Role assignment - restrict assignable roles by role catalogues

In case you need to tell that some users can have assigned only restricted set of roles, you can use feature of restricting assignable roles to identity with given projection to roles from selected set of role catalogues.

On form projection page, you have menu item Role catalogues:

Here you can turn on restricting assignable role by checkbox:

If checked, table of allowed role catalogues is shown, here you can add role catalogues from which identity with this form projection can have roles assigned:

One of selectable catalogues is "– no catalogue –" which means "identity with this form projection can have assigned roles that are not in any role catalogue":

After this is set you cannot (even as admin) assign roles to identity with given form projection that doesn't belong to some of allowed role catalogues, which means:

• in case you create role request for assigning roles directly to identity, in role select you will see only roles that meets restriction criteria
• in case you assign roles by bulk action (from identity or role agenda), you can select combination that is not allowed, but concept role request is created with EXCEPTION state and in related long running task item log you will find reason why that assignment wasn't executed: