[midPoint] Role explosion prevention

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Thu Jan 19 19:12:12 CET 2017


Today I have a concept problem.

How to say... my company has a fragmented structure. There are about 200 laboratories across the country, and almost every laboratory has its own system.
Each system is exactly the same. In each system there are users, roles, access rights and so on. This gives about 30 or more different roles per single system (resource).

That's why I wanted the Role Catalog working so much. And it is working now, thanks a lot Pavol!

But now I think: We have 200 identical resources with 30 roles each... that gives 6 000 roles in MidPoint. A lot. Too many.
And I have read that roles in MidPoint can have logic - expressions. Can I use it somehow to reduce the number of roles?

I am thinking of something like this: I have 200 systems and so 200 basic roles with account inducement (strong construction), and 30 meta roles which I could assign to any of these 200 systems. These meta roles extend the basic roles with the required privileges only (weak construction). Effect: 230 roles that I can use as a combination in user assignments.
Every change of user rights definition in resource systems causes modification of only 30 roles instead of 6000...

But I cannot set attributes and entitlements in the role itself. A specified resource must be provided as an inducement...
Is there any solution?

Best regards,
Wojciech Staszewski
