Role Autoassign Configuration

The policies of automatic role assignment can be specified in roles themselves. Each role can have a condition when it should be assigned:

The role above will be automatically assigned to any user that has property costCenter set to A001. As all midPoint mapping even this mapping is relativistic. If user cost center is set to A001 (the costCenter property is changed) then the role is automatically assigned. When the user cost center is changed to a different value, the role is unassigned. Of course, it also works with multivalued properties. Simply speaking, autoassignment is a proper well-mannered midPoint mapping.

Condition is all that is needed for simple cases. MidPoint takes care of all the rest.

Since midPoint 4.2 it is possible to restrict auto assignment evaluation to specific object using selector object. Using example below, autoassignment will be applied only for the user with archetype employee:

The example above implements a very simple case. There is just a source and a condition in the role autoassignment mapping. There is no expression. This is the way the role autoassignment mapping is designed. MidPoint prepares the assignment data structure, which is passed as a default source to the mapping. Therefore, all the mapping needs to do for the role to be assigned is to pass the default input on. The default asIs expression evaluator does that, therefore there is no need to specify the expression explicitly. All the mapping needs to do is to decide whether the assignment has to pass though or not. That decision is controlled by the condition.

This is very simple and efficient method. Yet, it can be quite powerful as well. The mapping expression is usually not needed. However, it can be specified when there is a need to modify or customize the default assignment. For example, the expression can specify assignment parameters, relation, activation and so on.

In fact the mapping is evaluated in exactly the same way as object template mappings. Therefore, it has all the powers of an object template mapping. Just the mapping source is populated with prepared assignment, and the target is pre-set to assignment container.

Role autoassignment is a very elegant mechanism. However, there are implications. If anything about the user is changed, midPoint has to decide whether any new roles have to be assigned or unassigned. To do that, midPoint has to evaluate all the autoassigment rules in all the roles - even those that are not assigned to the user yet. As some midPoint deployments use a large number of roles, evaluation of all roles can be a significant performance hit. Therefore, the role autoassignment mechanism is not enabled by default. There are two configuration steps that need to be taken to enable this mechanism. Firstly, role autoassignment need to be enabled in global system configuration:

Secondly, each role that has an autoassignment rules needs to be explicitly marked by using the autoassign/enabled flag:

This configuration limits the work that midPoint has to do for every operation. MidPoint will only process those roles that are explicitly marked for autoassignment processing. If the autoassingment mechanism is not used at all, MidPoint will entirely skip the lookup of the roles.

It perhaps goes without saying that the more autoassign roles are there the worse is the performance impact. The actual impact depends on the number of such roles, their complexity and overall complexity of the midPoint deployment. It is usually perfectly acceptable to have tens of autoassign roles. However, thousands of autoassign roles are usually not a good idea. The performance is usually not the worst issue there. Maintenance of thousands of autoassignment rules is very likely to be the real burden. In that case it may be better to consider a more systemic approach by using object template.