====== Role assignment - restrict assignable roles by role catalogues (for IdM 13.3.1+ and 14.2.2+) ======

If some users may only be assigned a restricted set of roles, you can restrict the roles assignable to identities with a given form projection to roles from a selected set of role catalogues.

On the form projection page there is a menu item "Role catalogues". Here you can turn on the restriction of assignable roles with a checkbox. If it is checked, a table of allowed role catalogues is shown, where you can add the role catalogues from which an identity with this form projection can have roles assigned.

One of the selectable catalogues is "– no catalogue –", which means "an identity with this form projection can be assigned roles that are not in any role catalogue".

Once this is set, you cannot (even as an admin) assign a role that does not belong to one of the allowed role catalogues to an identity with the given form projection, which means:

  * if you create a role request to assign roles directly to the identity, the role select shows only roles that meet the restriction criteria
  * if you assign roles by bulk action (from the identity or role agenda), you can select a combination that is not allowed, but the concept role request is then created in the EXCEPTION state, and the item log of the related long running task records the reason why that assignment was not executed

If you are using Business Roles (IdmRoleComposition), the assignability of a business role and its sub-roles is determined by the business role alone, i.e. assigning a business role that is in an allowed catalogue together with two sub-roles that are not will assign all of them to the given identity.

Note that when synchronizing roles from an external system, if the synchronization tries to assign a role to an identity and the request is rejected because of the assignability restriction, this will NOT generate a provisioning operation that would remove the assigned group on the end system.
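The assignability rules described above, modelled as an added example: this is a constructed illustration, not CzechIdM's own code, and the role, catalogue and projection names are made up. It shows the direct role request filtering, the bulk action producing an EXCEPTION concept, and a business role carrying sub-roles from a non-allowed catalogue.

```python
from dataclasses import dataclass

NO_CATALOGUE = "– no catalogue –"  # the special catalogue offered in the UI

@dataclass(frozen=True)
class Role:
    code: str
    catalogues: frozenset = frozenset()  # role catalogues the role is placed in
    sub_roles: tuple = ()                # sub-roles of a business role (IdmRoleComposition)

@dataclass(frozen=True)
class FormProjection:
    code: str
    restrict_roles: bool = False         # the "restrict assignable roles" checkbox
    allowed_catalogues: frozenset = frozenset()

def is_assignable(role, projection):
    """Off -> anything; else the role must sit in an allowed catalogue, or in no catalogue
    when NO_CATALOGUE is allowed. Sub-roles are not checked: the business role decides."""
    if not projection.restrict_roles:
        return True
    if not role.catalogues:
        return NO_CATALOGUE in projection.allowed_catalogues
    return bool(role.catalogues & projection.allowed_catalogues)

def role_select_options(roles, projection):
    """Direct role request: the role select offers only assignable roles."""
    return [r.code for r in roles if is_assignable(r, projection)]

def bulk_assign(roles, projection):
    """Bulk action: anything can be selected, but a disallowed role ends as a concept
    in EXCEPTION state carrying the reason shown in the long running task item log."""
    concepts = []
    for r in roles:
        if is_assignable(r, projection):
            assigned = [r.code] + [s.code for s in r.sub_roles]
            concepts.append({"role": r.code, "state": "EXECUTED", "assigned": assigned})
        else:
            reason = f"{r.code} is not in an allowed role catalogue of projection {projection.code}"
            concepts.append({"role": r.code, "state": "EXCEPTION", "assigned": [], "reason": reason})
    return concepts

# Constructed sample data (made-up role, catalogue and projection names)
VPN = Role("vpn_access", frozenset({"IT"}))
IT_ADMIN = Role("it_admin", frozenset({"IT"}))
HR_MANAGER = Role("hr_manager", frozenset({"HR"}))
GUEST = Role("guest")                                                # in no catalogue
ONBOARDING = Role("onboarding", frozenset({"HR"}), (VPN, IT_ADMIN))  # business role in HR
ROLES = [HR_MANAGER, VPN, GUEST, ONBOARDING]
EMPLOYEE = FormProjection("employee", True, frozenset({"HR", NO_CATALOGUE}))
```

Running `bulk_assign([VPN, ONBOARDING], EMPLOYEE)` rejects the standalone IT role but assigns the whole onboarding composition, including the same IT role as a sub-role, which is exactly the business-role behaviour to keep in mind when auditing who can end up with what.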