[midPoint] How to config options for application-role per a service

InformationSecurity information.security at chl.lu
Fri Mar 6 16:04:42 CET 2026


Hello Bao,

I think that indeed a dedicated block in the role catalog is a good idea for both end-users and admins. You can also look at object collections and archetypes to help you classify and filter objects.
Here is the description of how to implement a custom role catalog.

Role Catalog Implementation
Simply speaking, role catalog is just an organizational structure. However, instead of divisions and sections the role catalog is composed of categories. And instead of member users there are roles. But apart from that the role catalog is just ordinary organizational structure. The categories are ordinary org objects. The roles are assigned to the categories in exactly the same way as users are assigned to organizational structure. Remember: MidPoint can have any number of organizational structures and the role catalog is just one of them. There may even be several role catalogs at the same time as any midPoint object can be assigned to any number of orgs. However, the current limitation is that only one role catalog will be presented to end users.

This comes from here: https://docs.evolveum.com/midpoint/reference/before-4.8/admin-gui/role-catalog/configuration/

You can also look at these pages for object collections and archetypes:
https://docs.evolveum.com/midpoint/reference/master/admin-gui/collections-views/configuration/
https://docs.evolveum.com/midpoint/reference/master/schema/archetypes/configuration/

I hope this helps!
Kind regards,
Thomas LARCHER

IT SecOps
Phone : +352 4411 4869
Centre Hospitalier de Luxembourg
4, rue Ernest Barblé
L-1210 Luxembourg

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Bao Tran via midPoint
Sent: 06 March 2026 10:47
To: midpoint at lists.evolveum.com
Cc: Bao Tran <bao.tran at csit.fi>
Subject: [midPoint] How to config options for application-role per a service

Hi all,
We are implementing a Service + Application Role structure in midPoint and are struggling with the GUI presentation. We reviewed the official documentation and the sample configurations but have not been able to find a clear answer.

Service :

  *   VPN

Roles (application-role):

  *   VPN-access   -> induce VPN.Printer
  *   VPN-manager  -> induce VPN.Printer
  *   VPN-admin    -> induce VPN.Printer

Our goal is for the GUI to present these three roles as selectable options when requesting or assigning VPN service access — specifically:

1. When an end-user requests access to the VPN service, they should be shown the three application roles and be able to select one.
2. When an administrator opens a user's profile and assigns the VPN service, the same three options should be presented.

We understand this may involve role catalog configuration or a specific relation between the service and its application roles, but we are unsure of the correct approach.

Any guidance or pointers to relevant documentation or examples would be greatly appreciated.
--
Bao Tran
Software developer
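Added editorial example (not part of either message above, and not taken from the Evolveum documentation) of what the role-catalog layout Thomas describes looks like as midPoint XML objects: a catalog root org, a "VPN" category org assigned under it, and one of the three application roles assigned into that category while inducing the VPN account. All OIDs, the resource OID and the intent name are made-up placeholders; the `adminGuiConfiguration/roleManagement/roleCatalogRef` setting is where the pre-4.8 configuration page linked above puts the catalog pointer, and should be checked against the midPoint version actually in use, since the location changed in 4.8.

```xml
<!-- Added example: hypothetical objects, not from the thread or the midPoint docs.
     All OIDs below are placeholders; midPoint will accept any valid UUID. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

  <!-- 1. Root of the role catalog: an ordinary org object. -->
  <org oid="11111111-0000-0000-0000-000000000001">
    <name>Role Catalog</name>
  </org>

  <!-- 2. A category is just another org, assigned under the root
          exactly as a department would be assigned under a division. -->
  <org oid="11111111-0000-0000-0000-000000000002">
    <name>VPN</name>
    <description>Access levels for the VPN service</description>
    <assignment>
      <targetRef oid="11111111-0000-0000-0000-000000000001" type="c:OrgType"/>
    </assignment>
  </org>

  <!-- 3. An application role is placed in the category the same way a user
          is placed in an org unit: with an assignment. The inducement is what
          the role gives to whoever holds it (here: an account on the VPN
          resource). VPN-manager and VPN-admin would be separate role objects
          built the same way, each assigned to the same "VPN" category so the
          GUI lists all three side by side. -->
  <role oid="22222222-0000-0000-0000-000000000001">
    <name>VPN-access</name>
    <assignment>
      <targetRef oid="11111111-0000-0000-0000-000000000002" type="c:OrgType"/>
    </assignment>
    <inducement>
      <construction>
        <!-- placeholder OID of the VPN resource; "vpn-user" is an assumed intent -->
        <resourceRef oid="33333333-0000-0000-0000-000000000001" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>vpn-user</intent>
      </construction>
    </inducement>
  </role>

  <!-- 4. Point the GUI at the catalog root. This is the pre-4.8 location;
          merge it into the existing system configuration rather than
          importing a fresh one. -->
  <systemConfiguration oid="00000000-0000-0000-0000-000000000001">
    <name>SystemConfiguration</name>
    <adminGuiConfiguration>
      <roleManagement>
        <roleCatalogRef oid="11111111-0000-0000-0000-000000000001" type="c:OrgType"/>
      </roleManagement>
    </adminGuiConfiguration>
  </systemConfiguration>

</objects>
```

The point of the layout is that nothing here is special to catalogs: the same assignment/targetRef mechanism that puts a user into an org puts a role into a category, so the same authorizations and membership queries apply. Only the `roleCatalogRef` pointer tells the request GUI which org tree to render.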