[midPoint] Role "OrgUnit Manager"
Ch. Olbricht
colbricht at hs-harz.de
Mon Jun 10 09:47:57 CEST 2024
Hello everybody,
I hope you understand my English ...
I'm starting with midPoint. The In- and Outbound-Resources are now
working well. Persons and Accounts are created and automatically
assigned to some OrgUnits in an OrgTree (using <item>...</item> in
Person Object Template). Inducement Mappings in the Org-Units do the
Mapping of special Attributes to the Outbound-Resource(s). This all
works fine!
For some OrgUnits in the Tree the Assignment of Members should be made
by hand by, let's call it, "OrgUnit Managers". So, I assigned a Person
as Manager to an OrgUnit, gave the Role "End User" to this Person to be
able to login ... but nothing happens! A lot of Reading and Searching
later now I know: I have to create a special Role which describes the
permissions and tells the GUI which additional Elements to show. In my Case:
Role "OrgUnit Manager"
Permissions:
1. The "OrgUnit Manager" should be able to UNASSIGN Members from the
OrgUnit where he is assigned as Manager
2. The "OrgUnit Manager" should be able to ASSIGN only Members of the
Superior-OrgUnit as Members to the OrgUnit where he is assigned as Manager
3. The "OrgUnit Manager" should NOT be able to CREATE, MODIFY or DELETE
Accounts / Persons
4. The "OrgUnit Manager" should NOT be able to CREATE, MODIFY or DELETE
OrgUnits
GUI Elements:
5. The "OrgUnit Manager" should ONLY see the OrgUnit(s) where he is
assigned as Manager in the Menu-Point "All organizations"
6. The "OrgUnit Manager" should NOT see the Menu-Points "Organization
tree" and "New organization"
So I would be very happy if anyone could give me the XML-Code to
implement this special Role!
Thanks,
Christian