[midPoint] Why expose 2 ways of associating a Focus with Resource Objects: either through a "direct link" and/or through an "assignment"?
pierre.sion at free.fr
Wed Oct 11 14:11:19 CEST 2017
Hello,
As far as I understand midPoint, there are roughly two ways to associate a Focus (e.g. a User) with target Resource Objects (Account or Entitlement):
* either by defining a "direct link" in an Object Policy, for example (borrowed from https://wiki.evolveum.com/display/midPoint/ResourceType):
    <accountConstruction>
        <description>
            Defines what accounts should be assigned to a user when it is created.
        </description>
        <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2" type="c:ResourceType"/>
        <intent>default</intent>
    </accountConstruction>
* or by configuring an "Assignment" (or "Role Inducements") that enforces the list of Accounts the User is supposed to have
I am well aware of the Wiki page describing the difference between "assigning" and "linking" (https://wiki.evolveum.com/display/midPoint/Assigning+vs+Linking), but I would like to clarify something about it.
Logically speaking, it seems to me that these two approaches should not be applied simultaneously to the same User, even if it is technically possible to do so.
When a User has Assignments, those always prevail, and other "illegal" Accounts are removed if they are not within the Assignments scope.
So this leads to the question: why offer the possibility to associate Accounts outside the "Assignment jurisdiction"? Why not have a single way of doing things, i.e. always use Assignments when defining Account associations?
I understand that links are automatically created when a reconciliation occurs (that's a technical necessity), but that does not explain the possibility to configure user templates so that Accounts are associated outside Assignments.
Thank you in advance for your enlightenments,
Best regards,
Pierre