complexType "tns:RoleType"
Namespace:
http://midpoint.evolveum.com/xml/ns/public/common/common-1.xsd
Content:
complex, 2 attributes, 4 elements
Defined:
globally in common-1.xsd; see XML source
Includes:
definition of 1 element
Used:
at 1 location
XML Representation Summary
<...
   
oid
 = 
 xsd:string
version
 = 
 xsd:string
    >
   
Content: 
 tns:name?, tns:description?, tns:extension?, tns:assignment*
</...>
Content Model Elements (4):
tns:assignment (type tns:AssignmentType), tns:description, tns:extension, tns:name
All Direct / Indirect Based Elements (1):
tns:role
Known Usage Locations
Annotation
A role that implies assignments. The role may "grant" accounts on resources, attributes and entitlements for such accounts. The role can also assign organizational units, other roles or various IDM objects that can be assigned directly to user. Role is in fact just a named set of assignments. The speicific roles are also called technical role or IT role, however this definition is an abstract definition of concept that can span wide area of intepretation. This is the basic building blog of role-based access contol (RBAC) in the provisioning system. It defines what rights (e.g. accounts) should be given to user, how they should look like (attributes) and what groups or native roles to assign to them (entitlements). This role definition is quite simplistic now. It does not support rule-derived values or any other advanced dynamics. Yet. It will be extended later in the development.
Type Definition Detail
Type Derivation Tree
tns:ObjectType (extension)
  tns:ExtensibleObjectType (extension)
      tns:RoleType
XML Source (see within schema source)
<xsd:complexType name="RoleType">
<xsd:annotation>
<xsd:documentation>
A role that implies assignments.
The role may "grant" accounts on resources, attributes and
entitlements for such accounts. The role can also assign
organizational units, other roles or various IDM objects
that can be assigned directly to user. Role is in fact just
a named set of assignments.

The speicific roles are also called technical role or IT role,
however this definition is an abstract definition of concept
that can span wide area of intepretation.

This is the basic building blog of role-based access
contol (RBAC) in the provisioning system. It defines what
rights (e.g. accounts) should be given to user, how they
should look like (attributes) and what groups or native
roles to assign to them (entitlements).

This role definition is quite simplistic now. It does not
support rule-derived values or any other advanced dynamics.
Yet. It will be extended later in the development.
</xsd:documentation>
</xsd:annotation>
<xsd:complexContent>
<xsd:extension base="tns:ExtensibleObjectType">
<xsd:sequence>
<xsd:element maxOccurs="unbounded" minOccurs="0" name="assignment" type="tns:AssignmentType">
<xsd:annotation>
<xsd:documentation>
Set of roles's assignments.
Represents objects (such as roles) or accounts assigned to the
role and therefore implied by the role.

The assignment may contain account construction. Such element
specified the account specified by this element should be
created when the role is assigned (unless such account already
exists). The account should be set up according to the definitions
contained in this element.

TODO: variables in the expressions:
$user
$role
$assignment
$account
$resource

If the role implying this account is unassigned
and no other role or assignment implies the account, the
account should be removed.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
Attribute Detail (all declarations; 2/2)
oid
Type:
xsd:string
Use:
optional
Defined:
locally within tns:ObjectType complexType
System-wide immutable identifier for the object. Will be probably quite long and not human-readable. It should not be displayed to user. It has no meaning outside of IDM system and should not be directly passed to any third-party systems. This identifier must be unique in the entire system. This attribute is immutable. It cannot be changed. Any operation attempting to change this identifier must fail. OID is not property and therefore cannot be "addressed" in usual operations. OID must be provided for all objects that are persistently stored. There may be detached objects without OID. Such objects have the same structure as normal objects, they are just not stored in the repository. E.g. object that are only stored on resource and are not replicated in the repository. Such objects do not have OID therefore their XML representation cannot contain oid attribute. The OID should be unique in both time and space. That means that OIDs must be unique in the whole system in any moment and should not be re-used. If an object is deleted, the OID of that object should not be used by a new object. The reason is to avoid problems with stale links pointing to a wrong object and appearing valid. However, this is not a strict requirement. Some marginal probability of OID reuse is tolerated. The recommended practice is to add some randomness to the process of OID generation. This attribute is NOT (necessarily) ASN.1 OID and should not be confused with it. The attribute is named "oid" meaning object identifier. It is not named "id" to avoid confusion with xml:id attribute as it is easy to confuse these two if namespace prefix is omitted. The confusion with ASN.1 OID id not likely. The oid is XML attribute of this object instead of element because it has special purpose of identifying the object. It is also immutable, therefore we do not need to handle changes to it.
XML Source (see within schema source)
<xsd:attribute name="oid" type="xsd:string" use="optional">
<xsd:annotation>
<xsd:documentation>
System-wide immutable identifier for the object.
Will be probably quite long and not human-readable. It
should not be displayed to user. It has no meaning
outside of IDM system and should not be directly
passed to any third-party systems.

This identifier must be unique in the entire system.

This attribute is immutable.
It cannot be changed. Any operation attempting
to change this identifier must fail.

OID is not property and therefore cannot be "addressed"
in usual operations.

OID must be provided for all objects that are persistently
stored. There may be detached objects without OID.
Such objects have the same structure as normal objects,
they are just not stored in the repository. E.g.
object that are only stored on resource and are
not replicated in the repository. Such objects
do not have OID therefore their XML representation
cannot contain oid attribute.

The OID should be unique in both time and space. That
means that OIDs must be unique in the whole system
in any moment and should not be re-used. If an object is
deleted, the OID of that object should not be used by
a new object. The reason is to avoid problems with stale
links pointing to a wrong object and appearing valid.
However, this is not a strict requirement. Some marginal
probability of OID reuse is tolerated. The recommended
practice is to add some randomness to the process of
OID generation.

This attribute is NOT (necessarily) ASN.1 OID and should not
be confused with it.

The attribute is named "oid" meaning object identifier.
It is not named "id" to avoid confusion with xml:id
attribute as it is easy to confuse these two if
namespace prefix is omitted. The confusion with ASN.1
OID id not likely.

The oid is XML attribute of this object instead of
element because it has special purpose of identifying
the object. It is also immutable, therefore we do not
need to handle changes to it.
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
version
Type:
xsd:string
Use:
optional
Defined:
locally within tns:ObjectType complexType
Version for optimistic locking. Contains the version in which this object was read from the repository, fetched from the resource, etc. Type of the version attribute is string, not integer to provide flexibility for various versioning schemes in implementation (e.g. ETags). The type really does not matter, the only things that matters is if the version is the same or different.
XML Source (see within schema source)
<xsd:attribute name="version" type="xsd:string" use="optional">
<xsd:annotation>
<xsd:documentation>
Version for optimistic locking.

Contains the version in which this object was read from the
repository, fetched from the resource, etc.

Type of the version attribute is string, not integer to provide
flexibility for various versioning schemes in implementation
(e.g. ETags). The type really does not matter, the only
things that matters is if the version is the same or different.
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
Content Element Detail (all declarations; 4/4)
tns:assignment
Type:
tns:AssignmentType, complex content
Defined:
locally within (this) tns:RoleType complexType
Set of roles's assignments. Represents objects (such as roles) or accounts assigned to the role and therefore implied by the role. The assignment may contain account construction. Such element specified the account specified by this element should be created when the role is assigned (unless such account already exists). The account should be set up according to the definitions contained in this element. TODO: variables in the expressions: $user $role $assignment $account $resource If the role implying this account is unassigned and no other role or assignment implies the account, the account should be removed.
XML Source (see within schema source)
<xsd:element maxOccurs="unbounded" minOccurs="0" name="assignment" type="tns:AssignmentType">
<xsd:annotation>
<xsd:documentation>
Set of roles's assignments.
Represents objects (such as roles) or accounts assigned to the
role and therefore implied by the role.

The assignment may contain account construction. Such element
specified the account specified by this element should be
created when the role is assigned (unless such account already
exists). The account should be set up according to the definitions
contained in this element.

TODO: variables in the expressions:
$user
$role
$assignment
$account
$resource

If the role implying this account is unassigned
and no other role or assignment implies the account, the
account should be removed.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
tns:description
Type:
xsd:string, simple content
Defined:
by reference within tns:ObjectType complexType
Free-form textual description of the object.
XML Source (see within schema source)
<xsd:element minOccurs="0" ref="tns:description">
<xsd:annotation>
<xsd:documentation>
Free-form textual description of the object.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
tns:extension
Type:
anonymous complexType, complex content
Defined:
by reference within tns:ExtensibleObjectType complexType
XML Source (see within schema source)
<xsd:element maxOccurs="1" minOccurs="0" ref="tns:extension"/>
tns:name
Type:
xsd:string, simple content
Defined:
by reference within tns:ObjectType complexType
Human-readable, mutable name of the object. It may also be an identifier (login name, group name). Should be unique in the respective context of interpretation. E.g. the name of the UserType subtype should be unique in the whole system. The name of the AccountType subtype should be unique in the scope of resource (target system) that it belongs to. This may not be human-readable in a sense to display to a common end-user. It is intended to be displayed to IDM system administrator. Therefore it may contain quite a "ugly" structures such as LDAP DN or URL. Name is considered to be ordinary property of the object. Therefore it can be changed by invoking usual modifyObject operations. However, change of the name may have side effects (rename process). Although name is specified as optional by this schema, it is in fact mandatory for most object types. The reason for specifying the name as optional is that the name may be generated by the system instead of supplied by the clients. However, all objects stored in the repository must have a name.
XML Source (see within schema source)
<xsd:element minOccurs="0" ref="tns:name">
<xsd:annotation>
<xsd:documentation>
Human-readable, mutable name of the object. It
may also be an identifier (login name, group name).
Should be unique in the respective context of
interpretation. E.g. the name of the UserType subtype
should be unique in the whole system.
The name of the AccountType subtype should be unique in the
scope of resource (target system) that it belongs to.

This may not be human-readable in a sense to display
to a common end-user. It is intended to be displayed to
IDM system administrator. Therefore it may contain quite
a "ugly" structures such as LDAP DN or URL.

Name is considered to be ordinary property of the object.
Therefore it can be changed by invoking usual modifyObject
operations. However, change of the name may have side
effects (rename process).

Although name is specified as optional by this schema, it
is in fact mandatory for most object types. The reason for
specifying the name as optional is that the name may be
generated by the system instead of supplied by the clients.
However, all objects stored in the repository must have a name.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
This XML schema documentation has been generated with DocFlex/XML RE 1.8.5 using DocFlex/XML XSDDoc 2.5.0 template set.
DocFlex/XML RE is a reduced edition of DocFlex/XML, which is a tool for programming and running highly sophisticated documentation and reports generators by the data obtained from any kind of XML files. The actual doc-generators are implemented in the form of special templates that are designed visually using a high-quality Template Designer GUI basing on the XML schema (or DTD) files describing the data source XML.
DocFlex/XML XSDDoc is a commercial template application of DocFlex/XML that implements a high-quality XML Schema documentation generator with simultaneous support of framed multi-file HTML, single-file HTML and RTF output formats. (More formats are planned in the future).
A commercial license for "DocFlex/XML XSDDoc" will allow you:
  • To configure the generated documentation so much as you want. Thanks to our template technology, it was possible to support > 400 template parameters, which work the same as "options" of ordinary doc-generators. The parameters are organized in nested groups, which form a parameter tree. Most of them have their default values calculated dynamically from a few primary parameters. So, you'll never need to specify all of them. That will give you swift and effective control over the generated content!
  • To use certain features disabled in the free mode (such as the full documenting of substitution groups).
  • To select only the initial, imported, included, redefined XML schemas to be documented or only those directly specified by name.
  • To include only XML schema components specified by name.
  • To document local element components both globally and locally (similar to attributes).
  • To allow/suppress unification of local elements by type.
  • To enable/disable reproducing of namespace prefixes.
  • To use PlainDoc.tpl main template to generate all the XML schema documentation in a signle-file form as both HTML and incredible quality RTF output.
  • To format your annotations with XHTML tags and reproduce that formatting both in HTML and RTF output.
  • To insert images in your annotations using XHTML <img> tags (supported both in HTML and RTF output).
  • To remove this very advertisement text!
Once having only such a license, you will be able to run the fully-featured XML schema documentation generator both with DocFlex/XML (Full Edition) and with DocFlex/XML RE, which is a reduced free edition containing only the template interpretor / output generator. No other licenses will be required!
But this is not all. In addition to it, a commercial license for "DocFlex/XML SDK" will allow you to modify the XSDDoc templates themselves as much as you want. You will be able to achieve whatever was impossible to do with the template parameters only. And, of course, you could develop any template applications by your own!
Please note that by purchasing a license for this software, you not only acquire a useful tool, you will also make an important investment in its future development, the results of which you could enjoy later by yourself. Every single your purchase matters and makes a difference for us!
To purchase a license, please follow this link: http://www.filigris.com/shop/