<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi Nicolas,</p>
    <p>when I was working with parametric roles, I was using an approach
      which I described here:
      <a class="moz-txt-link-freetext" href="https://evolveum.com/blog/working-multi-tenant-roles/">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
    <p>(The screenshots are from old midpoint :-) but you should get the
      message.)</p>
    <p>By default you can assign roles with parameters: orgRef or
      tenantRef:</p>
    <p>- orgRef: you select (probably any) of the organizations in
      midPoint to be the parameter</p>
    <p>- tenantRef: you select any organization marked as tenant in
      midPoint to be the parameter</p>
    <p>This might help you as it is (we were / are using this in
      multiple deployments).<br>
    </p>
    <p>What we definitely want is to make this more configurable and
      extensible. But I'm sure Radovan will provide more on this topic.<br>
    </p>
    <p>I believe the feature is tracked here:
      <a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3515">https://jira.evolveum.com/browse/MID-3515</a><br>
    </p>
    Best regards,<br>
    Ivan<br>
    <br>
    <div class="moz-cite-prefix">On 29.06.2018 00:11, Nicolas Rossi
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAAxX8chwQKLtefupsArPia+kGCVTEEwfJucrcmGObJyoM4KJMA@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
          guys, </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
          are working on a customer who needs to define some roles with
          parameters to prevent a role explosion scenario. I have found
          a lot of references to this issue on the wiki (<a
            href="https://wiki.evolveum.com/display/midPoint/Role+Explosion"
            moz-do-not-send="true">here</a>, <a
href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles"
            moz-do-not-send="true">here</a> and <a
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments"
            moz-do-not-send="true">here</a>). There were also <a
href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html"
            moz-do-not-send="true">similar questions</a> on the mailing
          list a few years ago where Radovan explains that it was designed
          but not implemented.</div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
          Radovan's explanation, I am not sure if we should extend the
          AssociationType to add custom parameters or if we should
          define role parameters (couldn't find any example in the
          documentation).</div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
          the UI, when an end-user requests a new role, he can define
          properties on the assignment (parameters) for each role,
          but... is there any way to define that some properties /
          parameters are required so the user can't request the role
          without specifying some value for that parameter?</div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
          apologize in advance for the lengthy e-mail</div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
        <div>
          <div dir="ltr" class="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div>
                                        <div dir="ltr"><font
                                            face="arial, helvetica,
                                            sans-serif"><br>
                                            <br>
                                            <font color="#444444">Ing
                                              Nicolás Rossi</font><br>
                                            <font color="#999999">Identicum
                                              S.A.</font><br>
                                            <font color="#999999">Jorge
                                              Newbery 3226</font><br>
                                            <font color="#999999">Tel:
                                              +54 (11) 4552-3050</font><br>
                                            <font color="#999999"><a
                                                href="http://www.identicum.com"
                                                target="_blank"
                                                moz-do-not-send="true">www.identicum.com</a></font></font><br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
  </body>
</html>