassign the role by clicking the checkbox next to the role name, clicking the Unassign button and then clicking Save.
  7. If the user has no role, all the accounts should be gone.


Under construction

The Governance demo is under construction.


The following scenario demonstrates governance over requests to assign the Patron role to users. Requests are approved in a workflow.


The approval workflow is enabled on one specific role, Patron. The workflow has two steps: the first approver is the target user's manager (if the target user does not have a manager, this step is skipped); the second approver is any member of the Council of Patrons organization. These steps are enforced because the Patron role is assigned to two meta roles, each of which induces a policyRule object.
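The following is an added illustration of how the two-step approval described above can be wired together with inducements and policy rules. It is not the demo's own configuration; the element names follow midPoint's common-3 schema as I understand it, all OIDs are placeholders, and the object names are invented. The first meta role contributes the manager stage (skipped when the user has no manager), the second contributes the Council of Patrons stage, and the Patron role simply assigns both meta roles so that their induced rules apply to every Patron assignment request.

```xml
<!-- Added example, not the demo's own objects. OIDs are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">

    <!-- Meta role 1: stage 1, approval by the target user's manager -->
    <role oid="PLACEHOLDER-METAROLE-MANAGER-OID">
        <name>metarole-approval-by-manager</name>
        <!-- The policyRule is induced, so it applies to roles that are
             assigned this meta role (here: Patron), not to the meta role itself -->
        <inducement>
            <policyRule>
                <name>Assignment needs manager approval</name>
                <policyConstraints>
                    <!-- Trigger only when the role is being added, not removed -->
                    <assignment>
                        <operation>add</operation>
                    </assignment>
                </policyConstraints>
                <policyActions>
                    <approval>
                        <!-- Lower order number: this stage runs first -->
                        <compositionStrategy>
                            <order>10</order>
                        </compositionStrategy>
                        <approvalSchema>
                            <stage>
                                <name>Manager of the target user</name>
                                <approverRelation>org:manager</approverRelation>
                                <!-- User without a manager: skip the stage instead of blocking -->
                                <outcomeIfNoApprovers>skip</outcomeIfNoApprovers>
                            </stage>
                        </approvalSchema>
                    </approval>
                </policyActions>
            </policyRule>
        </inducement>
    </role>

    <!-- Meta role 2: stage 2, approval by any member of the Council of Patrons -->
    <role oid="PLACEHOLDER-METAROLE-COUNCIL-OID">
        <name>metarole-approval-by-council</name>
        <inducement>
            <policyRule>
                <name>Assignment needs Council of Patrons approval</name>
                <policyConstraints>
                    <assignment>
                        <operation>add</operation>
                    </assignment>
                </policyConstraints>
                <policyActions>
                    <approval>
                        <compositionStrategy>
                            <order>20</order>
                        </compositionStrategy>
                        <approvalSchema>
                            <stage>
                                <name>Council of Patrons</name>
                                <!-- Pointing approverRef at an org assigns the work item to the
                                     org; any member can claim and decide it -->
                                <approverRef oid="PLACEHOLDER-COUNCIL-ORG-OID" type="OrgType"/>
                                <!-- An empty council must not silently approve -->
                                <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                            </stage>
                        </approvalSchema>
                    </approval>
                </policyActions>
            </policyRule>
        </inducement>
    </role>

    <!-- The governed role: assigning both meta roles composes the two stages -->
    <role oid="PLACEHOLDER-PATRON-ROLE-OID">
        <name>Patron</name>
        <assignment>
            <targetRef oid="PLACEHOLDER-METAROLE-MANAGER-OID" type="RoleType"/>
        </assignment>
        <assignment>
            <targetRef oid="PLACEHOLDER-METAROLE-COUNCIL-OID" type="RoleType"/>
        </assignment>
    </role>
</objects>
```

The point of splitting the stages across two meta roles is that each approval requirement is a reusable building block: any other role that needs council sign-off only has to assign `metarole-approval-by-council`. The `outcomeIfNoApprovers` values are the safety-relevant choice: skipping the manager stage is acceptable because the council stage still runs, whereas an empty council should reject rather than let the request through unreviewed.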


The certification campaign Certify all user-role assignments is set to iterate over all user objects in midPoint. Each user assignment is checked in itemSelectionExpression and only roles that match a certain OID are advanced to the actual campaign scope. You may try playing around with the stage outcomeStrategy, e.g. set it to allMustAccept so that ALL reviewers must approve (instead of ANY).
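As an added illustration of the campaign definition described above (not the demo's own object), the sketch below shows where the itemSelectionExpression and the stage outcomeStrategy live. Element names follow midPoint's common-3 certification schema as I understand it; the OID, the script variable `assignment`, and the Council of Patrons reference are assumptions, and the stage duration is invented.

```xml
<!-- Added example, not the demo's own definition. OIDs are placeholders. -->
<accessCertificationDefinition
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        oid="PLACEHOLDER-CERT-DEFINITION-OID">
    <name>Certify all user-role assignments</name>
    <!-- Handler that reviews direct assignments held by the scoped objects -->
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/certification/handlers-3#direct-assignment</handlerUri>
    <scopeDefinition xsi:type="AccessCertificationAssignmentReviewScopeType">
        <!-- Iterate over every user in midPoint -->
        <objectType>UserType</objectType>
        <!-- Only role assignments are candidates; orgs and resources are left out -->
        <includeRoles>true</includeRoles>
        <includeOrgs>false</includeOrgs>
        <includeResources>false</includeResources>
        <!-- Per-assignment filter: only the Patron role (matched by OID) enters the campaign.
             'assignment' is assumed to be the variable holding the candidate assignment -->
        <itemSelectionExpression>
            <script>
                <code>
                    assignment?.targetRef?.oid == 'PLACEHOLDER-PATRON-ROLE-OID'
                </code>
            </script>
        </itemSelectionExpression>
    </scopeDefinition>
    <stageDefinition>
        <number>1</number>
        <name>Review by manager and council</name>
        <duration>P14D</duration>
        <reviewerSpecification>
            <!-- The user's manager reviews; the manager may not certify his own assignments -->
            <useObjectManager>
                <allowSelf>false</allowSelf>
            </useObjectManager>
            <!-- Fallback reviewer when no manager exists -->
            <defaultReviewerRef oid="PLACEHOLDER-COUNCIL-ORG-OID" type="OrgType"/>
        </reviewerSpecification>
        <!-- allMustAccept: every reviewer has to accept for the item to pass.
             Switch to oneAcceptAccepts to require only ANY single reviewer -->
        <outcomeStrategy>allMustAccept</outcomeStrategy>
    </stageDefinition>
</accessCertificationDefinition>
```

When experimenting with `outcomeStrategy`, keep in mind that `allMustAccept` makes a single denial (or a reviewer who never responds before the deadline) block the item, so it is the stricter setting for high-value roles, while a one-accept strategy trades that rigour for faster campaign completion.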