Merge branch 'master' into feature/role-mining

# Conflicts:
#	gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/panel/PrismContainerPanel.java
#	repo/repo-sqale/src/main/java/com/evolveum/midpoint/repo/sqale/SqaleRepositoryBeanConfig.java

config/sql/native/postgres-upgrade.sql

@@ -461,6 +461,15 @@ BEGIN
 END;
 $$;
 $aa$);
+
+-- Assignments have separate full object
+call apply_change(26, $aa$
+    ALTER TABLE m_assignment ADD COLUMN fullObject BYTEA;
+    ALTER TABLE m_operation_execution ADD COLUMN fullObject BYTEA;
+    ALTER TABLE m_ref_projection ADD COLUMN fullObject BYTEA;
+    ALTER TABLE m_ref_role_membership ADD COLUMN fullObject BYTEA;
+$aa$);
+
 ---
 -- WRITE CHANGES ABOVE ^^
 -- IMPORTANT: update apply_change number at the end of postgres-new.sql

config/sql/native/postgres.sql

@@ -498,6 +498,7 @@ CREATE TABLE m_ref_role_membership (
     ownerOid UUID NOT NULL REFERENCES m_object_oid(oid) ON DELETE CASCADE,
     referenceType ReferenceType GENERATED ALWAYS AS ('ROLE_MEMBERSHIP') STORED
         CHECK (referenceType = 'ROLE_MEMBERSHIP'),
+    fullObject BYTEA,
 
     PRIMARY KEY (ownerOid, relationId, targetOid)
 )
@@ -563,7 +564,7 @@ CREATE TABLE m_ref_projection (
     ownerOid UUID NOT NULL REFERENCES m_object_oid(oid) ON DELETE CASCADE,
     referenceType ReferenceType GENERATED ALWAYS AS ('PROJECTION') STORED
         CHECK (referenceType = 'PROJECTION'),
-
+    fullObject BYTEA,
     PRIMARY KEY (ownerOid, relationId, targetOid)
 )
     INHERITS (m_reference);
@@ -1941,6 +1942,7 @@ CREATE TABLE m_assignment (
     modifierRefRelationId INTEGER REFERENCES m_uri(id),
     modifyChannelId INTEGER REFERENCES m_uri(id),
     modifyTimestamp TIMESTAMPTZ,
+    fullObject BYTEA,
 
     PRIMARY KEY (ownerOid, cid)
 );
@@ -2030,6 +2032,7 @@ CREATE TABLE m_operation_execution (
     taskRefTargetType ObjectType,
     taskRefRelationId INTEGER REFERENCES m_uri(id),
     timestamp TIMESTAMPTZ,
+    fullObject BYTEA,
 
     PRIMARY KEY (ownerOid, cid)
 )
@@ -2241,8 +2244,10 @@ BEGIN
 END $$;
 -- endregion
 
+
+
 -- Initializing the last change number used in postgres-new-upgrade.sql.
 -- This is important to avoid applying any change more than once.
 -- Also update SqaleUtils.CURRENT_SCHEMA_CHANGE_NUMBER
 -- repo/repo-sqale/src/main/java/com/evolveum/midpoint/repo/sqale/SqaleUtils.java
-call apply_change(25, $$ SELECT 1 $$, true);
+call apply_change(26, $$ SELECT 1 $$, true);

docs/admin-gui/admin-gui-config/index.adoc

@@ -1925,7 +1925,7 @@ The property can be set in one of the following ways:
 * Using command line argument:
 ** You can use JVM argument like `-Dmidpoint.additionalPackagesToScan=my.package`.
 If using `midpoint.sh` or `start.sh`, this can be also provided with `JAVA_OPTS` environment variable.
-The variable can also be set in `setenv.sh` file (see xref:/midpoint/install/distribution/#post-installation[this] for more).
+The variable can also be set in `setenv.sh` file (see xref:/midpoint/install/bare-installation/distribution/#post-installation[this] for more).
 
 ** You can also use application argument `--midpoint.additionalPackagesToScan=my.package`,
 which can be provided as an argument to `midpoint.sh` or `start.sh` scripts.

docs/admin-gui/gui-user-profile/index.adoc

@@ -0,0 +1,34 @@
+= GUI User Profile
+:page-upkeep-status: orange
+:page-toc: top
+
+
+This page describes the possibilities of user profile configuration. For now, it contains only the documentation about saved filters and its usage.
+
+== Saved filters
+
+Saved filters feature is implemented on the pages throughout midPoint where the list of objects of some collection view is displayed (for more information about object collection views, please see xref:/midpoint/reference/admin-gui/collections-views/[Object Collections and Views]).
+This can be default object collection view list page (such All users page) or the configured one (e.g. Employees collection view configured for User type).
+
+This feature improves the search of objects in midPoint giving the possibility to save the most often used or the most complicated filters.
+Saved once the filter can be reused within multiple user sessions and can be spread among a group of users with the help of admin gui configuration merging mechanism.
+
+To save the filter the user can use the Save filter button on the Search panel (which is situated on the right side of the search panel, next to Search button).
+
+.Save filter button
+image::save-button.png[Save filter button, width=85%]
+
+After the user clicks Save filter button, Save filter popup is displayed where the user should specify the name of the filter and confirm the saving.
+The saved filter appears in the drop-down list.
+To apply the filter, just select it from the list.
+To delete the filter, click the delete icon next to the filter name in dropdown filter list.
+
+.Saved filters list
+image::saved-filters-list.png[Saved filters list, width=85%]
+
+*_Limitations_*
+
+Save filter functionality is supported on the object list pages which can be reached from the left-side menu (e.g. All users, All roles, etc. and other configured collection views for objects in midPoint).
+It is not available if the list of objects is a part of non-list page (e.g. list within user details page).
+It is also not supported for some special object types (e.g. certification campaigns, work items).
+

docs/admin-gui/request-access/configuration.adoc

@@ -180,12 +180,23 @@ It will represent new menu item with list of roles defined by collectionRef or c
         <allowOtherRelations>false</allowOtherRelations>
     </relationSelection>
     <roleCatalog>
-        <!-- we'll hide menu that allows user to search for roles in catalog based on roles of teammate -->
-        <showRolesOfTeammate>false</showRolesOfTeammate>
-        <!-- Org. unit structure to build menu for role catalog (up to 3 levels) -->
+        <defaultView>table</defaultView>
+        <rolesOfTeammate>
+            <autocompleteConfiguration>
+                <displayExpression>
+                    <script>
+                        <code>
+                            return "Teammate: " + object.givenName + " (" + object.name + ")"
+                        </code>
+                    </script>
+                </displayExpression>
+                <autocompleteMinChars>1</autocompleteMinChars>
+            </autocompleteConfiguration>
+        </rolesOfTeammate>
         <roleCatalogRef oid="8d4670a8-17db-4330-a753-8d3492b19ff8" relation="org:default" type="c:OrgType"/>
+        <roleCatalogDepth>2</roleCatalogDepth>
         <!-- Another menu item created using reference to ObjectCollectionType -->
-        <collection id="233">
+        <collection>
             <identifier>example-collection</identifier>
             <collectionRef oid="d4f124ed-9694-4a97-8e18-f9fc45563003" relation="org:default" type="c:ObjectCollectionType"/>
         </collection>

docs/admin-gui/request-access/index.adoc

@@ -1,10 +1,25 @@
 = Request access
 :page-toc: top
-:page-since: "4.6"
 
-Request access functionality is a complete rewrite and redesign of midPoint xref:../role-request/index.adoc[role requesting UI].
+Many traditional Role-Based Access Control (RBAC) theories seem to be based on assumption that there is some kind of all-knowing authority that knows which user should have which role.
+This approach works in some kind of organizations, but in reality such organizations are very rare.
+In practice the knowledge about roles and role policies is not centralized.
+It is rather distributed among many people in the organization: application owners have part of the knowledge, line managers have more bits of knowledge, other parts are maintained by security officers and other specialists.
+It is almost impossible to analyze this knowledge and specify it in a form of an algorithm that a machine can execute.
+In addition to that, such policy is constantly changing.
+Implementing this a fully-automated system is almost always infeasible.
 
-New UI takes form of proper wizard with up to four steps:
+Therefore, most identity management and governance systems come with an alternative approach: user are requesting role assignment.
+The request is then routed through an xref:/midpoint/reference/cases/approval/[approval process]. If the request is approved, then the requested roles are assigned.
+
+However, this approach requires _end users_ to take part in the interaction.
+End users are usually not experts on RBAC and they do not have comprehensive knowledge about role design and structures used in the organization.
+Therefore, midPoint has a simplified view of xref:/midpoint/reference/admin-gui/role-catalog/[role catalog] that is suitable for end users.
+The role catalog is used to present the roles in a similar way as an e-shop presents the products.
+The roles are sorted into categories and sub-categories.
+The user may browse the role catalog and select the roles.
+
+User interface takes form of proper wizard with up to four steps:
 
 * Person of interest
 * Relation
@@ -27,37 +42,43 @@ There are two type of tiles:
 * Group - defined by collection or query filter. Group allow to select one or more users via autocomplete text field or by clicking *Select manually* button.
 
 Autocomplete search withing group is done using `user/name` property with `norm` poly-string matcher by default.
+Autocomplete configuration can be customized using `group/autocompleteConfiguration` configuration option.
 
-Concrete search behaviour can be customized using `group/searchFilterTemplate` where filter with expression can be used.
-Search result labels can be also configured using expression defined in `group/userDisplayName`.
-Minimum number of characters needed to start autocomplete can be configured using `group/autocompleteMinChars`.
+Concrete search behaviour can be customized using `autocompleteConfiguration/searchFilterTemplate` where filter with expression can be used.
+Filter expression should contain `input` variable which will be replaced by user input.
+Such filter will be joined with group defined filter/collection using `and` operator.
 
-Search behaviour configuration was moved to `autoCompleteConfiguration` configuration option.
+Search result items can be also modified using expression defined in `autocompleteConfiguration/displayExpression`.
 
-In following example filter template will create substring search `givenName like '%King *<VALUE>*%'`.
+Minimum number of characters needed to start autocomplete can be configured using `group/autocompleteMinChars`.
+Default value is 2.
+
+In following example filter template will create substring search `givenName like '%King *<VALUE_FROM_AUTOCOMPLETE_TEXT>*%'`.
 Results will be displayed in format `<USER_NAME> (<USER_OID>)`
 
 [source, xml]
 ----
 <group>
-    <searchFilterTemplate>
-        <q:substring>
-            <q:path>givenName</q:path>
-            <expression>
-                <script>
-                    <code>
-                        return "King " + input
-                    </code>
-                </script>
-            </expression>
-        </q:substring>
-    </searchFilterTemplate>
-    <userDisplayName>
-        <script>
-            <code>return basic.stringify(object.name) + " (" + object.oid + ")"</code>
-        </script>
-    </userDisplayName>
-    <autocompleteMinChars>2</autocompleteMinChars>
+    <identifier>kings</identifier>
+    <display>
+        <label>Kings</label>
+    </display>
+    <collection>
+        <collectionRef oid="1324096e-3b16-4097-86b2-47c43b1d2ad5" type="ArchetypeType"/>
+    </collection>
+    <autocompleteConfiguration>
+        <searchFilterTemplate>
+            <q:text xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+                givenName contains `"King " + input`
+            </q:text>
+        </searchFilterTemplate>
+        <displayExpression>
+            <script>
+                <code>return basic.stringify(object.name) + " (" + object.oid + ")"</code>
+            </script>
+        </displayExpression>
+        <autocompleteMinChars>1</autocompleteMinChars>
+    </autocompleteConfiguration>
 </group>
 ----
 
@@ -91,6 +112,8 @@ Set of relations, their label and icon can be configured, see xref:../../concept
 
 If there's only one relation to be selected, then this step is not visible (and skipped).
 
+List of available relations is based authorizations and first user that was added in `Person of interest` step.
+
 [NOTE]
 ====
 If relations are handled only implicitly via authorizations, then relation step will be visible at least when wizard is initialized.
@@ -140,7 +163,7 @@ Roles of teammate option can be disabled via configuration.
 
 Search for teammate will by default create filter using `user/name` property with `norm` poly-string matcher by default.
 
-Search behaviour can be customized using `autoCompleteConfiguration` configuration option.
+Search behaviour can be customized using `autoCompleteConfiguration` configuration option, similar to auto-complete in <<Person of interest>> step.
 
 .Roles of teammate
 image::step-3-roles-of-teammate.png[Roles of teammate,100%]
@@ -155,6 +178,10 @@ In this step user can finalize whole request, review and solve conflicts if nece
 If configuration allows comment for this request can be added also with custom validity period for requested items.
 This can be done either globally for whole cart or for each item separately.
 
+If there are items in the cart that has to be approved and items that don't need approval process, then submit behavior can be configured using `systemConfiguration/roleManagement/defaultExecuteAfterAllApprovals` configuration option.
+This boolean flag defines whether all changes are applied after all approvals or items can be assigned immediately if they don't need approval process.
+This flag is global and can't be overridden via `adminGuiConfiguration/accessRequest` configuration.
+
 === Conflict solver
 
 .List of conflicts

docs/admin-gui/resource-wizard/index.adoc

@@ -79,6 +79,9 @@ image::step-1-discovered-config.png[link=step-1-discovered-config.png, 100%, tit
 
 Click btn:[Next] to continue the resource configuration.
 
+WARNING: If you are using CSV connector and wizard fails in this step with error _"Connector initialization failed. Configuration error: Configuration error: Header in csv file doesn't contain unique attribute name as defined in configuration."_, it may be caused by presence of UTF-8 BOM characters in the file. See more xref:https://support.evolveum.com/work_packages/9497[here]. +
+To resolve the issue, remove the leading UTF-8 BOM characters from the csv file and start the wizard again. This can be done e.g. by copying the file content to a new file in text editor.
+
 Connector will return possible object types and their attributes (_schema_ and its _object classes_).
 Confirm the detected configuration.
 
@@ -158,6 +161,12 @@ Define the midPoint-specific configuration for this object type:
 * *Archetype* allows selection of archetype that will be automatically assigned for all midPoint objects created from this object type data on the resource. The same archetype will be also used as a part of correlation, i.e. enforced.
 +
 If unsure, keep Archetype empty.
++
+Panel for Archetype contains three possibilities:
+
+** _No archetype_,
+** _Use existing archetype_ - Use existing archetype means that you can choose from already created archetypes.
+** _Create new archetype_ - Create new archetype, with basic configuration. Created archetype will be added to configuration as reference.
 
 .See also the following pages for more information:
 * overview of xref:/midpoint/reference/schema/archetypes/[Archetypes]