Assignment of orgs and roles is one of the fundamental midPoint functionalities. A common requirement is the automatic assignment of roles based on expressions and conditions. The object template is the right place to implement such automatic assignment.
The easiest case is assigning a specific role to all users. This is easy to implement using an object template mapping with a static (literal) value:
Most roles are assigned only if a specific condition is true. This approach is sometimes called Rule-Based RBAC (RB-RBAC). This is also easy to implement: simply combine the static mapping with an appropriate condition:
MidPoint will take care that the condition is evaluated and that the appropriate action is taken. When the condition becomes true, the role is assigned. When the condition becomes false, the role is unassigned (remember, midPoint is relativistic and that also applies to conditions).
The third option is fully dynamic assignment of roles, orgs and services. It is often infeasible to define a condition for every role. One big expression that decides role assignment is usually a better approach. MidPoint has a special assignmentTargetSearch expression evaluator designed especially for this purpose. This evaluator can be used to dynamically look up assignment targets:
This is an example of dynamic assignment of roles based on the value of the user's employeeType property. If the property has the value executive, then the role Employee:executive will be automatically assigned. If the property has the value superlative, then the role Employee:superlative will be automatically assigned. And so on. The employeeType property is multi-valued, therefore the expression will be evaluated for each value. If the employeeType property has two values then two roles will be assigned. The role assignment follows changes in the source properties: when employeeType values are deleted, the corresponding roles are automatically unassigned.
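As an added illustration of both the conditional (RB-RBAC) mapping and the assignmentTargetSearch lookup described above (example configuration written for this page, not taken from midPoint's own documentation; the object template name, the mapping names and the role OID placeholder are assumptions):

```xml
<!-- Added example, not midPoint's own: mapping names and the role OID are placeholders. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>employee-role-assignment-example</name>
    <!-- RB-RBAC: a fixed role held only while the condition is true; when the
         matching employeeType value disappears, midPoint unassigns it again. -->
    <mapping>
        <name>executive-policy-role</name>
        <source><path>employeeType</path></source>
        <expression>
            <value><targetRef oid="ROLE-OID-PLACEHOLDER" type="RoleType"/></value>
        </expression>
        <target><path>assignment</path></target>
        <condition>
            <script><code>employeeType == 'executive'</code></script>
        </condition>
    </mapping>
    <!-- Dynamic: for each employeeType value, look up the role named
         "Employee:<value>" and assign it (one evaluation per value). -->
    <mapping>
        <name>employee-roles-by-type</name>
        <source><path>employeeType</path></source>
        <expression>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script><code>'Employee:' + employeeType</code></script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target><path>assignment</path></target>
    </mapping>
</objectTemplate>
```

Because both mappings target the same assignment container, midPoint merges their results; a user with employeeType values executive and superlative ends up with the fixed policy role plus Employee:executive and Employee:superlative, and loses each one again when the value that produced it is removed.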
MidPoint mappings are automatically merged. Therefore you can have as many mappings for automatic assignment as you want and you can combine all these techniques as needed. MidPoint will take care that all of them are evaluated and that the results are properly merged.
There are more tricks that can be used for role assignment. For example, the target (role or org) can be dynamically created on demand (see OrgSync Story Test). Mapping domain and range can be used for more complex cases. And so on.