diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java
index db85c3146dc..991feb5e5d4 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java
@@ -112,4 +112,8 @@ public class ExpressionConstants {
 
 	public static final QName VAR_OBJECT_DISPLAY_INFORMATION = new QName(SchemaConstants.NS_C, "objectDisplayInformation");
 	public static final QName VAR_TARGET_DISPLAY_INFORMATION = new QName(SchemaConstants.NS_C, "targetDisplayInformation");
+
+	public static final QName VAR_PERFORMER = new QName(SchemaConstants.NS_C, "performer");
+	public static final QName VAR_OUTPUT = new QName(SchemaConstants.NS_C, "output");
+	public static final QName VAR_EVENT = new QName(SchemaConstants.NS_C, "event");
 }
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
index 85b02734c56..ac26ac3adf0 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
@@ -205,6 +205,8 @@ public abstract class SchemaConstants {
 	public static final ItemPath PATH_PASSWORD = new ItemPath(C_CREDENTIALS, CredentialsType.F_PASSWORD);
 	public static final ItemPath PATH_PASSWORD_VALUE = new ItemPath(C_CREDENTIALS, CredentialsType.F_PASSWORD,
 			PasswordType.F_VALUE);
+	public static final ItemPath PATH_PASSWORD_FORCE_CHANGE = new ItemPath(C_CREDENTIALS, CredentialsType.F_PASSWORD,
+			PasswordType.F_FORCE_CHANGE);
 	public static final ItemPath PATH_PASSWORD_METADATA = new ItemPath(C_CREDENTIALS, CredentialsType.F_PASSWORD,
 			PasswordType.F_METADATA);
 	public static final ItemPath PATH_NONCE = new ItemPath(C_CREDENTIALS, CredentialsType.F_NONCE);
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
index 2f65631e5dd..9231a3b8eaa 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
@@ -615,6 +615,7 @@ public static <T> T getExtensionItemRealValue(@Nullable ExtensionType extension,
     	return item != null ? (T) item.getRealValue() : null;
 	}
 
+	@NotNull
 	public static QName normalizeRelation(QName name) {
     	if (name == null) {
     		return SchemaConstants.ORG_DEFAULT;
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-certification-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-certification-3.xsd
index a944c508494..38e94e3c25b 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-certification-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-certification-3.xsd
@@ -1355,6 +1355,18 @@
                     </xsd:documentation>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="reviewerCommentsFormatting" minOccurs="0" type="tns:PerformerCommentsFormattingType">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Instructions how to format reviewers comments before storing them into metadata.
+                        EXPERIMENTAL
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <a:experimental>true</a:experimental>
+                        <a:since>3.7.1</a:since>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
         </xsd:sequence>
     </xsd:complexType>
 
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
index c860a1b4f8b..d3fd3eb45af 100755
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -3846,7 +3846,7 @@
             </xsd:appinfo>
         </xsd:annotation>
        	<xsd:sequence>
-       		<xsd:element name="order" type="xsd:int" minOccurs="0" maxOccurs="1" default="1">
+       		<xsd:element name="order" type="xsd:int" minOccurs="0" default="1">
 	   			<xsd:annotation>
     				<xsd:documentation>
     					Exact order to match. This is a short-hand for setting both
@@ -3854,7 +3854,7 @@
     				</xsd:documentation>
     			</xsd:annotation>
     		</xsd:element>
-   			<xsd:element name="orderMin" type="xsd:string" minOccurs="0" maxOccurs="1">
+   			<xsd:element name="orderMin" type="xsd:string" minOccurs="0">
 	   			<xsd:annotation>
     				<xsd:documentation>
     					Minimum matching order. Applicable only if "order" element is not set.
@@ -3862,7 +3862,7 @@
     				</xsd:documentation>
     			</xsd:annotation>
     		</xsd:element>
-   			<xsd:element name="orderMax" type="xsd:string" minOccurs="0" maxOccurs="1">
+   			<xsd:element name="orderMax" type="xsd:string" minOccurs="0">
 	   			<xsd:annotation>
     				<xsd:documentation>
     					Maximum matching order. Applicable only if "order" element is not set.
@@ -3870,7 +3870,7 @@
     				</xsd:documentation>
     			</xsd:annotation>
     		</xsd:element>
-			<xsd:element name="resetOrder" type="xsd:int" minOccurs="0" maxOccurs="1">
+			<xsd:element name="resetOrder" type="xsd:int" minOccurs="0">
 				<xsd:annotation>
 					<xsd:documentation>
 						The new value for order for this relation (or summary order), to be used when
@@ -3878,7 +3878,7 @@
 					</xsd:documentation>
 				</xsd:annotation>
 			</xsd:element>
-    		<xsd:element name="relation" type="xsd:QName" minOccurs="0" maxOccurs="1">
+    		<xsd:element name="relation" type="xsd:QName" minOccurs="0">
 	   			<xsd:annotation>
     				<xsd:documentation>
     					Relation to which the order constraints apply. If none present, summary (i.e. non-delegation) order is considered.
@@ -14575,7 +14575,15 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:sequence>
-		<xsd:element name="name" type="xsd:string" minOccurs="0">
+			<xsd:element name="name" type="xsd:string" minOccurs="0">
+			</xsd:element>
+			<xsd:element name="forceChange" type="xsd:boolean" minOccurs="0" maxOccurs="1" default="false">
+			</xsd:element>
+			<xsd:element name="authenticationName" type="xsd:string" minOccurs="0">
+			</xsd:element>
+			<xsd:element name="deliveryType" type="tns:DeliveryType" minOccurs="0">
+			</xsd:element>
+			<xsd:element name="newCredentialSource" type="tns:CredentialSourceType" minOccurs="0">
 			</xsd:element>
 			<xsd:element name="securityQuestionReset" type="tns:SecurityQuestionsResetPolicyType" minOccurs="0">
 			</xsd:element>
@@ -14587,6 +14595,79 @@
 		</xsd:sequence>
 	</xsd:complexType>
 	
+	<xsd:complexType name="CredentialSourceType">
+		<xsd:annotation>
+			<xsd:documentation>
+			</xsd:documentation>
+			<xsd:appinfo>
+			<a:container/>
+		</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="credentialSource" type="tns:CredentialSourceTypeType" minOccurs="0" maxOccurs="1">
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:simpleType name="CredentialSourceTypeType">
+        <xsd:annotation>
+            <xsd:documentation>
+                TODO
+            </xsd:documentation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="generate">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="GENERATE"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	
+	<xsd:simpleType name="DeliveryType">
+        <xsd:annotation>
+            <xsd:documentation>
+                TODO
+            </xsd:documentation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="gui">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="GUI"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	<xsd:complexType name="CredentialResetResponseType">
+		<xsd:annotation>
+			<xsd:documentation>
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="message" type="tns:LocalizableMessageType" minOccurs="0">
+			</xsd:element>
+			<xsd:element name="newCredential" type="xsd:string" minOccurs="0">
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	
+	
 	<xsd:complexType name="AbstractAuthenticationPolicyType">
 		<xsd:annotation>
 			<xsd:documentation>
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd
index 8120dd5a675..de0e19c55ba 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd
@@ -638,7 +638,39 @@
 					        </xsd:appinfo>
                         </xsd:annotation>
                     </xsd:element>
-                    <xsd:element name="policy" type="tns:ExclusionPolicyType" minOccurs="0">
+					<xsd:element name="orderConstraint" type="tns:OrderConstraintsType" minOccurs="0" maxOccurs="unbounded">
+						<xsd:annotation>
+							<xsd:documentation>
+								Specification of relation(s) when this exclusion constraint should be applied at the source side.
+								(I.e. this is evaluated against the object defining this exclusion constraint.)
+								The default is "order = 1".
+
+								EXPERIMENTAL. Currently it does not work with non-member relations because of assignment
+								evaluation optimizations (see TestSegregationOfDuties.test950JackSelfExclusion). So it can
+								be used only for default and manager relations.
+							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.7.1</a:since>
+							</xsd:appinfo>
+						</xsd:annotation>
+					</xsd:element>
+					<xsd:element name="targetOrderConstraint" type="tns:OrderConstraintsType" minOccurs="0" maxOccurs="unbounded">
+						<xsd:annotation>
+							<xsd:documentation>
+								Specification of relation(s) when this exclusion constraint should be applied at the target side.
+								(I.e. this is evaluated against the target object.)
+								The default is "order = 1".
+
+								EXPERIMENTAL. Currently it does not work with non-member relations because of assignment
+								evaluation optimizations (see TestSegregationOfDuties.test950JackSelfExclusion). So it can
+								be used only for default and manager relations.
+							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.7.1</a:since>
+							</xsd:appinfo>
+						</xsd:annotation>
+					</xsd:element>
+					<xsd:element name="policy" type="tns:ExclusionPolicyType" minOccurs="0">
                         <xsd:annotation>
                             <xsd:appinfo>
                                 <a:deprecated>true</a:deprecated>
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-workflows-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-workflows-3.xsd
index 58265c9d566..6a3f275c0e1 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-workflows-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-workflows-3.xsd
@@ -647,11 +647,61 @@
 					</xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="approverCommentsFormatting" minOccurs="0" type="tns:PerformerCommentsFormattingType">
+                <xsd:annotation>
+                    <xsd:documentation>
+						Instructions how to format approvers comments before storing them into metadata.
+						EXPERIMENTAL
+                    </xsd:documentation>
+					<xsd:appinfo>
+						<a:experimental>true</a:experimental>
+						<a:since>3.7.1</a:since>
+					</xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
             <xsd:element name="primaryChangeProcessor" minOccurs="0" type="tns:PrimaryChangeProcessorConfigurationType" />
             <xsd:element name="generalChangeProcessor" minOccurs="0" type="tns:GeneralChangeProcessorConfigurationType" />
         </xsd:sequence>
     </xsd:complexType>
 
+	<xsd:complexType name="PerformerCommentsFormattingType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Instructions how to format approvers/reviewers comments before storing them into metadata.
+				Normally midPoint stores comments as they were entered by performers. However, each deployment can
+				tailor these e.g. by including performer name along with the comment.
+				EXPERIMENTAL
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:experimental>true</a:experimental>
+				<a:since>3.7.1</a:since>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="value" type="tns:ExpressionType" minOccurs="0">
+				<xsd:annotation>
+					<xsd:documentation>
+						How to construct the comment. For example: performer.fullName + ': ' + output.comment.
+
+						Available variables:
+						- performer (i.e. reviewer or approver),
+						- output (of AbstractWorkItemOutputType),
+						- workItem (of AbstractWorkItemType - only for certification),
+						- event (of WorkItemCompletionEventType - only for approvals).
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+			<xsd:element name="condition" type="tns:ExpressionType" minOccurs="0">
+				<xsd:annotation>
+					<xsd:documentation>
+						Whether to include the particular output in comments. For example: output.comment != null.
+						Null or empty values are skipped regardless of the condition.
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+
 	<xsd:complexType name="WfExecutionTasksConfigurationType">
 		<xsd:annotation>
 			<xsd:documentation>
diff --git a/model/certification-impl/pom.xml b/model/certification-impl/pom.xml
index b481b23e030..27916b7a254 100644
--- a/model/certification-impl/pom.xml
+++ b/model/certification-impl/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2018 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -67,6 +67,11 @@
             <artifactId>model-impl</artifactId>
             <version>3.8-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>com.evolveum.midpoint.model</groupId>
+            <artifactId>model-common</artifactId>
+            <version>3.8-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>com.evolveum.midpoint.infra</groupId>
             <artifactId>common</artifactId>
diff --git a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccessCertificationClosingTaskHandler.java b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccessCertificationClosingTaskHandler.java
index 21e98febbee..447bd39613b 100644
--- a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccessCertificationClosingTaskHandler.java
+++ b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccessCertificationClosingTaskHandler.java
@@ -16,6 +16,7 @@
 package com.evolveum.midpoint.certification.impl;
 
 import com.evolveum.midpoint.certification.api.OutcomeUtils;
+import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
@@ -35,6 +36,8 @@
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.wf.api.WorkflowManager;
+import com.evolveum.midpoint.wf.util.PerformerCommentsFormatter;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import org.apache.commons.lang.StringUtils;
@@ -67,6 +70,8 @@ public class AccessCertificationClosingTaskHandler implements TaskHandler {
     @Autowired private AccCertGeneralHelper helper;
     @Autowired private PrismContext prismContext;
     @Autowired private AccCertQueryHelper queryHelper;
+    @Autowired private SystemObjectCache objectCache;
+    @Autowired private WorkflowManager workflowManager;
     @Autowired @Qualifier("cacheRepositoryService") private RepositoryService repositoryService;
 
     private static final transient Trace LOGGER = TraceManager.getTrace(AccessCertificationClosingTaskHandler.class);
@@ -105,9 +110,11 @@ public TaskRunResult run(Task task) {
 
 		AccessCertificationCampaignType campaign;
 		List<AccessCertificationCaseType> caseList;
+		PrismObject<SystemConfigurationType> systemConfigurationObject;
 		try {
 			campaign = helper.getCampaign(campaignOid, null, task, opResult);
 			caseList = queryHelper.searchCases(campaignOid, null, null, opResult);
+			systemConfigurationObject = objectCache.getSystemConfiguration(opResult);
 		} catch (ObjectNotFoundException|SchemaException e) {
 			opResult.computeStatus();
 			runResult.setRunResultStatus(TaskRunResultStatus.PERMANENT_ERROR);
@@ -115,7 +122,11 @@ public TaskRunResult run(Task task) {
 			return runResult;
 		}
 
-		RunContext runContext = new RunContext(task);
+		PerformerCommentsFormattingType formatting = systemConfigurationObject != null &&
+				systemConfigurationObject.asObjectable().getAccessCertification() != null ?
+				systemConfigurationObject.asObjectable().getAccessCertification().getReviewerCommentsFormatting() : null;
+		PerformerCommentsFormatter commentsFormatter = workflowManager.createPerformerCommentsFormatter(formatting);
+		RunContext runContext = new RunContext(task, commentsFormatter);
 		caseList.forEach(aCase -> prepareMetadataDeltas(aCase, campaign, runContext, opResult));
 		runContext.objectContextMap.forEach((oid, ctx) -> applyMetadataDeltas(ctx, runContext, opResult));
 
@@ -193,14 +204,15 @@ private void prepareMetadataDeltas(AccessCertificationCaseType aCase, AccessCert
 		}
 
 		try {
-			objectCtx.modifications.addAll(createMetadataDeltas(aCase, campaign, objectCtx.object.getClass(), pathPrefix));
+			objectCtx.modifications.addAll(createMetadataDeltas(aCase, campaign, objectCtx.object.getClass(), pathPrefix, runContext, result));
 		} catch (SchemaException e) {
 			LoggingUtils.logUnexpectedException(LOGGER, "Couldn't create certification metadata for {} {}", e, toShortString(objectCtx.object));
 		}
 	}
 
-	private List<ItemDelta<?, ?>> createMetadataDeltas(AccessCertificationCaseType aCase, AccessCertificationCampaignType campaign,
-			Class<? extends ObjectType> objectClass, ItemPath pathPrefix) throws SchemaException {
+	private List<ItemDelta<?, ?>> createMetadataDeltas(AccessCertificationCaseType aCase,
+			AccessCertificationCampaignType campaign, Class<? extends ObjectType> objectClass, ItemPath pathPrefix,
+			RunContext runContext, OperationResult result) throws SchemaException {
 		String outcome = aCase.getOutcome();
 		if (OutcomeUtils.isNoneOrNotDecided(outcome)) {
 			return emptyList();
@@ -215,8 +227,9 @@ private void prepareMetadataDeltas(AccessCertificationCaseType aCase, AccessCert
 			boolean commentNotEmpty = StringUtils.isNotEmpty(output.getComment());
 			if (commentNotEmpty || !OutcomeUtils.isNoneOrNotDecided(output.getOutcome())) {
 				certifiers.add(workItem.getPerformerRef().clone());
-				if (commentNotEmpty) {
-					comments.add(output.getComment());
+				String formattedComment = runContext.commentsFormatter.formatComment(workItem, runContext.task, result);
+				if (StringUtils.isNotEmpty(formattedComment)) {
+					comments.add(formattedComment);
 				}
 			}
 		}
@@ -281,9 +294,11 @@ private class ObjectContext {
     private class RunContext {
 		final Task task;
 	    final Map<String, ObjectContext> objectContextMap = new HashMap<>();
+	    final PerformerCommentsFormatter commentsFormatter;
 
-	    RunContext(Task task) {
+	    RunContext(Task task, PerformerCommentsFormatter commentsFormatter) {
 		    this.task = task;
+		    this.commentsFormatter = commentsFormatter;
 	    }
     }
 }
diff --git a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java
index 070499ba7c5..4729de60b27 100644
--- a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java
+++ b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java
@@ -918,7 +918,7 @@ public void test210CheckAfterClose() throws Exception {
         userAdministrator = getUser(USER_ADMINISTRATOR_OID).asObjectable();
         display("administrator", userAdministrator);
         AssignmentType assignment = findAssignmentByTargetRequired(userAdministrator.asPrismObject(), ROLE_SUPERUSER_OID);
-        assertCertificationMetadata(assignment.getMetadata(), SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_ADMINISTRATOR_OID), singleton("no comment"));
+        assertCertificationMetadata(assignment.getMetadata(), SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_ADMINISTRATOR_OID), singleton("administrator: no comment"));
     }
 
     @Test
diff --git a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCriticalRolesCertification.java b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCriticalRolesCertification.java
index f29996ccbb0..cd43d8a353a 100644
--- a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCriticalRolesCertification.java
+++ b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCriticalRolesCertification.java
@@ -1025,7 +1025,7 @@ public void test920CheckAfterClose() throws Exception {
         display("administrator", userAdministrator);
         AssignmentType assignment = findAssignmentByTargetRequired(userAdministrator.asPrismObject(), ROLE_COO_OID);
         assertCertificationMetadata(assignment.getMetadata(), SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT,
-                new HashSet<>(asList(USER_ADMINISTRATOR_OID, USER_ELAINE_OID, USER_CHEESE_OID)), singleton("ok"));
+                new HashSet<>(asList(USER_ADMINISTRATOR_OID, USER_ELAINE_OID, USER_CHEESE_OID)), singleton("administrator: ok"));
     }
 
 }
diff --git a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestRoleInducementCertification.java b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestRoleInducementCertification.java
index 0b967af89e4..943fb6ad5af 100644
--- a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestRoleInducementCertification.java
+++ b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestRoleInducementCertification.java
@@ -883,6 +883,6 @@ public void test320CheckAfterClose() throws Exception {
         roleCoo = getRole(ROLE_COO_OID).asObjectable();
         display("COO", roleCoo);
         AssignmentType inducement = findInducementByTarget(ROLE_COO_OID, ROLE_SUPERUSER_OID);
-        assertCertificationMetadata(inducement.getMetadata(), SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_ADMINISTRATOR_OID), singleton("I'm so procrastinative..."));
+        assertCertificationMetadata(inducement.getMetadata(), SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_ADMINISTRATOR_OID), singleton("administrator: I'm so procrastinative..."));
     }
 }
diff --git a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestSoDCertification.java b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestSoDCertification.java
index a3301aca8d8..53010036768 100644
--- a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestSoDCertification.java
+++ b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestSoDCertification.java
@@ -494,9 +494,9 @@ public void test210CheckAfterClose() throws Exception {
 		assertCertificationMetadata(findAssignmentByTargetRequired(userJack.asPrismObject(), roleATest2cOid).getMetadata(),
 				SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_JACK_OID), emptySet());
 		assertCertificationMetadata(findAssignmentByTargetRequired(userJack.asPrismObject(), roleATest3aOid).getMetadata(),
-				SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_JACK_OID), singleton("OK"));
+				SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_JACK_OID), singleton("jack: OK"));
 		assertCertificationMetadata(findAssignmentByTargetRequired(userJack.asPrismObject(), roleATest3bOid).getMetadata(),
-				SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_JACK_OID), singleton("dunno"));
+				SchemaConstants.MODEL_CERTIFICATION_OUTCOME_ACCEPT, singleton(USER_JACK_OID), singleton("jack: dunno"));
 	}
 
 }
diff --git a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/complex/TestPolicyDrivenRoleLifecycle.java b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/complex/TestPolicyDrivenRoleLifecycle.java
index a67378eaee6..665a5ed49b8 100644
--- a/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/complex/TestPolicyDrivenRoleLifecycle.java
+++ b/model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/complex/TestPolicyDrivenRoleLifecycle.java
@@ -58,7 +58,7 @@
  *
  * @author mederly
  */
-@ContextConfiguration(locations = {"classpath:ctx-certification-test-with-workflows.xml"})
+@ContextConfiguration(locations = {"classpath:ctx-certification-test-main.xml"})
 @DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
 public class TestPolicyDrivenRoleLifecycle extends AbstractUninitializedCertificationTest {
 
diff --git a/model/certification-impl/src/test/resources/common/system-configuration.xml b/model/certification-impl/src/test/resources/common/system-configuration.xml
index d5ecbe90516..95dbf48ebdf 100644
--- a/model/certification-impl/src/test/resources/common/system-configuration.xml
+++ b/model/certification-impl/src/test/resources/common/system-configuration.xml
@@ -45,6 +45,23 @@
 			<redirectToFile>target/mail-notifications.log</redirectToFile>
 		</mail>
 	</notificationConfiguration>
+	<workflowConfiguration>
+		<modelHookEnabled>false</modelHookEnabled>
+	</workflowConfiguration>
+	<accessCertification>
+		<reviewerCommentsFormatting>
+			<value>
+				<script>
+					<code>performer.name + ': ' + output.comment</code>
+				</script>
+			</value>
+			<condition>
+				<script>
+					<code>output.comment != null &amp;&amp; !output.comment.isEmpty()</code>
+				</script>
+			</condition>
+		</reviewerCommentsFormatting>
+	</accessCertification>
 	<globalPolicyRule>
 		<name>sod-approval</name>
 		<policyConstraints>
@@ -63,5 +80,4 @@
 			<type>RoleType</type>
 		</targetSelector>
 	</globalPolicyRule>
-
 </systemConfiguration>
diff --git a/model/certification-impl/src/test/resources/ctx-certification-test-main.xml b/model/certification-impl/src/test/resources/ctx-certification-test-main.xml
index f115f379ac6..44d811562fe 100644
--- a/model/certification-impl/src/test/resources/ctx-certification-test-main.xml
+++ b/model/certification-impl/src/test/resources/ctx-certification-test-main.xml
@@ -38,6 +38,7 @@
     <import resource="ctx-model-common.xml"/>
     <import resource="ctx-certification.xml"/>
     <import resource="ctx-notifications.xml"/>
+    <import resource="ctx-workflow.xml"/>
     <import resource="classpath*:ctx-repository-test.xml"/>
     <import resource="ctx-repo-cache.xml"/>
     <import resource="ctx-repo-common.xml"/>
diff --git a/model/certification-impl/src/test/resources/ctx-certification-test-with-workflows.xml b/model/certification-impl/src/test/resources/ctx-certification-test-with-workflows.xml
deleted file mode 100644
index 626afb4d0f7..00000000000
--- a/model/certification-impl/src/test/resources/ctx-certification-test-with-workflows.xml
+++ /dev/null
@@ -1,51 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:jee="http://www.springframework.org/schema/jee" xmlns:aop="http://www.springframework.org/schema/aop"
-	xmlns:context="http://www.springframework.org/schema/context" xmlns:ws="http://jax-ws.dev.java.net/spring/core"
-	xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
-	xsi:schemaLocation="
-     http://www.springframework.org/schema/jee
-     http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
-     http://www.springframework.org/schema/beans
-     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-     http://www.springframework.org/schema/context
-     http://www.springframework.org/schema/context/spring-context-3.0.xsd
-     http://www.springframework.org/schema/aop
-     http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
-     http://jax-ws.dev.java.net/spring/core
-     https://jax-ws.dev.java.net/spring/core.xsd
-     http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd"
-	default-lazy-init="false" default-autowire="byName">
-
-    <import resource="ctx-model.xml"/>
-    <import resource="ctx-model-test.xml"/>
-    <import resource="ctx-model-common.xml"/>
-    <import resource="ctx-certification.xml"/>
-    <import resource="ctx-notifications.xml"/>
-    <import resource="ctx-workflow.xml"/>
-    <import resource="classpath*:ctx-repository-test.xml"/>
-    <import resource="ctx-repo-cache.xml"/>
-    <import resource="ctx-repo-common.xml"/>
-    <import resource="ctx-configuration-test.xml"/>
-    <import resource="ctx-provisioning.xml"/>
-    <import resource="ctx-common.xml"/>
-    <import resource="ctx-security.xml"/>
-    <import resource="ctx-task.xml"/>
-    <import resource="ctx-audit.xml"/>
-</beans>
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
index 72289ebab0f..1889a4b1e57 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
@@ -326,4 +326,9 @@ LocalizableMessageType createLocalizableMessageType(LocalizableMessageTemplateTy
 			Map<QName, Object> variables, Task task, OperationResult result)
 			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException,
 			ConfigurationException, SecurityViolationException;
+	
+	public CredentialResetResponseType requestCredentialsReset(PrismObject<UserType> focus, String credentialsId,
+			CredentialsResetPolicyType resetMethod, Task task, OperationResult result)
+			throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException,
+			SecurityViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException;
 }
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPath.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPath.java
index 7b6f038bf3e..b6e2cd7b590 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPath.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPath.java
@@ -26,6 +26,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPathType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExtensionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
 import org.jetbrains.annotations.NotNull;
 
 import java.util.List;
@@ -89,6 +90,13 @@ public interface AssignmentPath extends DebugDumpable, ShortDumpable {
 	 */
 	ObjectType getProtoRole();
 
+	/**
+	 * Shallow clone.
+	 */
+	AssignmentPath clone();
+
+	AssignmentPath cloneFirst(int n);
+
 	AssignmentPathType toAssignmentPathType(boolean includeAssignmentsContent);
 
 	ExtensionType collectExtensions(int startAt) throws SchemaException;
@@ -104,4 +112,17 @@ default AssignmentPathSegment getAt(int index) {
 		return getSegment(index);
 	}
 
+	/**
+	 * Returns true if the path matches specified order constraints. All of them must match.
+	 * Although there are some defaults, it is recommended to specify constraints explicitly.
+	 * Currently not supported on empty paths.
+	 *
+	 * Not all parts of OrderConstraintsType are supported. Namely, resetOrder item has no meaning here.
+	 */
+	boolean matches(@NotNull List<OrderConstraintsType> orderConstraints);
+
+	/**
+	 * Preliminary (limited) implementation. To be used to compare paths pointing to the same target object. Use with care.
+	 */
+	boolean equivalent(AssignmentPath other);
 }
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPathSegment.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPathSegment.java
index c92be33f1c5..e04d316d150 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPathSegment.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPathSegment.java
@@ -23,8 +23,11 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPathSegmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
 import org.jetbrains.annotations.NotNull;
 
+import java.util.List;
+
 /**
  * Single assignment in an assignment path. In addition to the AssignmentType, it contains resolved target:
  * full object, resolved from targetRef. If targetRef resolves to multiple objects, in the path segment
@@ -77,4 +80,13 @@ public interface AssignmentPathSegment extends DebugDumpable, ShortDumpable {
 
 	@NotNull
 	AssignmentPathSegmentType toAssignmentPathSegmentType(boolean includeAssignmentsContent);
+
+	/**
+	 * Returns true if the path segment matches specified order constraints. All of them must match.
+	 * Although there are some defaults, it is recommended to specify constraints explicitly.
+	 */
+	boolean matches(@NotNull List<OrderConstraintsType> orderConstraints);
+
+	// Preliminary limited implementation. Use with care.
+	boolean equivalent(AssignmentPathSegment otherSegment);
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
index bbefdde8d25..0dd21f4b9f0 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
@@ -52,7 +52,9 @@
 import com.evolveum.midpoint.repo.common.expression.ObjectDeltaObject;
 import com.evolveum.midpoint.schema.*;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.util.LocalizationUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
+import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.security.api.UserProfileService;
@@ -106,7 +108,11 @@
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.DisplayableValue;
+import com.evolveum.midpoint.util.LocalizableMessage;
+import com.evolveum.midpoint.util.LocalizableMessageBuilder;
+import com.evolveum.midpoint.util.MiscUtil;
 import com.evolveum.midpoint.util.QNameUtil;
+import com.evolveum.midpoint.util.SingleLocalizableMessage;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
@@ -1464,4 +1470,72 @@ public LocalizableMessageType createLocalizableMessageType(LocalizableMessageTem
 		vars.addVariableDefinitions(variables);
 		return LensUtil.interpretLocalizableMessageTemplate(template, vars, expressionFactory, prismContext, task, result);
 	}
+
+	@Override
+	public CredentialResetResponseType requestCredentialsReset(PrismObject<UserType> user, String credentialsId,
+			CredentialsResetPolicyType resetMethod, Task task, OperationResult parentResult)
+			throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException,
+			SecurityViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
+	
+//		CredentialSourceType credentialSource = resetMethod.getNewCredentialSource();
+//		
+//		CredentialSourceTypeType credentialSourceType = null;
+//		if (credentialSource != null) {
+//		 credentialSourceType = credentialSource.getCredentialSource();
+//		}
+		
+//		SecurityPolicyType securityPolicyType = getSecurityPolicy(user, task, parentResult);
+//		
+//		String authenticationName = resetMethod.getAuthenticationName();
+//		if (authenticationName != null) {
+//			AbstractAuthenticationPolicyType authPolicy = SecurityPolicyUtil
+//					.getAuthenticationPolicy(authenticationName, securityPolicyType);
+//		}
+		
+		
+		ValuePolicyType valuePolicyType = getValuePolicy(user, task, parentResult);
+		String newPassword = generateValue(valuePolicyType, 8, false, user, "generate password for user", task, parentResult);		
+//		if (credentialSourceType == null) {
+//			ValuePolicyType valuePolicyType = getValuePolicy(user, task, parentResult);
+//			newPassword = generateValue(valuePolicyType, 8, false, user, "generate password for user", task, parentResult);			
+//		} else {
+//			switch(credentialSourceType) {
+//				case GENERATE: 
+//					ValuePolicyType valuePolicyType = getValuePolicy(user, task, parentResult);
+//					newPassword = generateValue(valuePolicyType, 8, false, user, "generate password for user", task, parentResult);
+//					break;
+//				default:
+//					valuePolicyType = getValuePolicy(user, task, parentResult);
+//					newPassword = generateValue(valuePolicyType, 8, false, user, "generate password for user", task, parentResult);
+//					break;
+//			}
+//		}
+		
+		ProtectedStringType newProtectedPassword = new ProtectedStringType();
+		newProtectedPassword.setClearValue(newPassword);
+		ObjectDelta<UserType> passwordObjectDelta = ObjectDelta.createModificationReplaceProperty(UserType.class, user.getOid(),
+				SchemaConstants.PATH_PASSWORD_VALUE, prismContext, newPassword);
+
+		if (BooleanUtils.isTrue(resetMethod.isForceChange())) {
+			passwordObjectDelta.addModificationReplaceProperty(SchemaConstants.PATH_PASSWORD_FORCE_CHANGE, Boolean.TRUE);
+		}
+
+		Collection<ObjectDeltaOperation<? extends ObjectType>> result = modelService.executeChanges(
+				MiscUtil.createCollection(passwordObjectDelta), ModelExecuteOptions.createRaw(), task, parentResult);
+
+		parentResult.recomputeStatus();
+
+		CredentialResetResponseType response = new CredentialResetResponseType();
+		response.setNewCredential(newPassword);
+		// TODO work with the result
+		LocalizableMessage message = LocalizableMessageBuilder.buildFallbackMessage("Reset password successfull.");
+
+		response.setMessage(LocalizationUtil.createLocalizableMessageType(message));
+		
+		
+		
+		
+//		cacheRepositoryService.modifyObject(type, oid, modifications, parentResult);
+		return response;
+	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathImpl.java
index 0b59d0a6aa7..f995429fc01 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathImpl.java
@@ -30,6 +30,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPathType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExtensionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
 import org.jetbrains.annotations.NotNull;
 
 /**
@@ -149,12 +150,15 @@ public ObjectType getProtoRole() {
 		return protoRole;
 	}
 
-	/**
-	 * Shallow clone.
-	 */
+	@Override
 	public AssignmentPathImpl clone() {
+		return cloneFirst(size());
+	}
+
+	@Override
+	public AssignmentPathImpl cloneFirst(int n) {
 		AssignmentPathImpl clone = new AssignmentPathImpl(prismContext);
-		clone.segments.addAll(this.segments);
+		clone.segments.addAll(this.segments.subList(0, n));
 		return clone;
 	}
 
@@ -246,4 +250,28 @@ public PrismContext getPrismContext() {
 	public ExtensionType collectExtensions(int startAt) throws SchemaException {
 		return AssignmentPathUtil.collectExtensions(this, startAt, prismContext);
 	}
+
+	@Override
+	public boolean matches(@NotNull List<OrderConstraintsType> orderConstraints) {
+		if (isEmpty()) {
+			throw new UnsupportedOperationException("Checking order constraints on empty assignment path is not currently supported.");
+		} else {
+			return last().matches(orderConstraints);
+		}
+	}
+
+	@Override
+	public boolean equivalent(AssignmentPath other) {
+		if (size() != other.size()) {
+			return false;
+		}
+		for (int i = 0; i < segments.size(); i++) {
+			AssignmentPathSegment segment = segments.get(i);
+			AssignmentPathSegment otherSegment = other.getSegments().get(i);
+			if (!segment.equivalent(otherSegment)) {
+				return false;
+			}
+		}
+		return true;
+	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java
index a652ced5869..a3c462005f9 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java
@@ -631,4 +631,25 @@ public Integer getLastEqualOrderSegmentIndex() {
 	public void setLastEqualOrderSegmentIndex(Integer lastEqualOrderSegmentIndex) {
 		this.lastEqualOrderSegmentIndex = lastEqualOrderSegmentIndex;
 	}
+
+	@Override
+	public boolean matches(@NotNull List<OrderConstraintsType> orderConstraints) {
+		return computeMatchingOrder(evaluationOrder, null, orderConstraints);
+	}
+
+	// preliminary implementation; use only to compare segments in paths (pointing to the same target OID)
+	// that are to be checked for equivalency
+	@Override
+	public boolean equivalent(AssignmentPathSegment otherSegment) {
+		if (!ObjectTypeUtil.relationsEquivalent(relation, otherSegment.getRelation())) {
+			return false;
+		}
+		if (target == null && otherSegment.getTarget() == null) {
+			return true;            // TODO reconsider this in general case
+		}
+		if (target == null || otherSegment.getTarget() == null) {
+			return false;
+		}
+		return java.util.Objects.equals(target.getOid(), otherSegment.getTarget().getOid());
+	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java
index 6dd956f9d0e..b7d07e70003 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java
@@ -77,6 +77,8 @@ public class EvaluatedPolicyRuleImpl implements EvaluatedPolicyRule {
 	 * This is what assignmentPath (Engineer->Employee->(maybe some metarole)->rule) and directOwner (Employee) are for.
 	 *
 	 * For global policy rules, assignmentPath is the path to the target object that matched global policy rule.
+	 *
+	 * TODO When it can be null?
 	 */
 	@Nullable private final AssignmentPath assignmentPath;
 	@Nullable private final ObjectType directOwner;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluationOrderImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluationOrderImpl.java
index 9a0e63ff0f4..98bea9869ca 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluationOrderImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluationOrderImpl.java
@@ -107,13 +107,16 @@ public EvaluationOrder decrease(MultiSet<QName> relations) {
 
 	// must always be private: public interface will not allow to modify object state!
 	private void advanceThis(QName relation, int amount) {
-		relation = ObjectTypeUtil.normalizeRelation(relation);
-		orderMap.put(relation, getMatchingRelationOrder(relation) + amount);
+		@NotNull QName normalizedRelation = ObjectTypeUtil.normalizeRelation(relation);
+		orderMap.put(normalizedRelation, getMatchingRelationOrder(normalizedRelation) + amount);
 	}
 
 	@Override
 	public int getMatchingRelationOrder(QName relation) {
 		checkConsistence();
+		if (relation == null) {
+			return getSummaryOrder();
+		}
 		return orderMap.getOrDefault(ObjectTypeUtil.normalizeRelation(relation), 0);
 	}
 
@@ -133,6 +136,7 @@ public Map<QName, Integer> diff(EvaluationOrder newState) {
 		@SuppressWarnings({"unchecked", "raw"})
 		Collection<QName> relations = CollectionUtils.union(getRelations(), newState.getRelations());
 		Map<QName, Integer> rv = new HashMap<>();
+		// relation is not null below
 		relations.forEach(relation -> rv.put(relation, newState.getMatchingRelationOrder(relation) - getMatchingRelationOrder(relation)));
 		return rv;
 	}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ConsolidationProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ConsolidationProcessor.java
index 771bba6f33b..a9e6399e165 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ConsolidationProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ConsolidationProcessor.java
@@ -196,9 +196,11 @@ private <F extends FocusType> ObjectDelta<ShadowType> consolidateValuesToModifyD
         	LOGGER.trace("Object class definition for {} consolidation:\n{}", projCtx.getResourceShadowDiscriminator(), rOcDef.debugDump());
         }
 
-        consolidateAttributes(context, projCtx, addUnchangedValues, rOcDef, objectDelta, existingDelta, StrengthSelector.ALL_EXCEPT_WEAK);
+       
+        StrengthSelector strengthSelector = projCtx.isAdd() ? StrengthSelector.ALL : StrengthSelector.ALL_EXCEPT_WEAK;
+        consolidateAttributes(context, projCtx, addUnchangedValues, rOcDef, objectDelta, existingDelta, strengthSelector);
         
-        consolidateAssociations(context, projCtx, addUnchangedValues, rOcDef, objectDelta, existingDelta, StrengthSelector.ALL_EXCEPT_WEAK);
+        consolidateAssociations(context, projCtx, addUnchangedValues, rOcDef, objectDelta, existingDelta, strengthSelector);
 
         return objectDelta;
     }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ExclusionConstraintEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ExclusionConstraintEvaluator.java
index 5e0b511aa88..f1a48c588b8 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ExclusionConstraintEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ExclusionConstraintEvaluator.java
@@ -17,10 +17,7 @@
 package com.evolveum.midpoint.model.impl.lens.projector.policy.evaluators;
 
 import com.evolveum.midpoint.common.LocalizationService;
-import com.evolveum.midpoint.model.api.context.AssignmentPath;
-import com.evolveum.midpoint.model.api.context.EvaluatedExclusionTrigger;
-import com.evolveum.midpoint.model.api.context.EvaluatedPolicyRule;
-import com.evolveum.midpoint.model.api.context.EvaluatedPolicyRuleTrigger;
+import com.evolveum.midpoint.model.api.context.*;
 import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl;
 import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentTargetImpl;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
@@ -45,10 +42,7 @@
 import com.evolveum.midpoint.util.exception.PolicyViolationException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionPolicyConstraintType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
 import com.evolveum.prism.xml.ns._public.types_3.EvaluationTimeType;
 import org.jetbrains.annotations.NotNull;
@@ -58,8 +52,8 @@
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
-import java.util.Set;
 import java.util.stream.Collectors;
 
 import static com.evolveum.midpoint.util.LocalizableMessageBuilder.buildFallbackMessage;
@@ -91,32 +85,87 @@ public <F extends FocusType> EvaluatedPolicyRuleTrigger evaluate(JAXBElement<Exc
 			return null;
 		}
 
+		List<OrderConstraintsType> sourceOrderConstraints = defaultIfEmpty(constraint.getValue().getOrderConstraint());
+		List<OrderConstraintsType> targetOrderConstraints = defaultIfEmpty(constraint.getValue().getTargetOrderConstraint());
+		if (ctx.policyRule.isGlobal()) {
+			if (!pathMatches(ctx.policyRule.getAssignmentPath(), sourceOrderConstraints)) {
+				System.out.println("[global] Source assignment path does not match: " + ctx.policyRule.getAssignmentPath());
+				return null;
+			}
+		} else {
+			// It is not clear how to match orderConstraint with assignment path of the constraint.
+			// Let us try the following test: we consider it matching if there's at least one segment
+			// on the path that matches the constraint.
+			boolean found = ctx.policyRule.getAssignmentPath().getSegments().stream()
+					.anyMatch(segment -> segment.matches(sourceOrderConstraints));
+			if (!found) {
+//				System.out.println("Source assignment path does not match: constraints=" + sourceOrderConstraints + ", whole path=" + ctx.policyRule.getAssignmentPath());
+				return null;
+			}
+		}
+
 		// We consider all policy rules, i.e. also from induced targets. (It is not possible to collect local
 		// rules for individual targets in the chain - rules are computed only for directly evaluated assignments.)
 
-		// In order to avoid false positives, we consider all targets from the current assignment as "allowed"
-		Set<String> allowedTargetOids = ctx.evaluatedAssignment.getNonNegativeTargets().stream()
-				.filter(t -> t.appliesToFocus())
-				.map(t -> t.getOid())
-				.collect(Collectors.toSet());
+//		// In order to avoid false positives, we consider all targets from the current assignment as "allowed"
+//		Set<String> allowedTargetOids = ctx.evaluatedAssignment.getNonNegativeTargets().stream()
+//				.filter(t -> t.appliesToFocus())
+//				.map(t -> t.getOid())
+//				.collect(Collectors.toSet());
+
+		List<EvaluatedAssignmentTargetImpl> nonNegativeTargetsA = ctx.evaluatedAssignment.getNonNegativeTargets();
 
 		for (EvaluatedAssignmentImpl<F> assignmentB : ctx.evaluatedAssignmentTriple.getNonNegativeValues()) {
-			for (EvaluatedAssignmentTargetImpl targetB : assignmentB.getNonNegativeTargets()) {
-				if (!targetB.appliesToFocus() || allowedTargetOids.contains(targetB.getOid())) {
+			if (assignmentB.equals(ctx.evaluatedAssignment)) {      // TODO (value instead of reference equality?)
+				continue;
+			}
+targetB:	for (EvaluatedAssignmentTargetImpl targetB : assignmentB.getNonNegativeTargets()) {
+				if (!pathMatches(targetB.getAssignmentPath(), targetOrderConstraints)) {
+//					System.out.println("Target assignment path does not match: constraints=" + targetOrderConstraints + ", whole path=" + targetB.getAssignmentPath());
 					continue;
 				}
-				if (matches(constraint.getValue().getTargetRef(), targetB, prismContext, matchingRuleRegistry, "exclusion constraint")) {
-					return createTrigger(ctx.evaluatedAssignment, assignmentB, targetB, constraint.getValue(), ctx.policyRule, ctx, result);
+				if (!oidMatches(constraint.getValue().getTargetRef(), targetB, prismContext, matchingRuleRegistry, "exclusion constraint")) {
+					continue;
+				}
+				// To avoid false positives let us check if this target is not already covered by assignment being evaluated
+				// (is this really needed?)
+				for (EvaluatedAssignmentTargetImpl targetA : nonNegativeTargetsA) {
+					if (targetA.appliesToFocusWithAnyRelation()
+							&& targetA.getOid() != null && targetA.getOid().equals(targetB.getOid())
+							&& targetA.getAssignmentPath().equivalent(targetB.getAssignmentPath())) {
+						continue targetB;
+					}
 				}
+				return createTrigger(ctx.evaluatedAssignment, assignmentB, targetB, constraint.getValue(), ctx.policyRule, ctx, result);
 			}
 		}
 		return null;
 	}
 
-	static boolean matches(ObjectReferenceType targetRef, EvaluatedAssignmentTargetImpl assignmentTarget,
+	@SuppressWarnings("BooleanMethodIsAlwaysInverted")
+	private boolean pathMatches(AssignmentPath assignmentPath, List<OrderConstraintsType> definedOrderConstraints) {
+		if (assignmentPath == null) {
+			throw new IllegalStateException("Check this. Assignment path is null.");
+		}
+		if (assignmentPath.isEmpty()) {
+			throw new IllegalStateException("Check this. Assignment path is empty.");
+		}
+		return assignmentPath.matches(definedOrderConstraints);
+	}
+
+	@NotNull
+	private List<OrderConstraintsType> defaultIfEmpty(List<OrderConstraintsType> definedOrderConstraints) {
+		return !definedOrderConstraints.isEmpty() ? definedOrderConstraints : defaultOrderConstraints();
+	}
+
+	private List<OrderConstraintsType> defaultOrderConstraints() {
+		return Collections.singletonList(new OrderConstraintsType(prismContext).order(1));
+	}
+
+	static boolean oidMatches(ObjectReferenceType targetRef, EvaluatedAssignmentTargetImpl assignmentTarget,
 			PrismContext prismContext, MatchingRuleRegistry matchingRuleRegistry, String context) throws SchemaException {
 		if (targetRef == null) {
-			throw new SchemaException("No targetRef in " + context);
+			return true;                        // this means we rely on comparing relations
 		}
 		if (assignmentTarget.getOid() == null) {
 			return false;		// shouldn't occur
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/HasAssignmentConstraintEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/HasAssignmentConstraintEvaluator.java
index 76ddde3cd07..591330ff5af 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/HasAssignmentConstraintEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/HasAssignmentConstraintEvaluator.java
@@ -111,7 +111,7 @@ public <F extends FocusType> EvaluatedPolicyRuleTrigger evaluate(JAXBElement<Has
 				if (!(allowPlus && isPlus || allowZero && isZero || allowMinus && isMinus)) {
 					continue;
 				}
-				if (ExclusionConstraintEvaluator.matches(constraint.getTargetRef(), target, prismContext, matchingRuleRegistry, "hasAssignment constraint")) {
+				if (ExclusionConstraintEvaluator.oidMatches(constraint.getTargetRef(), target, prismContext, matchingRuleRegistry, "hasAssignment constraint")) {
 					if (shouldExist) {
 						// TODO more specific trigger, containing information on matching assignment; see ExclusionConstraintEvaluator
 						return new EvaluatedHasAssignmentTrigger(PolicyConstraintKindType.HAS_ASSIGNMENT, constraint,
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java
index 8bb76e1a3c3..bd80a611e4e 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java
@@ -50,6 +50,7 @@
 import org.apache.commons.collections4.bag.TreeBag;
 import org.apache.commons.collections4.multimap.ArrayListValuedHashMap;
 import org.apache.commons.lang3.StringUtils;
+import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.testng.annotations.Test;
 
@@ -2351,7 +2352,7 @@ private String getStringRepresentation(AssignmentPathImpl path) {
 
 	private String getStringRepresentation(EvaluationOrder order) {
 		List<String> names = new ArrayList<>();
-		for (QName relation : order.getRelations()) {
+		for (@NotNull QName relation : order.getRelations()) {
 			int count = order.getMatchingRelationOrder(relation);
 			if (count == 0) {
 				continue;
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestSegregationOfDuties.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestSegregationOfDuties.java
index 47323316036..9a1880131e2 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestSegregationOfDuties.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestSegregationOfDuties.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@
 import java.util.List;
 import java.util.function.Consumer;
 
+import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.annotation.DirtiesContext.ClassMode;
 import org.springframework.test.context.ContextConfiguration;
@@ -40,6 +41,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.util.PrismAsserts;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -139,6 +141,12 @@ public class TestSegregationOfDuties extends AbstractInitializedModelIntegration
 	protected static final File ROLE_CRIMINAL_FILE = new File(TEST_DIR, "role-criminal.xml");
 	protected static final String ROLE_CRIMINAL_OID = "f6deb182-55a3-11e7-b519-27bdcd6d9490";
 
+	protected static final File ROLE_SELF_EXCLUSION_FILE = new File(TEST_DIR, "role-self-exclusion.xml");
+	protected static final String ROLE_SELF_EXCLUSION_OID = "9577bd6c-dd5d-48e5-bbb1-554bba5db9be";
+
+	protected static final File ROLE_SELF_EXCLUSION_MANAGER_MEMBER_FILE = new File(TEST_DIR, "role-self-exclusion-manager-member.xml");
+	protected static final String ROLE_SELF_EXCLUSION_MANAGER_MEMBER_OID = "aeed4751-fad6-4c4e-9ece-c793128e0c13";
+
 	private static final File CONFIG_WITH_GLOBAL_RULES_EXCLUSION_FILE = new File(TEST_DIR, "global-policy-rules-exclusion.xml");
 	private static final File CONFIG_WITH_GLOBAL_RULES_SOD_APPROVAL_FILE = new File(TEST_DIR, "global-policy-rules-sod-approval.xml");
 
@@ -168,6 +176,8 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		repoAddObjectFromFile(ROLE_CITIZEN_US_FILE, initResult);
 		repoAddObjectFromFile(ROLE_MINISTER_FILE, initResult);
 		repoAddObjectFromFile(ROLE_CRIMINAL_FILE, initResult);
+		repoAddObjectFromFile(ROLE_SELF_EXCLUSION_FILE, initResult);
+		repoAddObjectFromFile(ROLE_SELF_EXCLUSION_MANAGER_MEMBER_FILE, initResult);
 	}
 
 	@Test
@@ -293,7 +303,6 @@ public void test130SimpleExclusionBoth1() throws Exception {
 		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
 		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
 
-
         try {
         	modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
 
@@ -318,7 +327,6 @@ public void test132SimpleExclusionBoth1Deprecated() throws Exception {
 		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
 		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
 
-
         try {
         	modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
 
@@ -343,7 +351,6 @@ public void test140SimpleExclusionBoth2() throws Exception {
 		modifications.add((createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
 		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
 
-
         try {
         	modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
 
@@ -368,7 +375,6 @@ public void test142SimpleExclusionBoth2Deprecated() throws Exception {
 		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
 		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
 
-
         try {
         	modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
 
@@ -561,6 +567,125 @@ Consumer<AssignmentType> getJudgeExceptionBlock(String excludedRoleName) {
 		};
 	}
 
+	@Test
+	public void test190DifferentRelations() throws Exception {
+		final String TEST_NAME = "test190DifferentRelations";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
+		modifications.add((createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, null, true)));
+		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
+		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
+
+		try {
+			modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
+		} finally {
+			unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, SchemaConstants.ORG_APPROVER, task, result);
+			unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);
+		}
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
+	@Test
+	public void test191DifferentRelationsDeprecatedCase1() throws Exception {
+		final String TEST_NAME = "test191DifferentRelationsCase1";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
+		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, true)));
+		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
+		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
+
+		try {
+			modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
+		} finally {
+			unassignRole(USER_JACK_OID, ROLE_JUDGE_DEPRECATED_OID, SchemaConstants.ORG_APPROVER, task, result);
+			unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);
+		}
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
+	@Test
+	public void test192DifferentRelationsDeprecatedCase2() throws Exception {
+		final String TEST_NAME = "test191DifferentRelationsCase1";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
+		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, null, null, true)));
+		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, null, true)));
+		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
+
+		try {
+			modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
+		} finally {
+			unassignRole(USER_JACK_OID, ROLE_JUDGE_DEPRECATED_OID, task, result);
+			unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, SchemaConstants.ORG_APPROVER, task, result);
+		}
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
+	@Test
+	public void test193BothRelationsApprover() throws Exception {
+		final String TEST_NAME = "test193BothRelationsApprover";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
+		modifications.add((createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, null, true)));
+		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, null, true)));
+		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
+
+		try {
+			modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
+		} finally {
+			unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, SchemaConstants.ORG_APPROVER, task, result);
+			unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, SchemaConstants.ORG_APPROVER, task, result);
+		}
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
+	@Test
+	public void test194MemberAndManager() throws Exception {
+		final String TEST_NAME = "test194MemberAndManager";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
+		modifications.add((createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_MANAGER, null, null, true)));
+		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT, null, null, true)));
+		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
+
+		try {
+			modelService.executeChanges(MiscSchemaUtil.createCollection(userDelta), null, task, result);
+
+			AssertJUnit.fail("Expected policy violation, but it went well");
+		} catch (PolicyViolationException e) {
+			System.out.println("Got expected exception: " + e.getMessage());
+		} finally {
+			unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, SchemaConstants.ORG_MANAGER, task, result);
+			unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, SchemaConstants.ORG_DEFAULT, task, result);
+		}
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
 	/**
 	 * MID-3685
 	 */
@@ -1548,6 +1673,75 @@ public void test929GuybrushUnassignRoleCriminal() throws Exception {
         assertNotAssignedRole(userAfter, ROLE_MINISTER_OID);
 	}
 
+	/**
+	 * This does not work because of current optimizations regarding non-default relations:
+	 * "2018-02-19 17:02:15,977 [main] DEBUG (c.e.m.model.impl.lens.AssignmentEvaluator): Skipping processing of assignment target 9577bd6c-dd5d-48e5-bbb1-554bba5db9be because
+	 *     relation {http://midpoint.evolveum.com/xml/ns/public/common/org-3}approver is configured for recompute skip (mode=ZERO)"
+	 *
+	 * i.e. it works only when evaluateAllAssignmentRelationsOnRecompute option is set
+	 */
+	@Test(enabled = false)
+	public void test950JackSelfExclusion() throws Exception {
+		final String TEST_NAME = "test950JackSelfExclusion";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		// This should go well
+		assignRole(USER_JACK_OID, ROLE_SELF_EXCLUSION_OID, SchemaConstants.ORG_APPROVER, task, result);
+
+		assertSuccess(result);
+
+		try {
+			// This should die
+			ModelExecuteOptions options = new ModelExecuteOptions();
+//			options.setEvaluateAllAssignmentRelationsOnRecompute(true);
+			assignRole(USER_JACK_OID, ROLE_SELF_EXCLUSION_OID, SchemaConstants.ORG_OWNER, options, task, result);
+
+			fail("Expected policy violation after adding second self-exclusion role, but it went well");
+		} catch (PolicyViolationException e) {
+			System.out.println("Got expected exception: " + e.getMessage());
+			//assertMessage(e, "Violation of SoD policy: Role \"Judge\" excludes role \"Pirate\", they cannot be assigned at the same time");
+			result.computeStatus();
+			assertFailure(result);
+		}
+
+		unassignRole(USER_JACK_OID, ROLE_SELF_EXCLUSION_OID, SchemaConstants.ORG_APPROVER, task, result);
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
+	@Test
+	public void test952JackSelfExclusionManagerMember() throws Exception {
+		final String TEST_NAME = "test952JackSelfExclusionManagerMember";
+		displayTestTitle(TEST_NAME);
+
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+
+		// This should go well
+		assignRole(USER_JACK_OID, ROLE_SELF_EXCLUSION_MANAGER_MEMBER_OID, SchemaConstants.ORG_DEFAULT, task, result);
+
+		assertSuccess(result);
+
+		try {
+			// This should die
+			assignRole(USER_JACK_OID, ROLE_SELF_EXCLUSION_MANAGER_MEMBER_OID, SchemaConstants.ORG_MANAGER, task, result);
+
+			fail("Expected policy violation after adding second self-exclusion role, but it went well");
+		} catch (PolicyViolationException e) {
+			System.out.println("Got expected exception: " + e.getMessage());
+			//assertMessage(e, "Violation of SoD policy: Role \"Judge\" excludes role \"Pirate\", they cannot be assigned at the same time");
+			result.computeStatus();
+			assertFailure(result);
+		}
+
+		unassignRole(USER_JACK_OID, ROLE_SELF_EXCLUSION_MANAGER_MEMBER_OID, SchemaConstants.ORG_DEFAULT, task, result);
+
+		assertAssignedNoRole(USER_JACK_OID, task, result);
+	}
+
 	private PrismObject<UserType> assignRolePolicyFailure(String TEST_NAME, String userOid, String roleOid, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, SecurityViolationException {
 		try {
 	        // WHEN
diff --git a/model/model-intest/src/test/resources/orgstruct/role-meta-piracy-org.xml b/model/model-intest/src/test/resources/orgstruct/role-meta-piracy-org.xml
index c9c682890f5..eaa12a1de24 100644
--- a/model/model-intest/src/test/resources/orgstruct/role-meta-piracy-org.xml
+++ b/model/model-intest/src/test/resources/orgstruct/role-meta-piracy-org.xml
@@ -39,7 +39,7 @@
         </orderConstraint>
         <orderConstraint>
         	<order>1</order>
-        	<!-- member -->
+			<relation>default</relation>
         </orderConstraint>
         <orderConstraint>
         	<order>0</order>
diff --git a/model/model-intest/src/test/resources/rbac/sod/role-self-exclusion-manager-member.xml b/model/model-intest/src/test/resources/rbac/sod/role-self-exclusion-manager-member.xml
new file mode 100644
index 00000000000..d0eeb04919a
--- /dev/null
+++ b/model/model-intest/src/test/resources/rbac/sod/role-self-exclusion-manager-member.xml
@@ -0,0 +1,69 @@
+<!--
+  ~ Copyright (c) 2010-2018 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!--
+  ~ Copyright (c) 2010-2018 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="aeed4751-fad6-4c4e-9ece-c793128e0c13"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>self-exclusion-manager-member</name>
+    <assignment>
+    	<policyRule>
+    		<name>self exclusion: no manager and member at once</name>
+    		<policyConstraints>
+				<or>
+					<exclusion>
+						<!-- no targetRef meaning self -->
+						<orderConstraint>
+							<order>1</order>
+							<relation>manager</relation>
+						</orderConstraint>
+						<targetOrderConstraint>
+							<order>1</order>
+							<relation>default</relation>
+						</targetOrderConstraint>
+					</exclusion>
+					<exclusion>
+						<!-- no targetRef meaning self -->
+						<orderConstraint>
+							<order>1</order>
+							<relation>default</relation>
+						</orderConstraint>
+						<targetOrderConstraint>
+							<order>1</order>
+							<relation>manager</relation>
+						</targetOrderConstraint>
+					</exclusion>
+				</or>
+		    </policyConstraints>
+		    <policyActions>
+		    	<enforcement/>
+		    </policyActions>
+    	</policyRule>
+    </assignment>
+</role>
diff --git a/model/model-intest/src/test/resources/rbac/sod/role-self-exclusion.xml b/model/model-intest/src/test/resources/rbac/sod/role-self-exclusion.xml
new file mode 100644
index 00000000000..99a4778f06e
--- /dev/null
+++ b/model/model-intest/src/test/resources/rbac/sod/role-self-exclusion.xml
@@ -0,0 +1,69 @@
+<!--
+  ~ Copyright (c) 2010-2018 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!--
+  ~ Copyright (c) 2010-2018 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="9577bd6c-dd5d-48e5-bbb1-554bba5db9be"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>self-exclusion</name>
+    <assignment>
+    	<policyRule>
+    		<name>self exclusion: no owner and approver at once</name>
+    		<policyConstraints>
+				<or>
+					<exclusion>
+						<!-- no targetRef meaning self -->
+						<orderConstraint>
+							<order>1</order>
+							<relation>approver</relation>
+						</orderConstraint>
+						<targetOrderConstraint>
+							<order>1</order>
+							<relation>owner</relation>
+						</targetOrderConstraint>
+					</exclusion>
+					<exclusion>
+						<!-- no targetRef meaning self -->
+						<orderConstraint>
+							<order>1</order>
+							<relation>owner</relation>
+						</orderConstraint>
+						<targetOrderConstraint>
+							<order>1</order>
+							<relation>approver</relation>
+						</targetOrderConstraint>
+					</exclusion>
+				</or>
+		    </policyConstraints>
+		    <policyActions>
+		    	<enforcement/>
+		    </policyActions>
+    	</policyRule>
+    </assignment>
+</role>
diff --git a/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/api/WorkflowManager.java b/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/api/WorkflowManager.java
index bec39248493..fdbbf9e7ad9 100644
--- a/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/api/WorkflowManager.java
+++ b/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/api/WorkflowManager.java
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.*;
+import com.evolveum.midpoint.wf.util.PerformerCommentsFormatter;
 import com.evolveum.midpoint.wf.util.ChangesByState;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 
@@ -151,4 +152,6 @@ ApprovalSchemaExecutionInformationType getApprovalSchemaExecutionInformation(Str
 	List<ApprovalSchemaExecutionInformationType> getApprovalSchemaPreview(ModelContext<?> modelContext, Task opTask, OperationResult parentResult)
 			throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException,
 			SecurityViolationException, ExpressionEvaluationException;
+
+	PerformerCommentsFormatter createPerformerCommentsFormatter(PerformerCommentsFormattingType formatting);
 }
\ No newline at end of file
diff --git a/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/util/PerformerCommentsFormatter.java b/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/util/PerformerCommentsFormatter.java
new file mode 100644
index 00000000000..d8b496800c6
--- /dev/null
+++ b/model/workflow-api/src/main/java/com/evolveum/midpoint/wf/util/PerformerCommentsFormatter.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2010-2018 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.evolveum.midpoint.wf.util;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractWorkItemType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.WorkItemCompletionEventType;
+import org.jetbrains.annotations.NotNull;
+
+/**
+ * Ensures formatting of performers (approvers, reviewers) comments before storing them into metadata.
+ * May optimize repository accesses by caching performers information retrieved.
+ *
+ * @author mederly
+ */
+public interface PerformerCommentsFormatter {
+
+	String formatComment(@NotNull AbstractWorkItemType workItem, Task task, OperationResult result);
+
+	String formatComment(@NotNull WorkItemCompletionEventType event, Task task, OperationResult result);
+
+}
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/WorkflowManagerImpl.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/WorkflowManagerImpl.java
index 9840a3c1e3d..1675481a6f2 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/WorkflowManagerImpl.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/WorkflowManagerImpl.java
@@ -18,12 +18,12 @@
 
 import com.evolveum.midpoint.model.api.ModelInteractionService;
 import com.evolveum.midpoint.model.api.context.ModelContext;
-import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.prism.Containerable;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
+import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SearchResultList;
 import com.evolveum.midpoint.schema.SelectorOptions;
@@ -41,9 +41,12 @@
 import com.evolveum.midpoint.wf.impl.activiti.dao.ProcessInstanceProvider;
 import com.evolveum.midpoint.wf.impl.activiti.dao.WorkItemManager;
 import com.evolveum.midpoint.wf.impl.activiti.dao.WorkItemProvider;
+import com.evolveum.midpoint.wf.impl.processes.common.WfExpressionEvaluationHelper;
 import com.evolveum.midpoint.wf.impl.tasks.WfTaskController;
 import com.evolveum.midpoint.wf.impl.tasks.WfTaskUtil;
+import com.evolveum.midpoint.wf.impl.util.PerformerCommentsFormatterImpl;
 import com.evolveum.midpoint.wf.impl.util.MiscDataUtil;
+import com.evolveum.midpoint.wf.util.PerformerCommentsFormatter;
 import com.evolveum.midpoint.wf.util.ApprovalUtils;
 import com.evolveum.midpoint.wf.util.ChangesByState;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
@@ -74,8 +77,9 @@ public class WorkflowManagerImpl implements WorkflowManager, TaskDeletionListene
 	@Autowired private WfTaskUtil wfTaskUtil;
 	@Autowired private MiscDataUtil miscDataUtil;
 	@Autowired private ApprovalSchemaExecutionInformationHelper approvalSchemaExecutionInformationHelper;
-	@Autowired private SystemObjectCache systemObjectCache;
 	@Autowired private TaskManager taskManager;
+	@Autowired private RepositoryService repositoryService;
+	@Autowired private WfExpressionEvaluationHelper expressionEvaluationHelper;
 
     private static final String DOT_INTERFACE = WorkflowManager.class.getName() + ".";
 
@@ -310,4 +314,9 @@ public List<ApprovalSchemaExecutionInformationType> getApprovalSchemaPreview(Mod
 			result.recordSuccessIfUnknown();
 		}
 	}
+
+	@Override
+	public PerformerCommentsFormatter createPerformerCommentsFormatter(PerformerCommentsFormattingType formatting) {
+		return new PerformerCommentsFormatterImpl(formatting, repositoryService, expressionEvaluationHelper);
+	}
 }
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java
index c63c17b4d2e..0bcddd823e0 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java
@@ -115,4 +115,12 @@ public boolean evaluateBooleanExpression(ExpressionType expressionType, Expressi
 				Boolean.class, DOMUtil.XSD_BOOLEAN, null, task, result);
 		return MiscUtil.getSingleValue(values, false, contextDescription);
 	}
+
+	public String evaluateStringExpression(ExpressionType expressionType, ExpressionVariables expressionVariables,
+			String contextDescription, Task task, OperationResult result)
+			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
+		Collection<String> values = evaluateExpression(expressionType, expressionVariables, contextDescription,
+				String.class, DOMUtil.XSD_STRING, null, task, result);
+		return MiscUtil.getSingleValue(values, null, contextDescription);
+	}
 }
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/tasks/WfTaskUtil.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/tasks/WfTaskUtil.java
index 1246dedc8d1..3e23d698afe 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/tasks/WfTaskUtil.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/tasks/WfTaskUtil.java
@@ -16,6 +16,7 @@
 package com.evolveum.midpoint.wf.impl.tasks;
 
 import com.evolveum.midpoint.model.api.context.ModelContext;
+import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
@@ -27,14 +28,17 @@
 import com.evolveum.midpoint.schema.util.WfContextUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskBinding;
+import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.MiscUtil;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.wf.api.WorkflowManager;
 import com.evolveum.midpoint.wf.impl.WfConfiguration;
 import com.evolveum.midpoint.wf.impl.processors.ChangeProcessor;
 import com.evolveum.midpoint.schema.ObjectTreeDeltas;
 import com.evolveum.midpoint.wf.impl.processors.primary.aspect.PrimaryChangeAspect;
+import com.evolveum.midpoint.wf.util.PerformerCommentsFormatter;
 import com.evolveum.midpoint.wf.util.ApprovalUtils;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.lang3.StringUtils;
@@ -43,6 +47,7 @@
 import org.springframework.stereotype.Component;
 
 import java.util.*;
+import java.util.Objects;
 import java.util.stream.Collectors;
 
 import static com.evolveum.midpoint.schema.constants.ObjectTypes.TASK;
@@ -65,6 +70,9 @@ public class WfTaskUtil {
     @Autowired private WfConfiguration wfConfiguration;
     @Autowired private PrismContext prismContext;
     @Autowired private ProvisioningService provisioningService;
+    @Autowired private SystemObjectCache systemObjectCache;
+    @Autowired private TaskManager taskManager;
+    @Autowired private WorkflowManager workflowManager;
 
 	private static final Trace LOGGER = TraceManager.getTrace(WfTaskUtil.class);
 
@@ -192,7 +200,7 @@ public String getRootTaskOid(Task task) {
         return ref != null ? ref.getOid() : null;
     }
 
-    public void deleteModelOperationContext(Task task) throws SchemaException, ObjectNotFoundException {
+    public void deleteModelOperationContext(Task task) throws SchemaException {
         task.setModelOperationContext(null);
     }
 
@@ -210,11 +218,17 @@ public Collection<ObjectReferenceType> getApprovedByFromTaskTree(Task task, Oper
     }
 
     public Collection<String> getApproverCommentsFromTaskTree(Task task, OperationResult result) throws SchemaException {
+    	Task opTask = taskManager.createTaskInstance();
         Collection<String> rv = new HashSet<>();
+        PrismObject<SystemConfigurationType> systemConfiguration = systemObjectCache.getSystemConfiguration(result);
+        PerformerCommentsFormattingType formatting = systemConfiguration != null &&
+                systemConfiguration.asObjectable().getWorkflowConfiguration() != null ?
+                systemConfiguration.asObjectable().getWorkflowConfiguration().getApproverCommentsFormatting() : null;
+        PerformerCommentsFormatter formatter = workflowManager.createPerformerCommentsFormatter(formatting);
         List<Task> tasks = task.listSubtasksDeeply(result);
         tasks.add(task);
         for (Task aTask : tasks) {
-            rv.addAll(getApproverComments(WfContextUtil.getWorkflowContext(aTask.getTaskPrismObject())));
+            rv.addAll(getApproverComments(WfContextUtil.getWorkflowContext(aTask.getTaskPrismObject()), formatter, opTask, result));
         }
         return rv;
     }
@@ -229,15 +243,20 @@ private static List<ObjectReferenceType> getApprovedBy(WfContextType wfc) {
     }
 
     @NotNull
-    private static Collection<String> getApproverComments(WfContextType wfc) {
-        return wfc == null ? emptySet() : wfc.getEvent().stream()
+    private static Collection<String> getApproverComments(WfContextType wfc, PerformerCommentsFormatter formatter,
+		    Task opTask, OperationResult result) {
+        if (wfc == null) {
+            return emptySet();
+        }
+        return wfc.getEvent().stream()
                 .flatMap(MiscUtil.instancesOf(WorkItemCompletionEventType.class))
-                .filter(e -> ApprovalUtils.isApproved(e.getOutput()) && e.getInitiatorRef() != null && StringUtils.isNotEmpty(e.getOutput().getComment()))
-                .map(e -> e.getOutput().getComment())
+		        .filter(e -> ApprovalUtils.isApproved(e.getOutput()) && e.getInitiatorRef() != null)
+		        .map(e -> formatter.formatComment(e, opTask, result))
+		        .filter(Objects::nonNull)
                 .collect(Collectors.toSet());
     }
 
-    // handlers are stored in the list in the order they should be executed; so the last one has to be pushed first
+	// handlers are stored in the list in the order they should be executed; so the last one has to be pushed first
     void pushHandlers(Task task, List<UriStackEntry> handlers) {
         for (int i = handlers.size()-1; i >= 0; i--) {
             UriStackEntry entry = handlers.get(i);
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java
new file mode 100644
index 00000000000..a431d77a21c
--- /dev/null
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2010-2018 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.evolveum.midpoint.wf.impl.util;
+
+import com.evolveum.midpoint.repo.api.RepositoryService;
+import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.exception.*;
+import com.evolveum.midpoint.util.logging.LoggingUtils;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.wf.impl.processes.common.WfExpressionEvaluationHelper;
+import com.evolveum.midpoint.wf.util.PerformerCommentsFormatter;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author mederly
+ */
+public class PerformerCommentsFormatterImpl implements PerformerCommentsFormatter {
+
+	private static final Trace LOGGER = TraceManager.getTrace(PerformerCommentsFormatterImpl.class);
+
+	@Nullable private final PerformerCommentsFormattingType formatting;
+	@NotNull private final RepositoryService repositoryService;
+	@NotNull private final WfExpressionEvaluationHelper expressionEvaluationHelper;
+
+	private final Map<String, ObjectType> performersCache = new HashMap<>();
+
+	public PerformerCommentsFormatterImpl(@Nullable PerformerCommentsFormattingType formatting,
+			@NotNull RepositoryService repositoryService, @NotNull WfExpressionEvaluationHelper expressionEvaluationHelper) {
+		this.formatting = formatting;
+		this.repositoryService = repositoryService;
+		this.expressionEvaluationHelper = expressionEvaluationHelper;
+	}
+
+	@Override
+	public String formatComment(@NotNull AbstractWorkItemType workItem, Task task, OperationResult result) {
+		return formatComment(workItem.getPerformerRef(), workItem.getOutput(), workItem, null, task, result);
+	}
+
+	@Override
+	public String formatComment(@NotNull WorkItemCompletionEventType event, Task task, OperationResult result) {
+		return formatComment(event.getInitiatorRef(), event.getOutput(), null, event, task, result);
+	}
+
+	private String formatComment(ObjectReferenceType performerRef, AbstractWorkItemOutputType output, AbstractWorkItemType workItem,
+			WorkItemCompletionEventType event, Task task, OperationResult result) {
+		if (formatting == null || formatting.getCondition() == null && formatting.getValue() == null) {
+			return output.getComment();
+		}
+		ObjectType performer = getPerformer(performerRef, result);
+		ExpressionVariables variables = new ExpressionVariables();
+		variables.addVariableDefinition(ExpressionConstants.VAR_PERFORMER, performer);
+		variables.addVariableDefinition(ExpressionConstants.VAR_OUTPUT, output);
+		variables.addVariableDefinition(ExpressionConstants.VAR_WORK_ITEM, workItem);
+		variables.addVariableDefinition(ExpressionConstants.VAR_EVENT, event);
+		if (formatting.getCondition() != null) {
+			try {
+				boolean condition = expressionEvaluationHelper.evaluateBooleanExpression(formatting.getCondition(), variables,
+						"condition in performer comments formatter", task, result);
+				if (!condition) {
+					return null;
+				}
+			} catch (CommonException e) {
+				LoggingUtils.logUnexpectedException(LOGGER, "Couldn't evaluate condition expression in comments formatter - continuing as if it were true; "
+						+ "performer = {}, output = {}, workItem = {}, event = {}", e, performer, output, workItem, event);
+			}
+		}
+		if (formatting.getValue() != null) {
+			try {
+				return expressionEvaluationHelper.evaluateStringExpression(formatting.getValue(), variables,
+						"value in performer comments formatter", task, result);
+			} catch (CommonException e) {
+				LoggingUtils.logUnexpectedException(LOGGER, "Couldn't evaluate value expression in comments formatter - using plain comment value; "
+						+ "performer = {}, output = {}, workItem = {}, event = {}", e, performer, output, workItem, event);
+				return output.getComment();
+			}
+		} else {
+			return output.getComment();
+		}
+	}
+
+	@Nullable
+	private ObjectType getPerformer(ObjectReferenceType performerRef, OperationResult result) {
+		if (performerRef == null || performerRef.getOid() == null) {
+			return null;
+		}
+		String performerOid = performerRef.getOid();
+		if (performersCache.containsKey(performerOid)) {
+			return performersCache.get(performerOid); // potentially null (if performer was previously searched for but not found)
+		}
+		UserType performer;
+		try {
+			performer = repositoryService.getObject(UserType.class, performerOid, null, result).asObjectable(); // TODO other types when needed
+		} catch (ObjectNotFoundException | SchemaException e) {
+			LoggingUtils.logUnexpectedException(LOGGER, "Couldn't resolve performer {}", e, ObjectTypeUtil.toShortString(performerRef));
+			performer = null;
+		}
+		performersCache.put(performerOid, performer);
+		return performer;
+	}
+}
diff --git a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/assignments/metarole/TestAssignmentsWithDifferentMetaroles.java b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/assignments/metarole/TestAssignmentsWithDifferentMetaroles.java
index b84293cf98c..5c4eb308ad2 100644
--- a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/assignments/metarole/TestAssignmentsWithDifferentMetaroles.java
+++ b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/assignments/metarole/TestAssignmentsWithDifferentMetaroles.java
@@ -489,7 +489,7 @@ protected void afterFirstClockworkRun(Task rootTask, List<Task> subtasks, List<W
 		PrismObject<UserType> jackAfter = getUser(userJackOid);
 		display("jack after", jackAfter);
 		assertAssignedRoles(jackAfter, roleRole29Oid);
-		assertAssignmentMetadata(jackAfter, roleRole29Oid, emptySet(), emptySet(), singleton(USER_ADMINISTRATOR_OID), singleton("comment1"));
+		assertAssignmentMetadata(jackAfter, roleRole29Oid, emptySet(), emptySet(), singleton(USER_ADMINISTRATOR_OID), singleton("administrator :: comment1"));
 	}
 
 	private void assertAssignmentMetadata(PrismObject<? extends FocusType> object, String targetOid, Set<String> createApproverOids,
@@ -610,7 +610,7 @@ protected void afterFirstClockworkRun(Task rootTask, List<Task> subtasks, List<W
 		PrismObject<UserType> jackAfter = getUser(userJackOid);
 		display("jack after", jackAfter);
 		assertAssignedRoles(jackAfter, roleRole29Oid);
-		assertAssignmentMetadata(jackAfter, roleRole29Oid, emptySet(), emptySet(), singleton(USER_ADMINISTRATOR_OID), singleton("comment2"));
+		assertAssignmentMetadata(jackAfter, roleRole29Oid, emptySet(), emptySet(), singleton(USER_ADMINISTRATOR_OID), singleton("administrator :: comment2"));
 	}
 
 	@Test
@@ -742,7 +742,7 @@ protected void afterFirstClockworkRun(Task rootTask, List<Task> subtasks, List<W
 		PrismObject<UserType> jack = getUser(userJackOid);
 		display("jack", jack);
 		assertAssignedRoles(jack, roleRole28Oid);
-		assertAssignmentMetadata(jack, roleRole28Oid, singleton(USER_ADMINISTRATOR_OID), singleton("comment3"), emptySet(), emptySet());
+		assertAssignmentMetadata(jack, roleRole28Oid, singleton(USER_ADMINISTRATOR_OID), singleton("administrator :: comment3"), emptySet(), emptySet());
 	}
 
 	@Test
@@ -854,7 +854,7 @@ protected void afterFirstClockworkRun(Task rootTask, List<Task> subtasks, List<W
 		PrismObject<UserType> jackAfter = getUser(userJackOid);
 		display("jack after", jackAfter);
 		assertAssignedRoles(jackAfter, roleRole28Oid);
-		assertAssignmentMetadata(jackAfter, roleRole28Oid, singleton(USER_ADMINISTRATOR_OID), singleton("comment3"), singleton(USER_ADMINISTRATOR_OID), singleton("comment4"));
+		assertAssignmentMetadata(jackAfter, roleRole28Oid, singleton(USER_ADMINISTRATOR_OID), singleton("administrator :: comment3"), singleton(USER_ADMINISTRATOR_OID), singleton("administrator :: comment4"));
 	}
 
 	@Test
diff --git a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/lifecycle/AbstractTestLifecycle.java b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/lifecycle/AbstractTestLifecycle.java
index 5c87ed17d68..8fd1c7c2f10 100644
--- a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/lifecycle/AbstractTestLifecycle.java
+++ b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/lifecycle/AbstractTestLifecycle.java
@@ -117,7 +117,7 @@ public void test010CreateRolePirate() throws Exception {
 					singleton(ObjectTypeUtil.createObjectRef(userLead1Oid, ObjectTypes.USER).relation(SchemaConstants.ORG_DEFAULT)),
 					new HashSet<>(metadata.getCreateApproverRef()));
 			assertEquals("Wrong create approval comments",
-					singleton("creation comment"),
+					singleton("lead1 :: creation comment"),
 					new HashSet<>(metadata.getCreateApprovalComment()));
 		}
 	}
@@ -149,7 +149,7 @@ public void test100ModifyRolePirateDescription() throws Exception {
 				singleton(ObjectTypeUtil.createObjectRef(userPirateOwnerOid, ObjectTypes.USER).relation(SchemaConstants.ORG_DEFAULT)),
 				new HashSet<>(metadata.getModifyApproverRef()));
 		assertEquals("Wrong modify approval comments",
-				singleton("modification comment"),
+				singleton("pirate-owner :: modification comment"),
 				new HashSet<>(metadata.getModifyApprovalComment()));
 	}
 
diff --git a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/sod/AbstractTestSoD.java b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/sod/AbstractTestSoD.java
index ce75f7eb444..d1bcb70b502 100644
--- a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/sod/AbstractTestSoD.java
+++ b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/sod/AbstractTestSoD.java
@@ -172,7 +172,7 @@ protected String getObjectOid() {
 			@Override
 			protected List<ExpectedTask> getExpectedTasks() {
 				return Collections.singletonList(
-						new ExpectedTask(rolePirateOid, "Assigning role \"Pirate\" to user \"jack\""));
+						new ExpectedTask(rolePirateOid, "Role \"Pirate\" excludes role \"Judge\""));
 			}
 
 			@Override
@@ -286,7 +286,7 @@ protected String getObjectOid() {
 			@Override
 			protected List<ExpectedTask> getExpectedTasks() {
 				return Collections.singletonList(
-						new ExpectedTask(roleRespectableOid, "Assigning role \"Respectable\" to user \"jack\""));
+						new ExpectedTask(roleRespectableOid, "Role \"Thief\" (Respectable -> Thief) excludes role \"Judge\""));
 			}
 
 			@Override
diff --git a/model/workflow-impl/src/test/resources/common/system-configuration.xml b/model/workflow-impl/src/test/resources/common/system-configuration.xml
index 7aab5aa1eab..0878f1dd663 100644
--- a/model/workflow-impl/src/test/resources/common/system-configuration.xml
+++ b/model/workflow-impl/src/test/resources/common/system-configuration.xml
@@ -66,6 +66,18 @@
     </notificationConfiguration>
     <workflowConfiguration>
         <allowCompleteOthersItems>true</allowCompleteOthersItems>
+        <approverCommentsFormatting>
+            <value>
+                <script>
+                    <code>performer.name + ' :: ' + output.comment</code>
+                </script>
+            </value>
+            <condition>
+                <script>
+                    <code>output.comment != null &amp;&amp; !output.comment.isEmpty()</code>
+                </script>
+            </condition>
+        </approverCommentsFormatting>
         <primaryChangeProcessor>
             <enabled>true</enabled>
             <policyRuleBasedAspect>
diff --git a/model/workflow-impl/src/test/resources/policy/object/system-configuration.xml b/model/workflow-impl/src/test/resources/policy/object/system-configuration.xml
index 80a96de0acd..1f1365a235b 100644
--- a/model/workflow-impl/src/test/resources/policy/object/system-configuration.xml
+++ b/model/workflow-impl/src/test/resources/policy/object/system-configuration.xml
@@ -57,7 +57,19 @@
         <allowCompleteOthersItems>true</allowCompleteOthersItems>
 		<useLegacyApproversSpecification>never</useLegacyApproversSpecification>
 		<useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
-    </workflowConfiguration>
+		<approverCommentsFormatting>
+			<value>
+				<script>
+					<code>performer.name + ' :: ' + output.comment</code>
+				</script>
+			</value>
+			<condition>
+				<script>
+					<code>output.comment != null &amp;&amp; !output.comment.isEmpty()</code>
+				</script>
+			</condition>
+		</approverCommentsFormatting>
+	</workflowConfiguration>
 	<globalPolicyRule>
 		<name>approve-employee-role-add</name>
 		<policyConstraints>
diff --git a/model/workflow-impl/src/test/resources/policy/system-configuration-global.xml b/model/workflow-impl/src/test/resources/policy/system-configuration-global.xml
index 74b1b42425f..52a47f4aea2 100644
--- a/model/workflow-impl/src/test/resources/policy/system-configuration-global.xml
+++ b/model/workflow-impl/src/test/resources/policy/system-configuration-global.xml
@@ -57,7 +57,19 @@
         <allowCompleteOthersItems>true</allowCompleteOthersItems>
 		<useLegacyApproversSpecification>never</useLegacyApproversSpecification>
 		<useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
-    </workflowConfiguration>
+		<approverCommentsFormatting>
+			<value>
+				<script>
+					<code>performer.name + ' :: ' + output.comment</code>
+				</script>
+			</value>
+			<condition>
+				<script>
+					<code>output.comment != null &amp;&amp; !output.comment.isEmpty()</code>
+				</script>
+			</condition>
+		</approverCommentsFormatting>
+	</workflowConfiguration>
 	<globalPolicyRule>
 		<policyConstraints>
 			<assignment>
diff --git a/model/workflow-impl/src/test/resources/policy/system-configuration.xml b/model/workflow-impl/src/test/resources/policy/system-configuration.xml
index 17915a482e4..e08f5d38c11 100644
--- a/model/workflow-impl/src/test/resources/policy/system-configuration.xml
+++ b/model/workflow-impl/src/test/resources/policy/system-configuration.xml
@@ -71,7 +71,19 @@
 	</notificationConfiguration>
 	<workflowConfiguration>
         <allowCompleteOthersItems>true</allowCompleteOthersItems>
-        <primaryChangeProcessor>
+		<approverCommentsFormatting>
+			<value>
+				<script>
+					<code>performer.name + ' :: ' + output.comment</code>
+				</script>
+			</value>
+			<condition>
+				<script>
+					<code>output.comment != null &amp;&amp; !output.comment.isEmpty()</code>
+				</script>
+			</condition>
+		</approverCommentsFormatting>
+		<primaryChangeProcessor>
         </primaryChangeProcessor>
     </workflowConfiguration>
 </systemConfiguration>
diff --git a/samples/hogwarts/accounts.csv b/samples/hogwarts/accounts.csv
new file mode 100644
index 00000000000..247c4618676
--- /dev/null
+++ b/samples/hogwarts/accounts.csv
@@ -0,0 +1,70 @@
+login,firstname,lastname,memberOf,managerOf,disabled,password
+h.potter,Harry,Potter,Hogwarts/Students/Gryffindor,quiddich-griffindor,false,asd123
+h.granger,Hermione,Granger,Hogwarts/Students/Gryffindor,,false,huGHa
+r.weasley,Ron,Weasley,Hogwarts/Students/Gryffindor,,false,asd123
+f.weasley,Fred,Weasley,Hogwarts/Students/Gryffindor;quiddich-griffindor,,false,sLh5D
+ge.weasley,George,Weasley,Hogwarts/Students/Gryffindor;quiddich-griffindor,,false,Hhktd
+gi.weasley,Ginny,Weasley,Hogwarts/Students/Gryffindor,,false,HidpQ
+p.weasley,Percy,Weasley,Hogwarts/Students/Gryffindor,,false,BVzp7
+n.longbottom,Neville,Longbottom,Hogwarts/Students/Gryffindor,,false,4j91q
+s.finnigan,Seamus,Finnigan,Hogwarts/Students/Gryffindor,,false,X3rVs
+o.wood,Oliver,Wood,Hogwarts/Students/Gryffindor,quiddich-griffindor,false,He7jK
+k.bell,Katie,Bell,Hogwarts/Students/Gryffindor;quiddich-griffindor,,false,CStTz
+l.brown,Lavender,Brown,Hogwarts/Students/Gryffindor,,false,3PnNC
+c.creevey,Colin,Creevey,Hogwarts/Students/Gryffindor,,false,FxRQO
+d.creevey,Dennis,Creevey,Hogwarts/Students/Gryffindor,,false,O0Unq
+a.johnson,Angelina,Johnson,Hogwarts/Students/Gryffindor;quiddich-griffindor,,false,xwlPf
+l.jordan,Lee,Jordan,Hogwarts/Students/Gryffindor,,false,FeJKf
+c.mcLaggen,Cormac,McLaggen,Hogwarts/Students/Gryffindor,,false,WGV9Z
+p.patil,Parvati,Patil,Hogwarts/Students/Gryffindor,,false,L06xC
+a.spinnet,Alicia,Spinnet,Hogwarts/Students/Gryffindor;quiddich-griffindor,,false,3QyWK
+d.thomas,Dean,Thomas,Hogwarts/Students/Gryffindor;quiddich-griffindor,,false,7bUIs
+s.bones,Susan,Bones,Hogwarts/Students/Hufflepuff,,false,zzkzQ
+c.diggory,Cedric,Diggory,Hogwarts/Students/Hufflepuff,quiddich-hufflepuff,false,dDtXQ
+j.finchFletchley,Justin,Finch-Fletchley,Hogwarts/Students/Hufflepuff,,false,4hicr
+e.macmillan,Ernie,Macmillan,Hogwarts/Students/Hufflepuff,,false,o1vdP
+z.smith,Zacharias,Smith,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,wWytb
+m.oflaherty,Maxine,O'Flaherty,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,8zSQC
+a.rickett,Anthony,Rickett,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,aR5Qz
+m.mcManus,Michael,McManus,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,68oPS
+m.preece,Malcolm,Preece,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,SjkHQ
+h.macavoy,Heidi,Macavoy,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,jkxdA
+t.applebee,Tamsin,Applebee,Hogwarts/Students/Hufflepuff;quiddich-hufflepuff,,false,b5eaL
+l.lovegood,Luna,Lovegood,Hogwarts/Students/Ravenclaw,,false,gVpvc
+t.boot,Terry,Boot,Hogwarts/Students/Ravenclaw,,false,jMeJC
+ch.Chang,Cho,Chang,Hogwarts/Students/Ravenclaw;quiddich-ravenclaw,,false,MyNFI
+p.clearwater,Penelope,Clearwater,Hogwarts/Students/Ravenclaw,,false,beT2o
+m.corner,Michael,Corner,Hogwarts/Students/Ravenclaw,,false,SzZjR
+r.davies,Roger,Davies,Hogwarts/Students/Ravenclaw,quiddich-ravenclaw,false,1WPNp
+m.edgecombe,Marietta,Edgecombe,Hogwarts/Students/Ravenclaw,,false,9NXxc
+a.goldstein,Anthony,Goldstein,Hogwarts/Students/Ravenclaw,,false,QGLi0
+pa.patil,Padma,Patil,Hogwarts/Students/Ravenclaw,,false,L06xC
+j.stretton,Jeremy,Stretton,Hogwarts/Students/Ravenclaw;quiddich-ravenclaw,,false,Qo2kc
+r.burrow,Randolph,Burrow,Hogwarts/Students/Ravenclaw;quiddich-ravenclaw,,false,BtwrF
+d.inglebee,Duncan,Inglebee,Hogwarts/Students/Ravenclaw;quiddich-ravenclaw,,false,0hFEp
+d.malfoy,Draco,Malfoy,Hogwarts/Students/Slytherin;quiddich-slytherin,,false,lOBrZ
+m.bulstrode,Millicent,Bulstrode,Hogwarts/Students/Slytherin,,false,fzFmz
+v.crabbe,Vincent,Crabbe,Hogwarts/Students/Slytherin;quiddich-slytherin,,false,gFv53
+m.flint,Marcus,Flint,Hogwarts/Students/Slytherin,quiddich-slytherin,false,Iy6lp
+g.goyle,Gregory,Goyle,Hogwarts/Students/Slytherin;quiddich-slytherin,,false,wboNH
+g.montague,Graham,Montague,Hogwarts/Students/Slytherin;quiddich-slytherin,,false,H08hH
+t.nott,Theodore,Nott,Hogwarts/Students/Slytherin,,false,sOc81
+p.parkinson,Pansy,Parkinson,Hogwarts/Students/Slytherin,,false,wd7TU
+b.zabini,Blaise,Zabini,Hogwarts/Students/Slytherin,,false,bwdzH
+a.dumbledore,Albus,Dumbledore,Hogwarts/Staff/Professors,Hogwarts/Staff/Professors;Hogwarts/Staff/Auxiliary,false,asd123
+l.voldemort,Lord,Voldemort,Hogwarts/Staff/Professors,,false,w3Hn3
+m.mcGonagall,Minerva,McGonagall,Hogwarts/Staff/Professors,Hogwarts/Students/Gryffindor,false,LnwYb
+s.snape,Severus,Snape,Hogwarts/Staff/Professors,Hogwarts/Students/Slytherin,false,3p0AE
+p.sprout,Pomona,Sprout,Hogwarts/Staff/Professors,Hogwarts/Students/Hufflepuff,false,TPL2T
+f.flitwick,Filius,Flitwick,Hogwarts/Staff/Professors,Hogwarts/Students/Ravenclaw,false,3seVL
+s.trelawney,Sybill,Trelawney,Hogwarts/Staff/Professors,,false,irY4l
+ch.burbage,Charity,Burbage,Hogwarts/Staff/Professors,,false,JIZxz
+r.hooch,Rolanda,Hooch,Hogwarts/Staff/Professors,,false,VmbKi
+s.kettleburn,Silvanus,Kettleburn,Hogwarts/Staff/Professors,,false,tVxYS
+g.lockhart,Gilderoy,Lockhart,Hogwarts/Staff/Professors,,false,asd123
+a.sinistra,Aurora,Sinistra,Hogwarts/Staff/Professors,,false,top0f
+s.vector,Septima,Vector,Hogwarts/Staff/Professors,,false,NJFjE
+a.filch,Argus,Filch,Hogwarts/Staff/Auxiliary,,false,LUdDa
+r.hagrid,Rubeus,Hagrid,Hogwarts/Staff/Auxiliary;Hogwarts/Staff/Professors,,false,asd123
+i.pince,Irma,Pince,Hogwarts/Staff/Auxiliary,,false,ZnHa4
+p.pomfrey,Poppy,Pomfrey,Hogwarts/Staff/Auxiliary,,false,bvYIK
diff --git a/samples/hogwarts/groups.ldif b/samples/hogwarts/groups.ldif
new file mode 100644
index 00000000000..2dd974753ca
--- /dev/null
+++ b/samples/hogwarts/groups.ldif
@@ -0,0 +1,73 @@
+version: 1
+
+dn: ou=groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=hogwarts,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: hogwarts
+member: uid=nobody,ou=People,dc=example,dc=com
+description: Hogwarts organization structure. Include all students, staff, t
+ eachers etc.
+
+dn: cn=Minister of magic,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Minister of magic
+member: uid=nobody,ou=People,dc=example,dc=com
+member: uid=c.fudge,ou=People,dc=example,dc=com
+
+dn: cn=quiddich-griffindor,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: quiddich-griffindor
+member: uid=nobody,ou=People,dc=example,dc=com
+
+dn: cn=quiddich-ravenclaw,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: quiddich-ravenclaw
+member: uid=nobody,ou=People,dc=example,dc=com
+
+dn: cn=quiddich-slytherin,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: quiddich-slytherin
+member: uid=nobody,ou=People,dc=example,dc=com
+
+dn: cn=quiddich,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: quiddich
+member: uid=nobody,ou=People,dc=example,dc=com
+
+dn: cn=quiddich-hufflepuff,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: quiddich-hufflepuff
+member: uid=nobody,ou=People,dc=example,dc=com
+
+dn: cn=herbologyTeacher,ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfNames
+cn: herbologyTeacher
+member: uid=nobody,dc=example,dc=com
+
+dn: cn=potionsTeacher,ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfNames
+cn: potionsTeacher
+member: uid=nobody,dc=example,dc=com
+
+dn: cn=defenceAgainstDarkArts,ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfNames
+cn: defenceAgainstDarkArts
+member: uid=nobody,dc=example,dc=com
+
+dn: cn=transfigurationTeacher,ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfNames
+cn: transfigurationTeacher
+member: uid=nobody,dc=example,dc=com
+
+dn: cn=duellingClassroomAccess,ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfNames
+cn: duellingClassroomAccess
+member: uid=nobody,dc=example,dc=com
diff --git a/samples/hogwarts/objects/accessCertificationDefinitions/access-certification-definition.xml b/samples/hogwarts/objects/accessCertificationDefinitions/access-certification-definition.xml
new file mode 100644
index 00000000000..0210c1ae646
--- /dev/null
+++ b/samples/hogwarts/objects/accessCertificationDefinitions/access-certification-definition.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2014 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<accessCertificationDefinition
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <name>User's assignemnts according to the manager</name>
+    <description>Certifies all users' assignments. Everything is certified by the administrator.</description>
+    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/certification/handlers-3#direct-assignment</handlerUri>
+    <stageDefinition>
+        <number>1</number>
+        <name>Manager's review</name>
+        <description>In this stage, the manager has to review all the assignments of users belonging to his org unit.</description>
+        <duration>P14D</duration>   <!-- 14 days -->
+        <notifyBeforeDeadline>PT48H</notifyBeforeDeadline> <!-- 48 hours -->
+        <notifyBeforeDeadline>PT12H</notifyBeforeDeadline>
+        <notifyOnlyWhenNoDecision>true</notifyOnlyWhenNoDecision>  <!-- this is the default -->
+        <reviewerSpecification>
+         <useObjectManager>
+            <allowSelf>false</allowSelf>
+         </useObjectManager>
+      </reviewerSpecification>
+        <timedActions>
+            <time>
+                <value>P7D</value>
+            </time>
+            <actions>
+                <escalate>
+                    <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType" />  <!-- administrator -->
+                    <delegationMethod>addAssignees</delegationMethod>
+                    <escalationLevelName>Level1</escalationLevelName>
+                </escalate>
+            </actions>
+        </timedActions>
+    </stageDefinition>
+    <scopeDefinition xsi:type="AccessCertificationAssignmentReviewScopeType">
+    <objectType>UserType</objectType>
+    <searchFilter>
+        <q:org>
+            <q:path>parentOrgRef</q:path>
+            <q:orgRef oid="00000000-0000-0org-0000-111111111111">      
+                <q:scope>SUBTREE</q:scope>
+            </q:orgRef>
+        </q:org>
+    </searchFilter>
+    <itemSelectionExpression>
+        <script>
+            <code>
+            	import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType
+            	
+            	log.info("####### assignment: " + assignment)
+            	if (assignment.targetRef.type.localPart.equals('RoleType')) {
+            		log.info("#### not a OrgType: " + assignment.targetRef.type.localPart)
+            		role = midpoint.resolveReferenceIfExists(assignment.targetRef)
+                	log.info("##### role: " + role)
+                	log.info("##### role type: " + role.roleType)
+                	return role != null &amp;&amp; role.requestable
+            	} 
+                org = midpoint.resolveReferenceIfExists(assignment.targetRef)
+                log.info("##### org: " + org)
+                log.info("##### org type: " + org.orgType)
+                return org != null &amp;&amp; org.orgType[0] == 'access' 
+               
+            </code>
+        </script>
+    </itemSelectionExpression>
+    <includeRoles>true</includeRoles>
+    <includeOrgs>true</includeOrgs>
+    <includeResources>false</includeResources>
+</scopeDefinition>
+    <remediationDefinition>
+        <style>automated</style>
+    </remediationDefinition>
+</accessCertificationDefinition>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/objectTemplates/object-template-create-org-struct.xml b/samples/hogwarts/objects/objectTemplates/object-template-create-org-struct.xml
new file mode 100644
index 00000000000..dae2d6acb30
--- /dev/null
+++ b/samples/hogwarts/objects/objectTemplates/object-template-create-org-struct.xml
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2014 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<objectTemplate oid="10000000-0000-0000-0000-000000000231"
+   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+   xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+   xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+   xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
+   xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+   xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">
+    <name>Org Template</name>
+    
+    <mapping>
+    	<name>Org-org mapping</name>
+    	<authoritative>true</authoritative>
+		<strength>strong</strength>
+    	<source>
+    		<path>identifier</path>
+    		<name>orgpath</name>
+    	</source>
+    	<source>
+    		<path>orgType</path>
+    	</source>
+    	<expression>
+    		<assignmentTargetSearch>
+            	<targetType>c:OrgType</targetType>
+        		<filter>
+					<q:equal>
+						<q:path>c:name</q:path>
+						<q:matching>polyStringNorm</q:matching>
+						<expression>
+							<script>
+								<code>
+									parent = orgpath?.tokenize('/').reverse()[0]
+									return parent
+								</code>
+							</script>
+						</expression>
+					</q:equal>
+				</filter>
+				<createOnDemand>true</createOnDemand>
+				<populateObject>
+					<populateItem>
+						<expression>
+							<script>
+								<code>
+									orgpath.tokenize('/').reverse()[0]
+								</code>
+							</script>
+						</expression>
+						<target>
+							<path>name</path>
+						</target>
+					</populateItem>
+					<populateItem>
+						<expression>
+							<value>access</value>
+						</expression>
+						<target>
+							<path>orgType</path>
+						</target>
+					</populateItem>
+					<populateItem>
+						<expression>
+							<script>
+								<code>
+									orgpath.tokenize('/').reverse()[1..-1].join('/').tokenize('/').reverse()[0..-1].join('/')
+								</code>
+							</script>
+						</expression>
+						<target>
+							<path>identifier</path>
+						</target>
+					</populateItem>
+					<populateItem>
+						<expression>
+							<assignmentTargetSearch>
+								<targetType>RoleType</targetType>
+								<oid>12345678-d34d-b33f-f00d-111111111222</oid>
+							</assignmentTargetSearch>
+						</expression>
+						<target>
+							<path>assignment</path>
+						</target>
+					</populateItem>
+				</populateObject>
+            </assignmentTargetSearch>    	
+    	</expression>
+    	<target>
+    		<path>assignment</path>
+    	</target>
+    	<condition>
+    		<script>
+    			<code>orgType != null &amp;&amp; orgType == 'access'</code>
+    		</script>
+    	</condition>
+    </mapping>
+  
+  	
+  	<mapping>
+  		<name>Assign meta role</name>
+    	<authoritative>true</authoritative>
+		<strength>strong</strength>
+    	<expression>
+    		<assignmentTargetSearch>
+				<targetType>RoleType</targetType>
+				<oid>12345678-d34d-b33f-f00d-111111111222</oid>
+			</assignmentTargetSearch>
+		</expression>
+		<target>
+			<path>assignment</path>
+		</target>
+  	</mapping>
+  
+</objectTemplate>
diff --git a/samples/hogwarts/objects/objectTemplates/object-template-user.xml b/samples/hogwarts/objects/objectTemplates/object-template-user.xml
new file mode 100644
index 00000000000..6c58a083ffe
--- /dev/null
+++ b/samples/hogwarts/objects/objectTemplates/object-template-user.xml
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<objectTemplate oid="10000000-0000-0000-0000-000000000222"
+   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+   xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+   xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+   xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
+   xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+   xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">
+    <name>User Template</name>
+    
+    <mapping>
+    	<!-- This mapping is NOT initial so if will in fact FORCE fullname consistency -->
+		<strength>strong</strength>
+    	<source>
+    		<path>$user/givenName</path>
+    	</source>
+    	<source>
+    		<path>$user/familyName</path>
+    	</source>
+    	<expression>
+			<script>
+				<code>
+					givenName + ' ' + familyName
+				</code>
+         	</script>
+		</expression>
+    	<target>
+    		<path>$user/fullName</path>
+    	</target>
+    	<condition>
+     		<script>
+    			<code>givenName != null &amp;&amp; familyName != null</code>
+    		</script>  
+    	</condition>
+    </mapping>
+    
+    <mapping>
+    	<name>end user role</name>
+		<strength>strong</strength>
+		<source>
+			<path>name</path>
+		</source>
+    	<expression>
+            <assignmentTargetSearch>
+            	<targetType>c:RoleType</targetType>
+            	<oid>00000000-0000-0000-0000-000000000008</oid>
+            </assignmentTargetSearch>    	
+    	</expression>
+    	<target>
+    		<path>assignment</path>
+    	</target>
+    	<condition>
+    		<script>
+    			<code>
+    				!name?.getOrig()?.equals("administrator")
+    			</code>
+    		</script>
+    	</condition>
+    </mapping>
+    
+    <mapping>
+    	<!-- This mapping is NOT initial so if will in fact FORCE fullname consistency -->
+		<strength>strong</strength>
+    	<expression>
+			<script>
+				<code>
+						orgs = midpoint.getParentOrgs(focus, "default", "access")
+					for (org in orgs) {
+					
+						if (org == null || org.name == null) {
+							continue
+						} 
+											
+						name = org.name.orig
+					
+						if (name.equals("Professors") || name.equals("Auxiliary")) {
+							return "employee";
+						}
+					
+						if (name.equals("Gryffindor") || name.equals("Hufflepuff") || name.equals("Ravenclaw") || name.equals("Slytherin")) {
+							return "student";
+						}
+					}
+				</code>
+         	</script>
+		</expression>
+    	<target>
+    		<path>employeeType</path>
+    	</target>
+    	<condition>
+    		<script>
+    			<code>
+    				focus != null
+    			</code>
+    		</script>
+    	</condition>
+    </mapping>
+    
+</objectTemplate>
diff --git a/samples/hogwarts/objects/orgs/org-hogwarts.xml b/samples/hogwarts/objects/orgs/org-hogwarts.xml
new file mode 100644
index 00000000000..21402a43178
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-hogwarts.xml
@@ -0,0 +1,29 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-0000-0org-0000-111111111111"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>hogwarts</name>
+<!--     <parentOrgRef oid="4e5dfba1-f208-4038-962f-668f25e1e370" type="OrgType" /> -->
+    <displayName>Hogwarts</displayName>
+    <description>
+    	Hogwarts organization structure. Include all students, staff, teachers etc.
+    </description>
+    <requestable>true</requestable>
+<!--     <orgType>access</orgType> -->
+</org>
diff --git a/samples/hogwarts/objects/orgs/org-minister-of-magic.xml b/samples/hogwarts/objects/orgs/org-minister-of-magic.xml
new file mode 100644
index 00000000000..68956d56697
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-minister-of-magic.xml
@@ -0,0 +1,24 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-0000-0org-0000-333111111111"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Minister of magic</name>
+    <displayName>Minister of magic</displayName>
+    <requestable>true</requestable>
+</org>
diff --git a/samples/hogwarts/objects/orgs/org-quiddich-griffindor.xml b/samples/hogwarts/objects/orgs/org-quiddich-griffindor.xml
new file mode 100644
index 00000000000..a4a844c7fb2
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-quiddich-griffindor.xml
@@ -0,0 +1,35 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-team-0org-0000-111111111112"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>quiddich-griffindor</name>
+    <displayName>Griffindor</displayName>
+    <description>
+    	Griffindoch quiddich team members
+    </description>
+    <requestable>true</requestable>
+    <orgType>team</orgType>
+    <assignment>
+    	<targetRef oid="00000000-team-0org-0000-111111111111" type="OrgType"/>
+    </assignment>
+    <assignment>
+    	<targetRef oid="00000000-role-0000-0000-999111111112" type="RoleType"/>
+    </assignment>
+
+</org>
diff --git a/samples/hogwarts/objects/orgs/org-quiddich-hufflepuff.xml b/samples/hogwarts/objects/orgs/org-quiddich-hufflepuff.xml
new file mode 100644
index 00000000000..defc7061500
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-quiddich-hufflepuff.xml
@@ -0,0 +1,35 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-team-0org-0000-111111111115"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>quiddich-hufflepuff</name>
+    <displayName>Hufflepuff</displayName>
+    <description>
+    	Hufflepuff quiddich team members
+    </description>
+    <requestable>true</requestable>
+    <orgType>team</orgType>
+    <assignment>
+    	<targetRef oid="00000000-team-0org-0000-111111111111" type="OrgType"/>
+    </assignment>
+    <assignment>
+    	<targetRef oid="00000000-role-0000-0000-999111111112" type="RoleType"/>
+    </assignment>
+
+</org>
diff --git a/samples/hogwarts/objects/orgs/org-quiddich-ravenclaw.xml b/samples/hogwarts/objects/orgs/org-quiddich-ravenclaw.xml
new file mode 100644
index 00000000000..cff283e5b0d
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-quiddich-ravenclaw.xml
@@ -0,0 +1,57 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-team-0org-0000-111111111113"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>quiddich-ravenclaw</name>
+    <displayName>Ravenclaw</displayName>
+    <description>
+    	Ravenclaw quiddich team members
+    </description>
+    <requestable>true</requestable>
+    <orgType>team</orgType>
+    <assignment>
+    	<targetRef oid="00000000-team-0org-0000-111111111111" type="OrgType"/>
+    </assignment>
+    <assignment>
+    	<targetRef oid="00000000-role-0000-0000-999111111112" type="RoleType"/>
+    </assignment>
+
+<!-- <assignment> -->
+<!--         <policyRule> -->
+<!--             <name>excluded-role</name> -->
+<!--             <policyConstraints> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111115" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111112" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111113" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111114" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--             </policyConstraints> -->
+<!--             <policyActions> -->
+<!--                 <enforcement/> -->
+<!--             </policyActions> -->
+<!--         </policyRule> -->
+<!--     </assignment> -->
+</org>
diff --git a/samples/hogwarts/objects/orgs/org-quiddich-slytherin.xml b/samples/hogwarts/objects/orgs/org-quiddich-slytherin.xml
new file mode 100644
index 00000000000..6fb1c347438
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-quiddich-slytherin.xml
@@ -0,0 +1,57 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-team-0org-0000-111111111114"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>quiddich-slytherin</name>
+    <displayName>Slytherin</displayName>
+    <description>
+    	Slytherin quiddich team members
+    </description>
+    <requestable>true</requestable>
+    <orgType>team</orgType>
+    <assignment>
+    	<targetRef oid="00000000-team-0org-0000-111111111111" type="OrgType"/>
+    </assignment>
+    <assignment>
+    	<targetRef oid="00000000-role-0000-0000-999111111112" type="RoleType"/>
+    </assignment>
+
+<!-- <assignment> -->
+<!--         <policyRule> -->
+<!--             <name>excluded-role</name> -->
+<!--             <policyConstraints> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111115" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111112" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111113" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--                 <exclusion> -->
+<!--                     <targetRef oid="00000000-team-0org-0000-111111111114" type="OrgType"/> -->
+<!--                 </exclusion> -->
+<!--             </policyConstraints> -->
+<!--             <policyActions> -->
+<!--                 <enforcement/> -->
+<!--             </policyActions> -->
+<!--         </policyRule> -->
+<!--     </assignment> -->
+</org>
diff --git a/samples/hogwarts/objects/orgs/org-quiddich-teams.xml b/samples/hogwarts/objects/orgs/org-quiddich-teams.xml
new file mode 100644
index 00000000000..1b0e5555cba
--- /dev/null
+++ b/samples/hogwarts/objects/orgs/org-quiddich-teams.xml
@@ -0,0 +1,28 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="00000000-team-0org-0000-111111111111"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>quiddich</name>
+    <displayName>Quiddich Teams</displayName>
+    <description>
+    	Teams structure.
+    </description>
+    <requestable>true</requestable>
+    <orgType>team</orgType>
+</org>
diff --git a/samples/hogwarts/objects/resources/resource-csv.xml b/samples/hogwarts/objects/resources/resource-csv.xml
new file mode 100644
index 00000000000..60fcbfd45f8
--- /dev/null
+++ b/samples/hogwarts/objects/resources/resource-csv.xml
@@ -0,0 +1,442 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+
+<resource 	oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe"
+		xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+		xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+		xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+		xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+       	xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+
+	<name>HR</name>
+    <description>Source resource</description>
+     
+	<connectorRef type="ConnectorType">
+		<filter>
+	        <q:equal>
+			<q:path>c:connectorType</q:path>
+	          <q:value>com.evolveum.polygon.connector.csv.CsvConnector</q:value>
+	        </q:equal>
+	      </filter>
+	</connectorRef>
+
+	<connectorConfiguration xmlns:icfi="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-csv/com.evolveum.polygon.connector.csv.CsvConnector">
+		<icfc:configurationProperties>
+				<icfi:filePath>/opt.midpoint/csv/accounts.csv</icfi:filePath>
+				<icfi:encoding>utf-8</icfi:encoding>
+				<icfi:quote>"</icfi:quote>
+				<icfi:quoteMode>ALL</icfi:quoteMode>
+				<icfi:fieldDelimiter>,</icfi:fieldDelimiter>
+				<icfi:multivalueDelimiter>;</icfi:multivalueDelimiter>
+				<icfi:uniqueAttribute>login</icfi:uniqueAttribute>
+				<icfi:passwordAttribute>password</icfi:passwordAttribute>
+			</icfc:configurationProperties>
+		
+			<!-- Generic ICF configuration -->
+
+	</connectorConfiguration>
+
+        <!-- Resource Schema Handling definition.
+             This part defines how the schema defined above will be used by
+             midPoint. It defines expressions and limitations for individual
+             schema attributes.
+
+             The expressions that describe both inbound and outbound flow of
+             the attributes are defined in this section.
+
+             This is the part where most of the customization takes place.
+        -->
+		<schemaHandling>
+
+            <!-- Definition of default account type.
+                 This is now the only account type that midPoint can work with. -->
+			<objectType>
+                <!-- Readable name for the account type -->
+				<displayName>Default Account</displayName>
+				<default>true</default>
+                <!-- Reference to the Resource Schema (see above) specifying
+                     object class for this account type -->
+				<objectClass>ri:AccountObjectClass</objectClass>
+				<attribute>
+					<ref>ri:login</ref>
+
+					<displayName>Login</displayName>
+
+					<limitations>
+						<minOccurs>0</minOccurs>
+					</limitations>
+					<inbound>
+						<target>
+							<path>name</path>
+						</target>
+					</inbound>
+				</attribute>
+
+				<attribute>
+					<ref>ri:firstname</ref>
+					<displayName>First name</displayName>
+					<description>Definition of Firstname attribute handling.</description>
+					<inbound>
+						<target>
+							<path>givenName</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:lastname</ref>
+					<displayName>Last name</displayName>
+					<description>Definition of Lastname attribute handling.</description>
+					<inbound>
+						<target>
+							<path>$user/familyName</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:memberOf</ref>
+					<displayName>Member of specified organization unit/project</displayName>
+					<!-- CSV connector does not know about multivalue, so pretend this attribute is multivalue. -->
+					<limitations>
+						<minOccurs>0</minOccurs>
+						<maxOccurs>-1</maxOccurs>
+					</limitations>
+					<inbound>
+						<expression>
+							<assignmentTargetSearch>
+			            	<targetType>c:OrgType</targetType>
+			        		<filter>
+								<q:equal>
+									<q:path>c:name</q:path>
+									<q:matching>polyStringNorm</q:matching>
+									<expression>
+										<script>
+											<code>
+												parent = input.tokenize('/').reverse()[0]
+												if (!parent) {
+													return "hogwarts";
+												} else {
+													return parent;
+												} 
+												return "TOP"
+											</code>
+										</script>
+									</expression>
+								</q:equal>
+							</filter>
+							<createOnDemand>true</createOnDemand>
+							<populateObject>
+								<populateItem>
+									<expression>
+										<script>
+											<code>
+												input.tokenize('/').reverse()[0]
+											</code>
+										</script>
+									</expression>
+									<target>
+										<path>name</path>
+									</target>
+								</populateItem>
+								<populateItem>
+									<expression>
+										<value>access</value>
+									</expression>
+									<target>
+										<path>orgType</path>
+									</target>
+								</populateItem>
+								<populateItem>
+									<expression>
+										<script>
+											<code>
+												input.tokenize('/').reverse()[1..-1].join('/').tokenize('/').reverse()[0..-1].join('/')
+											</code>
+										</script>
+									</expression>
+									<target>
+										<path>identifier</path>
+									</target>
+								</populateItem>
+							</populateObject>
+			            </assignmentTargetSearch>    	
+						</expression>
+						<target>
+							<path>assignment</path>
+							<set>
+					            <condition>
+					                <script>
+					                    <code>
+					                         import com.evolveum.midpoint.schema.constants.*
+					                         import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
+					                         
+					                         
+					                         
+					                        if (assignment.target != null) {
+					                        	inRange = assignment.target.orgType?.contains('access')
+					                        	return inRange
+					                        }
+					                        
+					                        if (assignment.targetRef != null &amp;&amp; assignment.targetRef.type.localPart == "OrgType") {
+					                        	role = midpoint.getObject(OrgType.class, assignment.targetRef.oid)
+					                        	inRange = role.orgType?.contains('access') || role.orgType?.contains('team')
+					                        	return inRange
+					                        }
+					                    </code>
+					                </script>
+					            </condition>
+					        </set>
+						</target>
+					</inbound>
+					
+				</attribute>
+				
+				<attribute>
+					<ref>ri:managerOf</ref>
+					<displayName>Manager of specified organization unit/project</displayName>
+					<!-- CSV connector does not know about multivalue, so pretend this attribute is multivalue. -->
+					<limitations>
+						<minOccurs>0</minOccurs>
+						<maxOccurs>-1</maxOccurs>
+					</limitations>
+					<inbound>
+						<expression>
+							<assignmentTargetSearch>
+			            	<targetType>c:OrgType</targetType>
+			            	<relation>manager</relation>
+			        		<filter>
+								<q:equal>
+									<q:path>c:name</q:path>
+									<q:matching>polyStringNorm</q:matching>
+									<expression>
+										<script>
+											<code>
+											
+												parent = input.tokenize('/').reverse()[0]
+												if (!parent) {
+													return "hogwarts";
+												} else {
+													return parent;
+												} 
+
+											</code>
+										</script>
+									</expression>
+								</q:equal>
+							</filter>
+							<createOnDemand>true</createOnDemand>
+							<populateObject>
+								<populateItem>
+									<expression>
+										<script>
+											<code>
+											
+												input.tokenize('/').reverse()[0]
+											</code>
+										</script>
+									</expression>
+									<target>
+										<path>name</path>
+									</target>
+								</populateItem>
+								<populateItem>
+									<expression>
+										<value>access</value>
+									</expression>
+									<target>
+										<path>orgType</path>
+									</target>
+								</populateItem>
+								<populateItem>
+									<expression>
+										<script>
+											<code>
+												input.tokenize('/').reverse()[1..-1].join('/').tokenize('/').reverse()[0..-1].join('/')
+											</code>
+										</script>
+									</expression>
+									<target>
+										<path>identifier</path>
+									</target>
+								</populateItem>
+							</populateObject>
+			            </assignmentTargetSearch>    	
+						</expression>
+						<target>
+							<path>assignment</path>
+							<set>
+					            <condition>
+					                <script>
+					                    <code>
+					                         import com.evolveum.midpoint.schema.constants.*
+					                         import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
+					                         
+					                         
+					                         
+					                        if (assignment.target != null) {
+					                        	inRange = assignment.target.orgType?.contains('access')
+					                        	return inRange
+					                        }
+					                        
+					                        if (assignment.targetRef != null &amp;&amp; assignment.targetRef.type.localPart == "OrgType") {
+					                        	role = midpoint.getObject(OrgType.class, assignment.targetRef.oid)
+					                        	inRange = role.orgType?.contains('access') || role.orgType?.contains('team')
+					                        	return inRange
+					                        }
+					                    </code>
+					                </script>
+					            </condition>
+					        </set>
+						</target>
+					</inbound>
+					<inbound>
+						<expression>
+							<assignmentTargetSearch>
+			            	<targetType>c:RoleType</targetType>
+			            	<oid>e2c88fea-db21-11e5-80ba-d7b2f1155264</oid>
+			            </assignmentTargetSearch>    	
+						</expression>
+						<target>
+							<path>assignment</path>
+							<set>
+					            <condition>
+					                <script>
+					                    <code>
+					                         import com.evolveum.midpoint.schema.constants.*
+					                         import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
+					                         
+					                         
+					                         
+					                        if (assignment.target != null) {
+					                        	inRange = assignment.target.orgType?.contains('access')
+					                        	return inRange
+					                        }
+					                        
+					                        if (assignment.targetRef != null &amp;&amp; assignment.targetRef.type.localPart == "OrgType") {
+					                        	role = midpoint.getObject(OrgType.class, assignment.targetRef.oid)
+					                        	inRange = role.orgType.contains('access')
+					                        	return inRange
+					                        }
+					                    </code>
+					                </script>
+					            </condition>
+					        </set>
+						</target>
+					</inbound>
+				</attribute>
+				
+				<activation>
+					<administrativeStatus>
+						<inbound/>
+					</administrativeStatus>
+				</activation>
+				
+				<credentials>
+					<password>
+						<inbound>
+							 <strength>weak</strength>
+							 <expression>
+							 	<asIs/>
+							 </expression>
+						</inbound>
+						<outbound/>
+					</password>
+				</credentials>
+
+			</objectType>
+		</schemaHandling>
+
+		<!-- Resource capabilities. It defines a simulated enableDisable capability. -->
+		<capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
+			<configured>
+				<cap:activation>
+					<cap:status>
+						<cap:attribute>ri:disabled</cap:attribute>
+						<cap:enableValue>false</cap:enableValue>
+						<cap:disableValue>true</cap:disableValue>
+					</cap:status>
+				</cap:activation>
+				<cap:delete>
+					<cap:enabled>false</cap:enabled>
+				</cap:delete>
+			</configured>
+		</capabilities>
+		<synchronization>
+			<objectSynchronization>
+				<!--
+	                The synchronization for this resource is enabled.
+	                It will be used to correctly run discovery when account already exists.
+	                 -->
+				<enabled>true</enabled>
+
+				<correlation>
+					<q:description>
+	                    Correlation expression is a search query.
+	                    Following search query will look for users that have "name"
+	                    equal to the "login" attribute of the account. Simply speaking,
+	                    it will look for match in usernames in the IDM and the resource.
+	                    The correlation rule always looks for users, so it will not match
+	                    any other object type.
+					</q:description>
+					<q:equal>
+						<q:path>c:name</q:path>
+						<expression>
+							<path>$account/attributes/ri:login</path>
+						</expression>
+					</q:equal>
+				</correlation>
+
+				<!-- Confirmation rule may be here, but as the search above will
+	                 always return at most one match, the confirmation rule is not needed. -->
+
+				<!-- Following section describes reactions to a situations.
+	                 The setting here assumes that this resource is authoritative,
+	                 therefore all accounts created on the resource should be
+	                 reflected as new users in IDM.
+	                 See http://wiki.evolveum.com/display/midPoint/Synchronization+Situations
+	             -->
+				<reaction>
+					<situation>linked</situation>
+					<synchronize>true</synchronize>
+				</reaction>
+				<reaction>
+					<situation>deleted</situation>
+					<synchronize>true</synchronize>
+					<action>
+						<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
+					</action>
+				</reaction>
+				<reaction>
+					<situation>unlinked</situation>
+					<synchronize>true</synchronize>
+					<action>
+						<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
+					</action>
+				</reaction>
+				<reaction>
+					<situation>unmatched</situation>
+					<synchronize>true</synchronize>
+					<action>
+						<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
+					</action>
+				</reaction>
+			</objectSynchronization>
+		</synchronization>
+</resource>
+
diff --git a/samples/hogwarts/objects/resources/resource-openldap.xml b/samples/hogwarts/objects/resources/resource-openldap.xml
new file mode 100644
index 00000000000..d99b91172c6
--- /dev/null
+++ b/samples/hogwarts/objects/resources/resource-openldap.xml
@@ -0,0 +1,359 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<resource oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" 
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+	xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
+	xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">
+	<name>Localhost OpenLDAP</name>
+	<connectorRef type="ConnectorType">
+	    <filter>
+			<q:and>
+				<q:equal>
+					<q:path>c:connectorType</q:path>
+					<q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
+				</q:equal>
+			</q:and>
+		</filter>
+	</connectorRef>
+	<connectorConfiguration 
+			xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+			xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
+			xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
+		<icfc:configurationProperties>
+			<icfcldap:port>389</icfcldap:port>
+			<icfcldap:host>localhost</icfcldap:host>
+			<icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext>
+			<icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
+			<icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
+			<icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
+			<icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
+			<icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
+			<icfcldap:vlvSortAttribute>uid,cn</icfcldap:vlvSortAttribute>
+			<icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
+			<icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
+			<icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
+		</icfc:configurationProperties>
+		<icfc:resultsHandlerConfiguration>
+			<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
+			<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
+			<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
+		</icfc:resultsHandlerConfiguration>
+	</connectorConfiguration>
+
+	<schema>
+		<!-- workaround to MID-2723 -->
+		<generationConstraints>
+			<generateObjectClass>ri:inetOrgPerson</generateObjectClass>
+			<generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
+			<generateObjectClass>ri:groupOfNames</generateObjectClass>
+			<generateObjectClass>ri:organizationalUnit</generateObjectClass>
+		</generationConstraints>
+	</schema>
+	
+	<schemaHandling>
+		<objectType>
+			<intent>default</intent>
+			<displayName>Default Account</displayName>
+			<default>true</default>
+			<objectClass>ri:inetOrgPerson</objectClass>
+			<attribute>
+				<ref>ri:dn</ref>
+				<displayName>Distinguished Name</displayName>
+				<matchingRule>mr:distinguishedName</matchingRule>
+				<outbound>
+				    <source>
+				    	<path>$user/name</path>
+				    </source>
+					<expression>
+						<script>
+							<code>
+								'uid=' + name + iterationToken + ',ou=People,dc=example,dc=com'
+							</code>
+						</script>
+					</expression>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>ri:entryUUID</ref>
+				<displayName>Entry UUID</displayName>
+				<matchingRule>mr:stringIgnoreCase</matchingRule>
+			</attribute>
+			<attribute>
+				<ref>ri:cn</ref>
+				<displayName>Common Name</displayName>
+				<limitations>
+					<maxOccurs>1</maxOccurs>
+				</limitations>
+				<outbound>
+					<source>
+						<path>fullName</path>
+					</source>
+				</outbound>
+				<inbound>
+					<target>
+						<path>fullName</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:sn</ref>
+				<displayName>Surname</displayName>
+				<outbound>
+					<source>
+						<path>familyName</path>
+					</source>
+				</outbound>
+				<inbound>
+					<target>
+						<path>familyName</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:givenName</ref>
+				<displayName>Given Name</displayName>
+				<outbound>
+					<source>
+						<path>givenName</path>
+					</source>
+				</outbound>
+				<inbound>
+					<target>
+						<path>givenName</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:uid</ref>
+				<displayName>Login Name</displayName>
+				<matchingRule>mr:stringIgnoreCase</matchingRule>
+				<outbound>
+					<strength>weak</strength>
+					<source>
+						<path>name</path>
+					</source>
+					<expression>
+						<script>
+							<code>
+								name + iterationToken
+							</code>
+						</script>
+					</expression>
+				</outbound>
+				<inbound>
+					<target>
+						<path>name</path>
+                    </target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:memberOf</ref>
+				<matchingRule>mr:stringIgnoreCase</matchingRule>
+				<fetchStrategy>explicit</fetchStrategy>
+			</attribute>
+			
+			 <association>
+            	<ref>ri:group</ref>
+            	<displayName>LDAP Group Membership</displayName>
+            	<kind>entitlement</kind>
+            	<intent>ldapGroup</intent>
+            	<direction>objectToSubject</direction>
+            	<associationAttribute>ri:member</associationAttribute>
+            	<valueAttribute>ri:dn</valueAttribute>
+            	<explicitReferentialIntegrity>true</explicitReferentialIntegrity>
+            </association>
+            
+            <iteration>
+				<maxIterations>5</maxIterations>
+			</iteration>
+			
+			<protected>
+       			<filter>
+	       			<q:equal>
+	       				<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#stringIgnoreCase</q:matching>
+		            	<q:path>attributes/ri:dn</q:path>
+		                <q:value>cn=idm,ou=Administrators,dc=example,dc=com</q:value>
+		            </q:equal>
+	            </filter>
+			</protected>
+			
+			<activation>
+				<administrativeStatus>
+					<outbound/>
+					<inbound/>
+				</administrativeStatus>
+			</activation>
+		</objectType>
+		
+		<objectType>
+        	<kind>entitlement</kind>
+            <intent>ldapGroup</intent>
+            <displayName>LDAP Group</displayName>
+            <objectClass>ri:groupOfNames</objectClass>
+            <attribute>
+				<ref>ri:dn</ref>
+				<matchingRule>mr:distinguishedName</matchingRule>
+				<outbound>
+					<!-- Name cannot be weak. Changes in name trigger object rename. -->
+					<source>
+						<path>$focus/name</path>
+					</source>
+					    <expression>
+					    	<script>
+							<code>
+								import javax.naming.ldap.Rdn
+								import javax.naming.ldap.LdapName
+								
+								dn = new LdapName('ou=groups,dc=example,dc=com')
+								dn.add(new Rdn('cn', name.toString()))
+								return dn.toString()
+							</code>
+						</script>
+					    </expression>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>ri:member</ref>
+				<matchingRule>mr:distinguishedName</matchingRule>
+				<outbound>
+					<strength>weak</strength>
+					<expression>
+						<value>uid=nobody,ou=People,dc=example,dc=com</value>
+					</expression>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>ri:cn</ref>
+				<matchingRule>mr:stringIgnoreCase</matchingRule>
+				<outbound>
+					<strength>weak</strength>
+					<source>
+						<path>$focus/name</path>
+					</source>
+				</outbound>
+				<inbound>
+					<target>
+						<path>name</path>
+					</target>
+				</inbound>
+			</attribute>
+			<attribute>
+				<ref>ri:description</ref>
+				<outbound>
+					<source>
+						<path>description</path>
+					</source>
+				</outbound>
+				<inbound>
+					<target>
+						<path>description</path>
+					</target>
+				</inbound>
+			</attribute>
+        </objectType>
+		
+	</schemaHandling>
+    
+	<synchronization>
+		<objectSynchronization>
+			<name>Account sync</name>
+			<objectClass>ri:inetOrgPerson</objectClass>
+			<kind>account</kind>
+			<intent>default</intent>
+			<focusType>UserType</focusType>
+			<enabled>true</enabled>
+			<correlation>
+				<q:and>
+					<q:equal>
+						<q:path>c:employeeNumber</q:path>
+						<expression>
+						<path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000003";
+                            $account/attributes/ri:employeeNumber</path>
+						</expression>
+					</q:equal>
+					<q:not>
+						<q:equal>
+							<q:path>c:employeeNumber</q:path>
+							<q:value/>
+						</q:equal>
+					</q:not>
+				</q:and>
+			</correlation>
+			
+			<reaction>
+	            <situation>linked</situation>
+	            <synchronize>true</synchronize>
+	        </reaction>
+	        <reaction>
+	            <situation>deleted</situation>
+	            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus"/>
+	        </reaction>
+	        <reaction>
+	            <situation>unlinked</situation>
+	            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link"/>
+	        </reaction>
+	        <reaction>
+	            <situation>unmatched</situation>
+	            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus"/>
+	        </reaction>
+
+		</objectSynchronization>
+		<objectSynchronization>
+			<name>Group sync</name>
+			<objectClass>ri:groupOfNames</objectClass>
+			<kind>entitlement</kind>
+			<intent>ldapGroup</intent>
+			<focusType>RoleType</focusType>
+			<enabled>true</enabled>
+			<correlation>
+				<q:equal>
+					<q:path>c:name</q:path>
+					<expression>
+					<path>$shadow/attributes/cn</path>
+					</expression>
+				</q:equal>
+			</correlation>
+			
+			<reaction>
+	            <situation>linked</situation>
+	            <synchronize>true</synchronize>
+	        </reaction>
+	        <reaction>
+	            <situation>deleted</situation>
+	            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus"/>
+	        </reaction>
+	        <reaction>
+	            <situation>unlinked</situation>
+	            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link"/>
+	        </reaction>
+	        <reaction>
+	            <situation>unmatched</situation>
+	            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus"/>
+	        </reaction>
+
+		</objectSynchronization>
+	</synchronization>
+</resource>
diff --git a/samples/hogwarts/objects/roles/role-approver.xml b/samples/hogwarts/objects/roles/role-approver.xml
new file mode 100644
index 00000000000..5758ab6d748
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-approver.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+      oid="00000000-0000-0000-0000-00000000000a"
+      version="1">
+   <name>Approver</name>
+   <description>Role authorizing users to make approval decisions on work items.</description>
+   <authorization id="1">
+      <name>gui-approver-access</name>
+      <description>
+    		Allow access to list of work items in GUI. Allow access to pages that show object details,
+    		so the approver may examine who is requesting and what is requesting.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#workItem</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myWorkItems</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#claimableWorkItems</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#roleDetails</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgUnit</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#service</action>
+   </authorization>
+   <authorization id="2">
+      <name>workitems-delegate</name>
+      <description>
+			Allow delegation of own work items.
+		</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delegateOwnWorkItems</action>
+   </authorization>
+   <authorization id="3">
+      <name>tasks-read</name>
+      <description>
+            Allow to see the requester of the operation that is being approved and the current delta.
+            In order for the approver to see other properties (e.g. history of the approvals) please allow read access
+            to other items as well, e.g. to the whole workflowContext.
+        </description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="8">
+         <type>TaskType</type>
+      </object>
+      <c:item>workflowContext/requesterRef</c:item>
+      <c:item>workflowContext/processorSpecificState</c:item>
+   </authorization>
+   <authorization id="4">
+      <name>users-read</name>
+      <description>
+    		Allow to read basic user properties to be able to display requestor details in the
+    		approval forms.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="9">
+         <type>UserType</type>
+      </object>
+      <c:item>name</c:item>
+      <c:item>givenName</c:item>
+      <c:item>familyName</c:item>
+      <c:item>fullName</c:item>
+      <c:item>employeeType</c:item>
+      <c:item>employeeNumber</c:item>
+   </authorization>
+   <authorization id="5">
+      <name>roles-read</name>
+      <description>
+    		Allow to read basic role properties to be able to display details of the requested role.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="10">
+         <type>RoleType</type>
+      </object>
+      <c:item>name</c:item>
+      <c:item>displayName</c:item>
+      <c:item>identifier</c:item>
+      <c:item>description</c:item>
+      <c:item>riskLevel</c:item>
+      <c:item>roleType</c:item>
+   </authorization>
+   <authorization id="6">
+      <name>orgs-read</name>
+      <description>
+    		Allow to read basic org properties to be able to display details of the requested org.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="11">
+         <type>OrgType</type>
+      </object>
+      <c:item>name</c:item>
+      <c:item>displayName</c:item>
+      <c:item>identifier</c:item>
+      <c:item>description</c:item>
+      <c:item>riskLevel</c:item>
+      <c:item>orgType</c:item>
+   </authorization>
+   <authorization id="7">
+      <name>services-read</name>
+      <description>
+    		Allow to read basic service properties to be able to display details of the requested service.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="12">
+         <type>ServiceType</type>
+      </object>
+      <c:item>name</c:item>
+      <c:item>displayName</c:item>
+      <c:item>identifier</c:item>
+      <c:item>description</c:item>
+      <c:item>riskLevel</c:item>
+      <c:item>serviceType</c:item>
+   </authorization>
+   <roleType>system</roleType>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-duelling-classromm-access.xml b/samples/hogwarts/objects/roles/role-duelling-classromm-access.xml
new file mode 100644
index 00000000000..21d9ca2451d
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-duelling-classromm-access.xml
@@ -0,0 +1,53 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-role-0000-0000-111111111777"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Duelling classroom access</name>
+    <description>
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<association>
+            	<ref>ri:group</ref>
+            	<outbound>
+            		<strength>strong</strength>
+                	<expression>
+						<associationTargetSearch>
+							<filter>
+								<q:equal>
+									<q:path>attributes/ri:cn</q:path>
+									<q:value>duellingClassroomAccess</q:value>
+								</q:equal>
+							</filter>
+							<searchStrategy>onResourceIfNeeded</searchStrategy>
+						</associationTargetSearch>
+					</expression>
+				</outbound>
+            </association>
+    	</construction>
+    	
+    </inducement>
+    <assignment>
+    	<targetRef oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59" type="RoleType" />
+    </assignment>
+    <requestable>true</requestable>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-end-user.xml b/samples/hogwarts/objects/roles/role-end-user.xml
new file mode 100644
index 00000000000..22a34e591d9
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-end-user.xml
@@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+      oid="00000000-0000-0000-0000-000000000008"
+      version="7">
+   <name>End user</name>
+   <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
+   <authorization id="1">
+      <name>gui-self-service-access</name>
+      <description>
+    		Allow access to all self-service operations in GUI.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#task</action>
+   </authorization>
+   <authorization id="2">
+      <name>self-read</name>
+      <description>
+    		Allow to read all the properties of "self" object. I.e. every logged-in user can read
+    		object that represent his own identity.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="14">
+         <special>self</special>
+      </object>
+   </authorization>
+   <authorization id="3">
+      <name>self-shadow-read</name>
+      <description>
+    		Allow to read all the properties of all the shadows that belong to "self" object. 
+    		I.e. every logged-in user can read all his accounts.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="15">
+         <type>ShadowType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+   </authorization>
+   <authorization id="4">
+      <name>self-persona-read</name>
+      <description>
+    		Allow to read all the personas of currently logged-in user.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="16">
+         <type>UserType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+   </authorization>
+   <authorization id="5">
+      <name>self-credentials-request</name>
+      <description>
+    		Allow to modify user's own credentials.
+    		Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
+      <phase>request</phase>
+      <object id="17">
+         <special>self</special>
+      </object>
+      <c:item>credentials</c:item>
+   </authorization>
+   <authorization id="6">
+      <name>self-shadow-credentials-request</name>
+      <description>
+    		Allow to modify credentials of all users accounts.
+    		Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
+      <phase>request</phase>
+      <object id="18">
+         <type>ShadowType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+      <c:item>credentials</c:item>
+   </authorization>
+   <authorization id="7">
+      <name>assign-requestable-roles</name>
+      <description>
+    		Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
+    	    The requestable roles will be displayed in the role request dialog by default.
+    	    Please note that the roles also need an approved definition to go through the approval process.
+    	    Otherwise they will be assigned automatically wihout any approval. 
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
+      <object id="19">
+         <special>self</special>
+      </object>
+      <target id="20">
+         <type>RoleType</type>
+         <filter>
+            <q:equal>
+               <q:path>requestable</q:path>
+               <q:value>true</q:value>
+            </q:equal>
+         </filter>
+      </target>
+   </authorization>
+   <authorization id="8">
+      <name>self-execution-modify</name>
+      <description>
+    		Authorization that allows to self-modification of some properties, but only in execution phase. 
+    		The limitation real limitation of these operations is done in the request phase.
+    		E.g. the modification of assignments is controlled in the request phase by using the #assign
+    		authorization.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+      <phase>execution</phase>
+      <object id="21">
+         <special>self</special>
+      </object>
+   </authorization>
+   <authorization id="9">
+      <name>self-shadow-execution-add-modify-delete</name>
+      <description>
+    		Authorization that allows to self-modification of user's accounts, but only in execution phase.
+    		The real limitation of these operations is done in the request phase.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
+      <phase>execution</phase>
+      <object id="22">
+         <type>ShadowType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+   </authorization>
+   <authorization id="10">
+      <name>assignment-target-read</name>
+      <description>
+    		Authorization that allows to read all the object that are possible assignment targets. We want that
+    		to display the targets in the selection windows.
+    		Note that this authorization may be too broad for production use. Normally it should be limited to just
+    		selected properties such as name and description.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="23">
+         <type>OrgType</type>
+      </object>
+      <object id="24">
+         <type>ResourceType</type>
+      </object>
+      <object id="25">
+         <type>RoleType</type>
+      </object>
+      <object id="26">
+         <type>ServiceType</type>
+      </object>
+      <object id="27">
+         <type>UserType</type>
+      </object>
+      <object id="32">
+         <type>TaskType</type>
+      </object>
+   </authorization>
+   <authorization id="11">
+      <name>assignment-target-read-task</name>
+      <description>
+    		Authorization that allows to read workflow status of tasks. This is used to display requests
+    		to the end users, especially in the "My Requests" box in user dashboard.
+    		This authorization is a temporary solution. It will be replaced by a finer-grained
+    		permissions in the future.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="28">
+         <type>TaskType</type>
+      </object>
+      <c:item>workflowContext</c:item>
+   </authorization>
+   <authorization id="12">
+      <name>self-owned-task-read</name>
+      <description>
+    		Authorization that allows to see all tasks owned by a currently logged-in user.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object id="29">
+         <type>TaskType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+   </authorization>
+   <authorization id="13">
+      <name>self-owned-task-add-execute-changes</name>
+      <description>
+    		Authorization to create a new 'execute changes' task owned by a currently logged-in user.
+    		This is needed to execute asynchronous operations from the GUI.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+      <object id="30">
+         <type>TaskType</type>
+         <filter>
+            <q:equal>
+               <q:path>handlerUri</q:path>
+               <q:value>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/execute/handler-3</q:value>
+            </q:equal>
+         </filter>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+   </authorization>
+   <roleType>system</roleType>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-herbology-teacher.xml b/samples/hogwarts/objects/roles/role-herbology-teacher.xml
new file mode 100644
index 00000000000..147396572af
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-herbology-teacher.xml
@@ -0,0 +1,52 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-role-0000-0000-111111111113"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Herbology Teacher</name>
+    <description>
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<association>
+            	<ref>ri:group</ref>
+            	<outbound>
+            		<strength>strong</strength>
+                	<expression>
+						<associationTargetSearch>
+							<filter>
+								<q:equal>
+									<q:path>attributes/ri:cn</q:path>
+									<q:value>herbologyTeacher</q:value>
+								</q:equal>
+							</filter>
+							<searchStrategy>onResourceIfNeeded</searchStrategy>
+						</associationTargetSearch>
+					</expression>
+				</outbound>
+            </association>
+    	</construction>
+    	
+    </inducement>
+    <assignment>
+    	<targetRef oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59" type="RoleType" />
+    </assignment>
+    <requestable>true</requestable>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-ldap.xml b/samples/hogwarts/objects/roles/role-ldap.xml
new file mode 100644
index 00000000000..e1da72155ae
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-ldap.xml
@@ -0,0 +1,32 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="12345678-d34d-b33f-f00d-111111111111"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>User OpenDJ</name>
+    <description>
+     A basic role, that specifies account on OpenDJ resource
+     
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    	</construction>
+    </inducement>
+    <requestable>true</requestable>
+</role>
diff --git a/samples/hogwarts/objects/roles/role-manager-full-control.xml b/samples/hogwarts/objects/roles/role-manager-full-control.xml
new file mode 100644
index 00000000000..1037c82debd
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-manager-full-control.xml
@@ -0,0 +1,151 @@
+<!--
+  ~ Copyright (c) 2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="e2c88fea-db21-11e5-80ba-d7b2f1155264"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'>
+    <name>Manager Full Control</name>    
+    <description>
+    	Role that gives access to the organizational units and objects stored
+    	there for organizational unit managers. A manager can read everything in
+    	the units that he is managing. And it can change all the contained objects.
+    </description>
+    <authorization>
+    	<name>gui</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#workItem</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#certificationDecisions</action>
+    </authorization>
+    
+    <authorization>
+    	<name>approve-reject</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#completeAllWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delegateAllWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delegateOwnWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#readAllWorkItems</action>
+    </authorization>
+    <authorization>
+    	<name>campaing management</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#openCertificationCampaignReviewStage</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaignReviewStage</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#startCertificationRemediation</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#readOwnCertificationDecisions</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#recordCertificationDecision</action>
+    </authorization>
+    <authorization>
+    	<name>autz-read</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    	<object>
+    		<orgRelation>
+    			<subjectRelation>org:manager</subjectRelation>
+    			<scope>allDescendants</scope>
+    			<includeReferenceOrg>true</includeReferenceOrg>
+    		</orgRelation>
+    	</object>
+    </authorization>
+    <authorization>
+    	<name>autz-read</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    	<object>
+    		<orgRelation>
+    			<subjectRelation>org:manager</subjectRelation>
+    			<scope>allAncestors</scope>
+    			<includeReferenceOrg>true</includeReferenceOrg>
+    		</orgRelation>
+    	</object>
+    </authorization>
+    <authorization>
+    	<name>autz-write</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
+		<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
+		<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
+    	<object>
+    		<orgRelation>
+    			<subjectRelation>org:manager</subjectRelation>
+    		</orgRelation>
+    	</object>
+    </authorization>
+    <authorization>
+    	<name>autz-shadow</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
+    	<object>
+    		<type>ShadowType</type>
+    		<owner>
+    			<orgRelation>
+	    			<subjectRelation>org:manager</subjectRelation>
+	    		</orgRelation>
+    		</owner>
+    	</object>
+    </authorization>
+<!--     <authorization> -->
+<!--     	<name>autz-create-user</name> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action> -->
+<!--     	<object> -->
+<!--     		<type>UserType</type> -->
+<!--     	</object> -->
+<!--     	<phase>request</phase> -->
+<!--     	<item>name</item> -->
+<!--     	<item>givenName</item> -->
+<!--     	<item>familyName</item> -->
+<!--     	<item>assignment</item> -->
+<!--     	<item>parentOrgRef</item> -->
+<!--     </authorization> -->
+<!--     <authorization> -->
+<!--     	<name>autz-create-user</name> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action> -->
+<!--     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action> -->
+<!--     	<object> -->
+<!--     		<type>UserType</type> -->
+<!--     	</object> -->
+<!--     	<phase>execution</phase> -->
+<!--     	<item>name</item> -->
+<!--     	<item>givenName</item> -->
+<!--     	<item>familyName</item> -->
+<!--     	<item>assignment</item> -->
+<!--     	<item>parentOrgRef</item> -->
+<!--     	<item>roleMembershipRef</item> -->
+<!--     	<item>activation</item> -->
+<!--     </authorization> -->
+
+
+<requestable>true</requestable>
+     <assignment>
+        <policyRule>
+            <name>excluded-role</name>
+            <policyConstraints>
+                <exclusion>
+                    <targetRef oid="e2c88fea-db21-11e5-80ba-d7b2f1155288" type="RoleType"/>
+                </exclusion>
+            </policyConstraints>
+            <policyActions>
+                <enforcement/>
+            </policyActions>
+        </policyRule>
+    </assignment>
+</role>
diff --git a/samples/hogwarts/objects/roles/role-meta-ldap-group.xml b/samples/hogwarts/objects/roles/role-meta-ldap-group.xml
new file mode 100644
index 00000000000..f26c60c8202
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-meta-ldap-group.xml
@@ -0,0 +1,60 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="12345678-d34d-b33f-f00d-111111111222"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Meta OpenDJ</name>
+    <description>
+     A basic role, that specifies account on OpenDJ resource
+     
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<kind>entitlement</kind>
+            <intent>ldapGroup</intent>
+    	</construction>
+    	<focusType>OrgType</focusType>
+    	<order>1</order>
+    </inducement>
+    
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<kind>account</kind>
+            <intent>default</intent>
+    		<association>
+                	<ref>ri:group</ref>
+                	<outbound>
+                		<strength>strong</strength>
+                    	<expression>
+                    		<associationFromLink>
+                    			<projectionDiscriminator>
+	                    			<kind>entitlement</kind>
+	           						<intent>ldapGroup</intent>
+           						</projectionDiscriminator>
+                    		</associationFromLink>
+                		</expression>
+                	</outbound>
+                </association>
+    	</construction>
+    	<focusType>UserType</focusType>
+    	<order>2</order>
+    </inducement>
+    <requestable>false</requestable>
+</role>
diff --git a/samples/hogwarts/objects/roles/role-owner.xml b/samples/hogwarts/objects/roles/role-owner.xml
new file mode 100644
index 00000000000..91e617c3617
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-owner.xml
@@ -0,0 +1,56 @@
+<!--
+  ~ Copyright (c) 2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="e2c88fea-db21-11e5-80ba-d7b2f1155288"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'>
+    <name>Owner Control</name>    
+    <description>
+    	Role that gives access to the organizational units and objects stored
+    	there for organizational unit managers. A manager can read everything in
+    	the units that he is managing. And it can change all the contained objects.
+    </description>
+    <authorization>
+    	<name>gui</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#workItem</action>
+    </authorization>
+    
+     <authorization>
+    	<name>approve-reject</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#completeAllWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delegateAllWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delegateOwnWorkItems</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#readAllWorkItems</action>
+    </authorization>
+  
+    <requestable>true</requestable>
+    <assignment>
+        <policyRule>
+            <name>excluded-role</name>
+            <policyConstraints>
+                <exclusion>
+                    <targetRef oid="e2c88fea-db21-11e5-80ba-d7b2f1155264" type="RoleType"/>
+                </exclusion>
+            </policyConstraints>
+            <policyActions>
+                <enforcement/>
+            </policyActions>
+        </policyRule>
+    </assignment>
+</role>
diff --git a/samples/hogwarts/objects/roles/role-policy-rule-sod.xml b/samples/hogwarts/objects/roles/role-policy-rule-sod.xml
new file mode 100644
index 00000000000..8225ec98d99
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-policy-rule-sod.xml
@@ -0,0 +1,43 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-role-0000-0000-999111111112">
+    <name>Metarole exclude all</name>   
+    <inducement>
+        <policyRule>
+            <name>excluded-role</name>
+            <policyConstraints>
+            	<or>
+	                <exclusion>
+	                    <targetRef oid="00000000-team-0org-0000-111111111115" type="OrgType"/>
+	                </exclusion>
+	                <exclusion>
+	                    <targetRef oid="00000000-team-0org-0000-111111111112" type="OrgType"/>
+	                </exclusion>
+	                <exclusion>
+	                    <targetRef oid="00000000-team-0org-0000-111111111113" type="OrgType"/>
+	                </exclusion>
+	                <exclusion>
+	                    <targetRef oid="00000000-team-0org-0000-111111111114" type="OrgType"/>
+	                </exclusion>
+                </or>
+            </policyConstraints>
+            <policyActions>
+                <enforcement/>
+            </policyActions>
+        </policyRule>
+    </inducement>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-policy-rule.xml b/samples/hogwarts/objects/roles/role-policy-rule.xml
new file mode 100644
index 00000000000..2b6b9b932de
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-policy-rule.xml
@@ -0,0 +1,58 @@
+<role oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59"
+    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>metarole-approval-role-approvers-all</name>
+    <description>Requests to assign role holding this metarole will be approved by the role approver(s) using "all must approve" method</description>
+    <displayName>Metarole: approval by the role approver(s) - all must approve</displayName>
+    <inducement>
+        <policyRule>
+            <policyConstraints>
+                <assignment>
+                	<operation>add</operation>
+                </assignment>
+            </policyConstraints>
+            <policyActions>
+                <approval>
+                    <compositionStrategy>
+                        <order>10</order>
+                    </compositionStrategy>
+                    <approvalSchema>
+                        <level>
+                            <name>User's manager</name>
+                            <approverExpression>
+                                <script>
+                                    <code>midpoint.getManagersOidsExceptUser(object)</code>
+                                </script>
+                            </approverExpression>
+                            <evaluationStrategy>allMustApprove</evaluationStrategy>
+                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
+                        </level>
+                    </approvalSchema>
+                </approval>
+            </policyActions>
+        </policyRule>
+    </inducement>
+    <inducement>
+        <policyRule>
+            <policyConstraints>
+                <assignment>
+                	<operation>add</operation>
+                </assignment>
+            </policyConstraints>
+            <policyActions>
+                <approval>
+                    <compositionStrategy>
+                        <order>20</order>
+                    </compositionStrategy>
+                    <approvalSchema>
+                        <level>
+                            <name>Role approvers (all)</name>
+                            <approverRelation>owner</approverRelation>
+                            <evaluationStrategy>allMustApprove</evaluationStrategy>
+                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
+                        </level>
+                    </approvalSchema>
+                </approval>
+            </policyActions>
+        </policyRule>
+    </inducement>
+</role> 
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-potions-teacher.xml b/samples/hogwarts/objects/roles/role-potions-teacher.xml
new file mode 100644
index 00000000000..5548968af2a
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-potions-teacher.xml
@@ -0,0 +1,51 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-role-0000-0000-111111111112"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Potions Teacher</name>
+    <description>
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<association>
+            	<ref>ri:group</ref>
+            	<outbound>
+            		<strength>strong</strength>
+                	<expression>
+						<associationTargetSearch>
+							<filter>
+								<q:equal>
+									<q:path>attributes/ri:cn</q:path>
+									<q:value>potionsTeacher</q:value>
+								</q:equal>
+							</filter>
+							<searchStrategy>onResourceIfNeeded</searchStrategy>
+						</associationTargetSearch>
+					</expression>
+				</outbound>
+            </association>
+    	</construction>
+    </inducement>
+    <assignment>
+    	<targetRef oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59" type="RoleType" />
+    </assignment>
+    <requestable>true</requestable>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-transfiguration-defense-against-dark.xml b/samples/hogwarts/objects/roles/role-transfiguration-defense-against-dark.xml
new file mode 100644
index 00000000000..63be2a25d15
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-transfiguration-defense-against-dark.xml
@@ -0,0 +1,53 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-role-0000-0000-111111111155"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Defence Against the Dark Arts Teacher</name>
+    <description>
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<association>
+            	<ref>ri:group</ref>
+            	<outbound>
+            		<strength>strong</strength>
+                	<expression>
+						<associationTargetSearch>
+							<filter>
+								<q:equal>
+									<q:path>attributes/ri:cn</q:path>
+									<q:value>defenceAgainstDarkArts</q:value>
+								</q:equal>
+							</filter>
+							<searchStrategy>onResourceIfNeeded</searchStrategy>
+						</associationTargetSearch>
+					</expression>
+				</outbound>
+            </association>
+    	</construction>
+    	
+    </inducement>
+    <assignment>
+    	<targetRef oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59" type="RoleType" />
+    </assignment>
+    <requestable>true</requestable>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/roles/role-transfiguration-teacher.xml b/samples/hogwarts/objects/roles/role-transfiguration-teacher.xml
new file mode 100644
index 00000000000..03cf5b646ba
--- /dev/null
+++ b/samples/hogwarts/objects/roles/role-transfiguration-teacher.xml
@@ -0,0 +1,53 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-role-0000-0000-111111111111"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Transfiguration Teacher</name>
+    <description>
+    </description>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="2a7c7130-7a34-11e4-bdf6-001e8c717e5b" type="c:ResourceType"/>
+    		<association>
+            	<ref>ri:group</ref>
+            	<outbound>
+            		<strength>strong</strength>
+                	<expression>
+						<associationTargetSearch>
+							<filter>
+								<q:equal>
+									<q:path>attributes/ri:cn</q:path>
+									<q:value>transfigurationTeacher</q:value>
+								</q:equal>
+							</filter>
+							<searchStrategy>onResourceIfNeeded</searchStrategy>
+						</associationTargetSearch>
+					</expression>
+				</outbound>
+            </association>
+    	</construction>
+    	
+    </inducement>
+    <assignment>
+    	<targetRef oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59" type="RoleType" />
+    </assignment>
+    <requestable>true</requestable>
+</role>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/systemConfiguration/system-configuration.xml b/samples/hogwarts/objects/systemConfiguration/system-configuration.xml
new file mode 100644
index 00000000000..d3693b5aaa6
--- /dev/null
+++ b/samples/hogwarts/objects/systemConfiguration/system-configuration.xml
@@ -0,0 +1,213 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+                     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+                     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+                     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+                     oid="00000000-0000-0000-0000-000000000001"
+                     version="20">
+   <name>SystemConfiguration</name>
+   <globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                            oid="00000000-0000-0000-0000-000000000120"
+                            relation="org:default"
+                            type="tns:SecurityPolicyType"><!-- Default Security Policy --></globalSecurityPolicyRef>
+   <logging>
+      <classLogger>
+         <level>INFO</level>
+         <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package>
+      </classLogger>
+      <classLogger>
+         <level>INFO</level>
+         <package>com.evolveum.midpoint.model.impl.lens.projector.Projector</package>
+      </classLogger>
+      <classLogger>
+         <level>OFF</level>
+         <package>com.evolveum.midpoint.repo.sql.helpers.ObjectRetriever</package>
+      </classLogger>
+      <classLogger>
+         <level>INFO</level>
+         <package>com.evolveum.midpoint.security.enforcer.impl</package>
+      </classLogger>
+      <classLogger>
+         <level>OFF</level>
+         <package>net.sf.jasperreports.engine.fill.JRFillDataset</package>
+      </classLogger>
+      <classLogger>
+         <level>WARN</level>
+         <package>org.apache.wicket.resource.PropertiesFactory</package>
+      </classLogger>
+      <classLogger>
+         <level>WARN</level>
+         <package>org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl</package>
+      </classLogger>
+      <classLogger>
+         <level>OFF</level>
+         <package>org.hibernate.engine.jdbc.batch.internal.BatchingBatch</package>
+      </classLogger>
+      <classLogger>
+         <level>OFF</level>
+         <package>org.hibernate.engine.jdbc.spi.SqlExceptionHelper</package>
+      </classLogger>
+      <classLogger>
+         <level>ERROR</level>
+         <package>org.springframework.context.support.ResourceBundleMessageSource</package>
+      </classLogger>
+      <classLogger>
+         <level>ERROR</level>
+         <package>ro.isdc.wro.extensions.processor.css.Less4jProcessor</package>
+      </classLogger>
+      <appender xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                name="MIDPOINT_LOG"
+                xsi:type="c:FileAppenderConfigurationType">
+         <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern>
+         <fileName>${midpoint.home}/log/midpoint.log</fileName>
+         <filePattern>${midpoint.home}/log/midpoint-%d{yyyy-MM-dd}.%i.log</filePattern>
+         <maxHistory>10</maxHistory>
+         <maxFileSize>100MB</maxFileSize>
+         <append>true</append>
+      </appender>
+      <appender xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                name="MIDPOINT_PROFILE_LOG"
+                xsi:type="c:FileAppenderConfigurationType">
+         <pattern>%date %level: %msg%n</pattern>
+         <fileName>${midpoint.home}/log/midpoint-profile.log</fileName>
+         <filePattern>${midpoint.home}/log/midpoint-profile-%d{yyyy-MM-dd}.%i.log</filePattern>
+         <maxHistory>10</maxHistory>
+         <maxFileSize>100MB</maxFileSize>
+         <append>true</append>
+      </appender>
+      <rootLoggerAppender>MIDPOINT_LOG</rootLoggerAppender>
+      <rootLoggerLevel>INFO</rootLoggerLevel>
+      <auditing>
+         <enabled>false</enabled>
+         <details>false</details>
+      </auditing>
+   </logging>
+   <defaultObjectPolicyConfiguration id="2">
+      <type>c:OrgType</type>
+      <objectTemplateRef oid="10000000-0000-0000-0000-000000000231"
+                         relation="org:default"
+                         type="c:ObjectTemplateType"><!-- Org Template --></objectTemplateRef>
+   </defaultObjectPolicyConfiguration>
+   <defaultObjectPolicyConfiguration id="5">
+      <type>c:UserType</type>
+      <objectTemplateRef oid="10000000-0000-0000-0000-000000000222"
+                         relation="org:default"
+                         type="c:ObjectTemplateType"><!-- User Template --></objectTemplateRef>
+   </defaultObjectPolicyConfiguration>
+   <defaultObjectPolicyConfiguration id="8">
+      <type>UserType</type>
+      <subtype>employee</subtype>
+      <lifecycleStateModel>
+         <state id="9">
+            <name>active</name>
+            <transition id="11">
+               <name>archival</name>
+               <targetState>archived</targetState>
+               <condition>
+                  <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                          xsi:type="c:ScriptExpressionEvaluatorType">
+                     <code>!midpoint.hasActiveAssignmentTargetSubtype('access')</code>
+                  </script>
+               </condition>
+            </transition>
+         </state>
+         <state id="10">
+            <name>archived</name>
+            <entryAction id="12">
+               <name>archival-data-reduction</name>
+               <dataReduction>
+                  <c:purgeItem>telephoneNumber</c:purgeItem>
+               </dataReduction>
+            </entryAction>
+         </state>
+      </lifecycleStateModel>
+   </defaultObjectPolicyConfiguration>
+   <notificationConfiguration>
+      <mail>
+         <debug>false</debug>
+      </mail>
+   </notificationConfiguration>
+   <profilingConfiguration>
+      <enabled>false</enabled>
+      <requestFilter>false</requestFilter>
+      <performanceStatistics>false</performanceStatistics>
+      <model>false</model>
+      <repository>false</repository>
+      <provisioning>false</provisioning>
+      <ucf>false</ucf>
+      <synchronizationService>false</synchronizationService>
+      <taskManager>false</taskManager>
+      <workflow>false</workflow>
+   </profilingConfiguration>
+   <cleanupPolicy>
+      <auditRecords>
+         <maxAge>P3M</maxAge>
+      </auditRecords>
+      <closedTasks>
+         <maxAge>P1M</maxAge>
+      </closedTasks>
+   </cleanupPolicy>
+   <internals>
+      <enableExperimentalCode>false</enableExperimentalCode>
+   </internals>
+   <adminGuiConfiguration>
+      <userDashboardLink>
+         <targetUrl>/self/profile</targetUrl>
+         <label>Profile</label>
+         <description>View/edit your profile</description>
+         <icon>
+            <cssClass>fa fa-user</cssClass>
+         </icon>
+         <color>green</color>
+         <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile</authorization>
+         <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
+      </userDashboardLink>
+      <userDashboardLink>
+         <targetUrl>/self/credentials</targetUrl>
+         <label>Credentials</label>
+         <description>View/edit your credentials</description>
+         <icon>
+            <cssClass>fa fa-shield</cssClass>
+         </icon>
+         <color>blue</color>
+         <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</authorization>
+         <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
+      </userDashboardLink>
+      <userDashboardLink>
+         <targetUrl>/admin/users</targetUrl>
+         <label>List users</label>
+         <icon>
+            <cssClass>fa fa-users</cssClass>
+         </icon>
+         <color>red</color>
+         <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</authorization>
+      </userDashboardLink>
+      <userDashboardLink>
+         <targetUrl>/admin/resources</targetUrl>
+         <label>List resources</label>
+         <icon>
+            <cssClass>fa fa-database</cssClass>
+         </icon>
+         <color>purple</color>
+         <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#resources</authorization>
+      </userDashboardLink>
+   </adminGuiConfiguration>
+</systemConfiguration>
\ No newline at end of file
diff --git a/samples/hogwarts/objects/users/user-fudge.xml b/samples/hogwarts/objects/users/user-fudge.xml
new file mode 100644
index 00000000000..bea38742654
--- /dev/null
+++ b/samples/hogwarts/objects/users/user-fudge.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+   <name>c.fudge</name>
+   <assignment id="1">
+      <targetRef oid="d163d767-2467-4304-badf-aaae421f2171"
+                 relation="org:default"
+                 type="c:OrgType"><!-- Minister of magic --></targetRef>
+   </assignment>
+   <assignment id="2">
+      <targetRef oid="00000000-0000-0000-0000-000000000008"
+                 relation="org:default"
+                 type="c:RoleType"><!-- End user --></targetRef>
+   </assignment>
+   <assignment id="4">
+      <targetRef oid="00000000-role-0000-0000-111111111112"
+                 relation="org:owner"
+                 type="c:RoleType"><!-- Potions Teacher --></targetRef>
+   </assignment>
+   <assignment id="5">
+      <targetRef oid="00000000-role-0000-0000-111111111111"
+                 relation="org:owner"
+                 type="c:RoleType"><!-- Transfiguration Teacher --></targetRef>
+   </assignment>
+   <assignment id="6">
+      <targetRef oid="00000000-role-0000-0000-111111111113"
+                 relation="org:owner"
+                 type="c:RoleType"><!-- Herbology Teacher --></targetRef>
+   </assignment>
+   <assignment id="8">
+      <targetRef oid="00000000-0000-0000-0000-00000000000a"
+                 relation="org:default"
+                 type="c:RoleType"><!-- Approver --></targetRef>
+   </assignment>
+   <assignment id="10">
+      <targetRef oid="00000000-role-0000-0000-111111111155"
+                 relation="org:owner"
+                 type="c:RoleType"><!-- Defence Against the Dark Arts Teacher --></targetRef>
+   </assignment>
+   <assignment id="12">
+      <targetRef oid="00000000-role-0000-0000-111111111777"
+                 relation="org:owner"
+                 type="c:RoleType"><!-- Duelling classroom access --></targetRef>
+   </assignment>
+   <fullName>Cornelius Fudge</fullName>
+   <givenName>Cornelius</givenName>
+   <familyName>Fudge</familyName>
+   <credentials>
+      <password>
+         <value>
+            <t:clearValue>asd123</t:clearValue>
+         </value>
+      </password>
+   </credentials>
+</user>
\ No newline at end of file
diff --git a/testing/story/testng-integration.xml b/testing/story/testng-integration.xml
index e2351462896..49aec810d57 100644
--- a/testing/story/testng-integration.xml
+++ b/testing/story/testng-integration.xml
@@ -46,6 +46,7 @@
             <class name="com.evolveum.midpoint.testing.story.notorious.TestNotoriousOrg"/>
             <class name="com.evolveum.midpoint.testing.story.TestDelivery"/>
             <class name="com.evolveum.midpoint.testing.story.TestLdapVirtualGroup"/>
+            <class name="com.evolveum.midpoint.testing.story.TestMapleLeaf"/>
         </classes>
     </test>
 </suite>