[midPoint] Set midPoint User attribute when Role assigned

Brad Firestone bhotrock at gmail.com
Fri Dec 6 19:50:42 CET 2019


Hi All,

I would like to set an attribute value for a midPoint User when they 
have been assigned a given role.  This attribute value will not be 
synced to any resource.  I just want to be able to display it in the 
midPoint GUI.  I am using the organizationalUnit attribute since it's 
multi-valued.

My reason for doing this is that I've created "Departmental User 
Managers".  These people can create new Users, edit existing Users and 
(un)assign Roles that "belong" to their department.  (I'm using subtype 
to define role ownership.)  They can only see their department's Roles 
in the GUI, which serves two purposes:  It restricts which Roles they 
can (un)assign, and it hides a large number of Roles which makes things 
quicker and less confusing.  Since all Roles are not visible in the 
Roles section, I would like to use the organizationalUnit attribute 
(renamed) to display ALL roles that a User has.  This is helpful to let 
a departmental User Manager see what other Roles (from other 
departments) a certain User has been assigned.

Ideally, this attribute value assignment would be part of the Role 
definition.  But I can't find a way to do that.  It seems to me all 
mapping in Roles is limited to Resource construction mapping.  Is there 
a way to map or construct a midPoint attribute value directly from the Role?

I could do it from the User Template, but that means I would have to 
edit the User Template every time I add a new Role.  I also need to 
figure out the conditional structure to evaluate whether a User has a 
given Role assigned.

I may be going about this the wrong way and I'm open to any suggestions 
about the best way to do this.  Thanks for any ideas!
Brad


