Rest Self Request

rest
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all

read-requestable-roles
    Description: Allows reading requestable roles. This makes it possible to search for requestable roles in the user interface.
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
    Object: RoleType
    Filter: requestable = true AND parentOrgRef matches (oid = "7878cf5d-9de2-486c-aeb7-41b438200a57")

assign-requestable-roles
    Description: Allows assigning requestable roles. This makes it possible to request roles in a request-and-approve process. The requestable roles will be displayed in the role request dialog by default. Please note that the roles also need an approval definition to go through the approval process. Otherwise, they will be assigned automatically without any approval.
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign
    Phase: request
    Object: self
    Target: RoleType
    Filter: requestable = true AND parentOrgRef matches (oid = "7878cf5d-9de2-486c-aeb7-41b438200a57")
    Relation: org:default

self-execution-modify
    Description: Authorization that allows self-modification of some properties, but only in the execution phase. The real limitation of these operations is done in the request phase. E.g. the modification of assignments is controlled in the request phase by using the #assign authorization.
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
    Phase: execution
    Object: self
    Item: assignment

assignment-target-get
    Description: Authorization that allows reading all objects that are possible assignment targets. Note that this authorization may be too broad for production use. Normally it should be limited to just selected properties such as name and description.
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get
    Object: OrgType, RoleType, ArchetypeType, UserType

assignment-target-read-case
    Description: Authorization that allows reading the approval status of cases. This is used to display requests to the end users, especially in the "My Requests" box in the user dashboard.
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
    Object: CaseType, self

self-owned-task-read
    Description: Authorization that allows seeing all tasks owned by the currently logged-in user.
    Action: http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
    Object: TaskType, self