diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java
index 2da734a05f0..01460f1bb58 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -59,6 +59,7 @@
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.OwnerResolver;
@@ -1347,13 +1348,13 @@ private OperationResult executeResultScriptHook(OperationResult result) {
             ExpressionFactory factory = getExpressionFactory();
             PrismPropertyDefinition<OperationResultType> outputDefinition = getPrismContext().definitionFactory().createPropertyDefinition(
                     ExpressionConstants.OUTPUT_ELEMENT_NAME, OperationResultType.COMPLEX_TYPE);
-            Expression<PrismPropertyValue<OperationResultType>, PrismPropertyDefinition<OperationResultType>> expression = factory.makeExpression(expressionType, outputDefinition, contextDesc, task, topResult);
+            Expression<PrismPropertyValue<OperationResultType>, PrismPropertyDefinition<OperationResultType>> expression = factory.makeExpression(expressionType, outputDefinition, MiscSchemaUtil.getExpressionProfile(), contextDesc, task, topResult);
 
             ExpressionVariables variables = new ExpressionVariables();
 
             OperationResultType resultType = result.createOperationResultType();
 
-            variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, resultType);
+            variables.put(ExpressionConstants.VAR_INPUT, resultType, OperationResultType.class);
 
             ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, contextDesc, task, topResult);
             PrismValueDeltaSetTriple<PrismPropertyValue<OperationResultType>> outputTriple = expression.evaluate(context);
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/model/FlexibleLabelModel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/model/FlexibleLabelModel.java
index 5ada17fd371..5465272d03b 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/model/FlexibleLabelModel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/model/FlexibleLabelModel.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -131,9 +132,9 @@ private String getExpressionValue(ExpressionType expressionType, String contextD
 	    PrismContext prismContext = object.asPrismContainerValue().getPrismContext();
 	    PrismPropertyDefinition<String> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.OUTPUT_ELEMENT_NAME,
     			DOMUtil.XSD_STRING);
-		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType, outputDefinition, contextDesc, task, result);
+		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType, outputDefinition, MiscSchemaUtil.getExpressionProfile(), contextDesc, task, result);
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT, object);
+		variables.put(ExpressionConstants.VAR_OBJECT, object, object.asPrismContainerValue().getDefinition());
 		addAdditionalExpressionVariables(variables);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, contextDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = expression.evaluate(context);
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/init/PostInitialDataImport.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/init/PostInitialDataImport.java
index 986fa3d7b36..a78b7c5b265 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/init/PostInitialDataImport.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/init/PostInitialDataImport.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,16 +16,21 @@
 
 package com.evolveum.midpoint.init;
 
+import java.io.File;
+import java.util.Arrays;
+
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.Validate;
+import org.springframework.security.core.context.SecurityContext;
+
 import com.evolveum.midpoint.model.api.ScriptExecutionResult;
 import com.evolveum.midpoint.model.api.ScriptingService;
 import com.evolveum.midpoint.prism.Item;
-import com.evolveum.midpoint.prism.PrismContainer;
-import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismProperty;
-import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.schema.util.ReportTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SystemException;
@@ -34,16 +39,8 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ImportOptionsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ExecuteScriptType;
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ScriptingExpressionType;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.Validate;
-import org.springframework.security.core.context.SecurityContext;
-
-import java.io.File;
-import java.util.*;
 
 /**
  * @author lazyman
@@ -170,7 +167,7 @@ private <O extends ObjectType> Boolean executeScript(PrismProperty<Object> expre
         	Object parsed = expression.getAnyValue().getValue();
         	ScriptExecutionResult executionResult =
                 parsed instanceof ExecuteScriptType ?
-                        scripting.evaluateExpression((ExecuteScriptType) parsed, Collections.emptyMap(),
+                        scripting.evaluateExpression((ExecuteScriptType) parsed, VariablesMap.emptyMap(),
                                 false, task, result) :
                         scripting.evaluateExpression((ScriptingExpressionType) parsed, task, result);
             result.recordSuccess();
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/FocusSummaryPanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/FocusSummaryPanel.java
index e5ef4fe6f5b..2a5066c64e4 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/FocusSummaryPanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/FocusSummaryPanel.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2015-2017 Evolveum
+ * Copyright (c) 2015-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -141,7 +141,7 @@ protected IModel<String> getDefaltParentOrgModel() {
 	@Override
 	protected void addAdditionalExpressionVariables(ExpressionVariables variables) {
 		List<OrgType> parentOrgs = getModelObject().getParentOrg();
-		variables.addVariableDefinition(ExpressionConstants.VAR_ORGS, parentOrgs);
+		variables.putList(ExpressionConstants.VAR_ORGS, parentOrgs);
 	}
 
 	@Override
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/ApplicablePolicyConfigPanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/ApplicablePolicyConfigPanel.java
index b62dfb07a86..2c3f50fe792 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/ApplicablePolicyConfigPanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/ApplicablePolicyConfigPanel.java
@@ -17,10 +17,6 @@
 
 import com.evolveum.midpoint.gui.api.component.BasePanel;
 import com.evolveum.midpoint.gui.api.model.LoadableModel;
-import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
-import com.evolveum.midpoint.model.api.AssignmentCandidatesSpecification;
-import com.evolveum.midpoint.model.api.util.ModelContextUtil;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/form/ValueChoosePanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/form/ValueChoosePanel.java
index 50d947e974d..e067bfb07e2 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/form/ValueChoosePanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/form/ValueChoosePanel.java
@@ -192,6 +192,9 @@ public String getObject() {
 
 				if (ort instanceof PrismReferenceValue) {
 					PrismReferenceValue prv = (PrismReferenceValue) ort;
+					if (StringUtils.isEmpty(prv.getOid())){
+						return createStringResource("ValueChoosePanel.undefined").getString();
+					}
 					ObjectReferenceType objectReferenceType = new ObjectReferenceType();
 					objectReferenceType.setupReferenceValue((PrismReferenceValue) ort);
 					String targetObjectName = WebComponentUtil.getName(objectReferenceType,
@@ -201,6 +204,9 @@ public String getObject() {
 									: prv.getOid();
 				} else if (ort instanceof ObjectReferenceType) {
 					ObjectReferenceType prv = (ObjectReferenceType) ort;
+					if (StringUtils.isEmpty(prv.getOid())){
+						return createStringResource("ValueChoosePanel.undefined").getString();
+					}
 					String targetObjectName = WebComponentUtil.getName(prv,
 							ValueChoosePanel.this.getPageBase(), OPERATION_LOAD_REFERENCE_OBJECT_DISPLAY_NAME);
 
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ContainerWrapper.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ContainerWrapper.java
index e910e07023b..2517903b859 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ContainerWrapper.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ContainerWrapper.java
@@ -235,6 +235,12 @@ static String getDisplayNameFromItem(Item item) {
 			PrismValue val = item.getParent();
 			if (val != null && val.getTypeName() != null) {
 				displayName = val.getTypeName().getLocalPart() + "." + displayName;
+				//try to localize display name with newly built key
+				//if no localized value if found, just take the name
+				String localizedDisplayName = localizeName(displayName);
+				if (StringUtils.isEmpty(localizedDisplayName) || localizedDisplayName.equals(displayName)){
+					displayName = name.getLocalPart();
+				}
 			}
 		} else {
 			displayName = item.getDefinition().getTypeName().getLocalPart();
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/SchemaHandlingStep.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/SchemaHandlingStep.java
index 89a2c601163..ca76db2c840 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/SchemaHandlingStep.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/SchemaHandlingStep.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/component/schemahandling/ResourceActivationEditor.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/component/schemahandling/ResourceActivationEditor.java
index f4080e387f3..68c5f4d1fd2 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/component/schemahandling/ResourceActivationEditor.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wizard/resource/component/schemahandling/ResourceActivationEditor.java
@@ -74,19 +74,19 @@ public class ResourceActivationEditor extends BasePanel<ResourceActivationDefini
     private static final String ID_T_VALID_T_IN = "validToInboundTooltip";
 
     //Default mapping inbound/outbound sources/targets
-    public static final String EXISTENCE_DEFAULT_SOURCE = "&" + ExpressionConstants.VAR_LEGAL.getLocalPart();
-    public static final String ADM_STATUS_OUT_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS.getLocalPart() + "/activation/administrativeStatus";
-    public static final String ADM_STATUS_OUT_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION.getLocalPart() + "/activation/administrativeStatus";
-    public static final String ADM_STATUS_IN_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION.getLocalPart() + "/activation/administrativeStatus";
-    public static final String ADM_STATUS_IN_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS.getLocalPart() + "/activation/administrativeStatus";
-    public static final String VALID_TO_OUT_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS.getLocalPart() + "/activation/validTo";
-    public static final String VALID_TO_OUT_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION.getLocalPart() + "/activation/validTo";
-    public static final String VALID_TO_IN_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION.getLocalPart() + "/activation/validTo";
-    public static final String VALID_TO_IN_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS.getLocalPart() + "/activation/validTo";
-    public static final String VALID_FROM_OUT_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS.getLocalPart() + "/activation/validFrom";
-    public static final String VALID_FROM_OUT_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION.getLocalPart() + "/activation/validFrom";
-    public static final String VALID_FROM_IN_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION.getLocalPart() + "/activation/validFrom";
-    public static final String VALID_FROM_IN_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS.getLocalPart() + "/activation/validFrom";
+    public static final String EXISTENCE_DEFAULT_SOURCE = "&" + ExpressionConstants.VAR_LEGAL;
+    public static final String ADM_STATUS_OUT_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS + "/activation/administrativeStatus";
+    public static final String ADM_STATUS_OUT_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION + "/activation/administrativeStatus";
+    public static final String ADM_STATUS_IN_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION + "/activation/administrativeStatus";
+    public static final String ADM_STATUS_IN_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS + "/activation/administrativeStatus";
+    public static final String VALID_TO_OUT_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS + "/activation/validTo";
+    public static final String VALID_TO_OUT_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION + "/activation/validTo";
+    public static final String VALID_TO_IN_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION + "/activation/validTo";
+    public static final String VALID_TO_IN_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS + "/activation/validTo";
+    public static final String VALID_FROM_OUT_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS + "/activation/validFrom";
+    public static final String VALID_FROM_OUT_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION + "/activation/validFrom";
+    public static final String VALID_FROM_IN_SOURCE_DEFAULT = "&" + ExpressionConstants.VAR_PROJECTION + "/activation/validFrom";
+    public static final String VALID_FROM_IN_TARGET_DEFAULT = "&" + ExpressionConstants.VAR_FOCUS + "/activation/validFrom";
 
     private boolean isInitialized = false;
 
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
index 432ad4d8287..23c5d2bdc5a 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import com.evolveum.midpoint.model.api.ScriptExecutionException;
 import com.evolveum.midpoint.model.api.ScriptExecutionResult;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
@@ -46,8 +47,6 @@
 import org.apache.wicket.model.Model;
 import org.apache.wicket.model.PropertyModel;
 
-import java.util.Collections;
-
 /**
  * @author lazyman
  */
@@ -144,7 +143,7 @@ private void startPerformed(AjaxRequestTarget target) {
                     //noinspection ConstantConditions
                     ScriptExecutionResult executionResult =
                             parsed instanceof ExecuteScriptType ?
-                                    getScriptingService().evaluateExpression((ExecuteScriptType) parsed, Collections.emptyMap(),
+                                    getScriptingService().evaluateExpression((ExecuteScriptType) parsed, VariablesMap.emptyMap(),
                                             false, task, result) :
                                     getScriptingService().evaluateExpression((ScriptingExpressionType) parsed, task, result);
                     result.recordStatus(OperationResultStatus.SUCCESS, createStringResource("PageBulkAction.message.startPerformed.success", executionResult.getDataOutput().size()).getString());
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageRepositoryQuery.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageRepositoryQuery.java
index 620df1b2cdb..05211dc332a 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageRepositoryQuery.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageRepositoryQuery.java
@@ -28,6 +28,7 @@
 import com.evolveum.midpoint.schema.*;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommonException;
@@ -513,7 +514,7 @@ private void updateRequestWithMidpointQuery(RepositoryQueryDiagRequest request,
 		request.setType(clazz);
 		ObjectQuery objectQuery = prismContext.getQueryConverter().createObjectQuery(clazz, queryType);
 		ObjectQuery queryWithExprEvaluated = ExpressionUtil.evaluateQueryExpressions(objectQuery, new ExpressionVariables(),
-				getExpressionFactory(), getPrismContext(), "evaluate query expressions", task, result);
+				MiscSchemaUtil.getExpressionProfile(), getExpressionFactory(), getPrismContext(), "evaluate query expressions", task, result);
 		request.setQuery(queryWithExprEvaluated);
 
 		Collection<SelectorOptions<GetOperationOptions>> options = distinct ? createCollection(createDistinct()) : null;
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreePanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreePanel.java
index 06d553372c7..915674de1dd 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreePanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreePanel.java
@@ -279,7 +279,7 @@ protected void onModelChanged() {
 
 				TreeStateSet<SelectableBean<OrgType>> items = (TreeStateSet) getModelObject();
 				boolean isInverse = getOrgTreeStateStorage() != null ? getOrgTreeStateStorage().isInverse() : items.isInverse();
-				if (isInverse) {
+				if (!isInverse) {
 					OrgTreePanel.this.setExpandedItems(items, getOrgTreeStateStorage());
 				}
 			}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
index 423a155c447..d2fd18f0ddc 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
@@ -23,9 +23,9 @@
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.query.ObjectFilter;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.*;
-import com.evolveum.midpoint.security.enforcer.api.AccessDecision;
 import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
 import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
 import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/util/ExpressionValidator.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/util/ExpressionValidator.java
index 6eb022c359a..f1584315ac3 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/util/ExpressionValidator.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/util/ExpressionValidator.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.midpoint.web.util;
 
 import java.util.Collection;
@@ -18,6 +33,7 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
@@ -130,8 +146,8 @@ public void validate(IValidatable<T> validatable) {
 		Expression<PrismPropertyValue<OperationResultType>, PrismPropertyDefinition<OperationResultType>> expression;
 		try {
 			expression = expressionFactory
-					.makeExpression(expressionType, outputDefinition, contextDesc, task, result);
-		} catch (SchemaException | ObjectNotFoundException e) {
+					.makeExpression(expressionType, outputDefinition, MiscSchemaUtil.getExpressionProfile(), contextDesc, task, result);
+		} catch (SchemaException | ObjectNotFoundException | SecurityViolationException e) {
 			ValidationError error = new ValidationError();
 			error.setMessage("Cannot make expression: " + e.getMessage());
 			validatable.error(error);
@@ -139,8 +155,8 @@ public void validate(IValidatable<T> validatable) {
 			return;
 		}
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, valueToValidate);
-		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT, getObjectType());
+		variables.put(ExpressionConstants.VAR_INPUT, valueToValidate, valueToValidate.getClass());
+		variables.putObject(ExpressionConstants.VAR_OBJECT, (ObjectType)getObjectType(), ObjectType.class);
 //		addAdditionalExpressionVariables(variables);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, contextDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<OperationResultType>> outputTriple;
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Definition.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Definition.java
index 996a14395ec..c9f11d5842e 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Definition.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Definition.java
@@ -174,7 +174,10 @@ default SchemaRegistry getSchemaRegistry() {
 	// TODO fix this!
 	Class getTypeClassIfKnown();
 
-	// todo suspicious, please investigate and document
+	/**
+	 * Returns a compile-time class that is used to represent items.
+	 * E.g. returns String, Integer, sublcasses of Objectable and Containerable and so on. 
+	 */
 	Class getTypeClass();
 	
 	/**
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrimitiveType.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrimitiveType.java
new file mode 100644
index 00000000000..7024338e5ed
--- /dev/null
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrimitiveType.java
@@ -0,0 +1,73 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.prism;
+
+import static javax.xml.XMLConstants.W3C_XML_SCHEMA_NS_URI;
+import static com.evolveum.midpoint.util.DOMUtil.NS_W3C_XML_SCHEMA_PREFIX;
+
+import javax.xml.namespace.QName;
+
+/**
+ * @author semancik
+ *
+ */
+public enum PrimitiveType {
+	
+	STRING("string"),
+	DECIMAL("decimal"),
+	INTEGER("integer"),
+	INT("int"),
+	LONG("long"),
+	SHORT("short"),
+	FLOAT("float"),
+	DOUBLE("double"),
+	BOOLEAN("boolean"),
+	BASE64BINARY("base64binary"),
+	DATETIME("dateTime"),
+	DURATION("duration"),
+	BYTE("byte"),
+	QNAME("qname"),
+	ANYURI("anyURI");
+	
+	private final String localName;
+	private final QName qname;
+	
+	private PrimitiveType(String localName) {
+		this.localName = localName;
+		this.qname = new QName(W3C_XML_SCHEMA_NS_URI, localName, NS_W3C_XML_SCHEMA_PREFIX);
+	}
+
+	public QName getQname() {
+		return qname;
+	}
+
+	public static final QName XSD_STRING = STRING.getQname();
+	public static final QName XSD_DECIMAL = DECIMAL.getQname();
+	public static final QName XSD_INTEGER = INTEGER.getQname();
+	public static final QName XSD_INT = INT.getQname();
+	public static final QName XSD_LONG = LONG.getQname();
+	public static final QName XSD_SHORT = SHORT.getQname();
+	public static final QName XSD_FLOAT = FLOAT.getQname();
+	public static final QName XSD_DOUBLE = DOUBLE.getQname();
+	public static final QName XSD_BOOLEAN = BOOLEAN.getQname();
+	public static final QName XSD_BASE64BINARY = BASE64BINARY.getQname();
+	public static final QName XSD_DATETIME = DATETIME.getQname();
+	public static final QName XSD_DURATION = DURATION.getQname();
+	public static final QName XSD_BYTE = BYTE.getQname();
+	public static final QName XSD_QNAME = QNAME.getQname();
+	public static final QName XSD_ANYURI = ANYURI.getQname();
+
+}
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrismContainerDefinition.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrismContainerDefinition.java
index 8841a1ddf59..6812d66fb09 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrismContainerDefinition.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrismContainerDefinition.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -62,4 +62,7 @@ public interface PrismContainerDefinition<C extends Containerable> extends ItemD
 
 	@Override
 	MutablePrismContainerDefinition<C> toMutable();
+	
+	@Override
+	Class<C> getTypeClass();
 }
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Structured.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Structured.java
index ab7fbbdc738..aff9a804f49 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Structured.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/Structured.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,8 +18,14 @@
 import com.evolveum.midpoint.prism.path.ItemPath;
 
 /**
- * @author semancik
- *
+ * Interface for properties that have inner structur, such as PolyString.
+ * This was created due to a limitation that we cannot make every structured
+ * data into a container (yet).
+ * 
+ * This is a temporary solution in 3.x and 4.x. It should be gone in 5.x.
+ * Do not realy on this with any new development.
+ * 
+ * @author Radovan Semancik
  */
 @FunctionalInterface
 public interface Structured {
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/extensions/AbstractDelegatedPrismValueDeltaSetTriple.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/extensions/AbstractDelegatedPrismValueDeltaSetTriple.java
index a14c363b7c7..4e76dd8bfdb 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/extensions/AbstractDelegatedPrismValueDeltaSetTriple.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/extensions/AbstractDelegatedPrismValueDeltaSetTriple.java
@@ -307,38 +307,14 @@ public String toHumanReadableString() {
 		return inner.toHumanReadableString();
 	}
 
-	@Override
-	public String debugDump() {
-		return inner.debugDump();
-	}
-
 	@Override
 	public String debugDump(int indent) {
 		return inner.debugDump(indent);
 	}
 
-	@Override
-	public Object debugDumpLazily() {
-		return inner.debugDumpLazily();
-	}
-
-	@Override
-	public Object debugDumpLazily(int index) {
-		return inner.debugDumpLazily(index);
-	}
-
 	@Override
 	public void shortDump(StringBuilder sb) {
 		inner.shortDump(sb);
 	}
 
-	@Override
-	public String shortDump() {
-		return inner.shortDump();
-	}
-
-	@Override
-	public Object shortDumpLazily() {
-		return inner.shortDumpLazily();
-	}
 }
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ItemDeltaItem.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ItemDeltaItem.java
index e4388ffcdf4..13365784d85 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ItemDeltaItem.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ItemDeltaItem.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,7 +43,14 @@ public class ItemDeltaItem<V extends PrismValue,D extends ItemDefinition> implem
 	private Item<V,D> itemOld;
 	private ItemDelta<V,D> delta;
 	private Item<V,D> itemNew;
+	// We need explicit definition, because source may be completely null.
+	// No item, no delta, nothing. In that case we won't be able to crete properly-typed
+	// variable from the source.
+	private D definition;
 	private ItemPath resolvePath = ItemPath.EMPTY_PATH;
+	
+	// Residual path is a temporary solution to Structured attriebutes in 3.x and 4.x.
+	// It should disappear in 5.x.
 	private ItemPath residualPath = null;
 
 	// The deltas in sub-items. E.g. if this object represents "ContainerDeltaContainer"
@@ -52,25 +59,57 @@ public class ItemDeltaItem<V extends PrismValue,D extends ItemDefinition> implem
 
 	public ItemDeltaItem() { }
 
-	public ItemDeltaItem(Item<V,D> itemOld, ItemDelta<V,D> delta, Item<V,D> itemNew) {
+	public ItemDeltaItem(Item<V,D> itemOld, ItemDelta<V,D> delta, Item<V,D> itemNew, D definition) {
 		super();
+		validate(itemOld, "itemOld");
+		validate(delta);
+		validate(itemNew, "itemNew");
 		this.itemOld = itemOld;
 		this.delta = delta;
 		this.itemNew = itemNew;
+		if (definition == null) {
+			// Try to automatically determine definition from content.
+			this.definition = determineDefinition();
+			if (this.definition == null) {
+				throw new IllegalArgumentException("Cannot determine definition from content in "+this);
+			}
+		} else {
+			this.definition = definition;
+		}
+
+	}
+
+	private D determineDefinition() {
+		if (itemNew != null && itemNew.getDefinition() != null) {
+			return itemNew.getDefinition();
+		}
+		if (itemOld != null && itemOld.getDefinition() != null) {
+			return itemOld.getDefinition();
+		}
+		if (delta != null && delta.getDefinition() != null) {
+			return delta.getDefinition();
+		}
+		return null;
 	}
 
 	public ItemDeltaItem(ItemDeltaItem<V,D> idi) {
 		super();
 		this.itemOld = idi.getItemOld();
+		validate(itemOld, "itemOld");
 		this.itemNew = idi.getItemNew();
+		validate(itemNew, "itemNew");
 		this.delta = idi.getDelta();
+		validate(delta);
+		this.definition = idi.getDefinition();
 	}
 
 	public ItemDeltaItem(Item<V,D> item) {
 		super();
 		this.itemOld = item;
 		this.itemNew = item;
+		validate(itemOld, "item");
 		this.delta = null;
+		this.definition = item.getDefinition();
 	}
 
 	public Item<V,D> getItemOld() {
@@ -143,15 +182,12 @@ public QName getElementName() {
 		return null;
 	}
 
-	public ItemDefinition getDefinition() {
-		Item<V,D> anyItem = getAnyItem();
-		if (anyItem != null) {
-			return anyItem.getDefinition();
-		}
-		if (delta != null) {
-			return delta.getDefinition();
-		}
-		return null;
+	public D getDefinition() {
+		return definition;
+	}
+	
+	public void setDefinition(D definition) {
+		this.definition = definition;
 	}
 
 	public void recompute() throws SchemaException {
@@ -170,7 +206,7 @@ public void recompute() throws SchemaException {
 		}
 	}
 
-	public <IV extends PrismValue, ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(ItemPath path) {
+	public <IV extends PrismValue, ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(ItemPath path) throws SchemaException {
 		if (path.isEmpty()) {
 			return (ItemDeltaItem<IV,ID>) this;
 		}
@@ -205,7 +241,15 @@ public <IV extends PrismValue, ID extends ItemDefinition> ItemDeltaItem<IV,ID> f
 				}
 			}
 		}
-		ItemDeltaItem<IV,ID> subIdi = new ItemDeltaItem<>(subItemOld, subDelta, subItemNew);
+		ID subDefinition = null;
+		if (definition != null) {
+			if (definition instanceof PrismContainerDefinition<?>) {
+				subDefinition = ((PrismContainerDefinition<?>)definition).findItemDefinition(path);
+			} else {
+				throw new IllegalArgumentException("Attempt to resolve definition on non-container " + definition);
+			}
+		}
+		ItemDeltaItem<IV,ID> subIdi = new ItemDeltaItem<>(subItemOld, subDelta, subItemNew, subDefinition);
 		subIdi.setResidualPath(subResidualPath);
 		subIdi.resolvePath = newResolvePath;
 
@@ -291,7 +335,7 @@ public <X> ItemDeltaItem<PrismPropertyValue<X>,PrismPropertyDefinition<X>> resol
 		PrismProperty<X> outputPropertyNew = resolveStructuredPropertyItem((PrismProperty<Structured>) thisIdi.getItemNew(), resolvePath, outputDefinition);
 		PrismProperty<X> outputPropertyOld = resolveStructuredPropertyItem((PrismProperty<Structured>) thisIdi.getItemOld(), resolvePath, outputDefinition);
 		PropertyDelta<X> outputDelta = resolveStructuredPropertyDelta((PropertyDelta<Structured>) thisIdi.getDelta(), resolvePath, outputDefinition, outputPath, prismContext);
-		return new ItemDeltaItem<>(outputPropertyOld, outputDelta, outputPropertyNew);
+		return new ItemDeltaItem<>(outputPropertyOld, outputDelta, outputPropertyNew, outputDefinition);
 	}
 
 	private <X> PrismProperty<X> resolveStructuredPropertyItem(PrismProperty<Structured> sourceProperty, ItemPath resolvePath, PrismPropertyDefinition outputDefinition) {
@@ -371,6 +415,7 @@ protected void copyValues(ItemDeltaItem<V,D> clone) {
 		if (this.itemOld != null) {
 			clone.itemOld = this.itemOld.clone();
 		}
+		clone.definition = this.definition;
 		clone.residualPath = this.residualPath;
 		clone.resolvePath = this.resolvePath;
 		if (this.subItemDeltas != null) {
@@ -427,6 +472,7 @@ public String debugDump(int indent) {
 		DebugUtil.debugDumpWithLabelLn(sb, "itemOld", itemOld, indent + 1);
 		DebugUtil.debugDumpWithLabelLn(sb, "delta", delta, indent + 1);
 		DebugUtil.debugDumpWithLabelLn(sb, "itemNew", itemNew, indent + 1);
+		DebugUtil.debugDumpWithLabelLn(sb, "definition", definition, indent + 1);
 		DebugUtil.debugDumpWithLabelToStringLn(sb, "resolvePath", resolvePath, indent + 1);
 		DebugUtil.debugDumpWithLabelToString(sb, "residualPath", residualPath, indent + 1);
 		return sb.toString();
@@ -445,4 +491,16 @@ private V getSingleValue(Item<V, D> item) {
 	public V getSingleValue(boolean evaluateOld) {
 		return getSingleValue(evaluateOld ? itemOld : itemNew);
 	}
+	
+	private void validate(Item<V, D> item, String desc) {
+		if (item != null && item.getDefinition() == null) {
+			throw new IllegalArgumentException("Attempt to set "+desc+" without definition");
+		}
+	}
+
+	private void validate(ItemDelta<V, D> delta) {
+		if (delta != null && delta.getDefinition() == null) {
+			throw new IllegalArgumentException("Attempt to set delta without definition");
+		}
+	}
 }
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ObjectDeltaObject.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ObjectDeltaObject.java
index f944bb67ab9..3a5427ed60e 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ObjectDeltaObject.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ObjectDeltaObject.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,13 +19,25 @@
 import java.util.Collection;
 import java.util.List;
 
-import com.evolveum.midpoint.prism.*;
-import com.evolveum.midpoint.prism.delta.*;
+import org.apache.commons.collections4.CollectionUtils;
+import org.jetbrains.annotations.NotNull;
+
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.Objectable;
+import com.evolveum.midpoint.prism.PartiallyResolvedItem;
+import com.evolveum.midpoint.prism.PrismContainer;
+import com.evolveum.midpoint.prism.PrismContainerValue;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.prism.delta.ItemDelta;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.util.DebugDumpable;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
-import org.apache.commons.collections4.CollectionUtils;
 
 /**
  * A class defining old object state (before change), delta (change) and new object state (after change).
@@ -42,12 +54,34 @@ public class ObjectDeltaObject<O extends Objectable> extends ItemDeltaItem<Prism
 	private PrismObject<O> oldObject;
 	private ObjectDelta<O> delta;
 	private PrismObject<O> newObject;
+	// We need explicit definition, because source may be completely null.
+	// No item, no delta, nothing. In that case we won't be able to crete properly-typed
+	// variable from the source.
+	private PrismObjectDefinition<O> definition;
 
-	public ObjectDeltaObject(PrismObject<O> oldObject, ObjectDelta<O> delta, PrismObject<O> newObject) {
+	public ObjectDeltaObject(PrismObject<O> oldObject, ObjectDelta<O> delta, PrismObject<O> newObject, PrismObjectDefinition<O> definition) {
 		super();
 		this.oldObject = oldObject;
 		this.delta = delta;
 		this.newObject = newObject;
+		if (definition == null) {
+			this.definition = determineDefinition();
+			if (this.definition == null) {
+				throw new IllegalArgumentException("Cannot determine definition from content in "+this);
+			}
+		} else {
+			this.definition = definition;
+		}
+	}
+	
+	private PrismObjectDefinition<O> determineDefinition() {
+		if (newObject != null && newObject.getDefinition() != null) {
+			return newObject.getDefinition();
+		}
+		if (oldObject != null && oldObject.getDefinition() != null) {
+			return oldObject.getDefinition();
+		}
+		return null;
 	}
 
 	public PrismObject<O> getOldObject() {
@@ -84,7 +118,7 @@ public PrismObject<O> getAnyObject() {
 		}
 		return oldObject;
 	}
-
+	
 	@Override
 	public ItemDelta<PrismContainerValue<O>,PrismObjectDefinition<O>> getDelta() {
 		throw new UnsupportedOperationException("You probably wanted to call getObjectDelta()");
@@ -102,6 +136,9 @@ public boolean isContainer() {
 
 	@Override
 	public PrismObjectDefinition<O> getDefinition() {
+		if (definition != null) {
+			return definition;
+		}
 		PrismObject<O> anyObject = getAnyObject();
 		if (anyObject != null) {
 			return anyObject.getDefinition();
@@ -111,9 +148,20 @@ public PrismObjectDefinition<O> getDefinition() {
 		}
 		return null;
 	}
+	
+	public Class<O> getObjectCompileTimeClass() {
+		PrismObject<O> anyObject = getAnyObject();
+		if (anyObject != null) {
+			return anyObject.getCompileTimeClass();
+		}
+		if (delta != null) {
+			return delta.getObjectTypeClass();
+		}
+		return null;
+	}
 
 	@Override
-	public <IV extends PrismValue,ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(ItemPath path) {
+	public <IV extends PrismValue,ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(@NotNull ItemPath path) throws SchemaException {
 		Item<IV,ID> subItemOld = null;
 		ItemPath subResidualPath = null;
 		if (oldObject != null) {
@@ -180,7 +228,24 @@ public <IV extends PrismValue,ID extends ItemDefinition> ItemDeltaItem<IV,ID> fi
 	        	}
 			}
 		}
-		ItemDeltaItem<IV,ID> subIdi = new ItemDeltaItem<>(subItemOld, itemDelta, subItemNew);
+		ID subDefinition = null;
+		if (definition != null) {
+			subDefinition = definition.findItemDefinition(path);
+		}
+		if (subDefinition == null) {
+			// This may be a bit redundant, because IDI constructor does similar logic.
+			// But we want to know the situation here, so we can provide better error message.
+			if (subItemNew != null && subItemNew.getDefinition() != null) {
+				subDefinition = subItemNew.getDefinition();
+			} else if (subItemOld != null && subItemOld.getDefinition() != null) {
+				subDefinition = subItemOld.getDefinition();
+			} else if (itemDelta != null && itemDelta.getDefinition() != null) {
+				subDefinition = itemDelta.getDefinition();
+			} else {
+				throw new SchemaException("Cannot find definition of a subitem "+path+" of "+this);
+			}
+		}
+		ItemDeltaItem<IV,ID> subIdi = new ItemDeltaItem<>(subItemOld, itemDelta, subItemNew, subDefinition);
 		subIdi.setSubItemDeltas(subSubItemDeltas);
 		subIdi.setResolvePath(path);
 		subIdi.setResidualPath(subResidualPath);
@@ -242,7 +307,7 @@ public void recomputeIfNeeded(boolean deep) throws SchemaException {
 	public static <T extends Objectable> ObjectDeltaObject<T> create(PrismObject<T> oldObject, ObjectDelta<T> delta) throws SchemaException {
 		PrismObject<T> newObject = oldObject.clone();
 		delta.applyTo(newObject);
-		return new ObjectDeltaObject<>(oldObject, delta, newObject);
+		return new ObjectDeltaObject<>(oldObject, delta, newObject, oldObject.getDefinition());
 	}
 
 	public static <T extends Objectable> ObjectDeltaObject<T> create(PrismObject<T> oldObject, ItemDelta<?,?>... itemDeltas) throws SchemaException {
@@ -306,6 +371,7 @@ public String debugDump(int indent) {
 			}
 		}
 		dumpObject(sb, newObject, "new", indent +1);
+		DebugUtil.debugDumpWithLabelLn(sb, "definition", definition, indent + 1);
 		return sb.toString();
 	}
 
@@ -330,7 +396,8 @@ public ObjectDeltaObject<O> clone() {
 		ObjectDeltaObject<O> clone = new ObjectDeltaObject<>(
 				CloneUtil.clone(oldObject),
 				CloneUtil.clone(delta),
-				CloneUtil.clone(newObject));
+				CloneUtil.clone(newObject),
+				definition);
 		// TODO what about the internals?
 		return clone;
 	}
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/PrismUtil.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/PrismUtil.java
index 2a4e979bf67..29a051a76b8 100644
--- a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/PrismUtil.java
+++ b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/PrismUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
 import com.evolveum.midpoint.util.DebugDumpable;
 import com.evolveum.midpoint.util.DebugUtil;
+import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import org.apache.commons.lang.StringUtils;
@@ -236,4 +237,8 @@ public static void debugDumpWithLabelLn(StringBuilder sb, String label, Containe
 		debugDumpWithLabel(sb, label, cc, indent);
 		sb.append("\n");
 	}
+
+	public static boolean isStructuredType(QName typeName) {
+		return QNameUtil.match(PolyStringType.COMPLEX_TYPE, typeName);
+	}
 }
diff --git a/infra/prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/PolyStringType.java b/infra/prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/PolyStringType.java
index 0e37116ffc8..8b7f59d8db3 100644
--- a/infra/prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/PolyStringType.java
+++ b/infra/prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/PolyStringType.java
@@ -546,11 +546,12 @@ private static JAXBElement<String> copyOfStringElement(final JAXBElement<String>
         return null;
     }
 
+	// !!! Do NOT autogenerate this method without preserving custom changes !!!
 	@Override
 	public int hashCode() {
 		final int prime = 31;
 		int result = 1;
-		result = prime * result + ((any == null) ? 0 : any.hashCode());
+		result = prime * result + ((any == null || any.isEmpty()) ? 0 : any.hashCode());
 		result = prime * result + ((lang == null) ? 0 : lang.hashCode());
 		result = prime * result + ((norm == null) ? 0 : norm.hashCode());
 		result = prime * result + ((orig == null) ? 0 : orig.hashCode());
@@ -558,6 +559,7 @@ public int hashCode() {
 		return result;
 	}
 
+	// !!! Do NOT autogenerate this method without preserving custom changes !!!
 	@Override
 	public boolean equals(Object obj) {
 		if (this == obj) {
@@ -570,8 +572,8 @@ public boolean equals(Object obj) {
 			return false;
 		}
 		PolyStringType other = (PolyStringType) obj;
-		if (any == null) {
-			if (other.any != null) {
+		if (any == null || any.isEmpty()) {     // because any is instantiated on get (so null and empty should be considered equivalent)
+			if (other.any != null && !other.any.isEmpty()) {
 				return false;
 			}
 		} else if (!any.equals(other.any)) {
diff --git a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/ItemDefinitionImpl.java b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/ItemDefinitionImpl.java
index d667fc6d605..b556c0dbda5 100644
--- a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/ItemDefinitionImpl.java
+++ b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/ItemDefinitionImpl.java
@@ -322,7 +322,7 @@ public <T extends ItemDefinition> T findItemDefinition(@NotNull ItemPath path, @
         		throw new IllegalArgumentException("Looking for definition of class " + clazz + " but found " + this);
         	}
         } else {
-            throw new IllegalArgumentException("No definition for path " + path + " in " + this);
+            return null;
         }
     }
     
diff --git a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismContainerDefinitionImpl.java b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismContainerDefinitionImpl.java
index e51a09a2fef..27cca19563c 100644
--- a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismContainerDefinitionImpl.java
+++ b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismContainerDefinitionImpl.java
@@ -112,6 +112,11 @@ public Class<C> getCompileTimeClass() {
 	public void setCompileTimeClass(Class<C> compileTimeClass) {
 		this.compileTimeClass = compileTimeClass;
 	}
+	
+	@Override
+	public Class<C> getTypeClass() {
+		return compileTimeClass;
+	}
 
     protected String getSchemaNamespace() {
         return getName().getNamespaceURI();
diff --git a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismReferenceDefinitionImpl.java b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismReferenceDefinitionImpl.java
index 6d4a83074f7..dbd0823530a 100644
--- a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismReferenceDefinitionImpl.java
+++ b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/PrismReferenceDefinitionImpl.java
@@ -24,6 +24,8 @@
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.util.DefinitionUtil;
 import com.evolveum.midpoint.util.QNameUtil;
+import com.evolveum.prism.xml.ns._public.types_3.ObjectReferenceType;
+
 import org.jetbrains.annotations.NotNull;
 
 /**
@@ -149,6 +151,11 @@ public boolean canBeDefinitionOf(PrismValue pvalue) {
 			return true;
 		}
 	}
+	
+	@Override
+	public Class getTypeClass() {
+		return ObjectReferenceType.class;
+	}
 
 	@Override
 	public MutablePrismReferenceDefinition toMutable() {
diff --git a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/xjc/PrismForJAXBUtil.java b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/xjc/PrismForJAXBUtil.java
index 6ba1cb99491..22310a4ad03 100644
--- a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/xjc/PrismForJAXBUtil.java
+++ b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/xjc/PrismForJAXBUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,10 +38,13 @@
 
 /**
  * @author lazyman
+ * @author semancik
  */
 public final class PrismForJAXBUtil {
 
-    private PrismForJAXBUtil() {
+    private static final Object JAXB_CLASS_MANGLED = "clazz";
+
+	private PrismForJAXBUtil() {
     }
 
     public static <T> T getPropertyValue(PrismContainerValue container, QName name, Class<T> clazz) {
@@ -163,6 +166,11 @@ public static <T extends Containerable> T getFieldSingleContainerable(PrismConta
     public static <T extends PrismContainer<?>> T getContainer(PrismContainerValue parentValue, QName name) {
         Validate.notNull(parentValue, "Parent container value must not be null.");
         Validate.notNull(name, "QName must not be null.");
+        
+        // This is how JAXB compiler handles elements of name "class".
+        if (JAXB_CLASS_MANGLED.equals(name.getLocalPart())) {
+        	name = new QName(name.getNamespaceURI(), "class");
+        }
 
         try {
 			PrismContainer container = parentValue.findContainer(name);
diff --git a/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AccessDecision.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/AccessDecision.java
similarity index 72%
rename from repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AccessDecision.java
rename to infra/schema/src/main/java/com/evolveum/midpoint/schema/AccessDecision.java
index f8e4e457683..e24f0ecc1f8 100644
--- a/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AccessDecision.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/AccessDecision.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2017 Evolveum
+ * Copyright (c) 2017-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,29 +13,42 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.evolveum.midpoint.security.enforcer.api;
+package com.evolveum.midpoint.schema;
 
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
 
 /**
- * @author semancik
- *
+ * Decision about access to something. Used as an output of authorization processing code. But may be also used
+ * for other things, such as decisions to access classes and methods in sandboxes.
+ * 
+ * @author Radovan Semancik
  */
 public enum AccessDecision {
+	
 	/**
 	 * Access explicitly allowed.
 	 */
-	ALLOW,
+	ALLOW(AuthorizationDecisionType.ALLOW),
 	
 	/**
 	 * Access explicitly denied.
 	 */
-	DENY,
+	DENY(AuthorizationDecisionType.DENY),
 	
 	/**
 	 * Means "no decision" or "not allowed yet".
 	 */
-	DEFAULT;
+	DEFAULT(null);
+
+	private final AuthorizationDecisionType authorizationDecisionType;
+
+	private AccessDecision(AuthorizationDecisionType authorizationDecisionType) {
+		this.authorizationDecisionType = authorizationDecisionType;
+	}
+
+	public AuthorizationDecisionType getAuthorizationDecisionType() {
+		return authorizationDecisionType;
+	}
 	
 	public static AccessDecision combine(AccessDecision oldDecision, AccessDecision newDecision) {
 		if (oldDecision == null && newDecision == null) {
@@ -72,4 +85,5 @@ public static AccessDecision translate(AuthorizationDecisionType authorizationDe
 				throw new IllegalStateException("Unknown AuthorizationDecisionType "+authorizationDecisionType);
 		}
 	}
+	
 }
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java
index cffd3c8f5d1..9641da94f90 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,112 +17,152 @@
 
 import com.evolveum.midpoint.prism.path.ItemName;
 
-import javax.xml.namespace.QName;
-
 /**
- * @author semancik
- *
+ * Constants for all names of the variables in the system.
+ * 
+ * It is good to have all the names gathered in one place. It is better when a new
+ * variable is introduced. If all the names are in the same place, it is better to
+ * see if the variable is redundant (already used eslewhere). Or if new variable is
+ * really needed, seeing all the other names will make it easier to keep the same
+ * convention through the system.
+ * 
+ * @author Radovan Semancik
  */
 public class ExpressionConstants {
 
 	// Generic variables
-	public static final QName VAR_INPUT = new QName(SchemaConstants.NS_C, "input");
-	public static final QName VAR_OBJECT = new QName(SchemaConstants.NS_C, "object");
+	public static final String VAR_INPUT = "input";
+	public static final ItemName VAR_INPUT_QNAME = new ItemName(SchemaConstants.NS_C, VAR_INPUT);
+	public static final String VAR_OBJECT =  "object";
 
 	// Variables used in various mappings
-	public static final QName VAR_FOCUS = new QName(SchemaConstants.NS_C, "focus");
-	public static final QName VAR_PROJECTION = new QName(SchemaConstants.NS_C, "projection");
-	public static final QName VAR_SOURCE = new QName(SchemaConstants.NS_C, "source");
-	public static final QName VAR_ASSIGNMENT = new QName(SchemaConstants.NS_C, "assignment");
-	public static final QName VAR_EVALUATED_ASSIGNMENT = new QName(SchemaConstants.NS_C, "evaluatedAssignment");
-	public static final QName VAR_ASSIGNMENT_PATH = new QName(SchemaConstants.NS_C, "assignmentPath");
-	public static final QName VAR_IMMEDIATE_ASSIGNMENT = new QName(SchemaConstants.NS_C, "immediateAssignment");
-	public static final QName VAR_THIS_ASSIGNMENT = new QName(SchemaConstants.NS_C, "thisAssignment");
-	public static final QName VAR_FOCUS_ASSIGNMENT = new QName(SchemaConstants.NS_C, "focusAssignment");
-	public static final QName VAR_IMMEDIATE_ROLE = new QName(SchemaConstants.NS_C, "immediateRole");
-	public static final QName VAR_CONTAINING_OBJECT = new QName(SchemaConstants.NS_C, "containingObject");
-	public static final QName VAR_ORDER_ONE_OBJECT = new QName(SchemaConstants.NS_C, "thisObject");
-	public static final QName VAR_OPERATION = new QName(SchemaConstants.NS_C, "operation");
-	public static final QName VAR_RESOURCE = new QName(SchemaConstants.NS_C, "resource");
-	public static final QName VAR_DELTA = new QName(SchemaConstants.NS_C, "delta");
-	public static final QName VAR_MODEL_CONTEXT = new QName(SchemaConstants.NS_C, "modelContext");
-	public static final QName VAR_PRISM_CONTEXT = new QName(SchemaConstants.NS_C, "prismContext");
-	public static final QName VAR_CONFIGURATION = new QName(SchemaConstants.NS_C, "configuration");
-	public static final QName VAR_ENTITLEMENT = new QName(SchemaConstants.NS_C, "entitlement");
-	public static final QName VAR_FILE = new QName(SchemaConstants.NS_C, "file");
+	public static final String VAR_FOCUS = "focus";
+	public static final String VAR_PROJECTION = "projection";
+	public static final String VAR_SOURCE = "source";
+	public static final String VAR_ASSIGNMENT = "assignment";
+	public static final String VAR_EVALUATED_ASSIGNMENT = "evaluatedAssignment";
+	public static final String VAR_ASSIGNMENT_PATH = "assignmentPath";
+	public static final String VAR_IMMEDIATE_ASSIGNMENT = "immediateAssignment";
+	public static final String VAR_THIS_ASSIGNMENT = "thisAssignment";
+	public static final String VAR_FOCUS_ASSIGNMENT = "focusAssignment";
+	public static final String VAR_IMMEDIATE_ROLE = "immediateRole";
+	public static final String VAR_CONTAINING_OBJECT = "containingObject";
+	public static final String VAR_ORDER_ONE_OBJECT = "thisObject";
+	public static final String VAR_OPERATION = "operation";
+	public static final String VAR_RESOURCE = "resource";
+	public static final String VAR_DELTA = "delta";
+	public static final String VAR_MODEL_CONTEXT = "modelContext";
+	public static final String VAR_PRISM_CONTEXT = "prismContext";
+	public static final String VAR_CONFIGURATION = "configuration";
+	public static final String VAR_ENTITLEMENT = "entitlement";
+	public static final String VAR_FILE = "file";
 	
 	/**
 	 * User that is currently executing the operation.
 	 */
-    public static final QName VAR_ACTOR = new QName(SchemaConstants.NS_C, "actor");
+    public static final String VAR_ACTOR = "actor";
     
     /**
      * Subject of an authorization. This is usually the same as actor. But it may be different
      * in some exotic use cases (e.g. if administrator needs to evaluate authorizations of
      * a different user.
      */
-    public static final QName VAR_SUBJECT = new QName(SchemaConstants.NS_C, "subject");
+    public static final String VAR_SUBJECT = "subject";
     
-	public static final QName VAR_VALUE = new QName(SchemaConstants.NS_C, "value");
-	public static final QName VAR_ORGS = new QName(SchemaConstants.NS_C, "orgs");
+	public static final String VAR_VALUE = "value";
+	public static final String VAR_ORGS = "orgs";
 
-	public static final QName VAR_TARGET = new QName(SchemaConstants.NS_C, "target");
+	public static final String VAR_TARGET = "target";
 
 	// DEPRECATED variables, just for compatibility
-	public static final QName VAR_USER = new QName(SchemaConstants.NS_C, "user");
-	public static final QName VAR_ACCOUNT = new QName(SchemaConstants.NS_C, "account");
-	public static final QName VAR_SHADOW = new QName(SchemaConstants.NS_C, "shadow");
+	public static final String VAR_USER = "user";
+	public static final String VAR_ACCOUNT = "account";
+	public static final String VAR_SHADOW = "shadow";
 
 	// existence mapping variables
-	public static final QName VAR_LEGAL = new QName(SchemaConstants.NS_C, "legal");
-    public static final QName VAR_ASSIGNED = new QName(SchemaConstants.NS_C, "assigned");
-	public static final QName VAR_FOCUS_EXISTS = new QName(SchemaConstants.NS_C, "focusExists");
-	public static final QName VAR_ADMINISTRATIVE_STATUS = new QName(SchemaConstants.NS_C, "administrativeStatus");
+	public static final String VAR_LEGAL = "legal";
+	public static final ItemName VAR_LEGAL_QNAME = new ItemName(SchemaConstants.NS_C, VAR_LEGAL);
+	
+    public static final String VAR_ASSIGNED = "assigned";
+    public static final ItemName VAR_ASSIGNED_QNAME = new ItemName(SchemaConstants.NS_C, VAR_ASSIGNED);
+    
+	public static final String VAR_FOCUS_EXISTS = "focusExists";
+	public static final ItemName VAR_FOCUS_EXISTS_QNAME = new ItemName(SchemaConstants.NS_C, VAR_FOCUS_EXISTS);
+	
+	public static final String VAR_ADMINISTRATIVE_STATUS = "administrativeStatus";
+	public static final ItemName VAR_ADMINISTRATIVE_STATUS_QNAME = new ItemName(SchemaConstants.NS_C, VAR_ADMINISTRATIVE_STATUS);
 
-	public static final QName VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION = new QName(SchemaConstants.NS_C, "associationTargetObjectClassDefinition");
+	public static final String VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION = "associationTargetObjectClassDefinition";
 
 	/**
 	 * Numeric value describing the current iteration. It starts with 0 and increments on every iteration.
 	 * Iterations are used to find unique values for an account, to resolve naming conflicts, etc.
 	 */
-	public static final ItemName VAR_ITERATION = new ItemName(SchemaConstants.NS_C, "iteration");
+	public static final String VAR_ITERATION = "iteration";
+	public static final ItemName VAR_ITERATION_QNAME = new ItemName(SchemaConstants.NS_C, VAR_ITERATION);
 
 	/**
 	 * String value describing the current iteration. It is usually suffix that is appended to the username
 	 * or a similar "extension" of the value. It should have different value for every iteration. The actual
 	 * value is determined by the iteration settings.
 	 */
-	public static final ItemName VAR_ITERATION_TOKEN = new ItemName(SchemaConstants.NS_C, "iterationToken");
+	public static final String VAR_ITERATION_TOKEN = "iterationToken";
+	public static final ItemName VAR_ITERATION_TOKEN_QNAME = new ItemName(SchemaConstants.NS_C, VAR_ITERATION_TOKEN);
 
 	// Variables used in object merging expressions
-	public static final QName VAR_SIDE = new QName(SchemaConstants.NS_C, "side");
-	public static final QName VAR_OBJECT_LEFT = new QName(SchemaConstants.NS_C, "objectLeft");
-	public static final QName VAR_OBJECT_RIGHT = new QName(SchemaConstants.NS_C, "objectRight");
+	public static final String VAR_SIDE = "side";
+	public static final String VAR_OBJECT_LEFT = "objectLeft";
+	public static final String VAR_OBJECT_RIGHT = "objectRight";
 
-	public static final QName OUTPUT_ELEMENT_NAME = new QName(SchemaConstants.NS_C, "output");
+	public static final ItemName OUTPUT_ELEMENT_NAME = new ItemName(SchemaConstants.NS_C, "output");
 
 	// "case" would collide with java keyword
-	public static final QName VAR_WORK_ITEM = new QName(SchemaConstants.NS_C, "workItem");
-	public static final QName VAR_CERTIFICATION_CASE = new QName(SchemaConstants.NS_C, "certificationCase");
-	public static final QName VAR_CAMPAIGN = new QName(SchemaConstants.NS_C, "campaign");
-	public static final QName VAR_REVIEWER_SPECIFICATION = new QName(SchemaConstants.NS_C, "reviewerSpecification");
-
-	public static final QName VAR_CHANNEL = new QName(SchemaConstants.NS_C, "channel");
-	public static final QName VAR_WORKFLOW_CONTEXT = new QName(SchemaConstants.NS_C, "workflowContext");
-	public static final QName VAR_TASK = new QName(SchemaConstants.NS_C, "task");
-	public static final QName VAR_RULE_EVALUATION_CONTEXT = new QName(SchemaConstants.NS_C, "ruleEvaluationContext");
-	public static final QName VAR_STAGE_DEFINITION = new QName(SchemaConstants.NS_C, "stageDefinition");
-
-	public static final QName VAR_OBJECT_DISPLAY_INFORMATION = new QName(SchemaConstants.NS_C, "objectDisplayInformation");
-	public static final QName VAR_TARGET_DISPLAY_INFORMATION = new QName(SchemaConstants.NS_C, "targetDisplayInformation");
-
-	public static final QName VAR_PERFORMER = new QName(SchemaConstants.NS_C, "performer");
-	public static final QName VAR_OUTPUT = new QName(SchemaConstants.NS_C, "output");
-	public static final QName VAR_EVENT = new QName(SchemaConstants.NS_C, "event");
-
-	public static final QName VAR_POLICY_RULE = new QName(SchemaConstants.NS_C, "policyRule");
-	public static final QName VAR_POLICY_ACTION = new QName(SchemaConstants.NS_C, "policyAction");
-	public static final QName VAR_LOGIN_MODE = new QName(SchemaConstants.NS_C, "loginMode");
-
-	public static final QName VAR_MESSAGE = new QName(SchemaConstants.NS_C, "message");
+	public static final String VAR_WORK_ITEM = "workItem";
+	public static final String VAR_CERTIFICATION_CASE = "certificationCase";
+	public static final String VAR_CAMPAIGN = "campaign";
+	public static final String VAR_REVIEWER_SPECIFICATION = "reviewerSpecification";
+
+	public static final String VAR_CHANNEL = "channel";
+	public static final String VAR_WORKFLOW_CONTEXT = "workflowContext";
+	public static final String VAR_TASK = "task";
+	public static final String VAR_RULE_EVALUATION_CONTEXT = "ruleEvaluationContext";
+	public static final String VAR_STAGE_DEFINITION = "stageDefinition";
+	public static final String VAR_ITEM_TO_APPROVE = "itemToApprove";
+
+	public static final String VAR_OBJECT_DISPLAY_INFORMATION = "objectDisplayInformation";
+	public static final String VAR_TARGET_DISPLAY_INFORMATION = "targetDisplayInformation";
+
+	public static final String VAR_PERFORMER = "performer";
+	public static final String VAR_OUTPUT = "output";
+	public static final String VAR_EVENT = "event";
+	public static final String VAR_REQUESTER = "requester";
+	public static final String VAR_REQUESTEE = "requestee";
+	public static final String VAR_ASSIGNEE = "assignee";
+	public static final String VAR_ASSOCIATION = "association";
+	public static final String VAR_SHADOW_DISCRIMINATOR = "shadowDiscriminator";
+
+	public static final String VAR_POLICY_RULE = "policyRule";
+	public static final String VAR_POLICY_ACTION = "policyAction";
+	public static final String VAR_LOGIN_MODE = "loginMode";
+	
+	// Notification variables
+	public static final String VAR_TRANSPORT_NAME = "transportName";
+	public static final String VAR_FROM = "from";
+	public static final String VAR_ENCODED_FROM = "encodedFrom";
+	public static final String VAR_TO = "to";
+	public static final String VAR_TO_LIST = "toList";
+	public static final String VAR_ENCODED_TO = "encodedTo";
+	public static final String VAR_ENCODED_TO_LIST = "encodedToList";
+	public static final String VAR_MESSAGE_TEXT = "messageText";
+	public static final String VAR_ENCODED_MESSAGE_TEXT = "encodedMessageText";
+	public static final String VAR_MESSAGE = "message";
+	public static final String VAR_TEXT_FORMATTER = "textFormatter";
+	public static final String VAR_NOTIFICATION_FUNCTIONS = "notificationFunctions";
+	
+	// Do we need those?
+	public static final String VAR_OBJECT_DELTA = "objectDelta";
+	
+	// Too vague. modelContext or prismConext should be used instead.
+	@Deprecated
+	public static final String VAR_CONTEXT = "context";
 }
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
index 203c6b2cc8d..0820b7b4a44 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
@@ -87,9 +87,6 @@ public abstract class SchemaConstants {
 	public static final ItemName C_RESOURCE = new ItemName(NS_C, "resource");
 	public static final ItemName C_RESULT = new ItemName(NS_C, "result");
 	public static final ItemName C_USER = new ItemName(NS_C, "user");
-	public static final ItemName C_REQUESTER = new ItemName(NS_C, "requester");
-	public static final ItemName C_REQUESTEE = new ItemName(NS_C, "requestee");
-	public static final ItemName C_ASSIGNEE = new ItemName(NS_C, "assignee");
 	public static final ItemName C_OBJECT_TEMPLATE = new ItemName(NS_C, "objectTemplate");
 	public static final ItemName C_OBJECT_TEMPLATE_REF = new ItemName(NS_C, "objectTemplateRef");
 	public static final QName C_OBJECT_TEMPLATE_TYPE = new QName(NS_C, "ObjectTemplateType");
@@ -470,24 +467,6 @@ public abstract class SchemaConstants {
 
 	public static final ItemName S_PIPELINE_DATA = new ItemName(NS_SCRIPTING, "pipelineData");
 
-	public static final ItemName C_EVENT = new ItemName(NS_C, "event");
-	public static final ItemName C_EVENT_HANDLER = new ItemName(NS_C, "eventHandler");			// TODO: no such element in common-3 - is it OK?
-	public static final ItemName C_TEXT_FORMATTER = new ItemName(NS_C, "textFormatter");
-	public static final ItemName C_NOTIFICATION_FUNCTIONS = new ItemName(NS_C, "notificationFunctions");
-
-	public static final ItemName C_TRANSPORT_NAME = new ItemName(NS_C, "transportName");
-	public static final ItemName C_FROM = new ItemName(NS_C, "from");
-	public static final ItemName C_ENCODED_FROM = new ItemName(NS_C, "encodedFrom");
-	public static final ItemName C_TO = new ItemName(NS_C, "to");
-	public static final ItemName C_TO_LIST = new ItemName(NS_C, "toList");
-	public static final ItemName C_ENCODED_TO = new ItemName(NS_C, "encodedTo");
-	public static final ItemName C_ENCODED_TO_LIST = new ItemName(NS_C, "encodedToList");
-	public static final ItemName C_MESSAGE_TEXT = new ItemName(NS_C, "messageText");
-	public static final ItemName C_ENCODED_MESSAGE_TEXT = new ItemName(NS_C, "encodedMessageText");
-	public static final ItemName C_MESSAGE = new ItemName(NS_C, "message");
-	public static final ItemName C_WORK_ITEM = new ItemName(NS_C, "workItem");
-	public static final ItemName C_WF_PROCESS_INSTANCE = new ItemName(NS_C, "wfProcessInstance");
-
 	public static final ItemName APIT_ITEM_LIST = new ItemName(SchemaConstants.NS_API_TYPES, "itemList");
 	public static final ItemName C_ASSIGNMENT = new ItemName(SchemaConstants.NS_C, "assignment");
 
@@ -495,8 +474,6 @@ public abstract class SchemaConstants {
 
 	public static final ItemName FAULT_MESSAGE_ELEMENT_NAME = new ItemName(NS_FAULT, "fault");
 	public static final ItemName C_MODEL_CONTEXT = new ItemName(NS_C, "modelContext");
-	public static final ItemName C_ITEM_TO_APPROVE = new ItemName(NS_C, "itemToApprove");
-	public static final ItemName C_SHADOW_DISCRIMINATOR = new ItemName(NS_C, "shadowDiscriminator");
 
 	// Lifecycle
 
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionEvaluatorProfile.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionEvaluatorProfile.java
new file mode 100644
index 00000000000..0942c7d9181
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionEvaluatorProfile.java
@@ -0,0 +1,65 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.schema.AccessDecision;
+
+/**
+ * @author Radovan Semancik
+ *
+ */
+public class ExpressionEvaluatorProfile {
+	
+	private final QName type;
+	private AccessDecision decision;
+	private final List<ScriptExpressionProfile> scritpProfiles = new ArrayList<>();
+
+	public ExpressionEvaluatorProfile(QName type) {
+		this.type = type;
+	}
+
+	public QName getType() {
+		return type;
+	}
+
+	public AccessDecision getDecision() {
+		return decision;
+	}
+
+	public void setDecision(AccessDecision decision) {
+		this.decision = decision;
+	}
+	
+	public void add(ScriptExpressionProfile scriptProfile) {
+		scritpProfiles.add(scriptProfile);
+	}
+	
+	public ScriptExpressionProfile getScriptExpressionProfile(String language) {
+		for(ScriptExpressionProfile scritpProfile : scritpProfiles) {
+			if (language.equals(scritpProfile.getLanguage())) {
+				return scritpProfile;
+			}
+		}
+		return null;
+	}
+	
+
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionPermissionProfile.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionPermissionProfile.java
new file mode 100644
index 00000000000..ff002e810d7
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionPermissionProfile.java
@@ -0,0 +1,164 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionClassProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionMethodProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionPackageProfileType;
+
+/**
+ * Compiled expression permission profile.
+ * Compiled from ExpressionPermissionProfileType.
+ * 
+ * @author Radovan Semancik
+ */
+public class ExpressionPermissionProfile {
+	
+	private final String identifier;
+	private AccessDecision decision;
+	private final List<ExpressionPermissionPackageProfileType> packageProfiles = new ArrayList<>();
+	private final List<ExpressionPermissionClassProfileType> classProfiles = new ArrayList<>();
+
+	public ExpressionPermissionProfile(String identifier) {
+		super();
+		this.identifier = identifier;
+	}
+
+	public String getIdentifier() {
+		return identifier;
+	}
+
+	public AccessDecision getDecision() {
+		return decision;
+	}
+
+	public void setDecision(AccessDecision decision) {
+		this.decision = decision; 
+	}
+	
+	public List<ExpressionPermissionPackageProfileType> getPackageProfiles() {
+		return packageProfiles;
+	}
+
+	public List<ExpressionPermissionClassProfileType> getClassProfiles() {
+		return classProfiles;
+	}
+
+	public boolean hasRestrictions() {
+		return !classProfiles.isEmpty() || !packageProfiles.isEmpty() || decision != AccessDecision.ALLOW;
+	}
+
+	public AccessDecision decideClassAccess(String className, String methodName) {
+		ExpressionPermissionClassProfileType classProfile = getClassProfile(className);
+		if (classProfile == null) {
+			ExpressionPermissionPackageProfileType packageProfile = getPackageProfileByClassName(className);
+			if (packageProfile == null) {
+				return decision;
+			} else {
+				return AccessDecision.translate(packageProfile.getDecision());
+			}
+		}
+		ExpressionPermissionMethodProfileType methodProfile = getMethodProfile(classProfile, methodName);
+		if (methodProfile == null) {
+			return AccessDecision.translate(classProfile.getDecision());
+		} else {
+			return AccessDecision.translate(methodProfile.getDecision());
+		}
+	}
+	
+	private ExpressionPermissionPackageProfileType getPackageProfileByClassName(String className) {
+		for (ExpressionPermissionPackageProfileType packageProfile : packageProfiles) {
+			if (isMemeberClass(packageProfile, className)) {
+				return packageProfile;
+			}
+		}
+		return null;
+	}
+	
+	
+
+	private boolean isMemeberClass(ExpressionPermissionPackageProfileType packageProfile, String className) {
+		// TODO Maybe too simple. But this will do for now.
+		return className.startsWith(packageProfile.getName());
+	}
+
+	private ExpressionPermissionClassProfileType getClassProfile(String className) {
+		for (ExpressionPermissionClassProfileType classProfile : classProfiles) {
+			if (className.equals(classProfile.getName())) {
+				return classProfile;
+			}
+		}
+		return null;
+	}
+	
+	private void add(ExpressionPermissionClassProfileType classProfile) {
+		classProfiles.add(classProfile);
+	}
+	
+	private ExpressionPermissionMethodProfileType getMethodProfile(ExpressionPermissionClassProfileType classProfile, String methodName) {
+		if (methodName == null) {
+			return null;
+		}
+		for (ExpressionPermissionMethodProfileType methodProfile : classProfile.getMethod()) {
+			if (methodName.equals(methodProfile.getName())) {
+				return methodProfile;
+			}
+		}
+		return null;
+	}
+	
+	/**
+	 * Used to easily set up access for built-in class access rules.
+	 */
+	public void addClassAccessRule(String className, String methodName, AccessDecision decision) {
+		ExpressionPermissionClassProfileType classProfile = getClassProfile(className);
+		if (classProfile == null) {
+			classProfile = new ExpressionPermissionClassProfileType();
+			classProfile.setName(className);
+			add(classProfile);
+		}
+		if (methodName == null) {
+			classProfile.setDecision(decision.getAuthorizationDecisionType());
+		} else {
+			ExpressionPermissionMethodProfileType methodProfile = getMethodProfile(classProfile, methodName);
+			if (methodProfile == null) {
+				methodProfile = new ExpressionPermissionMethodProfileType();
+				methodProfile.setName(methodName);
+				methodProfile.setDecision(decision.getAuthorizationDecisionType());
+				classProfile.getMethod().add(methodProfile);
+			} else {
+				methodProfile.setDecision(decision.getAuthorizationDecisionType());
+			}
+		}
+
+	}
+	
+
+	/**
+	 * Used to easily set up access for built-in class access rules (convenience).
+	 */
+	public void addClassAccessRule(Class<?> clazz, String methodName, AccessDecision decision) {
+		addClassAccessRule(clazz.getName(), methodName, decision);
+	}
+	
+	public void addClassAccessRule(Class<?> clazz, AccessDecision decision) {
+		addClassAccessRule(clazz.getName(), null, decision);
+	}
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfile.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfile.java
new file mode 100644
index 00000000000..b4080ca526d
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfile.java
@@ -0,0 +1,75 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.util.QNameUtil;
+
+/**
+ * NOTE: This is pretty much throw-away implementation. Just the interface is important now.
+ * 
+ * @author Radovan Semancik
+ *
+ */
+public class ExpressionProfile { // TODO: DebugDumpable
+	
+	private final String identifier;
+	private AccessDecision decision;
+	private final List<ExpressionEvaluatorProfile> evaluatorProfiles = new ArrayList<>();
+	
+	public ExpressionProfile(String identifier) {
+		super();
+		this.identifier = identifier;
+	}
+
+	public String getIdentifier() {
+		return identifier;
+	}
+	
+	public AccessDecision getDecision() {
+		return decision;
+	}
+
+	public void setDecision(AccessDecision defaultDecision) {
+		this.decision = defaultDecision;
+	}
+	
+	public void add(ExpressionEvaluatorProfile evaluatorProfile) {
+		evaluatorProfiles.add(evaluatorProfile);
+	}
+	
+	public ExpressionEvaluatorProfile getEvaluatorProfile(QName type) {
+		for (ExpressionEvaluatorProfile evaluatorProfile : evaluatorProfiles) {
+			if (QNameUtil.match(evaluatorProfile.getType(), type)) {
+				return evaluatorProfile;
+			}
+		}
+		return null;
+	}
+	
+	@Override
+	public String toString() {
+		return "ExpressionProfile(" + identifier + ")";
+	}
+
+
+
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfiles.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfiles.java
new file mode 100644
index 00000000000..7b730e8d2c9
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfiles.java
@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author semancik
+ *
+ */
+public class ExpressionProfiles {
+	
+	private Map<String,ExpressionProfile> profiles = new HashMap<>();
+
+	public ExpressionProfile getProfile(String identifier) {
+		return profiles.get(identifier);
+	}
+	
+	public void add(ExpressionProfile profile) {
+		profiles.put(profile.getIdentifier(), profile);
+	}
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ScriptExpressionProfile.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ScriptExpressionProfile.java
new file mode 100644
index 00000000000..33ad114bc61
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ScriptExpressionProfile.java
@@ -0,0 +1,83 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import com.evolveum.midpoint.schema.AccessDecision;
+
+/**
+ * @author semancik
+ *
+ */
+public class ScriptExpressionProfile {
+	
+	private final String language;
+	private AccessDecision decision;
+	private Boolean typeChecking;
+	private ExpressionPermissionProfile permissionProfile;
+	
+	public ScriptExpressionProfile(String language) {
+		super();
+		this.language = language;
+	}
+	
+	public String getLanguage() {
+		return language;
+	}
+
+	public AccessDecision getDecision() {
+		return decision;
+	}
+	
+	public void setDecision(AccessDecision decision) {
+		this.decision = decision;
+	}
+	
+	public Boolean isTypeChecking() {
+		return typeChecking;
+	}
+
+	public void setTypeChecking(Boolean typeChecking) {
+		this.typeChecking = typeChecking;
+	}
+
+	public ExpressionPermissionProfile getPermissionProfile() {
+		return permissionProfile;
+	}
+
+	public void setPermissionProfile(ExpressionPermissionProfile permissionProfile) {
+		this.permissionProfile = permissionProfile;
+	}
+
+	public boolean hasRestrictions() {
+		if (permissionProfile == null) {
+			return false;
+		}
+		return permissionProfile.hasRestrictions();
+	}
+
+	public AccessDecision decideClassAccess(String className, String methodName) {
+		if (permissionProfile == null) {
+			return decision;
+		}
+		AccessDecision permissionDecision = permissionProfile.decideClassAccess(className, methodName);
+		if (permissionDecision == null || permissionDecision == AccessDecision.DEFAULT) {
+			return decision;
+		}
+		return permissionDecision;
+	}
+
+	
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/TypedValue.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/TypedValue.java
new file mode 100644
index 00000000000..40d87c8dc5a
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/TypedValue.java
@@ -0,0 +1,238 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrismReferenceDefinition;
+import com.evolveum.midpoint.util.ShortDumpable;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+
+/**
+ * Value and definition pair. E.g. used in expression variable maps.
+ * We need to have explicit type here. It may happen that there will be
+ * variables without any value. But we need to know the type of the
+ * variable to compile the scripts properly.
+ * 
+ * The definition, typeClass and the T parameter of this class refer to the
+ * type of the value as it should appear in the expression. The actual
+ * value may be different when TypedValue is created. The value may
+ * get converted as it is passing down the stack.
+ * 
+ * E.g. if we want script variable to contain a user, the type should be
+ * declared as UserType, not as object reference - even though the value
+ * is object reference when the TypedValue is created. But the reference
+ * is resolved down the way to place user in the value. 
+ * 
+ * @author Radovan Semancik
+ */
+public class TypedValue<T> implements ShortDumpable {
+	
+	/**
+	 * Value may be null. This means variable without a value.
+	 * But even in that case definition should be provided.
+	 * The value is not T, it is Object. The value may not be in its
+	 * final form yet. It may get converted later.
+	 */
+	private Object value;
+	
+	/**
+	 * Definition should be filled in for all value that can be described using Prism definitions.
+	 */
+	private ItemDefinition<?> definition;
+	
+	/**
+	 * Type class. Should be filled in for values that are not prism values.
+	 */
+	private Class<T> typeClass;
+	
+	public TypedValue() {
+		super();
+	}
+
+	public TypedValue(Item<?, ?> prismItem) {
+		super();
+		this.value = (T) prismItem;
+		this.definition = prismItem.getDefinition();
+		if (definition == null) {
+			throw new IllegalArgumentException("No definition when setting variable value to "+prismItem);
+		}
+	}
+	
+	public TypedValue(Object value, ItemDefinition<?> definition) {
+		super();
+		validateValue(value);
+		this.value = value;
+		this.definition = definition;
+	}
+	
+	public TypedValue(Object value, Class<T> typeClass) {
+		super();
+		validateValue(value);
+		this.value = value;
+		this.typeClass = typeClass;
+	}
+	
+	public TypedValue(Object value, ItemDefinition<?> definition, Class<T> typeClass) {
+		super();
+		validateValue(value);
+		this.value = value;
+		this.definition = definition;
+		this.typeClass = typeClass;
+	}
+
+	public Object getValue() {
+		return value;
+	}
+
+	public void setValue(Object value) {
+		validateValue(value);
+		this.value = value;
+	}
+
+	private void validateValue(Object value) {
+		if (value == null) {
+			return;
+		}
+		if (value instanceof TypedValue) {
+			throw new IllegalArgumentException("TypedValue in TypedValue in "+this);
+		}
+	}
+
+	@SuppressWarnings({ "unchecked", "rawtypes" })
+	public <D extends ItemDefinition> D getDefinition() {
+		return (D) definition;
+	}
+
+	public void setDefinition(ItemDefinition<?> definition) {
+		this.definition = definition;
+	}
+
+	public Class<T> getTypeClass() {
+		return typeClass;
+	}
+
+	public void setTypeClass(Class<T> typeClass) {
+		this.typeClass = typeClass;
+	}
+
+	public boolean canDetermineType() {
+		return definition != null || typeClass != null;
+	}
+	
+	public Class<T> determineClass() throws SchemaException {
+		if (definition == null) {
+			if (typeClass == null) {
+				throw new SchemaException("Cannot determine class for variable, neither definition nor class specified");
+			} else {
+				return typeClass;
+			}
+		} else {
+			Class determinedClass;
+			if (definition instanceof PrismReferenceDefinition) {
+				// Stock prism reference would return ObjectReferenceType from prism schema.
+				// But we have exteded type for this.
+				// TODO: how to make this more elegant?
+				determinedClass = ObjectReferenceType.class;
+			} else {
+				determinedClass = definition.getTypeClass();
+			}
+			if (determinedClass == null) {
+				throw new SchemaException("Cannot determine class from definition "+definition);
+			}
+			return determinedClass;
+		}
+	}
+	
+	/**
+	 * Returns new TypedValue that has a new (transformed) value, but has the same definition.
+	 */
+	public TypedValue<T> createTransformed(Object newValue) {
+		return new TypedValue(newValue, definition, typeClass);
+	}
+
+	@Override
+	public int hashCode() {
+		final int prime = 31;
+		int result = 1;
+		result = prime * result + ((definition == null) ? 0 : definition.hashCode());
+		result = prime * result + ((typeClass == null) ? 0 : typeClass.hashCode());
+		result = prime * result + ((value == null) ? 0 : value.hashCode());
+		return result;
+	}
+
+	@Override
+	public boolean equals(Object obj) {
+		if (this == obj) {
+			return true;
+		}
+		if (obj == null) {
+			return false;
+		}
+		if (getClass() != obj.getClass()) {
+			return false;
+		}
+		TypedValue other = (TypedValue) obj;
+		if (definition == null) {
+			if (other.definition != null) {
+				return false;
+			}
+		} else if (!definition.equals(other.definition)) {
+			return false;
+		}
+		if (typeClass == null) {
+			if (other.typeClass != null) {
+				return false;
+			}
+		} else if (!typeClass.equals(other.typeClass)) {
+			return false;
+		}
+		if (value == null) {
+			if (other.value != null) {
+				return false;
+			}
+		} else if (!value.equals(other.value)) {
+			return false;
+		}
+		return true;
+	}
+
+	@Override
+	public String toString() {
+		StringBuilder sb = new StringBuilder("TypedValue(");
+		shortDump(sb);
+		sb.append(")");
+		return sb.toString();
+	}
+
+	@Override
+	public void shortDump(StringBuilder sb) {
+		sb.append(value);
+		if (definition != null) {
+			sb.append(", definition=");
+			definition.debugDumpShortToString(sb);
+		}
+		if (typeClass != null) {
+			sb.append(", class=").append(typeClass.getSimpleName());
+		}
+		if (definition == null && typeClass == null) {
+			sb.append(", definition/class=null");
+		}
+	}
+	
+	
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/VariablesMap.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/VariablesMap.java
new file mode 100644
index 00000000000..4ce41594dbe
--- /dev/null
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/VariablesMap.java
@@ -0,0 +1,289 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.schema.expression;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import com.evolveum.midpoint.prism.Definition;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrimitiveType;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
+import com.evolveum.midpoint.util.DOMUtil;
+import com.evolveum.midpoint.util.DebugDumpable;
+import com.evolveum.midpoint.util.DebugUtil;
+import com.evolveum.midpoint.util.PrettyPrinter;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+
+/**
+ * @author semancik
+ *
+ */
+public class VariablesMap implements Map<String,TypedValue>, DebugDumpable {
+
+	private Map<String,TypedValue> variables;
+	
+	public VariablesMap() {
+		variables = new HashMap<>();
+	}
+
+	private VariablesMap(Map<String, TypedValue> variablesMap) {
+		super();
+		this.variables = variablesMap;
+	}
+
+	public int size() {
+		return variables.size();
+	}
+
+	public boolean isEmpty() {
+		return variables.isEmpty();
+	}
+
+	public boolean containsKey(Object key) {
+		return variables.containsKey(key);
+	}
+
+	public boolean containsValue(Object value) {
+		return variables.containsValue(value);
+	}
+
+	public TypedValue get(Object key) {
+		return variables.get(key);
+	}
+
+	public TypedValue put(String key, TypedValue typedValue) {
+		if (typedValue == null) {
+			throw new IllegalArgumentException("Attempt to set variable '"+key+"' with null typed value: "+typedValue);
+		}
+		if (!typedValue.canDetermineType()) {
+			throw new IllegalArgumentException("Attempt to set variable '"+key+"' without determinable type: "+typedValue);
+		}
+		return variables.put(key, typedValue);
+	}
+	
+	@SuppressWarnings("rawtypes")
+	public <D extends ItemDefinition> TypedValue put(String key, Object value, D definition) {
+		if (definition == null) {
+			throw new IllegalArgumentException("Attempt to set variable '"+key+"' without definition: " + value);
+		}
+		return variables.put(key, new TypedValue<>(value, definition));
+	}
+	
+	/**
+	 * Note: Type of the value should really be Object and not T. The value may be quite complicated,
+	 * e.g. it may be ItemDeltaItem of the actual real value. However, the class defines the real type
+	 * of the value precisely. 
+	 */
+	public <T> TypedValue put(String key, Object value, Class<T> typeClass) {
+		if (typeClass == null) {
+			throw new IllegalArgumentException("Attempt to set variable '"+key+"' without class specification: " + value);
+		}
+		return variables.put(key, new TypedValue<>(value, typeClass));
+	}
+	
+	/**
+	 * Convenience method to put objects with definition.
+	 * Maybe later improve by looking up full definition.
+	 */
+	@SuppressWarnings("unchecked")
+	public <O extends ObjectType> TypedValue<O> putObject(String key, O objectType, Class<O> expectedClass) {
+		if (objectType == null) {
+			return put(key, null, expectedClass);
+		} else {
+			return put(key, objectType, objectType.asPrismObject().getDefinition());
+		}
+	}
+	
+	/**
+	 * Convenience method to put objects with definition.
+	 * Maybe later improve by looking up full definition.
+	 */
+	@SuppressWarnings("unchecked")
+	public <O extends ObjectType> TypedValue<O> putObject(String key, PrismObject<O> object, Class<O> expectedClass) {
+		if (object == null) {
+			return put(key, null, expectedClass);
+		} else {
+			return put(key, object, object.getDefinition());
+		}
+	}
+	
+	/**
+	 * Convenience method to put multivalue variables (lists).
+	 * This is very simple now. But later on we may need to declare generics.
+	 * Therefore dedicated method would be easier to find all usages and fix them.
+	 */
+	@SuppressWarnings("unchecked")
+	public <T> TypedValue<List<T>> putList(String key, List<T> list) {
+		return put(key, list, List.class);
+	}
+
+	public TypedValue remove(Object key) {
+		return variables.remove(key);
+	}
+
+	public void putAll(Map<? extends String, ? extends TypedValue> m) {
+		variables.putAll(m);
+	}
+
+	public void clear() {
+		variables.clear();
+	}
+
+	public Set<String> keySet() {
+		return variables.keySet();
+	}
+
+	public Collection<TypedValue> values() {
+		return variables.values();
+	}
+
+	public Set<Entry<String, TypedValue>> entrySet() {
+		return variables.entrySet();
+	}
+	
+	
+	/**
+     * Expects name-value-definition triples.
+     * Definition can be just a type QName.
+     *
+     * E.g.
+     * create(var1name, var1value, var1type, var2name, var2value, var2type, ...)
+     *
+     * Mostly for testing. Use at your own risk.
+     */
+    public static VariablesMap create(PrismContext prismContext, Object... parameters) {
+    	VariablesMap vars = new VariablesMap();
+    	vars.fillIn(prismContext, parameters);
+    	return vars;
+    }
+	
+    /**
+     * Expects name-value-definition triples.
+     * Definition can be just a type QName.
+     *
+     * E.g.
+     * create(var1name, var1value, var1type, var2name, var2value, var2type, ...)
+     *
+     * Mostly for testing. Use at your own risk.
+     */
+    protected void fillIn(PrismContext prismContext, Object... parameters) {
+    	for (int i = 0; i < parameters.length; i += 3) {
+    		Object nameObj = parameters[i];
+    		String name = null;
+    		if (nameObj instanceof String) {
+    			name = (String)nameObj;
+    		} else if (nameObj instanceof QName) {
+    			name = ((QName)nameObj).getLocalPart();
+    		}
+    		Object value = parameters[i+1];
+    		Object defObj = parameters[i+2];
+    		ItemDefinition def = null;
+    		if (defObj instanceof QName) {
+    			def = prismContext.definitionFactory().createPropertyDefinition(
+    					new QName(SchemaConstants.NS_C, name), (QName)defObj, null, null);
+    			put(name, value, def);
+    		} else if (defObj instanceof PrimitiveType) {
+    			def = prismContext.definitionFactory().createPropertyDefinition(
+    					new QName(SchemaConstants.NS_C, name), ((PrimitiveType)defObj).getQname(), null, null);
+    			put(name, value, def);
+    		} else if (defObj instanceof ItemDefinition) {
+    			def = (ItemDefinition)defObj;
+    			put(name, value, def);
+    		} else if (defObj instanceof Class) {
+    			put(name, value, (Class)defObj);
+    		} else {
+    			throw new IllegalArgumentException("Unexpected def "+defObj);
+    		}
+    		
+    	}
+    }
+    
+    public static VariablesMap emptyMap() {
+    	return new VariablesMap(Collections.emptyMap());
+    }
+
+	public boolean equals(Object o) {
+		return variables.equals(o);
+	}
+
+	public int hashCode() {
+		return variables.hashCode();
+	}
+
+	@Override
+	public String toString() {
+		return variables.toString();
+	}
+	
+	public String formatVariables() {
+        StringBuilder sb = new StringBuilder();
+        Iterator<Entry<String, TypedValue>> i = entrySet().iterator();
+        while (i.hasNext()) {
+            Entry<String, TypedValue> entry = i.next();
+            SchemaDebugUtil.indentDebugDump(sb, 1);
+            sb.append(entry.getKey()).append(": ");
+            TypedValue valueDef = entry.getValue();
+            Object value = valueDef.getValue();
+            // TODO: dump definitions?
+            if (value instanceof DebugDumpable) {
+            	sb.append("\n");
+            	sb.append(((DebugDumpable)value).debugDump(2));
+            } else if (value instanceof Element) {
+            	sb.append("\n");
+            	sb.append(DOMUtil.serializeDOMToString(((Element)value)));
+            } else {
+            	sb.append(SchemaDebugUtil.prettyPrint(value));
+            }
+            if (i.hasNext()) {
+                sb.append("\n");
+            }
+        }
+        return sb.toString();
+    }
+	
+	public String dumpSingleLine() {
+		StringBuilder sb = new StringBuilder();
+		for (Entry<String, TypedValue> entry: variables.entrySet()) {
+			sb.append(entry.getKey());
+			sb.append("=");
+			sb.append(PrettyPrinter.prettyPrint(entry.getValue().getValue()));
+			sb.append("; ");
+		}
+		return sb.toString();
+	}
+
+	// TODO: dump definitions?
+	@Override
+	public String debugDump(int indent) {
+		StringBuilder sb = new StringBuilder();
+		DebugUtil.debugDumpMapMultiLine(sb, variables, 1);
+		return sb.toString();
+	}
+
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/MiscSchemaUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/MiscSchemaUtil.java
index f337e0d37af..03a3878992f 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/MiscSchemaUtil.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/MiscSchemaUtil.java
@@ -24,6 +24,7 @@
 import com.evolveum.midpoint.schema.*;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.util.MiscUtil;
 import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -488,6 +489,14 @@ public static <O extends ObjectType> boolean canBeAssignedFrom(QName requiredTyp
 		Class<? extends ObjectType> requiredTypeClass = ObjectTypes.getObjectTypeFromTypeQName(requiredTypeQName).getClassDefinition();
 		return requiredTypeClass.isAssignableFrom(providedTypeClass);
 	}
+	
+	/**
+	 * This is NOT A REAL METHOD. It just returns null. It is here to mark all the places
+	 * where proper handling of expression profiles should be later added. 
+	 */
+	public static ExpressionProfile getExpressionProfile() {
+		return null;
+	}
 
 	public static void mergeDisplay(DisplayType viewDisplay, DisplayType archetypeDisplay) {
 		if (viewDisplay.getLabel() == null) {
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ReportTypeUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ReportTypeUtil.java
index 2174fc25381..cca49b1e7d9 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ReportTypeUtil.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ReportTypeUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,18 +22,8 @@
 
 import javax.xml.namespace.QName;
 
-import com.evolveum.midpoint.prism.impl.schema.PrismSchemaImpl;
-import net.sf.jasperreports.engine.JRException;
-import net.sf.jasperreports.engine.JRTemplate;
-import net.sf.jasperreports.engine.JasperCompileManager;
-import net.sf.jasperreports.engine.JasperReport;
-import net.sf.jasperreports.engine.design.JRDesignExpression;
-import net.sf.jasperreports.engine.design.JRDesignParameter;
-import net.sf.jasperreports.engine.design.JRDesignReportTemplate;
-import net.sf.jasperreports.engine.design.JasperDesign;
-import net.sf.jasperreports.engine.xml.JRXmlLoader;
-
 import org.apache.commons.codec.binary.Base64;
+import org.jfree.data.gantt.Task;
 import org.w3c.dom.Element;
 
 import com.evolveum.midpoint.prism.ItemDefinition;
@@ -43,11 +33,25 @@
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.impl.schema.PrismSchemaImpl;
 import com.evolveum.midpoint.prism.schema.PrismSchema;
+import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 
+import net.sf.jasperreports.engine.JRException;
+import net.sf.jasperreports.engine.JRTemplate;
+import net.sf.jasperreports.engine.JasperCompileManager;
+import net.sf.jasperreports.engine.JasperReport;
+import net.sf.jasperreports.engine.design.JRDesignExpression;
+import net.sf.jasperreports.engine.design.JRDesignParameter;
+import net.sf.jasperreports.engine.design.JRDesignReportTemplate;
+import net.sf.jasperreports.engine.design.JasperDesign;
+import net.sf.jasperreports.engine.xml.JRXmlLoader;
+
 /**
  * @author lazyman
  */
@@ -57,10 +61,18 @@ public class ReportTypeUtil {
 	public static final String HEADER_USERAGENT = "mp-cluster-peer-client";
 	public static String URLENCODING = "UTF-8";
 	
+	public static final String REPORT_LANGUAGE = "midPoint";
+	
+	
+	public static final String PARAMETER_TEMPLATE_STYLES = "baseTemplateStyles";
+	public static final String PARAMETER_REPORT_OID = "midpointReportOid";
+	public static final String PARAMETER_REPORT_OBJECT = "midpointReportObject";
+	public static final String PARAMETER_TASK = "midpointTask";
+	public static final String PARAMETER_OPERATION_RESULT = "midpointOperationResult";
+	
+	private static final Trace LOGGER = TraceManager.getTrace(ReportTypeUtil.class);
+	
 	
-	private static String PARAMETER_TEMPLATE_STYLES = "baseTemplateStyles";
-
-
 	 public static JasperDesign loadJasperDesign(byte[] template) throws SchemaException{
 	    	try	 {
 	    	byte[] reportTemplate = Base64.decodeBase64(template);
@@ -74,46 +86,6 @@ public static JasperDesign loadJasperDesign(byte[] template) throws SchemaExcept
 	    	}
 	    }
 
-
-	public static JasperReport loadJasperReport(ReportType reportType) throws SchemaException{
-
-		if (reportType.getTemplate() == null) {
-			throw new IllegalStateException("Could not create report. No jasper template defined.");
-		}
-		try	 {
-//	    	 	byte[] reportTemplate = Base64.decodeBase64(reportType.getTemplate());
-//	    	
-//	    	 	InputStream inputStreamJRXML = new ByteArrayInputStream(reportTemplate);
-	    	 	JasperDesign jasperDesign = loadJasperDesign(reportType.getTemplate());//JRXmlLoader.load(inputStreamJRXML);
-//	    	 	LOGGER.trace("load jasper design : {}", jasperDesign);
-
-			 if (reportType.getTemplateStyle() != null){
-				JRDesignReportTemplate templateStyle = new JRDesignReportTemplate(new JRDesignExpression("$P{" + PARAMETER_TEMPLATE_STYLES + "}"));
-				jasperDesign.addTemplate(templateStyle);
-				JRDesignParameter parameter = new JRDesignParameter();
-				parameter.setName(PARAMETER_TEMPLATE_STYLES);
-				parameter.setValueClass(JRTemplate.class);
-				parameter.setForPrompting(false);
-				jasperDesign.addParameter(parameter);
-			 }
-
-//			 if (StringUtils.isNotEmpty(finalQuery)){
-				 JRDesignParameter parameter = new JRDesignParameter();
-					parameter.setName("finalQuery");
-					parameter.setValueClass(Object.class);
-					parameter.setForPrompting(false);
-					jasperDesign.addParameter(parameter);
-//			 }
-			 JasperReport jasperReport = JasperCompileManager.compileReport(jasperDesign);
-			 return jasperReport;
-		 } catch (JRException ex){
-//			 LOGGER.error("Couldn't create jasper report design {}", ex.getMessage());
-			 throw new SchemaException(ex.getMessage(), ex.getCause());
-		 }
-
-
-}
-
     public static PrismSchema parseReportConfigurationSchema(PrismObject<ReportType> report, PrismContext context)
             throws SchemaException {
 
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
index 5e443c7dbe0..868522216f3 100755
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -14304,12 +14304,13 @@
 					</xsd:appinfo>
 				</xsd:annotation>
 			</xsd:element>
-			<xsd:element name="expressionExecutionRestriction" type="tns:ExpressionExecutionRestrictionType" minOccurs="0">
+			<xsd:element name="expressionProfile" type="xsd:string" minOccurs="0">
 				<xsd:annotation>
 					<xsd:documentation>
 						<p>
-							Specifies restrictions for execution of expressions and scripts. This applies
-							to expressions in archetyped objects.
+							Specifies a profile for expression execution. 
+							The profile mostly specifies restrictions for execution of expressions
+							and scripts. This applies to expressions in archetyped objects.
 							Please note that no expression execution restriction means that all evaluators
 							and scripting langages are allowed and there are no restrictions for evaluation
 							of expressions.
@@ -14323,173 +14324,13 @@
 					</xsd:documentation>
 					<xsd:appinfo>
 						<a:since>4.0</a:since>
-						<a:displayName>ArchetypePolicyType.expressionExecutionRestriction</a:displayName>
+						<a:displayName>ArchetypePolicyType.expressionProfile</a:displayName>
 					</xsd:appinfo>
 				</xsd:annotation>
 			</xsd:element>
 		</xsd:sequence>
 	</xsd:complexType>
 	
-	<xsd:complexType name="ExpressionExecutionRestrictionType">
-		<xsd:annotation>
-			<xsd:documentation>
-				Specifies restrictions for execution of expressions and scripts.
-				Please note that no expression execution restriction means that all evaluators
-				and scripting langages are allowed and there are no restrictions for evaluation
-				of expressions.
-			</xsd:documentation>
-			<xsd:appinfo>
-				<a:container/>
-            	<a:since>4.0</a:since>
-			</xsd:appinfo>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:element name="expressionEvaluatorStrategy" type="tns:ExpressionExecutionStrategy" minOccurs="0" maxOccurs="1" default="safe">
-			    <xsd:annotation>
-			        <xsd:documentation>
-			            Strategy to evaluate allowed expression evaluators.
-			        </xsd:documentation>
-			        <xsd:appinfo>
-						<a:displayName>ExpressionExecutionRestrictionType.expressionEvaluatorStrategy</a:displayName>
-					</xsd:appinfo>
-			    </xsd:annotation>
-			</xsd:element>
-			<xsd:element name="allowedExpressionEvaluator" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
-			    <xsd:annotation>
-			        <xsd:documentation>
-			            List of expression evaluators that are allowed. It is only applied if evaluator strategy is
-			            set to manual. 
-			            Empty lists means that no evaluators are allowed.
-			        </xsd:documentation>
-			        <xsd:appinfo>
-						<a:displayName>ExpressionExecutionRestrictionType.allowedEvaluator</a:displayName>
-					</xsd:appinfo>
-			    </xsd:annotation>
-			</xsd:element>
-			<xsd:element name="scriptLanguageStrategy" type="tns:ExpressionExecutionStrategy" minOccurs="0" maxOccurs="1" default="safe">
-			    <xsd:annotation>
-			        <xsd:documentation>
-			            Strategy to evaluate allowed script languages.
-			        </xsd:documentation>
-			        <xsd:appinfo>
-						<a:displayName>ExpressionExecutionRestrictionType.expressionEvaluatorStrategy</a:displayName>
-					</xsd:appinfo>
-			    </xsd:annotation>
-			</xsd:element>
-			<xsd:element name="allowedScriptLanguage" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
-			    <xsd:annotation>
-			        <xsd:documentation>
-			            List of script languages that are allowed. It is only applied if script language strategy is
-			            set to manual. 
-			            Empty lists means that no script languages are allowed.
-			        </xsd:documentation>
-			        <xsd:appinfo>
-						<a:displayName>ExpressionExecutionRestrictionType.allowedScriptLanguage</a:displayName>
-					</xsd:appinfo>
-			    </xsd:annotation>
-			</xsd:element>
-			<xsd:element name="scriptClassesStrategy" type="tns:ExpressionExecutionStrategy" minOccurs="0" maxOccurs="1" default="safe">
-			    <xsd:annotation>
-			        <xsd:documentation>
-			            Strategy to evaluate allowed classes that script evaluators are allowed to access.
-			        </xsd:documentation>
-			        <xsd:appinfo>
-						<a:displayName>ExpressionExecutionRestrictionType.scriptClassesStrategy</a:displayName>
-					</xsd:appinfo>
-			    </xsd:annotation>
-			</xsd:element>
-			<xsd:element name="allowedScriptClasses" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
-			    <xsd:annotation>
-			        <xsd:documentation>
-			            List of script classes that are allowed. It is only applied if script classes strategy is
-			            set to manual. 
-			            Empty lists means that no script classes are allowed.
-			        </xsd:documentation>
-			        <xsd:appinfo>
-						<a:displayName>ExpressionExecutionRestrictionType.allowedScriptClasses</a:displayName>
-					</xsd:appinfo>
-			    </xsd:annotation>
-			</xsd:element>
-			<!-- TODO: restrict runAs option -->
-			<!-- TODO: later: sandboxing, allowed operations -->
-		</xsd:sequence>
-	</xsd:complexType>
-	
-	<xsd:simpleType name="ExpressionExecutionStrategy">
-        <xsd:annotation>
-            <xsd:documentation>
-                TODO
-            </xsd:documentation>
-            <xsd:appinfo>
-                <jaxb:typesafeEnumClass/>
-                <a:since>4.0</a:since>
-            </xsd:appinfo>
-        </xsd:annotation>
-        <xsd:restriction base="xsd:string">
-            <xsd:enumeration value="nothingAllowed">
-                <xsd:annotation>
-                	<xsd:documentation>
-                		<p>
-                			Nothing is allowed.
-                			E.g. no expression evaluators or scripting languages are allowed.
-                			However, other definitions can still allow this.
-                		</p>
-                	</xsd:documentation>
-                    <xsd:appinfo>
-                        <jaxb:typesafeEnumMember name="NOTHING_ALLOWED"/>
-                    </xsd:appinfo>
-                </xsd:annotation>
-            </xsd:enumeration>
-            <xsd:enumeration value="safe">
-                <xsd:annotation>
-                	<xsd:documentation>
-                		<p>
-                			Only "safe" options are allowed. This is similar to "automatic" protection mode.
-                			E.g. only those expression evaluators or scripting languages that are considered
-                			"safe" are allowed. The definition of safe is quite vague here. Anything that has
-                			low risk of being abused for unintended action is considered "safe". However, this
-                			is still expression evaluation and some evaluators and scripting languages may be
-                			Turing-complete. The behaviour also depeds on midPoint configuration and customization.
-                			Therefore it is very hard to safeguard execution without completely sandboxing it.
-                			Appropriate care should be applied when using this option. It may be useful for
-                			a common case. But in some cases it may be needed to avoid this option and set up
-                			the restrictions manually.
-                		</p>
-                	</xsd:documentation>
-                    <xsd:appinfo>
-                        <jaxb:typesafeEnumMember name="SAFE"/>
-                    </xsd:appinfo>
-                </xsd:annotation>
-            </xsd:enumeration>
-            <xsd:enumeration value="manual">
-                <xsd:annotation>
-                	<xsd:documentation>
-                		<p>
-                			Manual whitelist should be apllied.
-                			E.g. only those evaluators or scripting languages that are explicitly enumerated
-                			are allowed.
-                		</p>
-                	</xsd:documentation>
-                    <xsd:appinfo>
-                        <jaxb:typesafeEnumMember name="MANUAL"/>
-                    </xsd:appinfo>
-                </xsd:annotation>
-            </xsd:enumeration>
-            <xsd:enumeration value="allAllowed">
-                <xsd:annotation>
-                	<xsd:documentation>
-                		<p>
-	                		Everything is allowed.
-	                		E.g. all expression evaluators or scripting languages are allowed.
-                		</p> 
-                	</xsd:documentation>
-                    <xsd:appinfo>
-                        <jaxb:typesafeEnumMember name="ALL_ALLOWED"/>
-                    </xsd:appinfo>
-                </xsd:annotation>
-            </xsd:enumeration>
-        </xsd:restriction>
-    </xsd:simpleType>
 	    
     <xsd:complexType name="LookupTableType">
         <xsd:annotation>
@@ -15469,6 +15310,19 @@
                         </xsd:annotation>
                     </xsd:element>
                     
+                    <xsd:element name="expressions" type="tns:SystemConfigurationExpressionsType" minOccurs="0" maxOccurs="1">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                Specifies profile for expression evaluations, execution, restrictions, etc.
+                            </xsd:documentation>
+                            <xsd:appinfo>
+								<a:displayName>SystemConfigurationType.expressions</a:displayName>
+                            	<a:since>4.0</a:since>
+                            	<a:experimental>true</a:experimental>
+                            </xsd:appinfo>
+                        </xsd:annotation>
+                    </xsd:element>
+                    
                     <!-- TODO(maybe): objectCollectionRef -->
                 </xsd:sequence>
             </xsd:extension>
@@ -15476,6 +15330,8 @@
     </xsd:complexType>
     <xsd:element name="systemConfiguration" type="tns:SystemConfigurationType"/>
 
+
+
 	<xsd:complexType name="FullTextSearchConfigurationType">
 		<xsd:annotation>
 			<xsd:documentation>
@@ -15544,6 +15400,462 @@
 		</xsd:sequence>
 	</xsd:complexType>
 	
+	<xsd:complexType name="SystemConfigurationExpressionsType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies profile for expression evaluations, execution, restrictions, etc.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>SystemConfigurationExpressionsType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="expressionProfile" type="tns:ExpressionProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            TODO
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>SystemConfigurationExpressionsType.expressionProfile</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="permissionProfile" type="tns:ExpressionPermissionProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            TODO
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>SystemConfigurationExpressionsType.permissionProfile</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="ExpressionProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions for execution of expressions and scripts.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="identifier" type="xsd:string" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Profile identifier. Usually short string, essentialy a simple profile name.
+			            Custom profiles should consider using URIs instead of simple names to avoid
+			            conflicts with built-in profiles that may be provided in later versions.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionProfileType.identifier</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the profile. I.e. decision of those evaluators that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="evaluator" type="tns:ExpressionEvaluatorProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Detailed specification of expression evaluator profile.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionProfileType.evaluator</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="ExpressionEvaluatorProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions for execution of specific expression evaluators.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="type" type="xsd:QName" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Evaluator type. This should correspond to the name of evaluator element.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionEvaluatorProfileType.type</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionEvaluatorProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the evaluator. I.e. decision of those aspects of the evaluator use
+			            (e.g. script languages) that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionEvaluatorProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="script" type="tns:ScriptExpressionProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Detailed specification for script expressions.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionEvaluatorProfileType.script</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<!-- TODO: restrict runAs option -->
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="ScriptExpressionProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions for execution of script expressions.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="language" type="xsd:anyURI" minOccurs="1">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Language of the expression.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+						<a:displayName>ScriptExpressionProfileType.language</a:displayName>
+					</xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
+            <xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ScriptExpressionProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the scripting language. I.e. decision whether the language can
+			            be used at all.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ScriptExpressionProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="typeChecking" type="xsd:boolean" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Switch controlling whether strict type checking is enabled.
+			            There is no global default for this. Each language may default to
+			            a different value. Some languages may not support this switch at all.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ScriptExpressionProfileType.typeChecking</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="permissionProfile" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Identifier of a permission profile that should be applied to this
+			            script language. If no profile is specified, then no profile will be
+			            applied and all language features will be allowed.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ScriptExpressionProfileType.permissionProfile</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="ExpressionPermissionProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions and permissions for various evaluators, especially for
+				scripting expressions.
+				The permission profile configuration is a separate container with its own identifier
+				as it is expected that the same setting will be applied to many evaluators and/or
+				scripting languages. And the definition of a profile can be quite long and extensive.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="identifier" type="xsd:string" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Profile identifier. Usually short string, essentialy a simple profile name.
+			            Custom profiles should consider using URIs instead of simple names to avoid
+			            conflicts with built-in profiles that may be provided in later versions.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.identifier</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the profile. I.e. decision of those aspects of the profile
+			            (e.g. classes, permissions) that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="package" type="tns:ExpressionPermissionPackageProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Detailed specification for access to a class.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.class</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="class" type="tns:ExpressionPermissionClassProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Detailed specification for access to a class.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.class</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<!-- TODO: later: sandboxing, allowed operations -->
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="ExpressionPermissionPackageProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions and permissions for a package.
+				For now package definitions MUST NOT OVERLAP. Therefore there must not be
+				a definiton of a superpackage and subpackage at the same time.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="name" type="xsd:string" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Full name of the class (including package).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionPackageProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionPackageProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the profile. I.e. decision of those aspects of the profile
+			            (e.g. classes, permissions) that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionPackageProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<!-- TODO: classes within a package? -->
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="ExpressionPermissionClassProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions and permissions for a specific class.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="name" type="xsd:string" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Full name of the class (including package).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the profile. I.e. decision of those aspects of the profile
+			            (e.g. classes, permissions) that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="method" type="tns:ExpressionPermissionMethodProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Detailed specification for access to a method.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.method</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="ExpressionPermissionMethodProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions and permissions for a specific method.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="name" type="xsd:string" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Name of the method.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>"ExpressionPermissionMethodProfileType".name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the profile. I.e. decision of those aspects of the profile
+			            (e.g. classes, permissions) that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<!-- TODO: later: parameter specification -->
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	
+	
 	<xsd:complexType name="FunctionLibraryType">
 		<xsd:annotation>
 			<xsd:documentation>
diff --git a/infra/schema/src/main/resources/xml/ns/public/report/report-3.wsdl b/infra/schema/src/main/resources/xml/ns/public/report/report-3.wsdl
index 86b463feb98..1a58e7ba925 100644
--- a/infra/schema/src/main/resources/xml/ns/public/report/report-3.wsdl
+++ b/infra/schema/src/main/resources/xml/ns/public/report/report-3.wsdl
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!--
-  ~ Copyright (c) 2010-2014 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -51,6 +51,13 @@
      
         <xsd:complexType name="ProcessReportType">
           <xsd:sequence>
+          	<xsd:element name="reportOid" type="xsd:string" minOccurs="0">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        OID of an report to process
+                    </xsd:documentation>
+                </xsd:annotation>
+            </xsd:element>
             <xsd:element name="query" type="xsd:string"/>
             <xsd:element name="parameters" type="tns:RemoteReportParametersType"/>
             <xsd:element name="options" type="c:SelectorQualifiedGetOptionsType" minOccurs="0"/>
@@ -79,7 +86,13 @@
                     </xsd:documentation>
                 </xsd:annotation>
                 <xsd:sequence>
-                    
+                    <xsd:element name="reportOid" type="xsd:string" minOccurs="0">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                OID of an report to process
+                            </xsd:documentation>
+                        </xsd:annotation>
+                    </xsd:element>
                     <xsd:element name="script" type="xsd:string" minOccurs="0">
                         <xsd:annotation>
                             <xsd:documentation>
@@ -124,7 +137,13 @@
                     </xsd:documentation>
                 </xsd:annotation>
                 <xsd:sequence>
-                    
+                    <xsd:element name="reportOid" type="xsd:string" minOccurs="0">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                OID of an report to process
+                            </xsd:documentation>
+                        </xsd:annotation>
+                    </xsd:element>
                     <xsd:element name="script" type="xsd:string" minOccurs="0">
                         <xsd:annotation>
                             <xsd:documentation>
@@ -209,6 +228,14 @@
                             </xsd:documentation>
                         </xsd:annotation>
                     </xsd:element>
+                        
+                    <xsd:element name="parameterType" type="xsd:QName">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                Type of the parameter, as XSD primitive type or midPoint static type.
+                            </xsd:documentation>
+                        </xsd:annotation>
+                    </xsd:element>
                            
                 </xsd:sequence>
             </xsd:complexType>
diff --git a/infra/test-util/src/main/java/com/evolveum/midpoint/test/ldap/OpenDJController.java b/infra/test-util/src/main/java/com/evolveum/midpoint/test/ldap/OpenDJController.java
index 12c81a7e4bf..72e74b8d208 100755
--- a/infra/test-util/src/main/java/com/evolveum/midpoint/test/ldap/OpenDJController.java
+++ b/infra/test-util/src/main/java/com/evolveum/midpoint/test/ldap/OpenDJController.java
@@ -736,6 +736,10 @@ public static void assertNoAttribute(Entry response, String name) {
 	public static void assertAttributeLang(Entry entry, String attributeName, String expectedOrigValue, String... params) {
 		List<Attribute> attrs = entry.getAttribute(attributeName.toLowerCase());
 		if (attrs == null || attrs.size() == 0) {
+			if (expectedOrigValue == null && params.length == 0) {
+				// everything is as it should be
+				return;
+			}
 			AssertJUnit.fail("Attribute "+attributeName+" does not have any value");
 		}
 		Map<String,String> expectedLangs = MiscUtil.paramsToMap(params);
diff --git a/infra/test-util/src/main/java/com/evolveum/midpoint/test/util/TestUtil.java b/infra/test-util/src/main/java/com/evolveum/midpoint/test/util/TestUtil.java
index 08a7a3a597b..b8ca72ecc9a 100644
--- a/infra/test-util/src/main/java/com/evolveum/midpoint/test/util/TestUtil.java
+++ b/infra/test-util/src/main/java/com/evolveum/midpoint/test/util/TestUtil.java
@@ -17,10 +17,13 @@
 package com.evolveum.midpoint.test.util;
 
 import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContainer;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.path.ItemName;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.processor.ObjectFactory;
 import com.evolveum.midpoint.schema.processor.ResourceAttribute;
@@ -708,4 +711,8 @@ public static void waitForThreads(ParallelTestThread[] threads, long timeout) th
 			}
 		}
 	}
+
+	public static ItemDefinition createPrimitivePropertyDefinition(PrismContext prismContext, String name, PrimitiveType pType) {
+		return prismContext.definitionFactory().createPropertyDefinition(new ItemName(SchemaConstants.NS_C, name), pType.getQname());
+	}
 }
diff --git a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertCaseOperationsHelper.java b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertCaseOperationsHelper.java
index 20f647e495c..5618ac4fd8c 100644
--- a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertCaseOperationsHelper.java
+++ b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertCaseOperationsHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -323,9 +323,9 @@ private List<ObjectReferenceType> computeDelegateTo(DelegateWorkItemActionType d
 		List<ObjectReferenceType> rv = CloneUtil.cloneCollectionMembers(delegateAction.getApproverRef());
 		if (!delegateAction.getApproverExpression().isEmpty()) {
 			ExpressionVariables variables = new ExpressionVariables();
-			variables.addVariableDefinition(ExpressionConstants.VAR_WORK_ITEM, workItem);
-			variables.addVariableDefinition(ExpressionConstants.VAR_CERTIFICATION_CASE, aCase);
-			variables.addVariableDefinition(ExpressionConstants.VAR_CAMPAIGN, campaign);
+			variables.put(ExpressionConstants.VAR_WORK_ITEM, workItem, AccessCertificationWorkItemType.class);
+			variables.put(ExpressionConstants.VAR_CERTIFICATION_CASE, aCase, aCase.asPrismContainerValue().getDefinition());
+			variables.putObject(ExpressionConstants.VAR_CAMPAIGN, campaign, AccessCertificationCampaignType.class);
 			for (ExpressionType expression : delegateAction.getApproverExpression()) {
 				rv.addAll(expressionHelper.evaluateRefExpressionChecked(expression, variables, "computing delegates", task, result));
 			}
diff --git a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertExpressionHelper.java b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertExpressionHelper.java
index 5ad387aba99..be356999e2d 100644
--- a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertExpressionHelper.java
+++ b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertExpressionHelper.java
@@ -27,6 +27,7 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
@@ -74,7 +75,7 @@ private <T> List<T> evaluateExpression(Class<T> resultClass, ExpressionType expr
         QName resultName = new QName(SchemaConstants.NS_C, "result");
         PrismPropertyDefinition<T> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, xsdType);
 
-        Expression<PrismPropertyValue<T>,PrismPropertyDefinition<T>> expression = expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+        Expression<PrismPropertyValue<T>,PrismPropertyDefinition<T>> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
         ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
 
         PrismValueDeltaSetTriple<PrismPropertyValue<T>> exprResult = ModelExpressionThreadLocalHolder.evaluateExpressionInContext(expression, params, task, result);
@@ -104,7 +105,7 @@ private List<ObjectReferenceType> evaluateRefExpression(ExpressionType expressio
         QName resultName = new QName(SchemaConstants.NS_C, "result");
         PrismReferenceDefinition resultDef = prismContext.definitionFactory().createReferenceDefinition(resultName, ObjectReferenceType.COMPLEX_TYPE);
 
-        Expression<PrismReferenceValue,PrismReferenceDefinition> expression = expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+        Expression<PrismReferenceValue,PrismReferenceDefinition> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
         ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
 		context.setAdditionalConvertor(ExpressionUtil.createRefConvertor(UserType.COMPLEX_TYPE));
         PrismValueDeltaSetTriple<PrismReferenceValue> exprResult =
diff --git a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertReviewersHelper.java b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertReviewersHelper.java
index 5a70d4a7e03..b1ddb2288f8 100644
--- a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertReviewersHelper.java
+++ b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertReviewersHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -93,9 +93,9 @@ List<ObjectReferenceType> getReviewersForCase(AccessCertificationCaseType _case,
         }
         for (ExpressionType reviewerExpression : reviewerSpec.getReviewerExpression()) {
 			ExpressionVariables variables = new ExpressionVariables();
-			variables.addVariableDefinition(ExpressionConstants.VAR_CERTIFICATION_CASE, _case);
-			variables.addVariableDefinition(ExpressionConstants.VAR_CAMPAIGN, campaign);
-			variables.addVariableDefinition(ExpressionConstants.VAR_REVIEWER_SPECIFICATION, reviewerSpec);
+			variables.put(ExpressionConstants.VAR_CERTIFICATION_CASE, _case, _case.asPrismContainerValue().getDefinition());
+			variables.putObject(ExpressionConstants.VAR_CAMPAIGN, campaign, AccessCertificationCampaignType.class);
+			variables.put(ExpressionConstants.VAR_REVIEWER_SPECIFICATION, reviewerSpec, AccessCertificationReviewerSpecificationType.class);
 			List<ObjectReferenceType> refList = expressionHelper
 					.evaluateRefExpressionChecked(reviewerExpression, variables, "reviewer expression", task, result);
 			cloneAndMerge(reviewers, refList);
diff --git a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java
index 2cf11b01747..005d6d21182 100644
--- a/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java
+++ b/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -143,12 +143,12 @@ private boolean itemSelectionExpressionAccepts(AssignmentType assignment, boolea
         }
         ExpressionType selectionExpression = scope.getItemSelectionExpression();
         ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, assignment);
+        variables.put(ExpressionConstants.VAR_ASSIGNMENT, assignment, AssignmentType.class);
         if (object instanceof FocusType) {
-            variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, object);
+            variables.putObject(ExpressionConstants.VAR_FOCUS, (FocusType)object, FocusType.class);
         }
         if (object instanceof UserType) {
-            variables.addVariableDefinition(ExpressionConstants.VAR_USER, object);
+            variables.putObject(ExpressionConstants.VAR_USER, (UserType)object, UserType.class);
         }
         return expressionHelper.evaluateBooleanExpression(selectionExpression, variables,
                 "item selection for assignment " + ObjectTypeUtil.toShortString(assignment), task, result);
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
index 141e7f7dfac..1f30de87556 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
@@ -88,7 +88,8 @@ public enum ModelAuthorizationAction implements DisplayableValue<String> {
 	AUDIT_MANAGE("auditManage", "Audit Manage", "AUDIT_MANAGE_HELP"),
 	
 	RAW_OPERATION("rawOperation", "Raw operation", "RAW_OPERATION_HELP"),
-	PARTIAL_EXECUTION("partialExecution", "Partial execution", "PARTIAL_EXECUTION_HELP");
+	PARTIAL_EXECUTION("partialExecution", "Partial execution", "PARTIAL_EXECUTION_HELP"),
+	GET_EXTENSION_SCHEMA("getExtensionSchema", "Get extension schema", "GET_EXTENSION_SCHEMA_HELP");
 	
 	public static final String[] AUTZ_ACTIONS_URLS_SEARCH = new String[] { READ.getUrl(),  SEARCH.getUrl() };
 	public static final String[] AUTZ_ACTIONS_URLS_GET = new String[] { READ.getUrl(),  GET.getUrl() };
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
index 8b967224861..6aff796a8a7 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.statistics.ConnectorOperationalStatus;
 import com.evolveum.midpoint.security.api.AuthorizationTransformer;
@@ -353,7 +354,7 @@ MidPointPrincipal dropPowerOfAttorney(Task task, OperationResult result)
 	// Maybe a bit of hack: used to deduplicate processing of localizable message templates
 	@NotNull
 	LocalizableMessageType createLocalizableMessageType(LocalizableMessageTemplateType template,
-			Map<QName, Object> variables, Task task, OperationResult result)
+			VariablesMap variables, Task task, OperationResult result)
 			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException,
 			ConfigurationException, SecurityViolationException;
 	
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/PipelineItem.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/PipelineItem.java
index 1930695fc54..9339decda23 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/PipelineItem.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/PipelineItem.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,14 +17,13 @@
 package com.evolveum.midpoint.model.api;
 
 import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.DebugDumpable;
 import com.evolveum.midpoint.util.DebugUtil;
 import org.jetbrains.annotations.NotNull;
 
 import java.io.Serializable;
-import java.util.HashMap;
-import java.util.Map;
 
 /**
  * @author mederly
@@ -34,14 +33,14 @@ public class PipelineItem implements DebugDumpable, Serializable {
 	@NotNull private PrismValue value;
 	@NotNull private OperationResult result;
 	// variables here are to be cloned-on-use (if they are not immutable)
-	@NotNull private final Map<String,Object> variables = new HashMap<>();
+	@NotNull private final VariablesMap variables = new VariablesMap();
 
 	public PipelineItem(@NotNull PrismValue value, @NotNull OperationResult result) {
 		this.value = value;
 		this.result = result;
 	}
 
-	public PipelineItem(@NotNull PrismValue value, @NotNull OperationResult result, @NotNull Map<String, Object> variables) {
+	public PipelineItem(@NotNull PrismValue value, @NotNull OperationResult result, @NotNull VariablesMap variables) {
 		this.value = value;
 		this.result = result;
 		this.variables.putAll(variables);
@@ -66,7 +65,7 @@ public void setResult(@NotNull OperationResult result) {
 	}
 
 	@NotNull
-	public Map<String, Object> getVariables() {
+	public VariablesMap getVariables() {
 		return variables;
 	}
 
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ScriptingService.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ScriptingService.java
index 017c8e1477a..48962daa236 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ScriptingService.java
+++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ScriptingService.java
@@ -17,6 +17,7 @@
 package com.evolveum.midpoint.model.api;
 
 import com.evolveum.midpoint.prism.query.ObjectFilter;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -30,7 +31,6 @@
 import org.jetbrains.annotations.NotNull;
 
 import javax.xml.namespace.QName;
-import java.util.Map;
 
 /**
  * Interface of the Model subsystem that provides scripting (bulk actions) operations.
@@ -88,7 +88,7 @@ ScriptExecutionResult evaluateExpression(ScriptingExpressionType expression, Tas
 			throws ScriptExecutionException, SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
 
 	ScriptExecutionResult evaluateExpression(@NotNull ExecuteScriptType executeScriptCommand,
-			@NotNull Map<String, Object> initialVariables, boolean recordProgressAndIterationStatistics, @NotNull Task task,
+			@NotNull VariablesMap initialVariables, boolean recordProgressAndIterationStatistics, @NotNull Task task,
 			@NotNull OperationResult result)
 			throws ScriptExecutionException, SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
 
diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/util/ModelUtils.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/ArchetypeManager.java
similarity index 53%
rename from model/model-api/src/main/java/com/evolveum/midpoint/model/api/util/ModelUtils.java
rename to model/model-common/src/main/java/com/evolveum/midpoint/model/common/ArchetypeManager.java
index e2c81b3243f..e287edecb55 100644
--- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/util/ModelUtils.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/ArchetypeManager.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,17 +13,28 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.evolveum.midpoint.model.api.util;
+package com.evolveum.midpoint.model.common;
 
-import java.util.ArrayList;
 import java.util.List;
 
 import javax.xml.namespace.QName;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.FocusTypeUtil;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.LifecycleStateModelType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
@@ -32,11 +43,87 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
 /**
- * @author semancik
- *
+ * Component that can efficiently determine archetypes for objects.
+ * It is backed by caches, therefore this is supposed to be a low-overhead service that can be
+ * used in many places.
+ * 
+ * @author Radovan Semancik
  */
-public class ModelUtils {
+@Component
+public class ArchetypeManager {
+	
+	private static final Trace LOGGER = TraceManager.getTrace(ArchetypeManager.class);
+	
+	@Autowired private SystemObjectCache systemObjectCache;
+	
+	public PrismObject<ArchetypeType> getArchetype(String oid, OperationResult result) throws ObjectNotFoundException, SchemaException {
+		// TODO: make this efficient (use cache)
+		return systemObjectCache.getArchetype(oid, result);
+	}
+	
+	public <O extends AssignmentHolderType> PrismObject<ArchetypeType> determineArchetype(PrismObject<O> assignmentHolder, OperationResult result) throws SchemaException, ConfigurationException {
+		if (assignmentHolder == null) {
+			return null;
+		}
+		if (!assignmentHolder.canRepresent(AssignmentHolderType.class)) {
+			return null;
+		}
+		List<ObjectReferenceType> archetypeRefs = ((AssignmentHolderType)assignmentHolder.asObjectable()).getArchetypeRef();
+		if (archetypeRefs == null || archetypeRefs.isEmpty()) {
+			return null;
+		}
+		if (archetypeRefs.size() > 1) {
+			throw new SchemaException("Only a single archetype for an object is supported: "+assignmentHolder);
+		}
+		ObjectReferenceType archetypeRef = archetypeRefs.get(0);
+
+		PrismObject<ArchetypeType> archetype;
+		try {
+			archetype = systemObjectCache.getArchetype(archetypeRef.getOid(), result);
+		} catch (ObjectNotFoundException e) {
+			LOGGER.warn("Archetype {} for object {} cannot be found", archetypeRef.getOid(), assignmentHolder);
+			return null;
+		}
+		return archetype;
+	}
+
+	public <O extends ObjectType> ArchetypePolicyType determineArchetypePolicy(PrismObject<O> object, OperationResult result) throws SchemaException, ConfigurationException {
+		if (object == null) {
+			return null;
+		}
+		if (object.canRepresent(AssignmentHolderType.class)) {
+			PrismObject<ArchetypeType> archetype = determineArchetype((PrismObject<? extends AssignmentHolderType>) object, result);
+			if (archetype != null) {
+				return archetype.asObjectable().getArchetypePolicy();
+			}
+		}
+		// No archetype for this object. Try to find appropriate system configuration section for this object.
+		return determineObjectPolicyConfiguration(object, result);
+	}
+	
+	public <O extends ObjectType> ObjectPolicyConfigurationType determineObjectPolicyConfiguration(PrismObject<O> object, OperationResult result) throws SchemaException, ConfigurationException {
+		if (object == null) {
+			return null;
+		}
+		PrismObject<SystemConfigurationType> systemConfiguration = systemObjectCache.getSystemConfiguration(result);
+		if (systemConfiguration == null) {
+			return null;
+		}
+		return determineObjectPolicyConfiguration(object, systemConfiguration.asObjectable());
+	}
 	
+	public <O extends ObjectType> ExpressionProfile determineExpressionProfile(PrismObject<O> object, OperationResult result) throws SchemaException, ConfigurationException {
+		ArchetypePolicyType archetypePolicy = determineArchetypePolicy(object, result);
+		if (archetypePolicy == null) {
+			return null;
+		}
+		String expressionProfileId = archetypePolicy.getExpressionProfile();
+		return systemObjectCache.getExpressionProfile(expressionProfileId, result);
+	}
+	
+	/**
+	 * This has to remain static due to use from LensContext. Hopefully it will get refactored later.
+	 */
 	public static <O extends ObjectType> ObjectPolicyConfigurationType determineObjectPolicyConfiguration(PrismObject<O> object, SystemConfigurationType systemConfigurationType) throws ConfigurationException {
 		List<String> subTypes = FocusTypeUtil.determineSubTypes(object);
 		return determineObjectPolicyConfiguration(object.getCompileTimeClass(), subTypes, systemConfigurationType);
@@ -111,5 +198,4 @@ public static <O extends ObjectType> LifecycleStateModelType determineLifecycleM
 		}
 		return objectPolicyConfiguration.getLifecycleStateModel();
 	}
-
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/SystemObjectCache.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/SystemObjectCache.java
index 56833771f98..edbd20e66fd 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/SystemObjectCache.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/SystemObjectCache.java
@@ -15,17 +15,21 @@
  */
 package com.evolveum.midpoint.model.common;
 
+import com.evolveum.midpoint.model.common.expression.ExpressionProfileCompiler;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SearchResultList;
 import com.evolveum.midpoint.schema.SelectorOptions;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfiles;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationExpressionsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -63,6 +67,8 @@ public class SystemObjectCache {
 
 	private PrismObject<SystemConfigurationType> systemConfiguration;
 	private Long systemConfigurationCheckTimestamp;
+	
+	private ExpressionProfiles expressionProfiles;
 
 	private long getSystemConfigurationExpirationMillis() {
 		return 1000;
@@ -112,6 +118,7 @@ private void loadSystemConfiguration(OperationResult result) throws ObjectNotFou
 		Collection<SelectorOptions<GetOperationOptions>> options = SelectorOptions.createCollection(GetOperationOptions.createReadOnly());
 		systemConfiguration = cacheRepositoryService.getObject(SystemConfigurationType.class, SystemObjectsType.SYSTEM_CONFIGURATION.value(),
 				options, result);
+		expressionProfiles = null;
 		systemConfigurationCheckTimestamp = System.currentTimeMillis();
 		if (systemConfiguration != null && systemConfiguration.getVersion() == null) {
 			LOGGER.warn("Retrieved system configuration with null version");
@@ -120,6 +127,7 @@ private void loadSystemConfiguration(OperationResult result) throws ObjectNotFou
 
 	public synchronized void invalidateCaches() {
 		systemConfiguration = null;
+		expressionProfiles = null;
 	}
 
 	public PrismObject<ArchetypeType> getArchetype(String oid, OperationResult result) throws ObjectNotFoundException, SchemaException {
@@ -131,4 +139,31 @@ public SearchResultList<PrismObject<ArchetypeType>> getAllArchetypes(OperationRe
 		// TODO: make this efficient (use cache)
 		return cacheRepositoryService.searchObjects(ArchetypeType.class, null, null, result);
 	}
+	
+	public ExpressionProfile getExpressionProfile(String identifier, OperationResult result) throws SchemaException {
+		if (identifier == null) {
+			return null;
+		}
+		if (expressionProfiles == null) {
+			compileExpressionProfiles(result);
+		}
+		return expressionProfiles.getProfile(identifier);
+	}
+
+	private void compileExpressionProfiles(OperationResult result) throws SchemaException {
+		PrismObject<SystemConfigurationType> systemConfiguration = getSystemConfiguration(result);
+		if (systemConfiguration == null) {
+			// This should only happen in tests - if ever. Empty expression profiles are just fine.
+			expressionProfiles = new ExpressionProfiles();
+			return;
+		}
+		SystemConfigurationExpressionsType expressions = systemConfiguration.asObjectable().getExpressions();
+		if (expressions == null) {
+			// Mark that there is no need to recompile. There are no profiles.
+			expressionProfiles = new ExpressionProfiles();
+			return;
+		}
+		ExpressionProfileCompiler compiler = new ExpressionProfileCompiler();
+		expressionProfiles = compiler.compile(expressions);
+	}
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/ExpressionProfileCompiler.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/ExpressionProfileCompiler.java
new file mode 100644
index 00000000000..c3523cc4624
--- /dev/null
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/ExpressionProfileCompiler.java
@@ -0,0 +1,121 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.stereotype.Component;
+
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionPermissionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfiles;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionEvaluatorProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationExpressionsType;
+
+/**
+ * @author Radovan Semancik
+ */
+@Component
+public class ExpressionProfileCompiler {
+	
+	public ExpressionProfiles compile(SystemConfigurationExpressionsType expressionsType) throws SchemaException {
+		List<ExpressionPermissionProfile> permissionProfiles = compilePermissionProfiles(expressionsType.getPermissionProfile());
+		ExpressionProfiles expressionProfiles = compileExpressionProfiles(expressionsType.getExpressionProfile(), permissionProfiles);
+		return expressionProfiles;
+	}
+
+	private List<ExpressionPermissionProfile> compilePermissionProfiles(List<ExpressionPermissionProfileType> permissionProfileTypes) {
+		List<ExpressionPermissionProfile> permissionProfiles = new ArrayList<>();
+		for (ExpressionPermissionProfileType permissionProfileType : permissionProfileTypes) {
+			permissionProfiles.add(compilePermissionProfile(permissionProfileType));
+		}
+		return permissionProfiles;
+	}
+
+	private ExpressionPermissionProfile compilePermissionProfile(ExpressionPermissionProfileType permissionProfileType) {
+		ExpressionPermissionProfile profile = new ExpressionPermissionProfile(permissionProfileType.getIdentifier());
+		
+		profile.setDecision(AccessDecision.translate(permissionProfileType.getDecision()));
+		profile.getPackageProfiles().addAll(permissionProfileType.getPackage());
+		profile.getClassProfiles().addAll(permissionProfileType.getClazz());
+		
+		return profile;
+	}
+	
+	private ExpressionProfiles compileExpressionProfiles(List<ExpressionProfileType> expressionProfileTypes, List<ExpressionPermissionProfile> permissionProfiles) throws SchemaException {
+		ExpressionProfiles expressionProfiles = new ExpressionProfiles();
+		for(ExpressionProfileType expressionProfileType : expressionProfileTypes) {
+			expressionProfiles.add(compileExpressionProfile(expressionProfileType, permissionProfiles));
+		}
+		return expressionProfiles;
+	}
+
+	private ExpressionProfile compileExpressionProfile(ExpressionProfileType expressionProfileType, List<ExpressionPermissionProfile> permissionProfiles) throws SchemaException {
+		ExpressionProfile profile = new ExpressionProfile(expressionProfileType.getIdentifier());
+		
+		profile.setDecision(AccessDecision.translate(expressionProfileType.getDecision()));
+		
+		for(ExpressionEvaluatorProfileType evaluatorType : expressionProfileType.getEvaluator()) {
+			profile.add(compileEvaluatorProfile(evaluatorType, permissionProfiles));
+		}
+		
+		return profile;
+	}
+
+	private ExpressionEvaluatorProfile compileEvaluatorProfile(ExpressionEvaluatorProfileType evaluatorType, List<ExpressionPermissionProfile> permissionProfiles) throws SchemaException {
+		ExpressionEvaluatorProfile profile = new ExpressionEvaluatorProfile(evaluatorType.getType());
+		
+		profile.setDecision(AccessDecision.translate(evaluatorType.getDecision()));
+		
+		for (ScriptExpressionProfileType scriptType : evaluatorType.getScript()) {
+			profile.add(compileScriptProfile(scriptType, permissionProfiles));
+		}
+		
+		return profile;
+	}
+
+	private ScriptExpressionProfile compileScriptProfile(ScriptExpressionProfileType scriptType, List<ExpressionPermissionProfile> permissionProfiles) throws SchemaException {
+		ScriptExpressionProfile profile = new ScriptExpressionProfile(scriptType.getLanguage());
+		
+		profile.setDecision(AccessDecision.translate(scriptType.getDecision()));
+		profile.setTypeChecking(scriptType.isTypeChecking());
+		
+		profile.setPermissionProfile(findPermissionProfile(permissionProfiles, scriptType.getPermissionProfile()));
+		
+		return profile;
+	}
+
+	private ExpressionPermissionProfile findPermissionProfile(List<ExpressionPermissionProfile> permissionProfiles, String profileIdentifier) throws SchemaException {
+		if (profileIdentifier == null) {
+			return null;
+		}
+		for (ExpressionPermissionProfile permissionProfile : permissionProfiles) {
+			if (profileIdentifier.equals(permissionProfile.getIdentifier())) {
+				return permissionProfile;
+			}
+		}
+		throw new SchemaException("Permission profile '"+profileIdentifier+"' not found");
+	}
+
+}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractSearchExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractSearchExpressionEvaluator.java
index 4c174efdee3..1eb69a14e85 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractSearchExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractSearchExpressionEvaluator.java
@@ -48,6 +48,7 @@
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
@@ -84,41 +85,22 @@ public abstract class AbstractSearchExpressionEvaluator<V extends PrismValue,D e
 
 	private static final Trace LOGGER = TraceManager.getTrace(AbstractSearchExpressionEvaluator.class);
 
-	private PrismContext prismContext;
-	private D outputDefinition;
-	private Protector protector;
 	private ObjectResolver objectResolver;
 	private ModelService modelService;
 
-	protected AbstractSearchExpressionEvaluator(SearchObjectExpressionEvaluatorType expressionEvaluatorType,
-			D outputDefinition, Protector protector, ObjectResolver objectResolver,
-			ModelService modelService, PrismContext prismContext, SecurityContextManager securityContextManager,
-			LocalizationService localizationService) {
-		super(expressionEvaluatorType, securityContextManager, localizationService, prismContext);
-		this.outputDefinition = outputDefinition;
-		this.prismContext = prismContext;
-		this.protector = protector;
+	protected AbstractSearchExpressionEvaluator(QName elementName, SearchObjectExpressionEvaluatorType expressionEvaluatorType,
+			D outputDefinition, Protector protector, PrismContext prismContext,
+			ObjectResolver objectResolver, ModelService modelService, SecurityContextManager securityContextManager, LocalizationService localizationService) {
+		super(elementName, expressionEvaluatorType, outputDefinition, protector, prismContext, securityContextManager, localizationService);
 		this.objectResolver = objectResolver;
 		this.modelService = modelService;
 	}
 
-	public PrismContext getPrismContext() {
-		return prismContext;
-	}
-
-	public ItemDefinition getOutputDefinition() {
-		return outputDefinition;
-	}
-
-	public Protector getProtector() {
-		return protector;
-	}
-
-	public ObjectResolver getObjectResolver() {
+	protected ObjectResolver getObjectResolver() {
 		return objectResolver;
 	}
 
-	public ModelService getModelService() {
+	protected ModelService getModelService() {
 		return modelService;
 	}
 
@@ -177,7 +159,7 @@ protected List<V> transformSingleValue(ExpressionVariables variables, PlusMinusZ
 			if (LOGGER.isTraceEnabled()){
 				LOGGER.trace("XML query converted to: {}", query.debugDump());
 			}
-			query = ExpressionUtil.evaluateQueryExpressions(query, variables, context.getExpressionFactory(),
+			query = ExpressionUtil.evaluateQueryExpressions(query, variables, context.getExpressionProfile(), context.getExpressionFactory(),
 					prismContext, context.getContextDescription(), task, result);
 			if (LOGGER.isTraceEnabled()){
 				LOGGER.trace("Expression in query evaluated to: {}", query.debugDump());
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractValueTransformationExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractValueTransformationExpressionEvaluator.java
index 9ebc7ba6efd..eb74a2d8cbc 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractValueTransformationExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractValueTransformationExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,13 +22,17 @@
 
 import com.evolveum.midpoint.common.LocalizationService;
 import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.*;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.prism.util.ItemDeltaItem;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
 import com.evolveum.midpoint.repo.common.expression.*;
+import com.evolveum.midpoint.repo.common.expression.evaluator.AbstractExpressionEvaluator;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ExceptionUtil;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
@@ -52,29 +56,20 @@
  * @author Radovan Semancik
  */
 public abstract class AbstractValueTransformationExpressionEvaluator<V extends PrismValue, D extends ItemDefinition, E extends TransformExpressionEvaluatorType>
-						implements ExpressionEvaluator<V,D> {
+						extends AbstractExpressionEvaluator<V, D, E> {
 
-	protected SecurityContextManager securityContextManager;
-    protected LocalizationService localizationService;
-	protected PrismContext prismContext;
-
-	private E expressionEvaluatorType;
+	protected final SecurityContextManager securityContextManager;
+    protected final LocalizationService localizationService;
 
 	private static final Trace LOGGER = TraceManager.getTrace(AbstractValueTransformationExpressionEvaluator.class);
 
-    protected AbstractValueTransformationExpressionEvaluator(E expressionEvaluatorType,
-		    SecurityContextManager securityContextManager, LocalizationService localizationService,
-		    PrismContext prismContext) {
-    	this.expressionEvaluatorType = expressionEvaluatorType;
+    protected AbstractValueTransformationExpressionEvaluator(QName elementName, E expressionEvaluatorType, D outputDefinition, Protector protector, PrismContext prismContext,
+		    SecurityContextManager securityContextManager, LocalizationService localizationService) {
+    	super(elementName, expressionEvaluatorType, outputDefinition, protector, prismContext);
         this.securityContextManager = securityContextManager;
         this.localizationService = localizationService;
-        this.prismContext = prismContext;
     }
 
-    public E getExpressionEvaluatorType() {
-		return expressionEvaluatorType;
-	}
-
 	public LocalizationService getLocalizationService() {
 		return localizationService;
 	}
@@ -85,10 +80,11 @@ public LocalizationService getLocalizationService() {
 	@Override
 	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) throws SchemaException,
             ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+		checkEvaluatorProfile(context);
 
         PrismValueDeltaSetTriple<V> outputTriple;
 
-        if (expressionEvaluatorType.getRelativityMode() == TransformExpressionRelativityModeType.ABSOLUTE) {
+        if (getExpressionEvaluatorType().getRelativityMode() == TransformExpressionRelativityModeType.ABSOLUTE) {
 
         	outputTriple = evaluateAbsoluteExpression(context.getSources(), context.getVariables(), context,
         			context.getContextDescription(), context.getTask(), context.getResult());
@@ -96,7 +92,7 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
         		LOGGER.trace("Evaluated absolute expression {}, output triple:\n{}", context.getContextDescription(), outputTriple==null?null:outputTriple.debugDump(1));
         	}
 
-        } else if (expressionEvaluatorType.getRelativityMode() == null || expressionEvaluatorType.getRelativityMode() == TransformExpressionRelativityModeType.RELATIVE) {
+        } else if (getExpressionEvaluatorType().getRelativityMode() == null || getExpressionEvaluatorType().getRelativityMode() == TransformExpressionRelativityModeType.RELATIVE) {
 
         	if (context.getSources() == null || context.getSources().isEmpty()) {
         		// Special case. No sources, so there will be no input variables and no combinations. Everything goes to zero set.
@@ -111,7 +107,7 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
         	}
 
         } else {
-        	throw new IllegalArgumentException("Unknown relativity mode "+expressionEvaluatorType.getRelativityMode());
+        	throw new IllegalArgumentException("Unknown relativity mode "+getExpressionEvaluatorType().getRelativityMode());
         }
 
 
@@ -119,7 +115,7 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
     }
 
 	protected boolean isIncludeNullInputs() {
-		Boolean includeNullInputs = expressionEvaluatorType.isIncludeNullInputs();
+		Boolean includeNullInputs = getExpressionEvaluatorType().isIncludeNullInputs();
 		if (includeNullInputs == null) {
 			return true;
 		}
@@ -127,7 +123,7 @@ protected boolean isIncludeNullInputs() {
 	}
 
 	protected boolean isRelative() {
-		return expressionEvaluatorType.getRelativityMode() != TransformExpressionRelativityModeType.ABSOLUTE;
+		return getExpressionEvaluatorType().getRelativityMode() != TransformExpressionRelativityModeType.ABSOLUTE;
 	}
 
 	private List<SourceTriple<?,?>> processSources(Collection<Source<?,?>> sources,
@@ -222,8 +218,11 @@ private boolean hasDeltas(Collection<Source<?,?>> sources) {
 	}
 
 	private boolean hasDeltas(ExpressionVariables variables) {
-		for (Entry<QName,Object> entry: variables.entrySet()) {
-			Object value = entry.getValue();
+		for (Entry<String, TypedValue> entry: variables.entrySet()) {
+			if (entry.getValue() == null) {
+				continue;
+			}
+			Object value = entry.getValue().getValue();
 			if (value instanceof ObjectDeltaObject<?>) {
 				if (((ObjectDeltaObject<?>)value).getObjectDelta() != null && !((ObjectDeltaObject<?>)value).getObjectDelta().isEmpty()) {
 					return true;
@@ -252,7 +251,7 @@ private Collection<V> evaluateScriptExpression(Collection<Source<?,?>> sources,
 			// Add sources to variables
 			for (Source<?,?> source: sources) {
 				LOGGER.trace("source: {}", source);
-				QName name = source.getName();
+				String name = source.getName().getLocalPart();
 				if (name == null) {
 					if (sources.size() == 1) {
 						name = ExpressionConstants.VAR_INPUT;
@@ -267,7 +266,7 @@ private Collection<V> evaluateScriptExpression(Collection<Source<?,?>> sources,
 				} else {
 					value = getRealContent(source.getItemOld(), source.getResidualPath());
 				}
-				scriptVariables.addVariableDefinition(name, value);
+				scriptVariables.addVariableDefinition(name, value, source.getDefinition());
 			}
 		}
 
@@ -346,8 +345,8 @@ private PrismValueDeltaSetTriple<V> evaluateRelativeExpression(final List<Source
 		final PrismValueDeltaSetTriple<V> outputTriple = prismContext.deltaFactory().createPrismValueDeltaSetTriple();
 
 		Expression<PrismPropertyValue<Boolean>, PrismPropertyDefinition<Boolean>> conditionExpression;
-		if (expressionEvaluatorType.getCondition() != null) {
-			conditionExpression = ExpressionUtil.createCondition(expressionEvaluatorType.getCondition(),
+		if (getExpressionEvaluatorType().getCondition() != null) {
+			conditionExpression = ExpressionUtil.createCondition(getExpressionEvaluatorType().getCondition(), evaluationContext.getExpressionProfile(),
 					evaluationContext.getExpressionFactory(), "condition in " + contextDescription, task, result);
 		} else {
 			conditionExpression = null;
@@ -361,7 +360,7 @@ private PrismValueDeltaSetTriple<V> evaluateRelativeExpression(final List<Source
 				// The case that all the sources are null. There is no point executing the expression.
 				return;
 			}
-			Map<QName, Object> sourceVariables = new HashMap<>();
+			ExpressionVariables scriptVariables = new ExpressionVariables();
 			Iterator<SourceTriple<PrismValue,?>> sourceTriplesIterator = (Iterator)sourceTriples.iterator();
 			boolean hasMinus = false;
 			boolean hasZero = false;
@@ -374,8 +373,13 @@ private PrismValueDeltaSetTriple<V> evaluateRelativeExpression(final List<Source
 				// Therefore this strange construction will match the value with the source that it came from
 				// TODO: maybe refactor for readibility
 				SourceTriple<PrismValue,?> sourceTriple = sourceTriplesIterator.next();
-				QName name = sourceTriple.getName();
-				sourceVariables.put(name, getRealContent(pval, sourceTriple.getResidualPath()));
+				String name = sourceTriple.getName().getLocalPart();
+				ItemDefinition definition = sourceTriple.getSource().getDefinition();
+				if (definition == null) {
+					LOGGER.error("Source '{}' without a definition; came from a source triple: {}", name, sourceTriple);
+					throw new IllegalArgumentException("Source '"+name+"' without a definition");
+				}
+				scriptVariables.put(name, getRealContent(pval, sourceTriple.getResidualPath()), definition);
 				// Note: a value may be both in plus and minus sets, e.g. in case that the value is replaced
 				// with the same value. We pretend that this is the same as ADD case.
 				// TODO: maybe we will need better handling in the future. Maybe we would need
@@ -423,8 +427,6 @@ private PrismValueDeltaSetTriple<V> evaluateRelativeExpression(final List<Source
 				return;
 			}
 
-			ExpressionVariables scriptVariables = new ExpressionVariables();
-			scriptVariables.addVariableDefinitions(sourceVariables);
 			PlusMinusZero valueDestination;
 			boolean useNew = false;
 			if (hasPlus) {
@@ -462,30 +464,33 @@ private PrismValueDeltaSetTriple<V> evaluateRelativeExpression(final List<Source
 					scriptResults = Collections.emptyList();
 				}
 			} catch (ExpressionEvaluationException e) {
-				throw new TunnelException(
-						localizationService.translate(
-								new ExpressionEvaluationException(
-										e.getMessage() + "("+dumpSourceValues(sourceVariables)+") in "+contextDescription,
-										e,
-										ExceptionUtil.getUserFriendlyMessage(e))));
+				ExpressionEvaluationException exex = new ExpressionEvaluationException(
+						e.getMessage() + "("+scriptVariables.dumpSingleLine()+") in "+contextDescription,
+						e,
+						ExceptionUtil.getUserFriendlyMessage(e));
+				if (localizationService != null) {
+					localizationService.translate(exex);
+				}
+				throw new TunnelException(exex);
+						
 			} catch (ObjectNotFoundException e) {
 				throw new TunnelException(new ObjectNotFoundException(e.getMessage()+
-						"("+dumpSourceValues(sourceVariables)+") in "+contextDescription,e));
+						"("+scriptVariables.dumpSingleLine()+") in "+contextDescription,e));
 			} catch (SchemaException e) {
 				throw new TunnelException(new SchemaException(e.getMessage()+
-						"("+dumpSourceValues(sourceVariables)+") in "+contextDescription,e));
+						"("+scriptVariables.dumpSingleLine()+") in "+contextDescription,e));
 			} catch (RuntimeException e) {
 				throw new TunnelException(new RuntimeException(e.getMessage()+
-						"("+dumpSourceValues(sourceVariables)+") in "+contextDescription,e));
+						"("+scriptVariables.dumpSingleLine()+") in "+contextDescription,e));
 			} catch (CommunicationException e) {
 				throw new TunnelException(new CommunicationException(e.getMessage()+
-						"("+dumpSourceValues(sourceVariables)+") in "+contextDescription,e));
+						"("+scriptVariables.dumpSingleLine()+") in "+contextDescription,e));
 			} catch (ConfigurationException e) {
 				throw new TunnelException(new ConfigurationException(e.getMessage()+
-						"("+dumpSourceValues(sourceVariables)+") in "+contextDescription,e));
+						"("+scriptVariables.dumpSingleLine()+") in "+contextDescription,e));
 			} catch (SecurityViolationException e) {
 				throw new TunnelException(new SecurityViolationException(e.getMessage()+
-						"("+dumpSourceValues(sourceVariables)+") in "+contextDescription,e));
+						"("+scriptVariables.dumpSingleLine()+") in "+contextDescription,e));
 			}
 
 			if (LOGGER.isTraceEnabled()) {
@@ -561,17 +566,6 @@ private void cleanupTriple(PrismValueDeltaSetTriple<V> triple) {
 		}
 	}
 
-	private String dumpSourceValues(Map<QName, Object> variables) {
-		StringBuilder sb = new StringBuilder();
-		for (Entry<QName, Object> entry: variables.entrySet()) {
-			sb.append(PrettyPrinter.prettyPrint(entry.getKey()));
-			sb.append("=");
-			sb.append(PrettyPrinter.prettyPrint(entry.getValue()));
-			sb.append("; ");
-		}
-		return sb.toString();
-	}
-
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#shortDebugDump()
 	 */
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluator.java
index affcb9a02f1..f5ad9de97ec 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDeltaCollectionsUtil;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -48,11 +49,10 @@ public class AssignmentTargetSearchExpressionEvaluator
 
 	private static final Trace LOGGER = TraceManager.getTrace(AssignmentTargetSearchExpressionEvaluator.class);
 
-	public AssignmentTargetSearchExpressionEvaluator(AssignmentTargetSearchExpressionEvaluatorType expressionEvaluatorType,
-			PrismContainerDefinition<AssignmentType> outputDefinition, Protector protector, ObjectResolver objectResolver,
-			ModelService modelService, PrismContext prismContext, SecurityContextManager securityContextManager,
-			LocalizationService localizationService) {
-		super(expressionEvaluatorType, outputDefinition, protector, objectResolver, modelService, prismContext, securityContextManager, localizationService);
+	public AssignmentTargetSearchExpressionEvaluator(QName elementName, AssignmentTargetSearchExpressionEvaluatorType expressionEvaluatorType,
+			PrismContainerDefinition<AssignmentType> outputDefinition, Protector protector, PrismContext prismContext,
+			ObjectResolver objectResolver, ModelService modelService, SecurityContextManager securityContextManager, LocalizationService localizationService) {
+		super(elementName, expressionEvaluatorType, outputDefinition, protector, prismContext, objectResolver, modelService, securityContextManager, localizationService);
 	}
 
 	protected PrismContainerValue<AssignmentType> createPrismValue(String oid, QName targetTypeQName, List<ItemDelta<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>>> additionalAttributeDeltas, ExpressionEvaluationContext params) {
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluatorFactory.java
index 0d47d31dbb7..4cf277f31fc 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssignmentTargetSearchExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2017 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
@@ -44,6 +45,8 @@
  *
  */
 public class AssignmentTargetSearchExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createAssignmentTargetSearch(new AssignmentTargetSearchExpressionEvaluatorType()).getName();
 
 	private final PrismContext prismContext;
 	private final Protector protector;
@@ -64,15 +67,19 @@ public AssignmentTargetSearchExpressionEvaluatorFactory(ExpressionFactory expres
 	 */
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createAssignmentTargetSearch(new AssignmentTargetSearchExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition, 
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for assignmentTargetSearch expression evaluator");
 
@@ -91,8 +98,8 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
         if (evaluatorTypeObject != null && !(evaluatorTypeObject instanceof AssignmentTargetSearchExpressionEvaluatorType)) {
             throw new SchemaException("assignment expression evaluator cannot handle elements of type " + evaluatorTypeObject.getClass().getName()+" in "+contextDescription);
         }
-        AssignmentTargetSearchExpressionEvaluator expressionEvaluator = new AssignmentTargetSearchExpressionEvaluator((AssignmentTargetSearchExpressionEvaluatorType)evaluatorTypeObject,
-        		(PrismContainerDefinition<AssignmentType>) outputDefinition, protector, getObjectResolver(), modelService, prismContext, securityContextManager, getLocalizationService());
+        AssignmentTargetSearchExpressionEvaluator expressionEvaluator = new AssignmentTargetSearchExpressionEvaluator(ELEMENT_NAME, (AssignmentTargetSearchExpressionEvaluatorType)evaluatorTypeObject,
+        		(PrismContainerDefinition<AssignmentType>) outputDefinition, protector, prismContext, getObjectResolver(), modelService, securityContextManager, getLocalizationService());
         return (ExpressionEvaluator<V,D>) expressionEvaluator;
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluator.java
index 91032fbbf15..5e2a1c8a217 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2018 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.ItemDeltaUtil;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
@@ -36,10 +37,12 @@
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
+import com.evolveum.midpoint.repo.common.expression.evaluator.AbstractExpressionEvaluator;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.processor.ObjectFactory;
 import com.evolveum.midpoint.schema.processor.ResourceAttribute;
 import com.evolveum.midpoint.schema.processor.ResourceAttributeContainer;
@@ -64,43 +67,40 @@
  * @author Radovan Semancik
  *
  */
-public class AssociationFromLinkExpressionEvaluator
-						implements ExpressionEvaluator<PrismContainerValue<ShadowAssociationType>,
-						                               PrismContainerDefinition<ShadowAssociationType>> {
+public class AssociationFromLinkExpressionEvaluator 
+	extends AbstractExpressionEvaluator<PrismContainerValue<ShadowAssociationType>,PrismContainerDefinition<ShadowAssociationType>, AssociationFromLinkExpressionEvaluatorType> {
 
 	private static final Trace LOGGER = TraceManager.getTrace(AssociationFromLinkExpressionEvaluator.class);
 
-	private AssociationFromLinkExpressionEvaluatorType evaluatorType;
-	private PrismContainerDefinition<ShadowAssociationType> outputDefinition;
 	private ObjectResolver objectResolver;
-	private PrismContext prismContext;
 
-	AssociationFromLinkExpressionEvaluator(AssociationFromLinkExpressionEvaluatorType evaluatorType,
-			PrismContainerDefinition<ShadowAssociationType> outputDefinition, ObjectResolver objectResolver, PrismContext prismContext) {
-		this.evaluatorType = evaluatorType;
-		this.outputDefinition = outputDefinition;
+	AssociationFromLinkExpressionEvaluator(QName elementName, AssociationFromLinkExpressionEvaluatorType evaluatorType,
+			PrismContainerDefinition<ShadowAssociationType> outputDefinition, Protector protector, PrismContext prismContext, ObjectResolver objectResolver) {
+		super(elementName, evaluatorType, outputDefinition, protector, prismContext);
 		this.objectResolver = objectResolver;
-		this.prismContext = prismContext;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#evaluate(java.util.Collection, java.util.Map, boolean, java.lang.String, com.evolveum.midpoint.schema.result.OperationResult)
 	 */
 	@Override
-	public PrismValueDeltaSetTriple<PrismContainerValue<ShadowAssociationType>> evaluate(ExpressionEvaluationContext context) throws SchemaException,
-			ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+	public PrismValueDeltaSetTriple<PrismContainerValue<ShadowAssociationType>> evaluate(ExpressionEvaluationContext context) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+		checkEvaluatorProfile(context);
 
 		String desc = context.getContextDescription();
 		
 		AbstractRoleType thisRole;
 		
-		Integer assignmentPathIndex = evaluatorType.getAssignmentPathIndex();
+		Integer assignmentPathIndex = getExpressionEvaluatorType().getAssignmentPathIndex();
 		if (assignmentPathIndex == null) {
 			// Legacy ... or default in simple cases
-			Object orderOneObject = context.getVariables().get(ExpressionConstants.VAR_ORDER_ONE_OBJECT);
-			if (orderOneObject == null) {
+			@SuppressWarnings("unchecked")
+			TypedValue<AbstractRoleType> orderOneObjectTypedValue = context.getVariables().get(ExpressionConstants.VAR_ORDER_ONE_OBJECT);
+			if (orderOneObjectTypedValue == null || orderOneObjectTypedValue.getValue() == null) {
 				throw new ExpressionEvaluationException("No order one object variable in "+desc+"; the expression may be used in a wrong place. It is only supposed to work in a role.");
 			}
+			Object orderOneObject = orderOneObjectTypedValue.getValue();
 			if (!(orderOneObject instanceof AbstractRoleType)) {
 				throw new ExpressionEvaluationException("Order one object variable in "+desc+" is not a role, it is "+orderOneObject.getClass().getName()
 						+"; the expression may be used in a wrong place. It is only supposed to work in a role.");
@@ -110,16 +110,18 @@ public PrismValueDeltaSetTriple<PrismContainerValue<ShadowAssociationType>> eval
 			
 		} else {
 			
-			AssignmentPath assignmentPath = (AssignmentPath) context.getVariables().get(ExpressionConstants.VAR_ASSIGNMENT_PATH);
-			if (assignmentPath == null) {
+			@SuppressWarnings("unchecked")
+			TypedValue<AssignmentPath> assignmentPathTypedValue = context.getVariables().get(ExpressionConstants.VAR_ASSIGNMENT_PATH);
+			if (assignmentPathTypedValue == null || assignmentPathTypedValue.getValue() == null) {
 				throw new ExpressionEvaluationException("No assignment path variable in "+desc+"; the expression may be used in a wrong place. It is only supposed to work in a role.");
 			}
 			
+			AssignmentPath assignmentPath = (AssignmentPath) assignmentPathTypedValue.getValue();
 			if (assignmentPath.isEmpty()) {
 				throw new ExpressionEvaluationException("Empty assignment path variable in "+desc+"; the expression may be used in a wrong place. It is only supposed to work in a role.");
 			}
 
-			LOGGER.trace("ASSPATH {}:\n{}", evaluatorType.getDescription(), assignmentPath.debugDumpLazily(1));
+			LOGGER.trace("assignmentPath {}:\n{}", getExpressionEvaluatorType().getDescription(), assignmentPath.debugDumpLazily(1));
 			
 			AssignmentPathSegment segment;
 			try {
@@ -131,16 +133,17 @@ public PrismValueDeltaSetTriple<PrismContainerValue<ShadowAssociationType>> eval
 			thisRole = (AbstractRoleType) segment.getSource();
 		}
 		
-		LOGGER.trace("thisRole {}: {}", evaluatorType.getDescription(), thisRole);
+		LOGGER.trace("thisRole {}: {}", getExpressionEvaluatorType().getDescription(), thisRole);
 
 		LOGGER.trace("Evaluating association from link on: {}", thisRole);
 
-		RefinedObjectClassDefinition rAssocTargetDef = (RefinedObjectClassDefinition) context.getVariables().get(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION);
-		if (rAssocTargetDef == null) {
+		TypedValue<RefinedObjectClassDefinition> rAssocTargetDefTypedValue = context.getVariables().get(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION);
+		if (rAssocTargetDefTypedValue == null || rAssocTargetDefTypedValue.getValue() == null) {
 			throw new ExpressionEvaluationException("No association target object class definition variable in "+desc+"; the expression may be used in a wrong place. It is only supposed to create an association.");
 		}
+		RefinedObjectClassDefinition rAssocTargetDef = (RefinedObjectClassDefinition) rAssocTargetDefTypedValue.getValue();
 
-		ShadowDiscriminatorType projectionDiscriminator = evaluatorType.getProjectionDiscriminator();
+		ShadowDiscriminatorType projectionDiscriminator = getExpressionEvaluatorType().getProjectionDiscriminator();
 		if (projectionDiscriminator == null) {
 			throw new ExpressionEvaluationException("No projectionDiscriminator in "+desc);
 		}
@@ -240,7 +243,7 @@ private void gatherCandidateShadowsFromAbstractRoleRecurse(OrgType thisOrg,
 	}
 
 	private boolean matchesForRecursion(OrgType thisOrg) {
-		for (String recurseUpOrgType: evaluatorType.getRecurseUpOrgType()) {
+		for (String recurseUpOrgType: getExpressionEvaluatorType().getRecurseUpOrgType()) {
 			if (FocusTypeUtil.determineSubTypes(thisOrg).contains(recurseUpOrgType)) {
 				return true;
 			}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluatorFactory.java
index 7b5ad9f66d7..760b6a19e0f 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationFromLinkExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2017 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -42,6 +43,8 @@
  *
  */
 public class AssociationFromLinkExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createAssociationFromLink(new AssociationFromLinkExpressionEvaluatorType()).getName();
 
 	private final PrismContext prismContext;
 	private final Protector protector;
@@ -60,15 +63,19 @@ public AssociationFromLinkExpressionEvaluatorFactory(ExpressionFactory expressio
 	 */
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createAssociationFromLink(new AssociationFromLinkExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for associationFromLink expression evaluator");
 
@@ -87,9 +94,9 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
         if (evaluatorTypeObject != null && !(evaluatorTypeObject instanceof AssociationFromLinkExpressionEvaluatorType)) {
             throw new SchemaException("Association expression evaluator cannot handle elements of type " + evaluatorTypeObject.getClass().getName()+" in "+contextDescription);
         }
-        AssociationFromLinkExpressionEvaluator evaluator = new AssociationFromLinkExpressionEvaluator(
+        AssociationFromLinkExpressionEvaluator evaluator = new AssociationFromLinkExpressionEvaluator(ELEMENT_NAME,
         		(AssociationFromLinkExpressionEvaluatorType)evaluatorTypeObject,
-        		(PrismContainerDefinition<ShadowAssociationType>) outputDefinition, getObjectResolver(), prismContext);
+        		(PrismContainerDefinition<ShadowAssociationType>) outputDefinition, protector, prismContext, getObjectResolver());
         return (ExpressionEvaluator<V,D>) evaluator;
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluator.java
index 41655f8d5e3..64aec75f5af 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,8 @@
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
@@ -60,12 +62,11 @@ public class AssociationTargetSearchExpressionEvaluator
 
 	private static final Trace LOGGER = TraceManager.getTrace(AssociationTargetSearchExpressionEvaluator.class);
 
-	public AssociationTargetSearchExpressionEvaluator(SearchObjectExpressionEvaluatorType expressionEvaluatorType,
-			PrismContainerDefinition<ShadowAssociationType> outputDefinition, Protector protector, ObjectResolver objectResolver,
-			ModelService modelService, PrismContext prismContext, SecurityContextManager securityContextManager,
+	public AssociationTargetSearchExpressionEvaluator(QName elementName, SearchObjectExpressionEvaluatorType expressionEvaluatorType,
+			PrismContainerDefinition<ShadowAssociationType> outputDefinition, Protector protector, PrismContext prismContext, ObjectResolver objectResolver,
+			ModelService modelService, SecurityContextManager securityContextManager,
 			LocalizationService localizationService) {
-		super(expressionEvaluatorType, outputDefinition, protector, objectResolver, modelService, prismContext,
-				securityContextManager, localizationService);
+		super(elementName, expressionEvaluatorType, outputDefinition, protector, prismContext, objectResolver, modelService, securityContextManager, localizationService);
 	}
 
 	@Override
@@ -75,11 +76,13 @@ protected AbstractSearchExpressionEvaluatorCache getCache() {
 
 	@Override
 	protected ObjectQuery extendQuery(ObjectQuery query, ExpressionEvaluationContext params) throws SchemaException, ExpressionEvaluationException {
-		RefinedObjectClassDefinition rAssocTargetDef = (RefinedObjectClassDefinition) params.getVariables().get(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION);
-		if (rAssocTargetDef == null) {
+		@SuppressWarnings("unchecked")
+		TypedValue<RefinedObjectClassDefinition> rAssocTargetDefTypedValue = params.getVariables().get(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION);
+		if (rAssocTargetDefTypedValue == null || rAssocTargetDefTypedValue.getValue() == null) {
 			throw new ExpressionEvaluationException("No association target object class definition variable in "+
 					params.getContextDescription()+"; the expression may be used in a wrong place. It is only supposed to create an association.");
 		}
+		RefinedObjectClassDefinition rAssocTargetDef = (RefinedObjectClassDefinition) rAssocTargetDefTypedValue.getValue();
 		ObjectFilter resourceFilter = ObjectQueryUtil.createResourceFilter(rAssocTargetDef.getResourceOid(), getPrismContext());
 		ObjectFilter objectClassFilter = ObjectQueryUtil.createObjectClassFilter(rAssocTargetDef.getObjectClassDefinition().getTypeName(),
 				getPrismContext());
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluatorFactory.java
index b1af100816d..eb0334b1fcf 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AssociationTargetSearchExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2017 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
@@ -44,6 +45,8 @@
  *
  */
 public class AssociationTargetSearchExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createAssociationTargetSearch(new SearchObjectExpressionEvaluatorType()).getName();
 
 	private final PrismContext prismContext;
 	private final Protector protector;
@@ -63,15 +66,19 @@ public AssociationTargetSearchExpressionEvaluatorFactory(ExpressionFactory expre
 	 */
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createAssociationTargetSearch(new SearchObjectExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for associationTargetSearch expression evaluator");
 
@@ -90,8 +97,8 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
         if (evaluatorTypeObject != null && !(evaluatorTypeObject instanceof SearchObjectExpressionEvaluatorType)) {
             throw new SchemaException("Association expression evaluator cannot handle elements of type " + evaluatorTypeObject.getClass().getName()+" in "+contextDescription);
         }
-        AssociationTargetSearchExpressionEvaluator evaluator = new AssociationTargetSearchExpressionEvaluator((SearchObjectExpressionEvaluatorType)evaluatorTypeObject,
-        		(PrismContainerDefinition<ShadowAssociationType>) outputDefinition, protector, getObjectResolver(), modelService, prismContext, securityContextManager, getLocalizationService());
+        AssociationTargetSearchExpressionEvaluator evaluator = new AssociationTargetSearchExpressionEvaluator(ELEMENT_NAME, (SearchObjectExpressionEvaluatorType)evaluatorTypeObject,
+        		(PrismContainerDefinition<ShadowAssociationType>) outputDefinition, protector, prismContext, getObjectResolver(), modelService, securityContextManager, getLocalizationService());
         return (ExpressionEvaluator<V,D>) evaluator;
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluator.java
index 8a0ed6478ab..b227d3dfb39 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 Evolveum
+ * Copyright (c) 2017-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,8 @@
  */
 package com.evolveum.midpoint.model.common.expression.evaluator;
 
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.model.common.ConstantsManager;
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.crypto.Protector;
@@ -23,31 +25,25 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
+import com.evolveum.midpoint.repo.common.expression.evaluator.AbstractExpressionEvaluator;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConstExpressionEvaluatorType;
 
 /**
  * @author semancik
  *
  */
-public class ConstExpressionEvaluator<V extends PrismValue, D extends ItemDefinition>
-		implements ExpressionEvaluator<V, D> {
+public class ConstExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> extends AbstractExpressionEvaluator<V, D, ConstExpressionEvaluatorType> {
 
-	private ConstExpressionEvaluatorType constEvaluatorType;
-	private D outputDefinition;
-	private Protector protector;
 	private ConstantsManager constantsManager;
-	private PrismContext prismContext;
 
-	ConstExpressionEvaluator(ConstExpressionEvaluatorType evaluatorType, D outputDefinition,
+	ConstExpressionEvaluator(QName elementName, ConstExpressionEvaluatorType evaluatorType, D outputDefinition,
 			Protector protector, ConstantsManager constantsManager, PrismContext prismContext) {
-		this.constEvaluatorType = evaluatorType;
-		this.outputDefinition = outputDefinition;
-		this.protector = protector;
+		super(elementName, evaluatorType, outputDefinition, protector, prismContext);
 		this.constantsManager = constantsManager;
-		this.prismContext = prismContext;
 	}
 
 	/*
@@ -60,9 +56,10 @@ public class ConstExpressionEvaluator<V extends PrismValue, D extends ItemDefini
 	 */
 	@Override
 	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
-			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException {
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, SecurityViolationException {
+		checkEvaluatorProfile(context);
 
-		String constName = constEvaluatorType.getValue();
+		String constName = getExpressionEvaluatorType().getValue();
 		String stringValue = constantsManager.getConstantValue(constName);
 
 		Item<V, D> output = outputDefinition.instantiate();
@@ -87,7 +84,7 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 	 */
 	@Override
 	public String shortDebugDump() {
-		return "const:"+constEvaluatorType.getValue();
+		return "const:"+getExpressionEvaluatorType().getValue();
 	}
 
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluatorFactory.java
index 26e64220203..60035ff2c44 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ConstExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractAutowiredExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
@@ -45,6 +46,8 @@
  */
 @Component
 public class ConstExpressionEvaluatorFactory extends AbstractAutowiredExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createConst(new ConstExpressionEvaluatorType()).getName();
 
 	@Autowired private Protector protector;
 	@Autowired private ConstantsManager constantsManager;
@@ -66,15 +69,19 @@ public ConstExpressionEvaluatorFactory(Protector protector, ConstantsManager con
 
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createConst(new ConstExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement, com.evolveum.midpoint.prism.PrismContext)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result)
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for 'generate' expression evaluator");
@@ -92,7 +99,7 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
 		        		+ evaluatorElementObject.getClass().getName()+" in "+contextDescription);
 		}
 
-		return new ConstExpressionEvaluator<>((ConstExpressionEvaluatorType) evaluatorElementObject, outputDefinition, protector, constantsManager, prismContext);
+		return new ConstExpressionEvaluator<>(ELEMENT_NAME, (ConstExpressionEvaluatorType) evaluatorElementObject, outputDefinition, protector, constantsManager, prismContext);
 	}
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluator.java
index 27a0b67ec8d..a132b7dc738 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,8 +35,11 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.repo.common.expression.evaluator.AbstractExpressionEvaluator;
 import com.evolveum.midpoint.schema.SchemaConstantsGenerated;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
@@ -57,24 +60,16 @@
  * @author katkav
  * @author semancik
  */
-public class FunctionExpressionEvaluator<V extends PrismValue, D extends ItemDefinition>
-		implements ExpressionEvaluator<V, D> {
+public class FunctionExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> extends AbstractExpressionEvaluator<V, D, FunctionExpressionEvaluatorType> {
 	
 	private static final transient Trace LOGGER = TraceManager.getTrace(FunctionExpressionEvaluator.class); 
 
-	private FunctionExpressionEvaluatorType functionEvaluatorType;
-	private D outputDefinition;
-	private Protector protector;
-	private PrismContext prismContext;
 	private ObjectResolver objectResolver;
 
-	FunctionExpressionEvaluator(FunctionExpressionEvaluatorType generateEvaluatorType, D outputDefinition,
+	FunctionExpressionEvaluator(QName elementName, FunctionExpressionEvaluatorType functionEvaluatorType, D outputDefinition,
 			Protector protector, ObjectResolver objectResolver, PrismContext prismContext) {
-		this.functionEvaluatorType = generateEvaluatorType;
-		this.outputDefinition = outputDefinition;
-		this.protector = protector;
+		super(elementName, functionEvaluatorType, outputDefinition, protector, prismContext);
 		this.objectResolver = objectResolver;
-		this.prismContext = prismContext;
 	}
 
 
@@ -89,14 +84,14 @@ public class FunctionExpressionEvaluator<V extends PrismValue, D extends ItemDef
 	@Override
 	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) 
 			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
-
+		checkEvaluatorProfile(context);
 
 		List<ExpressionType> expressions;
 
-		ObjectReferenceType functionLibraryRef = functionEvaluatorType.getLibraryRef();
+		ObjectReferenceType functionLibraryRef = getExpressionEvaluatorType().getLibraryRef();
 		
 		if (functionLibraryRef == null) {
-			throw new SchemaException("No functions library defined");
+			throw new SchemaException("No functions library defined in "+context.getContextDescription());
 		}
 		
 		OperationResult result = context.getResult().createMinorSubresult(FunctionExpressionEvaluator.class.getSimpleName() + ".resolveFunctionLibrary");
@@ -107,14 +102,16 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 				expressions = functionLibraryType.getFunction();
 	    
 		if (CollectionUtils.isEmpty(expressions)) {
-			throw new ObjectNotFoundException("No functions defined in referenced function library: " + functionLibraryType);
+			throw new ObjectNotFoundException("No functions defined in referenced function library: " + functionLibraryType + " used in "+context.getContextDescription());
 		}
 
+		// TODO: this has to be determined from the library archetype
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
 		
-		String functionName = functionEvaluatorType.getName();
+		String functionName = getExpressionEvaluatorType().getName();
 		
 		if (StringUtils.isEmpty(functionName)) {
-			throw new SchemaException("Missing function name in " + functionEvaluatorType);
+			throw new SchemaException("Missing function name in " + shortDebugDump() + " in "+context.getContextDescription());
 		}
 		
 		List<ExpressionType> filteredExpressions = expressions.stream().filter(expression -> functionName.equals(expression.getName())).collect(Collectors.toList());
@@ -124,7 +121,8 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 				possibleFunctions += expression.getName() + ", ";
 			}
 			possibleFunctions = possibleFunctions.substring(0, possibleFunctions.lastIndexOf(","));
-			throw new ObjectNotFoundException("No function with name " + functionName + " found in " + functionEvaluatorType + ". Function defined are: " + possibleFunctions);
+			throw new ObjectNotFoundException("No function with name " + functionName + " found in " + shortDebugDump() 
+			+ ". Function defined are: " + possibleFunctions + ". In "+context.getContextDescription());
 		}
 		
 		ExpressionType functionToExecute = determineFunctionToExecute(filteredExpressions);
@@ -132,9 +130,10 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 		OperationResult functionExpressionResult = result.createMinorSubresult(FunctionExpressionEvaluator.class.getSimpleName() + ".makeExpression");
 		ExpressionFactory factory = context.getExpressionFactory();
 		
+		// TODO: expression profile should be determined from the function library archetype
 		Expression<V, D> expression;
 		try {
-			expression = factory.makeExpression(functionToExecute, outputDefinition, "function execution", task, functionExpressionResult);
+			expression = factory.makeExpression(functionToExecute, outputDefinition, MiscSchemaUtil.getExpressionProfile(), "function execution", task, functionExpressionResult);
 			functionExpressionResult.recordSuccess();
 		} catch (SchemaException | ObjectNotFoundException e) {
 			functionExpressionResult.recordFatalError("Cannot make expression for " + functionToExecute + ". Reason: " + e.getMessage(), e);
@@ -146,13 +145,13 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 		ExpressionEvaluationContext functionContext = context.shallowClone();
 		ExpressionVariables functionVariables = new ExpressionVariables();
 		
-		for (ExpressionParameterType param : functionEvaluatorType.getParameter()) {
+		for (ExpressionParameterType param : getExpressionEvaluatorType().getParameter()) {
 			ExpressionType valueExpression = param.getExpression();
 			OperationResult variableResult = result.createMinorSubresult(FunctionExpressionEvaluator.class.getSimpleName() + ".resolveVariable");
 			try {
 				variableResult.addArbitraryObjectAsParam("valueExpression", valueExpression);
 				D variableOutputDefinition = determineVariableOutputDefinition(functionToExecute, param.getName(), context);
-				ExpressionUtil.evaluateExpression(originVariables, variableOutputDefinition, valueExpression, context.getExpressionFactory(), "resolve variable", task, variableResult);
+				ExpressionUtil.evaluateExpression(originVariables, variableOutputDefinition, valueExpression, expressionProfile, context.getExpressionFactory(), "resolve variable", task, variableResult);
 				variableResult.recordSuccess();
 			} catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException | CommunicationException
 					| ConfigurationException | SecurityViolationException e) {
@@ -172,7 +171,7 @@ private ExpressionType determineFunctionToExecute(List<ExpressionType> filteredE
 			return filteredExpressions.iterator().next();
 		}
 		
-		List<ExpressionParameterType> functionParams = functionEvaluatorType.getParameter();
+		List<ExpressionParameterType> functionParams = getExpressionEvaluatorType().getParameter();
 		
 		for (ExpressionType filteredExpression : filteredExpressions) {
 			List<ExpressionParameterType> filteredExpressionParameters = filteredExpression.getParameter();
@@ -235,21 +234,6 @@ private D determineVariableOutputDefinition(ExpressionType functionToExecute, St
 		
 	
 	}
-	
-//	private D determineParamDefinitionFromSource(Collection<Source<?,?>> sources, String paramName) throws SchemaException {
-//		List<Source<?,?>> sourceParam = sources.stream().filter(s -> QNameUtil.match(s.getName(), new QName(paramName))).collect(Collectors.toList());
-//		
-//		if (sourceParam.size() == 0) {
-//			throw new SchemaException("Cannot find variable definition with name: " + paramName);
-//		}
-//		
-//		if (sourceParam.size() > 1) {
-//			throw new SchemaException("Found more than one variable with name: " + paramName);
-//		}
-//		
-//		Source<?,?> source = sourceParam.iterator().next();
-//		return (D) source.getDefinition();
-//	}
 
 	/*
 	 * (non-Javadoc)
@@ -259,7 +243,7 @@ private D determineVariableOutputDefinition(ExpressionType functionToExecute, St
 	 */
 	@Override
 	public String shortDebugDump() {
-		return "function: " + functionEvaluatorType.getName();
+		return "function: " + getExpressionEvaluatorType().getName();
 	}
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluatorFactory.java
index bd2b1039e75..cf522bd2ca4 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/FunctionExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -43,6 +44,8 @@
  *
  */
 public class FunctionExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createFunction(new FunctionExpressionEvaluatorType()).getName();
 
 	private final Protector protector;
 	private final PrismContext prismContext;
@@ -55,15 +58,19 @@ public FunctionExpressionEvaluatorFactory(ExpressionFactory expressionFactory, P
 	
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createFunction(new FunctionExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement, com.evolveum.midpoint.prism.PrismContext)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result)
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory, 
+			String contextDescription, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for 'generate' expression evaluator");
@@ -83,7 +90,7 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
 
         FunctionExpressionEvaluatorType functionEvaluatorType = (FunctionExpressionEvaluatorType)evaluatorTypeObject;
 
-		return new FunctionExpressionEvaluator(functionEvaluatorType, outputDefinition, protector, getObjectResolver(), prismContext);
+		return new FunctionExpressionEvaluator(ELEMENT_NAME, functionEvaluatorType, outputDefinition, protector, getObjectResolver(), prismContext);
 	}
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluator.java
index 23b1b2debe8..9dbf8cf5db2 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@
 
 import java.util.UUID;
 
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.model.common.stringpolicy.AbstractValuePolicyOriginResolver;
 import com.evolveum.midpoint.model.common.stringpolicy.ShadowValuePolicyOriginResolver;
 import com.evolveum.midpoint.model.common.stringpolicy.UserValuePolicyOriginResolver;
@@ -31,6 +33,7 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.repo.common.expression.ValuePolicyResolver;
+import com.evolveum.midpoint.repo.common.expression.evaluator.AbstractExpressionEvaluator;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.util.RandomString;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -52,27 +55,19 @@
  * @author semancik
  *
  */
-public class GenerateExpressionEvaluator<V extends PrismValue, D extends ItemDefinition>
-		implements ExpressionEvaluator<V, D> {
+public class GenerateExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> extends AbstractExpressionEvaluator<V, D, GenerateExpressionEvaluatorType> {
 
 	public static final int DEFAULT_LENGTH = 8;
 
-	private GenerateExpressionEvaluatorType generateEvaluatorType;
-	private D outputDefinition;
-	private Protector protector;
-	private PrismContext prismContext;
 	private ObjectResolver objectResolver;
 	private ValuePolicyProcessor valuePolicyGenerator;
 	private ValuePolicyType elementValuePolicy;
 
-	GenerateExpressionEvaluator(GenerateExpressionEvaluatorType generateEvaluatorType, D outputDefinition,
+	GenerateExpressionEvaluator(QName elementName, GenerateExpressionEvaluatorType generateEvaluatorType, D outputDefinition,
 			Protector protector, ObjectResolver objectResolver, ValuePolicyProcessor valuePolicyGenerator, PrismContext prismContext) {
-		this.generateEvaluatorType = generateEvaluatorType;
-		this.outputDefinition = outputDefinition;
-		this.protector = protector;
+		super(elementName, generateEvaluatorType, outputDefinition, protector, prismContext);
 		this.objectResolver = objectResolver;
 		this.valuePolicyGenerator = valuePolicyGenerator;
-		this.prismContext = prismContext;
 	}
 
 	private boolean isNotEmptyMinLength(ValuePolicyType policy) {
@@ -101,13 +96,14 @@ private boolean isNotEmptyMinLength(ValuePolicyType policy) {
 	@Override
 	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+		checkEvaluatorProfile(context);
 
 		ValuePolicyType valuePolicyType = null;
 
 
-		ObjectReferenceType generateEvaluatorValuePolicyRef = generateEvaluatorType.getValuePolicyRef();
+		ObjectReferenceType generateEvaluatorValuePolicyRef = getExpressionEvaluatorType().getValuePolicyRef();
 		if (generateEvaluatorValuePolicyRef != null) {
-			if (generateEvaluatorType.getValuePolicyRef() != null) {
+			if (getExpressionEvaluatorType().getValuePolicyRef() != null) {
 	        	ValuePolicyType resolvedValuePolicyType = objectResolver.resolve(generateEvaluatorValuePolicyRef, ValuePolicyType.class,
 	        			null, "resolving value policy reference in generateExpressionEvaluator", context.getTask(), context.getResult());
 	        	valuePolicyType = resolvedValuePolicyType;
@@ -134,7 +130,7 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 
 		//
 		String stringValue = null;
-		GenerateExpressionEvaluatorModeType mode = generateEvaluatorType.getMode();
+		GenerateExpressionEvaluatorModeType mode = getExpressionEvaluatorType().getMode();
 		Item<V, D> output = outputDefinition.instantiate();
 		if (mode == null || mode == GenerateExpressionEvaluatorModeType.POLICY) {
 
@@ -190,11 +186,11 @@ private <O extends ObjectType> AbstractValuePolicyOriginResolver<O> getOriginRes
 		if (variables == null) {
 			return null;
 		}
-		PrismObject<O> object = variables.getObjectNew(ExpressionConstants.VAR_PROJECTION);
+		PrismObject<O> object = variables.getValueNew(ExpressionConstants.VAR_PROJECTION);
 		if (object != null) {
 			return (AbstractValuePolicyOriginResolver<O>) new ShadowValuePolicyOriginResolver((PrismObject<ShadowType>) object, objectResolver);
 		}
-		object = variables.getObjectNew(ExpressionConstants.VAR_FOCUS);
+		object = variables.getValueNew(ExpressionConstants.VAR_FOCUS);
 		return (AbstractValuePolicyOriginResolver<O>) new UserValuePolicyOriginResolver((PrismObject<UserType>) object, objectResolver);
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluatorFactory.java
index aad813214ff..e3db86d039d 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/GenerateExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -44,6 +45,8 @@
  *
  */
 public class GenerateExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createGenerate(new GenerateExpressionEvaluatorType()).getName();
 
 	private final Protector protector;
 	private final PrismContext prismContext;
@@ -58,15 +61,19 @@ public GenerateExpressionEvaluatorFactory(ExpressionFactory expressionFactory, P
 	
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createGenerate(new GenerateExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement, com.evolveum.midpoint.prism.PrismContext)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result)
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition, 
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for 'generate' expression evaluator");
@@ -86,7 +93,7 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
 
         GenerateExpressionEvaluatorType generateEvaluatorType = (GenerateExpressionEvaluatorType)evaluatorTypeObject;
 
-		return new GenerateExpressionEvaluator<>(generateEvaluatorType, outputDefinition, protector, getObjectResolver(), valuePolicyGenerator, prismContext);
+		return new GenerateExpressionEvaluator<>(ELEMENT_NAME, generateEvaluatorType, outputDefinition, protector, getObjectResolver(), valuePolicyGenerator, prismContext);
 	}
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluator.java
index ebf68b425f8..a1e57532a74 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,24 +36,29 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.Source;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 
 /**
  * @author Radovan Semancik
  */
 public class PathExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> implements ExpressionEvaluator<V,D> {
 
-	private ItemPath path;
-	private ObjectResolver objectResolver;
-	private PrismContext prismContext;
-	private D outputDefinition;
-	private Protector protector;
+	private final QName elementName;
+	private final ItemPath path;
+	private final ObjectResolver objectResolver;
+	private final PrismContext prismContext;
+	private final D outputDefinition;
+	private final Protector protector;
+	
 
-    public PathExpressionEvaluator(ItemPath path, ObjectResolver objectResolver,
+    public PathExpressionEvaluator(QName elementName, ItemPath path, ObjectResolver objectResolver,
     		D outputDefinition, Protector protector, PrismContext prismContext) {
+    	this.elementName = elementName;
     	this.path = path;
 		this.objectResolver = objectResolver;
 		this.outputDefinition = outputDefinition;
@@ -61,12 +66,18 @@ public PathExpressionEvaluator(ItemPath path, ObjectResolver objectResolver,
 		this.protector = protector;
 	}
 
+    @Override
+	public QName getElementName() {
+		return elementName;
+	}
+    
     /* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#evaluate(java.util.Collection, java.util.Map, boolean, java.lang.String, com.evolveum.midpoint.schema.result.OperationResult)
 	 */
 	@Override
-	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) throws SchemaException,
-			ExpressionEvaluationException, ObjectNotFoundException {
+	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, SecurityViolationException {
+		ExpressionUtil.checkEvaluatorProfileSimple(this, context);
 
 		ItemDeltaItem<?,?> resolveContext = null;
 
@@ -79,21 +90,17 @@ public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 			resolveContext = source;
 		}
 
-        Map<QName, Object> variablesAndSources = ExpressionUtil.compileVariablesAndSources(context);
+        Map<String, TypedValue> variablesAndSources = ExpressionUtil.compileVariablesAndSources(context);
 
         ItemPath resolvePath = path;
         Object first = path.first();
         if (ItemPath.isVariable(first)) {
-			QName variableName = ItemPath.toVariableName(first);
-			Object variableValue;
-        	if (variablesAndSources.containsKey(variableName)) {
-        		variableValue = variablesAndSources.get(variableName);
-        	} else if (QNameUtil.matchAny(variableName, variablesAndSources.keySet())){
-				QName fullVariableName = QNameUtil.resolveNs(variableName, variablesAndSources.keySet());
-				variableValue = variablesAndSources.get(fullVariableName);
-			} else {
+			String variableName = ItemPath.toVariableName(first).getLocalPart();
+			TypedValue variableValueAndDefinition = variablesAndSources.get(variableName);
+			if (variableValueAndDefinition == null) {
 				throw new ExpressionEvaluationException("No variable with name "+variableName+" in "+ context.getContextDescription());
 			}
+			Object variableValue = variableValueAndDefinition.getValue();
 
         	if (variableValue == null) {
     			return null;
@@ -154,5 +161,7 @@ public String shortDebugDump() {
 		return "path: "+path;
 	}
 
+	
+
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluatorFactory.java
index 3c631f2dd73..bd527d203a4 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/PathExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectFactory;
@@ -42,6 +43,8 @@
  * @author semancik
  */
 public class PathExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createPath(null).getName();
 
 	private final PrismContext prismContext;
 	private final Protector protector;
@@ -54,15 +57,19 @@ public PathExpressionEvaluatorFactory(ExpressionFactory expressionFactory, Prism
 	
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createPath(null).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement, com.evolveum.midpoint.prism.ItemDefinition, com.evolveum.midpoint.prism.PrismContext)
 	 */
 	@Override
-	public <V extends PrismValue, D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-			D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
+	public <V extends PrismValue, D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for path expression evaluator");
 
@@ -77,7 +84,7 @@ public <V extends PrismValue, D extends ItemDefinition> ExpressionEvaluator<V,D>
 					+ evaluatorElementObject.getClass().getName()+" in "+contextDescription);
 		}
         ItemPath path = ((ItemPathType)evaluatorElementObject).getItemPath();
-        return new PathExpressionEvaluator<>(path, getObjectResolver(), outputDefinition, protector, prismContext);
+        return new PathExpressionEvaluator<>(ELEMENT_NAME, path, getObjectResolver(), outputDefinition, protector, prismContext);
 	}
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluator.java
index 8aad7d9d40a..74cf0c20059 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -41,12 +42,10 @@ public class ReferenceSearchExpressionEvaluator
 
 	private static final Trace LOGGER = TraceManager.getTrace(ReferenceSearchExpressionEvaluator.class);
 
-	public ReferenceSearchExpressionEvaluator(ReferenceSearchExpressionEvaluatorType expressionEvaluatorType,
-			PrismReferenceDefinition outputDefinition, Protector protector, ObjectResolver objectResolver,
-			ModelService modelService, PrismContext prismContext, SecurityContextManager securityContextManager,
-			LocalizationService localizationService) {
-		super(expressionEvaluatorType, outputDefinition, protector, objectResolver, modelService, prismContext, securityContextManager,
-				localizationService);
+	public ReferenceSearchExpressionEvaluator(QName elementName, ReferenceSearchExpressionEvaluatorType expressionEvaluatorType,
+			PrismReferenceDefinition outputDefinition, Protector protector, PrismContext prismContext,
+			ObjectResolver objectResolver, ModelService modelService, SecurityContextManager securityContextManager, LocalizationService localizationService) {
+		super(elementName, expressionEvaluatorType, outputDefinition, protector, prismContext, objectResolver, modelService, securityContextManager, localizationService);
 	}
 
 	protected PrismReferenceValue createPrismValue(String oid, QName targetTypeQName, List<ItemDelta<PrismReferenceValue, PrismReferenceDefinition>> additionalAttributeValues, ExpressionEvaluationContext params) {
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluatorFactory.java
index d7aa2d04394..9a7e5dae954 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/ReferenceSearchExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2017 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractObjectResolvableExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
@@ -43,6 +44,8 @@
  *
  */
 public class ReferenceSearchExpressionEvaluatorFactory extends AbstractObjectResolvableExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createReferenceSearch(new ReferenceSearchExpressionEvaluatorType()).getName();
 
 	private final PrismContext prismContext;
 	private final Protector protector;
@@ -62,15 +65,19 @@ public ReferenceSearchExpressionEvaluatorFactory(ExpressionFactory expressionFac
 	 */
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createReferenceSearch(new ReferenceSearchExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for referenceSearch expression evaluator");
 
@@ -89,8 +96,8 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
         if (evaluatorTypeObject != null && !(evaluatorTypeObject instanceof ReferenceSearchExpressionEvaluatorType)) {
             throw new SchemaException("reference search expression evaluator cannot handle elements of type " + evaluatorTypeObject.getClass().getName()+" in "+contextDescription);
         }
-        ReferenceSearchExpressionEvaluator expressionEvaluator = new ReferenceSearchExpressionEvaluator((ReferenceSearchExpressionEvaluatorType)evaluatorTypeObject,
-        		(PrismReferenceDefinition) outputDefinition, protector, getObjectResolver(), modelService, prismContext, securityContextManager, getLocalizationService());
+        ReferenceSearchExpressionEvaluator expressionEvaluator = new ReferenceSearchExpressionEvaluator(ELEMENT_NAME, (ReferenceSearchExpressionEvaluatorType)evaluatorTypeObject,
+        		(PrismReferenceDefinition) outputDefinition, protector, prismContext, getObjectResolver(), modelService, securityContextManager, getLocalizationService());
         return (ExpressionEvaluator<V,D>) expressionEvaluator;
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/functions/CustomFunctions.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/functions/CustomFunctions.java
index 86a9b97807a..adcdab78485 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/functions/CustomFunctions.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/functions/CustomFunctions.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,6 +34,8 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.SchemaConstantsGenerated;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
@@ -57,18 +59,25 @@ public class CustomFunctions {
 	
 	private ExpressionFactory expressionFactory;
 	private FunctionLibraryType library;
+	private ExpressionProfile expressionProfile;
 	private OperationResult result;
 	private Task task;
 	private PrismContext prismContext;
+
 	
-	public CustomFunctions(FunctionLibraryType library, ExpressionFactory expressionFactory, OperationResult result, Task task) {
+	public CustomFunctions(FunctionLibraryType library, ExpressionFactory expressionFactory, ExpressionProfile expressionProfile, OperationResult result, Task task) {
 		this.library = library;
 		this.expressionFactory = expressionFactory;
+		this.expressionProfile = expressionProfile;
 		this.prismContext = expressionFactory.getPrismContext();
 		this.result = result;
 		this.task = task;
 	}
 	
+	/**
+	 * This method is invoked by the scripts. It is supposed to be only public method exposed
+	 * by this class.
+	 */
 	public <V extends PrismValue, D extends ItemDefinition> Object execute(String functionName, Map<String, Object> params) throws ExpressionEvaluationException {
 		Validate.notNull(functionName, "Function name must be specified");
 		
@@ -83,7 +92,7 @@ public <V extends PrismValue, D extends ItemDefinition> Object execute(String fu
 			ExpressionVariables variables = new ExpressionVariables();
 			if (MapUtils.isNotEmpty(params)) {
 				for (Map.Entry<String, Object> entry : params.entrySet()) {
-					variables.addVariableDefinition(new QName(entry.getKey()), convertInput(entry, expressionType));
+					variables.put(entry.getKey(), convertInput(entry, expressionType));
 				};
 			}
 			
@@ -102,7 +111,7 @@ public <V extends PrismValue, D extends ItemDefinition> Object execute(String fu
 				outputDefinition.toMutable().setMaxOccurs(1);
 			}
 			String shortDesc = "custom function execute";
-			Expression<V, D> expression = expressionFactory.makeExpression(expressionType, outputDefinition,
+			Expression<V, D> expression = expressionFactory.makeExpression(expressionType, outputDefinition, expressionProfile,
 					shortDesc, task, result);
 
 			ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, shortDesc, task,
@@ -140,31 +149,28 @@ public <V extends PrismValue, D extends ItemDefinition> Object execute(String fu
 		
 	}
 
-	private Object convertInput(Map.Entry<String, Object> entry, ExpressionType expression) throws SchemaException {
+	private TypedValue convertInput(Map.Entry<String, Object> entry, ExpressionType expression) throws SchemaException {
 	
 		ExpressionParameterType expressionParam = expression.getParameter().stream().filter(param -> param.getName().equals(entry.getKey())).findAny().orElseThrow(SchemaException :: new);
 		
 		QName paramType = expressionParam.getType();
 		Class<?> expressionParameterClass = prismContext.getSchemaRegistry().determineClassForType(paramType);
 			
+		Object value = entry.getValue();
 		if (expressionParameterClass != null && !DOMUtil.XSD_ANYTYPE.equals(paramType) && XmlTypeConverter.canConvert(expressionParameterClass)) {
-			return ExpressionUtil.convertValue(expressionParameterClass, null, entry.getValue(), prismContext.getDefaultProtector(), prismContext);
+			value = ExpressionUtil.convertValue(expressionParameterClass, null, entry.getValue(), prismContext.getDefaultProtector(), prismContext);
 		}
 		
-		return entry.getValue();
-		
-		// FIXME: awful hack
-//		if (String.class.equals(expressioNParameterClass) && entry.getValue() instanceof PolyString) {
-//			return ((PolyString) entry.getValue()).getOrig();
-//		}
-		
-		//if (expressioNParameterClass != null && !expressioNParameterClass.isAssignableFrom(entry.getValue().getClass())) {
-//		if (expressioNParameterClass != null && !expressioNParameterClass.equals(entry.getValue().getClass())){
-//			throw new SchemaException("Unexpected type of value, expecting " + expressioNParameterClass.getSimpleName() + " but the actual value is " + entry.getValue().getClass().getSimpleName());
-//		}
+		Class<?> valueClass;
+		if (value == null) {
+			valueClass = expressionParameterClass;
+		} else {
+			valueClass = value.getClass();
+		}
 		
-//		return entry.getValue();
+		ItemDefinition def = ExpressionUtil.determineDefinitionFromValueClass(prismContext, entry.getKey(), valueClass, paramType);
 		
+		return new TypedValue(value, def);
 	}
 
 }
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractCachingScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractCachingScriptEvaluator.java
index 6b10914a348..510ecdf2339 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractCachingScriptEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractCachingScriptEvaluator.java
@@ -18,131 +18,103 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.function.Function;
-
-import javax.script.Bindings;
-import javax.script.Compilable;
-import javax.script.CompiledScript;
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-import javax.script.ScriptException;
+
 import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.common.LocalizationService;
-import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
-import com.evolveum.midpoint.model.common.expression.script.ScriptEvaluator;
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionUtil;
-import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.prism.PrismContainerDefinition;
+import com.evolveum.midpoint.prism.PrismContainerValue;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.PrismValueCollectionsUtil;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
-import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
-import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
-import com.evolveum.midpoint.schema.constants.MidPointConstants;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
 import com.evolveum.midpoint.schema.internals.InternalCounters;
 import com.evolveum.midpoint.schema.internals.InternalMonitor;
-import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ExceptionUtil;
-import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
-import com.evolveum.midpoint.util.exception.SystemException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionEvaluatorType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionReturnTypeType;
 
 /**
  * Expression evaluator that is using javax.script (JSR-223) engine.
  *
- * @author Radovan Semancik
+ * @param <I> script interpreter/compiler
  * @param <C> compiled code
- *
+ * @author Radovan Semancik
  */
-public abstract class AbstractCachingScriptEvaluator<C> implements ScriptEvaluator {
+public abstract class AbstractCachingScriptEvaluator<I,C> extends AbstractScriptEvaluator {
 
 	private static final Trace LOGGER = TraceManager.getTrace(AbstractCachingScriptEvaluator.class);
 
-	private final PrismContext prismContext;
-	private final Protector protector;
-	private final LocalizationService localizationService;
+	private final ScriptCache<I,C> scriptCache;
 
-	private final Map<String, C> scriptCache;
-
-	public AbstractCachingScriptEvaluator(PrismContext prismContext, Protector protector,
-			LocalizationService localizationService) {
-		this.prismContext = prismContext;
-		this.protector = protector;
-		this.scriptCache = new ConcurrentHashMap<>();
-		this.localizationService = localizationService;
+	public AbstractCachingScriptEvaluator(PrismContext prismContext, Protector protector, LocalizationService localizationService) {
+		super(prismContext, protector, localizationService);
+		this.scriptCache = new ScriptCache<>();
 	}
 	
-	public PrismContext getPrismContext() {
-		return prismContext;
-	}
-
-	public Protector getProtector() {
-		return protector;
-	}
-
-	public LocalizationService getLocalizationService() {
-		return localizationService;
-	}
-
-	public Map<String, C> getScriptCache() {
+	protected ScriptCache<I,C> getScriptCache() {
 		return scriptCache;
 	}
 
 	@Override
-	public <T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluatorType expressionType,
-			ExpressionVariables variables, ItemDefinition outputDefinition,
-			Function<Object, Object> additionalConvertor,
-			ScriptExpressionReturnTypeType suggestedReturnType,
-			ObjectResolver objectResolver, Collection<FunctionLibrary> functions,
-			String contextDescription, Task task, OperationResult result) throws ExpressionEvaluationException,
+	public <T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException,
 			ObjectNotFoundException, ExpressionSyntaxException, CommunicationException, ConfigurationException, SecurityViolationException {
+		checkRestrictions(context);
 
-		String codeString = expressionType.getCode();
+		String codeString = context.getExpressionType().getCode();
 		if (codeString == null) {
-			throw new ExpressionEvaluationException("No script code in " + contextDescription);
+			throw new ExpressionEvaluationException("No script code in " + context.getContextDescription());
 		}
 
 		boolean allowEmptyValues = false;
-		if (expressionType.isAllowEmptyValues() != null) {
-			allowEmptyValues = expressionType.isAllowEmptyValues();
+		if (context.getExpressionType().isAllowEmptyValues() != null) {
+			allowEmptyValues = context.getExpressionType().isAllowEmptyValues();
 		}
 
-		C compiledScript = getCompiledScript(codeString, contextDescription);
+		C compiledScript = getCompiledScript(codeString, context);
 
 		Object evalRawResult;
 		try {
 			InternalMonitor.recordCount(InternalCounters.SCRIPT_EXECUTION_COUNT);
-			evalRawResult = evaluateScript(compiledScript, variables, objectResolver, functions, contextDescription, task, result);
+			
+			evalRawResult = evaluateScript(compiledScript, context);
+			
+		} catch (ExpressionEvaluationException | ObjectNotFoundException | ExpressionSyntaxException | CommunicationException | ConfigurationException | SecurityViolationException e) {
+			// Exception already processed by the underlying code.
+			throw e;
 		} catch (Throwable e) {
-			throw localizationService.translate(
-					new ExpressionEvaluationException(e.getMessage() + " in " + contextDescription,
+			throw getLocalizationService().translate(
+					new ExpressionEvaluationException(e.getMessage() + " in " + context.getContextDescription(),
 							e, ExceptionUtil.getUserFriendlyMessage(e)));
 		}
 
-		if (outputDefinition == null) {
-			// No outputDefinition means "void" return type, we can return right now
-			return null;
+		if (context.getOutputDefinition() == null) {
+			// No outputDefinition may mean "void" return type
+			// or it can mean that we do not have definition, because this is something non-prism (e.g. report template)
+			// Either way we can return immediately, without any value conversion. Just wrap the value in fake PrismPropertyValue
+			List<V> evalPrismValues = new ArrayList<>(1);
+			evalPrismValues.add((V) getPrismContext().itemFactory().createPropertyValue(evalRawResult));
+			return evalPrismValues;
 		}
 
-		QName xsdReturnType = outputDefinition.getTypeName();
+		QName xsdReturnType = context.getOutputDefinition().getTypeName();
 
 		Class<T> javaReturnType = XsdTypeMapper.toJavaType(xsdReturnType);
 		if (javaReturnType == null) {
-			javaReturnType = prismContext.getSchemaRegistry().getCompileTimeClass(xsdReturnType);
+			javaReturnType = getPrismContext().getSchemaRegistry().getCompileTimeClass(xsdReturnType);
 		}
 		
-		if (javaReturnType == null && (outputDefinition instanceof PrismContainerDefinition<?>)) {
+		if (javaReturnType == null && (context.getOutputDefinition() instanceof PrismContainerDefinition<?>)) {
 			// This is the case when we need a container, but we do not have compile-time class for that
 			// E.g. this may be container in object extension (MID-5080)
 			javaReturnType = (Class<T>) PrismContainerValue.class;
@@ -162,56 +134,51 @@ public <T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluatorType
 		// PrismProperty?
 		if (evalRawResult instanceof Collection) {
 			for (Object evalRawResultElement : (Collection)evalRawResult) {
-				T evalResult = convertScalarResult(javaReturnType, additionalConvertor, evalRawResultElement, contextDescription);
+				T evalResult = convertScalarResult(javaReturnType, evalRawResultElement, context);
 				if (allowEmptyValues || !ExpressionUtil.isEmpty(evalResult)) {
-					pvals.add((V) ExpressionUtil.convertToPrismValue(evalResult, outputDefinition, contextDescription, prismContext));
+					pvals.add((V) ExpressionUtil.convertToPrismValue(evalResult, context.getOutputDefinition(), context.getContextDescription(), getPrismContext()));
 				}
 			}
 		} else if (evalRawResult instanceof PrismProperty<?>) {
 			pvals.addAll((Collection<? extends V>) PrismValueCollectionsUtil.cloneCollection(((PrismProperty<T>)evalRawResult).getValues()));
 		} else {
-			T evalResult = convertScalarResult(javaReturnType, additionalConvertor, evalRawResult, contextDescription);
+			T evalResult = convertScalarResult(javaReturnType, evalRawResult, context);
 			if (allowEmptyValues || !ExpressionUtil.isEmpty(evalResult)) {
-				pvals.add((V) ExpressionUtil.convertToPrismValue(evalResult, outputDefinition, contextDescription, prismContext));
+				pvals.add((V) ExpressionUtil.convertToPrismValue(evalResult, context.getOutputDefinition(), context.getContextDescription(), getPrismContext()));
 			}
 		}
 
 		return pvals;
 	}
 
-	protected C getCompiledScript(String codeString, String contextDescription) throws ExpressionEvaluationException {
-		C compiledScript = scriptCache.get(codeString);
+	protected C getCompiledScript(String codeString, ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException, SecurityViolationException {
+		C compiledScript = scriptCache.getCode(context.getExpressionProfile(), codeString);
 		if (compiledScript != null) {
 			return compiledScript;
 		}
 		InternalMonitor.recordCount(InternalCounters.SCRIPT_COMPILE_COUNT);
 		try {
-			compiledScript = compileScript(codeString, contextDescription);
+			compiledScript = compileScript(codeString, context);
+		} catch (ExpressionEvaluationException | SecurityViolationException e) {
+			throw e;
 		} catch (Exception e) {
-			throw new ExpressionEvaluationException(e.getMessage() + " while compiling " + contextDescription, e);
+			throw new ExpressionEvaluationException(e.getMessage() + " while compiling " + context.getContextDescription(), e);
 		}
-		scriptCache.put(codeString, compiledScript);
+		scriptCache.putCode(context.getExpressionProfile(), codeString, compiledScript);
 		return compiledScript;
 	}
+
+	protected abstract C compileScript(String codeString, ScriptExpressionEvaluationContext context) throws Exception;
 	
-	protected abstract C compileScript(String codeString, String contextDescription) throws Exception;
-	
-	protected abstract Object evaluateScript(C compiledScript, ExpressionVariables variables,
-			ObjectResolver objectResolver, Collection<FunctionLibrary> functions, String contextDescription,
-			Task task, OperationResult result)
+	protected abstract Object evaluateScript(C compiledScript, ScriptExpressionEvaluationContext context)
 				throws Exception;
-
-	protected Map<String,Object> getVariablesMap(ExpressionVariables variables, ObjectResolver objectResolver,
-			   Collection<FunctionLibrary> functions, String contextDescription, Task task, OperationResult result) throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
-		return ScriptExpressionUtil.prepareScriptVariables(variables, objectResolver, functions, contextDescription, getPrismContext(), task, result);
-	}
 	
-	private <T> T convertScalarResult(Class<T> expectedType, Function<Object, Object> additionalConvertor, Object rawValue, String contextDescription) throws ExpressionEvaluationException {
+	private <T> T convertScalarResult(Class<T> expectedType, Object rawValue, ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException {
 		try {
-			T convertedValue = ExpressionUtil.convertValue(expectedType, additionalConvertor, rawValue, protector, prismContext);
+			T convertedValue = ExpressionUtil.convertValue(expectedType, context.getAdditionalConvertor(), rawValue, getProtector(), getPrismContext());
 			return convertedValue;
 		} catch (IllegalArgumentException e) {
-			throw new ExpressionEvaluationException(e.getMessage() + " in " + contextDescription, e);
+			throw new ExpressionEvaluationException(e.getMessage() + " in " + context.getContextDescription(), e);
 		}
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptEvaluator.java
new file mode 100644
index 00000000000..0d1ce518226
--- /dev/null
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptEvaluator.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression.script;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import com.evolveum.midpoint.common.LocalizationService;
+import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
+import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+
+/**
+ * Expression evaluator that is using javax.script (JSR-223) engine.
+ *
+ * @author Radovan Semancik
+ * @param <C> compiled code
+ *
+ */
+public abstract class AbstractScriptEvaluator implements ScriptEvaluator {
+
+	private static final Trace LOGGER = TraceManager.getTrace(AbstractScriptEvaluator.class);
+
+	private final PrismContext prismContext;
+	private final Protector protector;
+	private final LocalizationService localizationService;
+
+	public AbstractScriptEvaluator(PrismContext prismContext, Protector protector,
+			LocalizationService localizationService) {
+		this.prismContext = prismContext;
+		this.protector = protector;
+		this.localizationService = localizationService;
+	}
+	
+	public PrismContext getPrismContext() {
+		return prismContext;
+	}
+
+	public Protector getProtector() {
+		return protector;
+	}
+
+	public LocalizationService getLocalizationService() {
+		return localizationService;
+	}
+	
+	protected void checkRestrictions(ScriptExpressionEvaluationContext context) throws SecurityViolationException {
+		ScriptExpressionProfile scriptExpressionProfile = context.getScriptExpressionProfile();
+		if (scriptExpressionProfile == null) {
+			// no restrictions
+			return;
+		}
+		if (scriptExpressionProfile.hasRestrictions()) {
+			throw new SecurityViolationException("Script intepreter for language "+getLanguageName()
+				+" does not support restrictions as imposed by expression profile "+context.getExpressionProfile().getIdentifier()
+				+"; script execution prohibited in "+context.getContextDescription());
+		}
+		if (scriptExpressionProfile.getDecision() != AccessDecision.ALLOW) {
+			throw new SecurityViolationException("Script intepreter for language "+getLanguageName()
+			+" is not allowed in expression profile "+context.getExpressionProfile().getIdentifier()
+			+"; script execution prohibited in "+context.getContextDescription());			
+		}
+	}
+
+	/**
+	 * Returns simple variable map: name -> value.
+	 */
+	protected Map<String,Object> prepareScriptVariablesValueMap(ScriptExpressionEvaluationContext context) 
+					throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+		Map<String,Object> scriptVariableMap = new HashMap<>();
+		// Functions
+		if (context.getFunctions() != null) {
+			for (FunctionLibrary funcLib: context.getFunctions()) {
+				scriptVariableMap.put(funcLib.getVariableName(), funcLib.getGenericFunctions());
+			}
+		}
+		
+		// Variables
+		if (context.getVariables() != null) {
+			for (Entry<String, TypedValue> variableEntry: context.getVariables().entrySet()) {
+				if (variableEntry.getKey() == null) {
+					// This is the "root" node. We have no use for it in script expressions, just skip it
+					continue;
+				}
+				String variableName = variableEntry.getKey();
+				TypedValue variableTypedValue = ExpressionUtil.convertVariableValue(variableEntry.getValue(), variableName, context.getObjectResolver(), context.getContextDescription(), prismContext, context.getTask(), context.getResult());
+				scriptVariableMap.put(variableName, variableTypedValue.getValue());
+			}
+		}
+
+		String prismContextName = ExpressionConstants.VAR_PRISM_CONTEXT;
+		if (!scriptVariableMap.containsKey(prismContextName)) {
+			scriptVariableMap.put(prismContextName, prismContext);
+		}
+		return scriptVariableMap;
+	}
+
+}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/GroovyScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/GroovyScriptEvaluator.java
deleted file mode 100644
index 72357d49dcd..00000000000
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/GroovyScriptEvaluator.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (c) 2010-2019 Evolveum
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.evolveum.midpoint.model.common.expression.script;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.function.Function;
-
-import javax.script.Bindings;
-import javax.script.Compilable;
-import javax.script.CompiledScript;
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-import javax.script.ScriptException;
-import javax.xml.namespace.QName;
-
-import org.codehaus.groovy.control.CompilationFailedException;
-import org.codehaus.groovy.control.CompilationUnit;
-import org.codehaus.groovy.control.CompilerConfiguration;
-import org.codehaus.groovy.runtime.InvokerHelper;
-
-import com.evolveum.midpoint.common.LocalizationService;
-import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
-import com.evolveum.midpoint.model.common.expression.script.ScriptEvaluator;
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionUtil;
-import com.evolveum.midpoint.prism.*;
-import com.evolveum.midpoint.prism.crypto.Protector;
-import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
-import com.evolveum.midpoint.repo.common.ObjectResolver;
-import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
-import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
-import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
-import com.evolveum.midpoint.schema.constants.MidPointConstants;
-import com.evolveum.midpoint.schema.internals.InternalCounters;
-import com.evolveum.midpoint.schema.internals.InternalMonitor;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.schema.util.ExceptionUtil;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.util.exception.CommunicationException;
-import com.evolveum.midpoint.util.exception.ConfigurationException;
-import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
-import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
-import com.evolveum.midpoint.util.exception.SecurityViolationException;
-import com.evolveum.midpoint.util.exception.SystemException;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionEvaluatorType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionReturnTypeType;
-
-import groovy.lang.Binding;
-import groovy.lang.GroovyClassLoader;
-import groovy.lang.Script;
-
-/**
- * Expression evaluator that is using javax.script (JSR-223) engine.
- *
- * @author Radovan Semancik
- *
- */
-public class GroovyScriptEvaluator extends AbstractCachingScriptEvaluator<Class> {
-
-	public static final String LANGUAGE_NAME = "Groovy";
-	public static final String LANGUAGE_URL = MidPointConstants.EXPRESSION_LANGUAGE_URL_BASE + LANGUAGE_NAME;
-	
-	private static final Trace LOGGER = TraceManager.getTrace(GroovyScriptEvaluator.class);
-	
-	private GroovyClassLoader groovyLoader;
-
-	public GroovyScriptEvaluator(PrismContext prismContext, Protector protector,
-			LocalizationService localizationService) {
-		super(prismContext, protector, localizationService);
-		
-		CompilerConfiguration compilerConfiguration = new CompilerConfiguration(CompilerConfiguration.DEFAULT);
-		groovyLoader = new GroovyClassLoader(GroovyScriptEvaluator.class.getClassLoader(), compilerConfiguration);
-	}
-
-	/* (non-Javadoc)
-	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#getLanguageName()
-	 */
-	@Override
-	public String getLanguageName() {
-		return LANGUAGE_NAME;
-	}
-
-	/* (non-Javadoc)
-	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#getLanguageUrl()
-	 */
-	@Override
-	public String getLanguageUrl() {
-		return LANGUAGE_URL;
-	}
-
-
-	@Override
-	protected Class compileScript(String codeString, String contextDescription)
-			throws ExpressionEvaluationException {
-		return groovyLoader.parseClass(codeString, contextDescription);
-	}
-
-
-	@Override
-	protected Object evaluateScript(Class compiledScriptClass, ExpressionVariables variables,
-			ObjectResolver objectResolver, Collection functions, String contextDescription, Task task,
-			OperationResult result) throws Exception {
-		
-		if (!Script.class.isAssignableFrom(compiledScriptClass)) {
-            throw new ExpressionEvaluationException("Expected groovy script class, but got "+compiledScriptClass);
-		}
-		
-		Binding binding = new Binding(getVariablesMap(variables, objectResolver, functions, contextDescription, task, result));
-		
-		Script scriptObject = InvokerHelper.createScript(compiledScriptClass, binding);
-		
-		return scriptObject.run();
-	}
-
-}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptCache.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptCache.java
new file mode 100644
index 00000000000..003e497e821
--- /dev/null
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptCache.java
@@ -0,0 +1,73 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression.script;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+
+/**
+ * Cache for compiled scripts and interpreters, aware of expression profiles.
+ * 
+ * @param <C> compiled code
+ * @author Radovan Semancik
+ */
+public class ScriptCache<I,C> {
+
+	private final Map<String, I> interpreterCache = new HashMap<>();
+	private final Map<String, Map<String, C>> codeCache = new HashMap<>();
+	
+	public synchronized I getInterpreter(ExpressionProfile profile) {
+		return interpreterCache.get(getProfileKey(profile));
+	}
+	
+	public synchronized void putInterpreter(ExpressionProfile profile, I interpreter) {
+		interpreterCache.put(getProfileKey(profile), interpreter);
+	}
+	
+	public synchronized C getCode(ExpressionProfile profile, String sourceCodeKey) {
+		String profileKey = getProfileKey(profile);
+		Map<String, C> profileCache = codeCache.get(profileKey);
+		if (profileCache == null) {
+			return null;
+		}
+		return profileCache.get(sourceCodeKey);
+	}
+	
+	public synchronized void putCode(ExpressionProfile profile, String sourceCodeKey, C compiledCode) {
+		String profileKey = getProfileKey(profile);
+		Map<String, C> profileCache = codeCache.get(profileKey);
+		if (profileCache == null) {
+			profileCache = new HashMap<>();
+			codeCache.put(profileKey, profileCache);
+		}
+		profileCache.put(sourceCodeKey, compiledCode);
+	}
+	
+	private String getProfileKey(ExpressionProfile profile) {
+		if (profile == null) {
+			return null;
+		} else {
+			return profile.getIdentifier();
+		}
+	}
+
+	public synchronized void clear() {
+		codeCache.clear();
+	}
+	
+}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptEvaluator.java
index 6d89b5a216d..1321967281c 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,35 +15,22 @@
  */
 package com.evolveum.midpoint.model.common.expression.script;
 
-import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
-import com.evolveum.midpoint.prism.ItemDefinition;
+import java.util.List;
+
 import com.evolveum.midpoint.prism.PrismValue;
-import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
-import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionEvaluatorType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionReturnTypeType;
-
-import java.util.Collection;
-import java.util.List;
-import java.util.function.Function;
 
 /**
  * @author Radovan Semancik
  */
 public interface ScriptEvaluator {
 
-	<T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluatorType expressionType, ExpressionVariables variables,
-			ItemDefinition outputDefinition, Function<Object, Object> additionalConvertor,
-			ScriptExpressionReturnTypeType suggestedReturnType, ObjectResolver objectResolver,
-			Collection<FunctionLibrary> functions, String contextDescription, Task task, OperationResult result)
+	<T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluationContext context)
             throws ExpressionEvaluationException, ObjectNotFoundException, ExpressionSyntaxException, CommunicationException, ConfigurationException, SecurityViolationException;
 
     /**
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpression.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpression.java
index dc0d16bc8d0..0b2ce55df33 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpression.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpression.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,9 @@
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.expression.ExpressionPermissionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -53,6 +56,8 @@ public class ScriptExpression {
 	private Function<Object, Object> additionalConvertor;
     private ObjectResolver objectResolver;
     private Collection<FunctionLibrary> functions;
+    private ExpressionProfile expressionProfile;
+    private ScriptExpressionProfile scriptExpressionProfile;
     
     private static final Trace LOGGER = TraceManager.getTrace(ScriptExpression.class);
 	private static final int MAX_CODE_CHARS = 42;
@@ -86,6 +91,22 @@ public void setFunctions(Collection<FunctionLibrary> functions) {
 		this.functions = functions;
 	}
 
+	public ExpressionProfile getExpressionProfile() {
+		return expressionProfile;
+	}
+
+	public void setExpressionProfile(ExpressionProfile expressionProfile) {
+		this.expressionProfile = expressionProfile;
+	}
+	
+	public ScriptExpressionProfile getScriptExpressionProfile() {
+		return scriptExpressionProfile;
+	}
+
+	public void setScriptExpressionProfile(ScriptExpressionProfile scriptExpressionProfile) {
+		this.scriptExpressionProfile = scriptExpressionProfile;
+	}
+
 	public Function<Object, Object> getAdditionalConvertor() {
 		return additionalConvertor;
 	}
@@ -94,30 +115,72 @@ public void setAdditionalConvertor(Function<Object, Object> additionalConvertor)
 		this.additionalConvertor = additionalConvertor;
 	}
 	
+	@Deprecated
 	public <V extends PrismValue> List<V> evaluate(ExpressionVariables variables, ScriptExpressionReturnTypeType suggestedReturnType,
 			boolean useNew, String contextDescription, Task task, OperationResult result)
 			throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 
-		ScriptExpressionEvaluationContext context = new ScriptExpressionEvaluationContext(variables, contextDescription, result, task, this);
+		ScriptExpressionEvaluationContext context = new ScriptExpressionEvaluationContext();
+		context.setExpressionType(scriptType);
+		context.setVariables(variables);
+		context.setFunctions(functions);
+		context.setExpressionProfile(expressionProfile);
+		context.setScriptExpressionProfile(scriptExpressionProfile);
+		context.setOutputDefinition(outputDefinition);
+		context.setAdditionalConvertor(additionalConvertor);
+		context.setSuggestedReturnType(suggestedReturnType);
+		context.setObjectResolver(objectResolver);
 		context.setEvaluateNew(useNew);
+		context.setScriptExpression(this);
+		context.setContextDescription(contextDescription);
+		context.setTask(task);
+		context.setResult(result);
+		
+		return evaluate(context);
+	}
+		
+	public <V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluationContext context)
+			throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 
+		if (context.getExpressionType() == null) {
+			context.setExpressionType(scriptType);
+		}
+		if (context.getFunctions() == null) {
+			context.setFunctions(functions);
+		}
+		if (context.getExpressionProfile() == null) {
+			context.setExpressionProfile(expressionProfile);
+		}
+		if (context.getScriptExpressionProfile() == null) {
+			context.setScriptExpressionProfile(scriptExpressionProfile);
+		}
+		if (context.getOutputDefinition() == null) {
+			context.setOutputDefinition(outputDefinition);
+		}
+		if (context.getAdditionalConvertor() == null) {
+			context.setAdditionalConvertor(additionalConvertor);
+		}
+		if (context.getObjectResolver() == null) {
+			context.setObjectResolver(objectResolver);
+		}
+		
 		try {
 			context.setupThreadLocal();
 
-			List<V> expressionResult = evaluator.evaluate(scriptType, variables, outputDefinition, additionalConvertor, suggestedReturnType, objectResolver, functions, contextDescription, task, result);
+			List<V> expressionResult = evaluator.evaluate(context);
 
-			traceExpressionSuccess(variables, contextDescription, expressionResult);
+			traceExpressionSuccess(context, expressionResult);
 	        return expressionResult;
 
 		} catch (ExpressionEvaluationException | ObjectNotFoundException | SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | RuntimeException | Error ex) {
-			traceExpressionFailure(variables, contextDescription, ex);
+			traceExpressionFailure(context, ex);
 			throw ex;
 		} finally {
 			context.cleanupThreadLocal();
 		}
 	}
 
-    private void traceExpressionSuccess(ExpressionVariables variables, String shortDesc, Object returnValue) {
+    private void traceExpressionSuccess(ScriptExpressionEvaluationContext context, Object returnValue) {
     	if (!isTrace()) {
     		return;
     	}
@@ -126,12 +189,13 @@ private void traceExpressionSuccess(ExpressionVariables variables, String shortD
         		"Language: {}\n"+
         		"Relativity mode: {}\n"+
         		"Variables:\n{}\n"+
+        		"Profile: {}\n" +
         		"Code:\n{}\n"+
-        		"Result: {}", shortDesc, evaluator.getLanguageName(), scriptType.getRelativityMode(), formatVariables(variables),
-				formatCode(), SchemaDebugUtil.prettyPrint(returnValue));
+        		"Result: {}", context.getContextDescription(), evaluator.getLanguageName(), scriptType.getRelativityMode(), formatVariables(context.getVariables()),
+				formatProfile(), formatCode(), SchemaDebugUtil.prettyPrint(returnValue));
     }
 
-    private void traceExpressionFailure(ExpressionVariables variables, String shortDesc, Throwable exception) {
+    private void traceExpressionFailure(ScriptExpressionEvaluationContext context, Throwable exception) {
         LOGGER.error("Expression error: {}", exception.getMessage(), exception);
         if (!isTrace()) {
     		return;
@@ -141,9 +205,10 @@ private void traceExpressionFailure(ExpressionVariables variables, String shortD
         		"Language: {}\n"+
         		"Relativity mode: {}\n"+
         		"Variables:\n{}\n"+
+        		"Profile: {}\n" +
         		"Code:\n{}\n"+
-        		"Error: {}", shortDesc, evaluator.getLanguageName(), scriptType.getRelativityMode(), formatVariables(variables),
-				formatCode(), SchemaDebugUtil.prettyPrint(exception));
+        		"Error: {}", context.getContextDescription(), evaluator.getLanguageName(), scriptType.getRelativityMode(), formatVariables(context.getVariables()),
+        		formatProfile(),formatCode(), SchemaDebugUtil.prettyPrint(exception));
     }
 
     private boolean isTrace() {
@@ -164,6 +229,23 @@ private String formatVariables(ExpressionVariables variables) {
 		}
 		return variables.formatVariables();
 	}
+	
+	private String formatProfile() {
+		StringBuilder sb = new StringBuilder();
+		if (expressionProfile != null) {
+			sb.append(expressionProfile.getIdentifier());
+		} else {
+			sb.append("null (no profile)");
+		}
+		if (scriptExpressionProfile != null) {
+			sb.append("; ");
+			ExpressionPermissionProfile permissionProfile = scriptExpressionProfile.getPermissionProfile();
+			if (permissionProfile != null) {
+				sb.append("permission=").append(permissionProfile.getIdentifier());
+			}
+		}
+		return sb.toString();
+    }
 
 	private String formatCode() {
 		return DebugUtil.excerpt(scriptType.getCode().replaceAll("[\\s\\r\\n]+", " "), MAX_CODE_CHARS);
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluationContext.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluationContext.java
index 93e41d1b2c4..a472a7c9e0d 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluationContext.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluationContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,9 +15,19 @@
  */
 package com.evolveum.midpoint.model.common.expression.script;
 
+import java.util.Collection;
+import java.util.function.Function;
+
+import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionEvaluatorType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionReturnTypeType;
 
 /**
  * @author semancik
@@ -26,44 +36,104 @@
 public class ScriptExpressionEvaluationContext {
 
 	private static final ThreadLocal<ScriptExpressionEvaluationContext> threadLocalContext = new ThreadLocal<>();
-
-	private final ExpressionVariables variables;
-	private final String contextDescription;
-	private final OperationResult result;
-	private final Task task;
-	private final ScriptExpression scriptExpression;
+	
+	private ScriptExpressionEvaluatorType expressionType;
+	private ExpressionVariables variables;
+	private ItemDefinition outputDefinition;
+	private Function<Object, Object> additionalConvertor;
+	private ScriptExpressionReturnTypeType suggestedReturnType;
+	private ObjectResolver objectResolver;
+	private Collection<FunctionLibrary> functions;
+	private ExpressionProfile expressionProfile;
+	private ScriptExpressionProfile scriptExpressionProfile;
+	
+	private ScriptExpression scriptExpression;
 	private boolean evaluateNew = false;
+	
+	private String contextDescription;
+	private Task task;
+	private OperationResult result;
 
-	ScriptExpressionEvaluationContext(ExpressionVariables variables, String contextDescription,
-			OperationResult result, Task task, ScriptExpression scriptExpression) {
-		super();
-		this.variables = variables;
-		this.contextDescription = contextDescription;
-		this.result = result;
-		this.task = task;
-		this.scriptExpression = scriptExpression;
+	public ScriptExpressionEvaluatorType getExpressionType() {
+		return expressionType;
+	}
+
+	public void setExpressionType(ScriptExpressionEvaluatorType expressionType) {
+		this.expressionType = expressionType;
 	}
 
 	public ExpressionVariables getVariables() {
 		return variables;
 	}
 
-	public String getContextDescription() {
-		return contextDescription;
+	public void setVariables(ExpressionVariables variables) {
+		this.variables = variables;
 	}
 
-	public OperationResult getResult() {
-		return result;
+	public ItemDefinition getOutputDefinition() {
+		return outputDefinition;
 	}
 
-	public Task getTask() {
-		return task;
+	public void setOutputDefinition(ItemDefinition outputDefinition) {
+		this.outputDefinition = outputDefinition;
+	}
+
+	public Function<Object, Object> getAdditionalConvertor() {
+		return additionalConvertor;
+	}
+
+	public void setAdditionalConvertor(Function<Object, Object> additionalConvertor) {
+		this.additionalConvertor = additionalConvertor;
+	}
+
+	public ScriptExpressionReturnTypeType getSuggestedReturnType() {
+		return suggestedReturnType;
+	}
+
+	public void setSuggestedReturnType(ScriptExpressionReturnTypeType suggestedReturnType) {
+		this.suggestedReturnType = suggestedReturnType;
+	}
+
+	public ObjectResolver getObjectResolver() {
+		return objectResolver;
+	}
+
+	public void setObjectResolver(ObjectResolver objectResolver) {
+		this.objectResolver = objectResolver;
+	}
+
+	public Collection<FunctionLibrary> getFunctions() {
+		return functions;
+	}
+
+	public void setFunctions(Collection<FunctionLibrary> functions) {
+		this.functions = functions;
+	}
+	
+	public ExpressionProfile getExpressionProfile() {
+		return expressionProfile;
+	}
+
+	public void setExpressionProfile(ExpressionProfile expressionProfile) {
+		this.expressionProfile = expressionProfile;
+	}
+
+	public ScriptExpressionProfile getScriptExpressionProfile() {
+		return scriptExpressionProfile;
+	}
+
+	public void setScriptExpressionProfile(ScriptExpressionProfile scriptExpressionProfile) {
+		this.scriptExpressionProfile = scriptExpressionProfile;
 	}
 
 	public ScriptExpression getScriptExpression() {
 		return scriptExpression;
 	}
 
+	public void setScriptExpression(ScriptExpression scriptExpression) {
+		this.scriptExpression = scriptExpression;
+	}
+
 	public boolean isEvaluateNew() {
 		return evaluateNew;
 	}
@@ -72,6 +142,34 @@ public void setEvaluateNew(boolean evaluateNew) {
 		this.evaluateNew = evaluateNew;
 	}
 
+	public String getContextDescription() {
+		return contextDescription;
+	}
+
+	public void setContextDescription(String contextDescription) {
+		this.contextDescription = contextDescription;
+	}
+
+	public Task getTask() {
+		return task;
+	}
+
+	public void setTask(Task task) {
+		this.task = task;
+	}
+
+	public OperationResult getResult() {
+		return result;
+	}
+
+	public void setResult(OperationResult result) {
+		this.result = result;
+	}
+
+	public static ThreadLocal<ScriptExpressionEvaluationContext> getThreadlocalcontext() {
+		return threadLocalContext;
+	}
+
 	public void setupThreadLocal() {
 		threadLocalContext.set(this);
 	}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluator.java
index 3a7f0fdd7d6..271301cd93b 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,11 +17,14 @@
 
 import java.util.List;
 
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.common.LocalizationService;
 import com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator;
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
@@ -49,23 +52,37 @@ public class ScriptExpressionEvaluator<V extends PrismValue,D extends ItemDefini
 
 	private static final Trace LOGGER = TraceManager.getTrace(ScriptExpressionEvaluator.class);
 
-    ScriptExpressionEvaluator(ScriptExpressionEvaluatorType scriptType, ScriptExpression scriptExpression,
-		    SecurityContextManager securityContextManager, LocalizationService localizationService,
-		    PrismContext prismContext) {
-    	super(scriptType, securityContextManager, localizationService, prismContext);
+    ScriptExpressionEvaluator(QName elementName, ScriptExpressionEvaluatorType scriptType, D outputDefinition, Protector protector, PrismContext prismContext, 
+    		ScriptExpression scriptExpression,
+    		SecurityContextManager securityContextManager, LocalizationService localizationService) {
+    	super(elementName, scriptType, outputDefinition, protector, prismContext, securityContextManager, localizationService);
         this.scriptExpression = scriptExpression;
     }
-
+    
     @Override
+	protected void checkEvaluatorProfile(ExpressionEvaluationContext context) throws SecurityViolationException {
+    	// Do nothing here. The profile will be checked inside ScriptExpression.
+	}
+
+	@Override
 	protected List<V> transformSingleValue(ExpressionVariables variables, PlusMinusZero valueDestination, boolean useNew,
-			ExpressionEvaluationContext context, String contextDescription, Task task, OperationResult result)
+			ExpressionEvaluationContext eCtx, String contextDescription, Task task, OperationResult result)
 					throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ScriptExpressionReturnTypeType returnType = getExpressionEvaluatorType().getReturnType();
 		if (returnType == null && isRelative()) {
 			returnType = ScriptExpressionReturnTypeType.SCALAR;
 		}
-		scriptExpression.setAdditionalConvertor(context.getAdditionalConvertor());
-		return (List<V>) scriptExpression.evaluate(variables, returnType, useNew, contextDescription, task, result);
+		scriptExpression.setAdditionalConvertor(eCtx.getAdditionalConvertor());
+		ScriptExpressionEvaluationContext sCtx = new ScriptExpressionEvaluationContext();
+		sCtx.setVariables(variables);
+		sCtx.setSuggestedReturnType(returnType);
+		sCtx.setEvaluateNew(useNew);
+		sCtx.setContextDescription(contextDescription);
+		sCtx.setAdditionalConvertor(eCtx.getAdditionalConvertor());
+		sCtx.setTask(task);
+		sCtx.setResult(result);
+		
+		return (List<V>) scriptExpression.evaluate(sCtx);
 	}
 
 	/* (non-Javadoc)
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluatorFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluatorFactory.java
index df3033b9b92..76d09d7b427 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluatorFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,13 +27,16 @@
 
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.repo.common.expression.AbstractAutowiredExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectFactory;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionEvaluatorType;
 
@@ -43,10 +46,13 @@
  */
 @Component
 public class ScriptExpressionEvaluatorFactory extends AbstractAutowiredExpressionEvaluatorFactory {
+	
+	public static final QName ELEMENT_NAME = new ObjectFactory().createScript(new ScriptExpressionEvaluatorType()).getName();
 
 	@Autowired private ScriptExpressionFactory scriptExpressionFactory;
 	@Autowired private SecurityContextManager securityContextManager;
 	@Autowired private LocalizationService localizationService;
+	@Autowired private Protector protector;
 	@Autowired private PrismContext prismContext;
 
 	public ScriptExpressionEvaluatorFactory() {
@@ -64,7 +70,7 @@ public ScriptExpressionEvaluatorFactory(ScriptExpressionFactory scriptExpression
 
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createScript(new ScriptExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
@@ -72,7 +78,7 @@ public QName getElementName() {
 	 */
 	@Override
 	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-			D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
+			D outputDefinition, ExpressionProfile expressionProfile, ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException, SecurityViolationException {
 
 		if (evaluatorElements.size() > 1) {
 			throw new SchemaException("More than one evaluator specified in "+contextDescription);
@@ -85,9 +91,9 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
         }
         ScriptExpressionEvaluatorType scriptType = (ScriptExpressionEvaluatorType) evaluatorElementObject;
 
-        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, factory, contextDescription, task, result);
+		ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, expressionProfile, factory, contextDescription, task, result);
 
-        return new ScriptExpressionEvaluator<>(scriptType, scriptExpression, securityContextManager, localizationService, prismContext);
+        return new ScriptExpressionEvaluator<V,D>(ELEMENT_NAME, scriptType, outputDefinition, protector, prismContext, scriptExpression, securityContextManager, localizationService);
 
 	}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionFactory.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionFactory.java
index b6c08f88528..d871e641e38 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionFactory.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,13 +30,19 @@
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FunctionLibraryType;
@@ -109,21 +115,57 @@ public void setCacheRegistry(CacheRegistry registry) {
 		this.cacheRegistry = registry;
 	}
 
-	public ScriptExpression createScriptExpression(ScriptExpressionEvaluatorType expressionType, ItemDefinition outputDefinition,
-			ExpressionFactory expressionFactory, String shortDesc, Task task, OperationResult result) throws ExpressionSyntaxException {
+	public ScriptExpression createScriptExpression(ScriptExpressionEvaluatorType expressionType, ItemDefinition outputDefinition, 
+			ExpressionProfile expressionProfile, ExpressionFactory expressionFactory, String shortDesc, Task task, OperationResult result)
+					throws ExpressionSyntaxException, SecurityViolationException {
 
 		initializeCustomFunctionsLibraryCache(expressionFactory, task, result);
 		//cache cleanup method
 
-		ScriptExpression expression = new ScriptExpression(getEvaluator(getLanguage(expressionType), shortDesc), expressionType);
+		String language = getLanguage(expressionType);
+		ScriptExpression expression = new ScriptExpression(getEvaluator(language, shortDesc), expressionType);
 		expression.setOutputDefinition(outputDefinition);
 		expression.setObjectResolver(objectResolver);
 		Collection<FunctionLibrary> functionsToUse = new ArrayList<>(functions);
 		functionsToUse.addAll(customFunctionLibraryCache.values());
 		expression.setFunctions(functionsToUse);
+		
+		// It is not very elegant to process expression profile and script expression profile here.
+		// It is somehow redundant, as it was already pre-processed in the expression evaluator/factory
+		// We are throwing that out and we are processing it again. But maybe this is consequence of having
+		// the duality of Expression and ScriptExpression ... maybe the ScriptExpression is unnecessary abstraction
+		// and it should be removed.
+		expression.setExpressionProfile(expressionProfile);
+		expression.setScriptExpressionProfile(processScriptExpressionProfile(expressionProfile, language, shortDesc));
+		
 		return expression;
 	}
 
+	private ScriptExpressionProfile processScriptExpressionProfile(ExpressionProfile expressionProfile, String language, String shortDesc) throws SecurityViolationException {
+		if (expressionProfile == null) {
+			return null;
+		}
+		ExpressionEvaluatorProfile evaluatorProfile = expressionProfile.getEvaluatorProfile(ScriptExpressionEvaluatorFactory.ELEMENT_NAME);
+		if (evaluatorProfile == null) {
+			if (expressionProfile.getDecision() == AccessDecision.ALLOW) {
+				return null;
+			} else {
+				throw new SecurityViolationException("Access to script expression evaluator " +
+						" not allowed (expression profile: "+expressionProfile.getIdentifier()+") in "+shortDesc);
+			}
+		}
+		ScriptExpressionProfile scriptProfile = evaluatorProfile.getScriptExpressionProfile(language);
+		if (scriptProfile == null) {
+			if (evaluatorProfile.getDecision() == AccessDecision.ALLOW) {
+				return null;
+			} else {
+				throw new SecurityViolationException("Access to script language " + language +
+						" not allowed (expression profile: "+expressionProfile.getIdentifier()+") in "+shortDesc);
+			}
+		}
+		return scriptProfile;
+	}
+
 	// if performance becomes an issue, replace 'synchronized' with something more elaborate
 	private synchronized void initializeCustomFunctionsLibraryCache(ExpressionFactory expressionFactory, Task task,
 			OperationResult result) throws ExpressionSyntaxException {
@@ -137,12 +179,14 @@ private synchronized void initializeCustomFunctionsLibraryCache(ExpressionFactor
 			return;
 		}
 		OperationResult subResult = result
-				.createMinorSubresult(ScriptExpressionUtil.class.getName() + ".searchCustomFunctions");
+				.createMinorSubresult(ScriptExpressionFactory.class.getName() + ".searchCustomFunctions");
 		ResultHandler<FunctionLibraryType> functionLibraryHandler = (object, parentResult) -> {
+			// TODO: determine profile from function library archetype
+			ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile(); 
 			FunctionLibrary customLibrary = new FunctionLibrary();
 			customLibrary.setVariableName(object.getName().getOrig());
-			customLibrary
-					.setGenericFunctions(new CustomFunctions(object.asObjectable(), expressionFactory, result, task));
+			customLibrary.setGenericFunctions(
+					new CustomFunctions(object.asObjectable(), expressionFactory, expressionProfile, result, task));
 			customLibrary.setNamespace(MidPointConstants.NS_FUNC_CUSTOM);
 			customFunctionLibraryCache.put(object.getName().getOrig(), customLibrary);
 			return true;
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionUtil.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionUtil.java
deleted file mode 100644
index b5a527e7b5b..00000000000
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionUtil.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Copyright (c) 2010-2018 Evolveum
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.evolveum.midpoint.model.common.expression.script;
-
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import javax.xml.namespace.QName;
-
-import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
-import com.evolveum.midpoint.prism.PrismContext;
-import com.evolveum.midpoint.repo.common.ObjectResolver;
-import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
-import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
-import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
-import com.evolveum.midpoint.schema.constants.ExpressionConstants;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.util.exception.CommunicationException;
-import com.evolveum.midpoint.util.exception.ConfigurationException;
-import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
-import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
-import com.evolveum.midpoint.util.exception.SecurityViolationException;
-
-/**
- * @author semancik
- *
- */
-public class ScriptExpressionUtil {
-
-	public static Map<String,Object> prepareScriptVariables(ExpressionVariables variables, ObjectResolver objectResolver,
-			Collection<FunctionLibrary> functions,
-			String contextDescription, PrismContext prismContext, Task task, OperationResult result) throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
-		Map<String,Object> scriptVariables = new HashMap<>();
-		// Functions
-		if (functions != null) {
-			for (FunctionLibrary funcLib: functions) {
-				scriptVariables.put(funcLib.getVariableName(), funcLib.getGenericFunctions());
-			}
-		}
-		
-		// Variables
-		if (variables != null) {
-			for (Entry<QName, Object> variableEntry: variables.entrySet()) {
-				if (variableEntry.getKey() == null) {
-					// This is the "root" node. We have no use for it in JSR223, just skip it
-					continue;
-				}
-				String variableName = variableEntry.getKey().getLocalPart();
-				Object variableValue = ExpressionUtil.convertVariableValue(variableEntry.getValue(), variableName, objectResolver, contextDescription, prismContext, task, result);
-				scriptVariables.put(variableName, variableValue);
-			}
-		}
-
-		String prismContextName = ExpressionConstants.VAR_PRISM_CONTEXT.getLocalPart();
-		if (!scriptVariables.containsKey(prismContextName)) {
-			scriptVariables.put(prismContextName, prismContext);
-		}
-		return scriptVariables;
-	}
-
-}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/groovy/GroovyScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/groovy/GroovyScriptEvaluator.java
new file mode 100644
index 00000000000..99f6b1343e2
--- /dev/null
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/groovy/GroovyScriptEvaluator.java
@@ -0,0 +1,237 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression.script.groovy;
+
+
+import java.lang.reflect.Method;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.BooleanUtils;
+import org.codehaus.groovy.control.CompilerConfiguration;
+import org.codehaus.groovy.control.MultipleCompilationErrorsException;
+import org.codehaus.groovy.control.customizers.ASTTransformationCustomizer;
+import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
+import org.codehaus.groovy.control.messages.SyntaxErrorMessage;
+import org.codehaus.groovy.runtime.InvokerHelper;
+import org.codehaus.groovy.syntax.SyntaxException;
+
+import com.evolveum.midpoint.common.LocalizationService;
+import com.evolveum.midpoint.model.common.expression.script.AbstractCachingScriptEvaluator;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluationContext;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.schema.constants.MidPointConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionPermissionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+
+import groovy.lang.Binding;
+import groovy.lang.GroovyClassLoader;
+import groovy.lang.Script;
+import groovy.transform.CompileStatic;
+
+/**
+ * Expression evaluator that is using Groovy scripting engine.
+ *
+ * @author Radovan Semancik
+ * "Sandboxing" based on type checking inspired by work of Cédric Champeau (http://melix.github.io/blog/2015/03/sandboxing.html)
+ */
+public class GroovyScriptEvaluator extends AbstractCachingScriptEvaluator<GroovyClassLoader,Class> {
+
+	public static final String LANGUAGE_NAME = "Groovy";
+	public static final String LANGUAGE_URL = MidPointConstants.EXPRESSION_LANGUAGE_URL_BASE + LANGUAGE_NAME;
+	
+	static final String SANDBOX_ERROR_PREFIX = "[SANDBOX] ";
+	
+	/**
+	 * The name is not really used for anything serious. Maybe just for diagnostics.
+	 * But setting it to non-null to avoid confusing with the "null" profile.
+	 */
+	public static final String BUILTIN_EXPRESSION_PROFILE_NAME = "_groovyBuiltIn";
+	
+	/**
+	 * Expression profile for built-in groovy functions that always needs to be allowed
+	 * or denied.
+	 */
+	private static final ScriptExpressionProfile BUILTIN_SCRIPT_EXPRESSION_PROFILE = new ScriptExpressionProfile(BUILTIN_EXPRESSION_PROFILE_NAME);
+	
+	private static final Trace LOGGER = TraceManager.getTrace(GroovyScriptEvaluator.class);
+	
+//	private GroovyClassLoader allmightyGroovyLoader;
+
+	public GroovyScriptEvaluator(PrismContext prismContext, Protector protector, LocalizationService localizationService) {
+		super(prismContext, protector, localizationService);
+		
+		// No initialization here. Compilers/interpreters are initialized on demand.
+	}
+
+	/* (non-Javadoc)
+	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#getLanguageName()
+	 */
+	@Override
+	public String getLanguageName() {
+		return LANGUAGE_NAME;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#getLanguageUrl()
+	 */
+	@Override
+	public String getLanguageUrl() {
+		return LANGUAGE_URL;
+	}
+
+	@Override
+	protected void checkRestrictions(ScriptExpressionEvaluationContext context) throws SecurityViolationException {
+		ScriptExpressionProfile scriptExpressionProfile = context.getScriptExpressionProfile();
+		if (scriptExpressionProfile == null) {
+			// no restrictions
+			return;
+		}
+		if (!scriptExpressionProfile.hasRestrictions() && scriptExpressionProfile.getDecision() != AccessDecision.ALLOW) {
+			throw new SecurityViolationException("Script intepreter for language "+getLanguageName()
+			+" is not allowed in expression profile "+context.getExpressionProfile().getIdentifier()
+			+"; script execution prohibited in "+context.getContextDescription());
+		}
+	}
+
+	@Override
+	protected Class compileScript(String codeString, ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException, SecurityViolationException {
+		try {
+			return getGroovyLoader(context).parseClass(codeString, context.getContextDescription());
+		} catch (MultipleCompilationErrorsException e) {
+			String sandboxErrorMessage = getSandboxError(e);
+			if (sandboxErrorMessage == null) {
+				throw new ExpressionEvaluationException("Compilation error in " + context.getContextDescription() + ": " + e.getMessage(), e);
+			} else {
+				throw new SecurityViolationException("Denied access to functionality of script " + context.getContextDescription() + ": "+sandboxErrorMessage, e);
+			}
+		} catch (Throwable e) {
+			throw new ExpressionEvaluationException("Unexpected error during compilation of script in " + context.getContextDescription() + ": " + e.getMessage(), e);
+		}
+	}
+
+
+	private GroovyClassLoader getGroovyLoader(ScriptExpressionEvaluationContext context) throws SecurityViolationException {
+		GroovyClassLoader groovyClassLoader = getScriptCache().getInterpreter(context.getExpressionProfile());
+		if (groovyClassLoader != null) {
+			return groovyClassLoader;
+		}
+		ScriptExpressionProfile scriptExpressionProfile = context.getScriptExpressionProfile();
+		groovyClassLoader = createGroovyLoader(scriptExpressionProfile, context);
+		getScriptCache().putInterpreter(context.getExpressionProfile(), groovyClassLoader);
+		return groovyClassLoader;
+	}
+
+	private GroovyClassLoader createGroovyLoader(ScriptExpressionProfile expressionProfile, ScriptExpressionEvaluationContext context) throws SecurityViolationException {
+		CompilerConfiguration compilerConfiguration = new CompilerConfiguration(CompilerConfiguration.DEFAULT);
+		configureCompiler(compilerConfiguration, expressionProfile, context);
+		return new GroovyClassLoader(GroovyScriptEvaluator.class.getClassLoader(), compilerConfiguration);
+	}
+
+	private void configureCompiler(CompilerConfiguration compilerConfiguration, ScriptExpressionProfile scriptExpressionProfile, ScriptExpressionEvaluationContext context) throws SecurityViolationException {
+		if (scriptExpressionProfile == null) {
+			// No configuration is needed for "almighty" compiler. 
+			return;
+		}
+		if (!BooleanUtils.isTrue(scriptExpressionProfile.isTypeChecking())) {
+			if (scriptExpressionProfile.hasRestrictions()) {
+				throw new SecurityViolationException("Requested to apply restrictions to groovy script, but the script is not set to type checking mode, in "+context.getContextDescription());
+			}
+			return;
+		}
+		
+		SecureASTCustomizer sAstCustomizer = new SecureASTCustomizer();
+		compilerConfiguration.addCompilationCustomizers(sAstCustomizer);	
+		
+		ASTTransformationCustomizer astTransCustomizer = new ASTTransformationCustomizer(
+                Collections.singletonMap("extensions", Collections.singletonList(SandboxTypeCheckingExtension.class.getName())),			
+                CompileStatic.class);
+		compilerConfiguration.addCompilationCustomizers(astTransCustomizer);
+	}
+
+	private String getSandboxError(MultipleCompilationErrorsException e) {
+		List errors = e.getErrorCollector().getErrors();
+		if (errors == null) {
+			return null;
+		}
+		for (Object error : errors) {
+			if (!(error instanceof SyntaxErrorMessage)) {
+				continue;
+			}
+			SyntaxException cause = ((SyntaxErrorMessage)error).getCause();
+			
+			if (cause == null) {
+				continue;
+			}
+
+			String causeMessage = cause.getMessage();
+			if (causeMessage == null) {
+				continue;
+			}
+			int i = causeMessage.indexOf(SANDBOX_ERROR_PREFIX);
+			if (i < 0) {
+				continue;
+			}
+			return causeMessage.substring(i + SANDBOX_ERROR_PREFIX.length());
+		}
+		return null;
+	}
+
+	@Override
+	protected Object evaluateScript(Class compiledScriptClass, ScriptExpressionEvaluationContext context) throws Exception {
+		
+		if (!Script.class.isAssignableFrom(compiledScriptClass)) {
+            throw new ExpressionEvaluationException("Expected groovy script class, but got "+compiledScriptClass);
+		}
+		
+		Binding binding = new Binding(prepareScriptVariablesValueMap(context));
+		
+		Script scriptResultObject = InvokerHelper.createScript(compiledScriptClass, binding);
+		
+		Object resultObject = scriptResultObject.run();
+		
+		return resultObject;
+	}
+	
+	static AccessDecision decideGroovyBuiltin(String className, String methodName) {
+		return BUILTIN_SCRIPT_EXPRESSION_PROFILE.decideClassAccess(className, methodName);
+	}
+	
+	static {
+		ExpressionPermissionProfile permissionProfile = new ExpressionPermissionProfile(BUILTIN_EXPRESSION_PROFILE_NAME);
+		
+		// Allow script initialization
+		permissionProfile.addClassAccessRule(Script.class, "<init>", AccessDecision.ALLOW);
+		permissionProfile.addClassAccessRule(InvokerHelper.class, "runScript", AccessDecision.ALLOW);
+		
+		// Deny access to reflection. Reflection can circumvent the sandbox protection.
+		permissionProfile.addClassAccessRule(Class.class, null, AccessDecision.DENY);
+		permissionProfile.addClassAccessRule(Method.class, null, AccessDecision.DENY);
+		
+		permissionProfile.setDecision(AccessDecision.DEFAULT);
+		
+		BUILTIN_SCRIPT_EXPRESSION_PROFILE.setPermissionProfile(permissionProfile);
+		BUILTIN_SCRIPT_EXPRESSION_PROFILE.setDecision(AccessDecision.DEFAULT);
+	}
+
+}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/groovy/SandboxTypeCheckingExtension.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/groovy/SandboxTypeCheckingExtension.java
new file mode 100644
index 00000000000..eaa13e5f949
--- /dev/null
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/groovy/SandboxTypeCheckingExtension.java
@@ -0,0 +1,150 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression.script.groovy;
+
+import java.util.Collection;
+
+import org.codehaus.groovy.ast.ClassHelper;
+import org.codehaus.groovy.ast.ClassNode;
+import org.codehaus.groovy.ast.MethodNode;
+import org.codehaus.groovy.ast.expr.Expression;
+import org.codehaus.groovy.ast.expr.VariableExpression;
+import org.codehaus.groovy.transform.stc.AbstractTypeCheckingExtension;
+import org.codehaus.groovy.transform.stc.StaticTypeCheckingVisitor;
+
+import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluationContext;
+import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+
+/**
+ * @author Radovan Semancik
+ * Inspired by work of Cédric Champeau (http://melix.github.io/blog/2015/03/sandboxing.html)
+ *
+ */
+public class SandboxTypeCheckingExtension extends AbstractTypeCheckingExtension {
+	
+	private static final Trace LOGGER = TraceManager.getTrace(SandboxTypeCheckingExtension.class);
+
+	public SandboxTypeCheckingExtension(StaticTypeCheckingVisitor typeCheckingVisitor) {
+		super(typeCheckingVisitor);
+	}
+	
+	private ScriptExpressionEvaluationContext getContext() {
+		ScriptExpressionEvaluationContext context = ScriptExpressionEvaluationContext.getThreadLocal();
+		if (context == null) {
+			throw new AssertionError("No script execution context in thread-local variable during script compilation");
+		}
+		return context;
+	}
+
+	@Override
+    public void onMethodSelection(final Expression expression, final MethodNode target) {
+		ClassNode targetDeclaringClass = target.getDeclaringClass();
+//		LOGGER.info("GROOVY:onMethodSelection: target={}", target);
+//		LOGGER.info("GROOVY:onMethodSelection: target.name={}", target.getName());
+//		LOGGER.info("GROOVY:onMethodSelection: target.declaringClass={}", targetDeclaringClass);
+//		LOGGER.info("GROOVY:onMethodSelection: target.DeclaringClass.name={}", targetDeclaringClass.getName());
+//		LOGGER.info("GROOVY:onMethodSelection: target.DeclaringClass.typeClass={}", targetDeclaringClass.getTypeClass());
+		
+		AccessDecision decision = decideClass(targetDeclaringClass.getName(), target.getName());
+		
+		if (decision != AccessDecision.ALLOW) {
+			StringBuilder sb = new StringBuilder(GroovyScriptEvaluator.SANDBOX_ERROR_PREFIX);
+			sb.append("Access to Groovy method ");
+			sb.append(targetDeclaringClass.getName()).append("#").append(target.getName()).append(" ");
+			if (decision == AccessDecision.DENY) {
+				sb.append("denied");
+			} else {
+				sb.append("not allowed");
+			}
+			if (getContext().getExpressionProfile() != null) {
+				sb.append(" (applied expression profile '").append(getContext().getExpressionProfile().getIdentifier()).append("')");
+			}
+			addStaticTypeError(sb.toString(), expression);
+		}
+	}
+	
+	private AccessDecision decideClass(String className, String methodName) {
+		AccessDecision decision = GroovyScriptEvaluator.decideGroovyBuiltin(className, methodName);
+		LOGGER.trace("decideClass: builtin [{},{}] : {}", className, methodName, decision);
+		if (decision != AccessDecision.DEFAULT) {
+			return decision;
+		}
+		ScriptExpressionProfile scriptExpressionProfile = getContext().getScriptExpressionProfile();
+		if (scriptExpressionProfile == null) {
+			LOGGER.trace("decideClass: profile==null [{},{}] : ALLOW", className, methodName);
+			return AccessDecision.ALLOW;
+		}
+		decision = scriptExpressionProfile.decideClassAccess(className, methodName);
+		LOGGER.trace("decideClass: profile({}) [{},{}] : {}", getContext().getExpressionProfile().getIdentifier(), className, methodName, decision);
+		return decision;
+	}
+
+	@Override
+	public boolean handleUnresolvedVariableExpression(VariableExpression vexp) {
+		String variableName = vexp.getName();
+//		LOGGER.info("GROOVY:handleUnresolvedVariableExpression: variableName={}", variableName);
+		ScriptExpressionEvaluationContext context = getContext();
+		String contextDescription = context.getContextDescription();
+		
+		if (!isDynamic(vexp)) {
+			LOGGER.error("Unresolved script variable {} because it is not dynamic, in {}", contextDescription);
+			return false;
+		}
+		
+		ExpressionVariables variables = context.getVariables();
+		if (variables != null) {
+			TypedValue variableTypedValue = variables.get(variableName);
+			if (variableTypedValue != null) {
+				Class variableClass;
+				try {
+					variableClass = variableTypedValue.determineClass();
+				} catch (SchemaException e) {
+					String msg = "Cannot determine type of variable '"+variableName+"' ("+variableTypedValue+") in "+contextDescription+": "+e.getMessage();
+					LOGGER.error("{}", msg);
+					throw new IllegalStateException(msg, e);
+				}
+				LOGGER.trace("Determine script variable {} as expression variable, class {} in {}", variableName, variableClass, contextDescription);
+				storeType(vexp, ClassHelper.make(variableClass));
+				setHandled(true);
+				return true;
+			}
+		}
+		
+		Collection<FunctionLibrary> functions = context.getFunctions();
+		if (functions != null) {
+			for (FunctionLibrary function : functions) {
+				if (function.getVariableName().equals(variableName)) {
+					Class functionClass = function.getGenericFunctions().getClass();
+					LOGGER.trace("Determine script variable {} as function library, class {} in {}", variableName, functionClass, contextDescription);
+					storeType(vexp, ClassHelper.make(functionClass));
+					setHandled(true);
+					return true;
+				}
+			}
+		}
+		
+		LOGGER.error("Unresolved script variable {} because no declaration for it cannot be found in {}", contextDescription);
+		return false;
+    }
+}
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/jsr223/Jsr223ScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/jsr223/Jsr223ScriptEvaluator.java
index 8c7f85f684b..45780def326 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/jsr223/Jsr223ScriptEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/jsr223/Jsr223ScriptEvaluator.java
@@ -34,7 +34,7 @@
 import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
 import com.evolveum.midpoint.model.common.expression.script.AbstractCachingScriptEvaluator;
 import com.evolveum.midpoint.model.common.expression.script.ScriptEvaluator;
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionUtil;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluationContext;
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
@@ -61,11 +61,14 @@
 
 /**
  * Expression evaluator that is using javax.script (JSR-223) engine.
+ * 
+ * This evaluator does not really support expression profiles. It has just one
+ * global almighty compiler (ScriptEngine).
  *
  * @author Radovan Semancik
  *
  */
-public class Jsr223ScriptEvaluator extends AbstractCachingScriptEvaluator<CompiledScript> {
+public class Jsr223ScriptEvaluator extends AbstractCachingScriptEvaluator<ScriptEngine,CompiledScript> {
 	
 	private static final Trace LOGGER = TraceManager.getTrace(Jsr223ScriptEvaluator.class);
 
@@ -81,61 +84,56 @@ public Jsr223ScriptEvaluator(String engineName, PrismContext prismContext, Prote
 			throw new SystemException("The JSR-223 scripting engine for '"+engineName+"' was not found");
 		}
 	}
-
 	
 	@Override
-	protected CompiledScript compileScript(String codeString, String contextDescription) throws Exception {
+	protected CompiledScript compileScript(String codeString, ScriptExpressionEvaluationContext context) throws Exception {
 		return ((Compilable)scriptEngine).compile(codeString);
 	}
 	
 	@Override
-	protected Object evaluateScript(CompiledScript compiledScript, ExpressionVariables variables,
-			ObjectResolver objectResolver, Collection<FunctionLibrary> functions, String contextDescription,
-			Task task, OperationResult result) throws Exception {
+	protected Object evaluateScript(CompiledScript compiledScript, ScriptExpressionEvaluationContext context) throws Exception {
 		
-		Bindings bindings = convertToBindings(variables, objectResolver, functions, contextDescription, task, result);
+		Bindings bindings = convertToBindings(context);
 		return compiledScript.eval(bindings);
 	}
 	
-	private Bindings convertToBindings(ExpressionVariables variables, ObjectResolver objectResolver,
-			   Collection<FunctionLibrary> functions, String contextDescription, Task task, OperationResult result) 
+	private Bindings convertToBindings(ScriptExpressionEvaluationContext context) 
 					   throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 		Bindings bindings = scriptEngine.createBindings();
-		bindings.putAll(getVariablesMap(variables, objectResolver, functions, contextDescription, task, result));
+		bindings.putAll(prepareScriptVariablesValueMap(context));
 		return bindings;
 	}
 	
 
-	public <T> Object evaluateReportScript(String codeString, ExpressionVariables variables, ObjectResolver objectResolver, Collection<FunctionLibrary> functions,
-			String contextDescription, OperationResult result) throws ExpressionEvaluationException,
-			ObjectNotFoundException, ExpressionSyntaxException, CommunicationException, ConfigurationException, SecurityViolationException {
-
-		Bindings bindings = convertToBindings(variables, objectResolver, functions, contextDescription, (Task) null, result);
-
-//		String codeString = code;
-		if (codeString == null) {
-			throw new ExpressionEvaluationException("No script code in " + contextDescription);
-		}
-
-		boolean allowEmptyValues = true;
-//		if (expressionType.isAllowEmptyValues() != null) {
-//			allowEmptyValues = expressionType.isAllowEmptyValues();
+//	public <T> Object evaluateReportScript(String codeString, ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException,
+//			ObjectNotFoundException, ExpressionSyntaxException, CommunicationException, ConfigurationException, SecurityViolationException {
+//
+//		Bindings bindings = convertToBindings(context);
+//
+////		String codeString = code;
+//		if (codeString == null) {
+//			throw new ExpressionEvaluationException("No script code in " + context.getContextDescription());
 //		}
-
-		CompiledScript compiledScript = getCompiledScript(codeString, contextDescription);
-
-		Object evalRawResult;
-		try {
-			InternalMonitor.recordCount(InternalCounters.SCRIPT_EXECUTION_COUNT);
-			evalRawResult = compiledScript.eval(bindings);
-		} catch (Throwable e) {
-			throw new ExpressionEvaluationException(e.getMessage() + " in " + contextDescription, e);
-		}
-
-
-
-		return evalRawResult;
-	}
+//
+//		boolean allowEmptyValues = true;
+////		if (expressionType.isAllowEmptyValues() != null) {
+////			allowEmptyValues = expressionType.isAllowEmptyValues();
+////		}
+//
+//		CompiledScript compiledScript = getCompiledScript(codeString, context);
+//
+//		Object evalRawResult;
+//		try {
+//			InternalMonitor.recordCount(InternalCounters.SCRIPT_EXECUTION_COUNT);
+//			evalRawResult = compiledScript.eval(bindings);
+//		} catch (Throwable e) {
+//			throw new ExpressionEvaluationException(e.getMessage() + " in " + context.getContextDescription(), e);
+//		}
+//
+//
+//
+//		return evalRawResult;
+//	}
 
 
 	/* (non-Javadoc)
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/velocity/VelocityScriptEvaluator.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/velocity/VelocityScriptEvaluator.java
index fd83a90f1cb..e092de178be 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/velocity/VelocityScriptEvaluator.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/velocity/VelocityScriptEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,9 +15,11 @@
  */
 package com.evolveum.midpoint.model.common.expression.script.velocity;
 
+import com.evolveum.midpoint.common.LocalizationService;
 import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
+import com.evolveum.midpoint.model.common.expression.script.AbstractScriptEvaluator;
 import com.evolveum.midpoint.model.common.expression.script.ScriptEvaluator;
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionUtil;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluationContext;
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismValue;
@@ -53,60 +55,52 @@
  * @author mederly
  *
  */
-public class VelocityScriptEvaluator implements ScriptEvaluator {
+public class VelocityScriptEvaluator extends AbstractScriptEvaluator {
 
 	private static final String LANGUAGE_URL_BASE = MidPointConstants.NS_MIDPOINT_PUBLIC_PREFIX + "/expression/language#";
 
-	private PrismContext prismContext;
-	private Protector protector;
-
-	public VelocityScriptEvaluator(PrismContext prismContext, Protector protector) {
-		this.prismContext = prismContext;
-		this.protector = protector;
+	public VelocityScriptEvaluator(PrismContext prismContext, Protector protector, LocalizationService localizationService) {
+		super(prismContext, protector, localizationService);
 		Properties properties = new Properties();
 //		properties.put("runtime.references.strict", "true");
 		Velocity.init(properties);
 	}
 
 	@Override
-	public <T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluatorType expressionType,
-			ExpressionVariables variables, ItemDefinition outputDefinition,
-			Function<Object, Object> additionalConvertor,
-			ScriptExpressionReturnTypeType suggestedReturnType,
-			ObjectResolver objectResolver, Collection<FunctionLibrary> functions,
-			String contextDescription, Task task, OperationResult result) throws ExpressionEvaluationException,
+	public <T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException,
 			ObjectNotFoundException, ExpressionSyntaxException, CommunicationException, ConfigurationException, SecurityViolationException {
+		checkRestrictions(context);
 
-		VelocityContext context = createVelocityContext(variables, objectResolver, functions, contextDescription, task, result);
+		VelocityContext velocityCtx = createVelocityContext(context);
 
-		String codeString = expressionType.getCode();
+		String codeString = context.getExpressionType().getCode();
 		if (codeString == null) {
-			throw new ExpressionEvaluationException("No script code in " + contextDescription);
+			throw new ExpressionEvaluationException("No script code in " + context.getContextDescription());
 		}
 
 		boolean allowEmptyValues = false;
-		if (expressionType.isAllowEmptyValues() != null) {
-			allowEmptyValues = expressionType.isAllowEmptyValues();
+		if (context.getExpressionType().isAllowEmptyValues() != null) {
+			allowEmptyValues = context.getExpressionType().isAllowEmptyValues();
 		}
 
 		StringWriter resultWriter = new StringWriter();
 		try {
 			InternalMonitor.recordCount(InternalCounters.SCRIPT_EXECUTION_COUNT);
-			Velocity.evaluate(context, resultWriter, "", codeString);
+			Velocity.evaluate(velocityCtx, resultWriter, "", codeString);
 		} catch (RuntimeException e) {
-			throw new ExpressionEvaluationException(e.getMessage() + " in " + contextDescription, e);
+			throw new ExpressionEvaluationException(e.getMessage() + " in " + context.getContextDescription(), e);
 		}
 
-		if (outputDefinition == null) {
+		if (context.getOutputDefinition() == null) {
 			// No outputDefinition means "void" return type, we can return right now
 			return null;
 		}
 
-		QName xsdReturnType = outputDefinition.getTypeName();
+		QName xsdReturnType = context.getOutputDefinition().getTypeName();
 
 		Class<T> javaReturnType = XsdTypeMapper.toJavaType(xsdReturnType);
 		if (javaReturnType == null) {
-			javaReturnType = prismContext.getSchemaRegistry().getCompileTimeClass(xsdReturnType);
+			javaReturnType = getPrismContext().getSchemaRegistry().getCompileTimeClass(xsdReturnType);
 		}
 
 		if (javaReturnType == null) {
@@ -117,28 +111,25 @@ public <T, V extends PrismValue> List<V> evaluate(ScriptExpressionEvaluatorType
 
 		T evalResult;
 		try {
-			evalResult = ExpressionUtil.convertValue(javaReturnType, additionalConvertor, resultWriter.toString(), protector, prismContext);
+			evalResult = ExpressionUtil.convertValue(javaReturnType, context.getAdditionalConvertor(), resultWriter.toString(), getProtector(), getPrismContext());
 		} catch (IllegalArgumentException e) {
-			throw new ExpressionEvaluationException(e.getMessage()+" in "+contextDescription, e);
+			throw new ExpressionEvaluationException(e.getMessage()+" in "+context.getContextDescription(), e);
 		}
 
 		List<V> pvals = new ArrayList<>();
 		if (allowEmptyValues || !ExpressionUtil.isEmpty(evalResult)) {
-			pvals.add((V) ExpressionUtil.convertToPrismValue(evalResult, outputDefinition, contextDescription, prismContext));
+			pvals.add((V) ExpressionUtil.convertToPrismValue(evalResult, context.getOutputDefinition(), context.getContextDescription(), getPrismContext()));
 		}
 		return pvals;
 	}
 
-	private VelocityContext createVelocityContext(ExpressionVariables variables, ObjectResolver objectResolver,
-									   Collection<FunctionLibrary> functions,
-									   String contextDescription, Task task, OperationResult result) throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
-		VelocityContext context = new VelocityContext();
-		Map<String,Object> scriptVariables = ScriptExpressionUtil.prepareScriptVariables(variables, objectResolver, functions, contextDescription,
-				prismContext, task, result);
+	private VelocityContext createVelocityContext(ScriptExpressionEvaluationContext context) throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+		VelocityContext velocityCtx = new VelocityContext();
+		Map<String,Object> scriptVariables = prepareScriptVariablesValueMap(context);
 		for (Map.Entry<String,Object> scriptVariable : scriptVariables.entrySet()) {
-			context.put(scriptVariable.getKey(), scriptVariable.getValue());
+			velocityCtx.put(scriptVariable.getKey(), scriptVariable.getValue());
 		}
-		return context;
+		return velocityCtx;
 	}
 
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/mapping/MappingImpl.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/mapping/MappingImpl.java
index f469f60c534..ec35b27077b 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/mapping/MappingImpl.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/mapping/MappingImpl.java
@@ -28,6 +28,10 @@
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.schema.SchemaConstantsGenerated;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
 
@@ -88,8 +92,10 @@ public class MappingImpl<V extends PrismValue,D extends ItemDefinition> implemen
 	private final MappingType mappingType;
 	private final ExpressionFactory expressionFactory;
 	private final ExpressionVariables variables;
+	private final PrismContext prismContext;
 
 	private final ObjectDeltaObject<?> sourceContext;
+	private TypedValue<ObjectDeltaObject<?>> typedSourceContext; // cahced
 	private final Collection<Source<?,?>> sources;
 	private final Source<?,?> defaultSource;
 
@@ -97,6 +103,7 @@ public class MappingImpl<V extends PrismValue,D extends ItemDefinition> implemen
 	private final ItemPath defaultTargetPath;
 	private final D defaultTargetDefinition;
 	private final Collection<V> originalTargetValues;
+	private final ExpressionProfile expressionProfile;
 
 	private final ObjectResolver objectResolver;
     private final SecurityContextManager securityContextManager;          // in order to get c:actor variable
@@ -147,6 +154,7 @@ public class MappingImpl<V extends PrismValue,D extends ItemDefinition> implemen
 	private static final Trace LOGGER = TraceManager.getTrace(MappingImpl.class);
 
 	private MappingImpl(Builder<V,D> builder) {
+		prismContext = builder.prismContext;
 		expressionFactory = builder.expressionFactory;
 		variables = builder.variables;
 		mappingType = builder.mappingType;
@@ -154,6 +162,7 @@ private MappingImpl(Builder<V,D> builder) {
 		securityContextManager = builder.securityContextManager;
 		defaultSource = builder.defaultSource;
 		defaultTargetDefinition = builder.defaultTargetDefinition;
+		expressionProfile = builder.expressionProfile;
 		defaultTargetPath = builder.defaultTargetPath;
 		originalTargetValues = builder.originalTargetValues;
 		sourceContext = builder.sourceContext;
@@ -220,6 +229,16 @@ public PrismObjectDefinition<?> getTargetContext() {
 	public String getContextDescription() {
 		return contextDescription;
 	}
+	
+	private TypedValue<ObjectDeltaObject<?>> getTypedSourceContext() {
+		if (sourceContext == null) {
+			return null;
+		}
+		if (typedSourceContext == null) {
+			typedSourceContext = new TypedValue<ObjectDeltaObject<?>>(sourceContext, sourceContext.getDefinition());
+		}
+		return typedSourceContext;
+	}
 
 	public String getMappingContextDescription() {
 		if (mappingContextDescription == null) {
@@ -310,7 +329,7 @@ public boolean isConditionMaskNew() {
 	}
 
 	private PrismContext getPrismContext() {
-		return outputDefinition.getPrismContext();
+		return prismContext;
 	}
 
 	@SuppressWarnings("unused")
@@ -506,12 +525,12 @@ private void checkRange(Task task, OperationResult result)
 
 	private void checkRangeTarget(Task task, OperationResult result)
 			throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
-		QName name = outputPath.lastName();
+		String name = outputPath.lastName().getLocalPart();
 		if (originalTargetValues == null) {
 			throw new IllegalStateException("Couldn't check range for mapping in " + contextDescription + ", as original target values are not known.");
 		}
 		ValueSetDefinitionType rangetSetDefType = mappingType.getTarget().getSet();
-		ValueSetDefinition setDef = new ValueSetDefinition(rangetSetDefType, name, "range of "+name.getLocalPart()+" in "+getMappingContextDescription(), task, result);
+		ValueSetDefinition setDef = new ValueSetDefinition(rangetSetDefType, expressionProfile, name, "range of "+name+" in "+getMappingContextDescription(), task, result);
 		setDef.init(expressionFactory);
 		setDef.setAdditionalVariables(variables);
 		for (V originalValue : originalTargetValues) {
@@ -560,10 +579,10 @@ private boolean isInRange(V value, Task task, OperationResult result) throws Exp
 			// artificially create parent for PCV in order to pass it to expression
 			PrismContainer.createParentIfNeeded((PrismContainerValue) value, outputDefinition);
 		}
-		variables.addVariableDefinition(ExpressionConstants.VAR_VALUE, value);
+		variables.addVariableDefinition(ExpressionConstants.VAR_VALUE, value, value.getParent().getDefinition());
 
 		PrismPropertyDefinition<Boolean> outputDef = getPrismContext().definitionFactory().createPropertyDefinition(SchemaConstantsGenerated.C_VALUE, DOMUtil.XSD_BOOLEAN, null, false);
-		PrismPropertyValue<Boolean> rv = ExpressionUtil.evaluateExpression(variables, outputDef, range.getIsInSetExpression(), expressionFactory, "isInSet expression in " + contextDescription, task, result);
+		PrismPropertyValue<Boolean> rv = ExpressionUtil.evaluateExpression(variables, outputDef, range.getIsInSetExpression(), expressionProfile, expressionFactory, "isInSet expression in " + contextDescription, task, result);
 
 		// but now remove the parent! TODO: PM: why???
 //		if (value.getParent() != null) {
@@ -833,7 +852,7 @@ private XMLGregorianCalendar parseTimeSource(VariableBindingDefinitionType sourc
 			throw new SchemaException("Empty source path in "+getMappingContextDescription());
 		}
 
-		Object sourceObject = ExpressionUtil.resolvePath(path, variables, false, sourceContext, objectResolver, "reference time definition in "+getMappingContextDescription(), task, result);
+		Object sourceObject = ExpressionUtil.resolvePathGetValue(path, variables, false, getTypedSourceContext(), objectResolver, getPrismContext(), "reference time definition in "+getMappingContextDescription(), task, result);
 		if (sourceObject == null) {
 			return null;
 		}
@@ -884,12 +903,14 @@ private <IV extends PrismValue, ID extends ItemDefinition> Source<IV,ID> parseSo
 		if (path.isEmpty()) {
 			throw new SchemaException("Empty source path in "+getMappingContextDescription());
 		}
-		QName name = sourceType.getName();
-		if (name == null) {
-			name = ItemPath.toName(path.last());
+		QName sourceQName = sourceType.getName();
+		if (sourceQName == null) {
+			sourceQName = ItemPath.toName(path.last());
 		}
+		String variableName = sourceQName.getLocalPart();
 		ItemPath resolvePath = path;
-		Object sourceObject = ExpressionUtil.resolvePath(path, variables, true, sourceContext, objectResolver, "source definition in "+getMappingContextDescription(), task, result);
+		TypedValue typedSourceObject = ExpressionUtil.resolvePathGetTypedValue(path, variables, true, getTypedSourceContext(), objectResolver, getPrismContext(), "source definition in "+getMappingContextDescription(), task, result);
+		Object sourceObject = typedSourceObject.getValue();
 		Item<IV,ID> itemOld = null;
 		ItemDelta<IV,ID> delta = null;
 		Item<IV,ID> itemNew = null;
@@ -922,7 +943,7 @@ private <IV extends PrismValue, ID extends ItemDefinition> Source<IV,ID> parseSo
 		// apply domain
 		ValueSetDefinitionType domainSetType = sourceType.getSet();
 		if (domainSetType != null) {
-			ValueSetDefinition setDef = new ValueSetDefinition(domainSetType, name, "domain of "+name.getLocalPart()+" in "+getMappingContextDescription(), task, result);
+			ValueSetDefinition setDef = new ValueSetDefinition(domainSetType, expressionProfile, variableName, "domain of "+variableName+" in "+getMappingContextDescription(), task, result);
 			setDef.init(expressionFactory);
 			setDef.setAdditionalVariables(variables);
 			try {
@@ -962,7 +983,7 @@ private <IV extends PrismValue, ID extends ItemDefinition> Source<IV,ID> parseSo
 			}
 		}
 
-		Source<IV,ID> source = new Source<>(itemOld, delta, itemNew, name);
+		Source<IV,ID> source = new Source<>(itemOld, delta, itemNew, sourceQName, (ID)typedSourceObject.getDefinition());
 		source.setResidualPath(residualPath);
 		source.setResolvePath(resolvePath);
 		source.setSubItemDeltas(subItemDeltas);
@@ -1062,7 +1083,7 @@ private void evaluateCondition(Task task, OperationResult result) throws SchemaE
 			return;
 		}
 		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression =
-				ExpressionUtil.createCondition(conditionExpressionType, expressionFactory,
+				ExpressionUtil.createCondition(conditionExpressionType, expressionProfile, expressionFactory,
 				"condition in "+getMappingContextDescription(), task, result);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(sources, variables,
 				"condition in "+getMappingContextDescription(), task, result);
@@ -1082,7 +1103,7 @@ private void evaluateExpression(Task task, OperationResult result, boolean condi
 		if (mappingType != null) {
 			expressionType = mappingType.getExpression();
 		}
-		expression = expressionFactory.makeExpression(expressionType, outputDefinition,
+		expression = expressionFactory.makeExpression(expressionType, outputDefinition, expressionProfile,
 				"expression in "+getMappingContextDescription(), task, result);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(sources, variables,
 				"expression in "+getMappingContextDescription(), task, result);
@@ -1185,6 +1206,7 @@ public PrismValueDeltaSetTripleProducer<V, D> clone() {
 				.conditionMaskOld(conditionMaskOld)
 				.defaultSource(defaultSource)
 				.defaultTargetDefinition(defaultTargetDefinition)
+				.expressionProfile(expressionProfile)
 				.objectResolver(objectResolver)
 				.originObject(originObject)
 				.originType(originType)
@@ -1213,8 +1235,8 @@ public int hashCode() {
 		result = prime * result + (conditionMaskOld ? 1231 : 1237);
 		result = prime * result + ((conditionOutputTriple == null) ? 0 : conditionOutputTriple.hashCode());
 		result = prime * result + ((defaultSource == null) ? 0 : defaultSource.hashCode());
-		result = prime * result
-				+ ((defaultTargetDefinition == null) ? 0 : defaultTargetDefinition.hashCode());
+		result = prime * result + ((defaultTargetDefinition == null) ? 0 : defaultTargetDefinition.hashCode());
+		result = prime * result + ((expressionProfile == null) ? 0 : expressionProfile.hashCode());
 		result = prime * result + ((expressionFactory == null) ? 0 : expressionFactory.hashCode());
 		result = prime * result + ((mappingType == null) ? 0 : mappingType.hashCode());
 		result = prime * result + ((objectResolver == null) ? 0 : objectResolver.hashCode());
@@ -1258,6 +1280,11 @@ public boolean equals(Object obj) {
 				return false;
 		} else if (!defaultTargetDefinition.equals(other.defaultTargetDefinition))
 			return false;
+		if (expressionProfile == null) {
+			if (other.expressionProfile != null)
+				return false;
+		} else if (!expressionProfile.equals(other.expressionProfile))
+			return false;
 		if (expressionFactory == null) {
 			if (other.expressionFactory != null)
 				return false;
@@ -1396,6 +1423,7 @@ public static final class Builder<V extends PrismValue, D extends ItemDefinition
 		private SecurityContextManager securityContextManager;
 		private Source<?,?> defaultSource;
 		private D defaultTargetDefinition;
+		private ExpressionProfile expressionProfile;
 		private ItemPath defaultTargetPath;
 		private Collection<V> originalTargetValues;
 		private ObjectDeltaObject<?> sourceContext;
@@ -1452,6 +1480,11 @@ public Builder<V,D> defaultTargetDefinition(D val) {
 			defaultTargetDefinition = val;
 			return this;
 		}
+		
+		public Builder<V,D> expressionProfile(ExpressionProfile val) {
+			expressionProfile = val;
+			return this;
+		}
 
 		public Builder<V,D> defaultTargetPath(ItemPath val) {
 			defaultTargetPath = val;
@@ -1464,6 +1497,9 @@ public Builder<V,D> originalTargetValues(Collection<V> values) {
 		}
 
 		public Builder<V,D> sourceContext(ObjectDeltaObject<?> val) {
+			if (val.getDefinition() == null) {
+				throw new IllegalArgumentException("Attempt to set mapping source context without a definition");
+			}
 			sourceContext = val;
 			return this;
 		}
@@ -1658,39 +1694,21 @@ public RefinedObjectClassDefinition getRefinedObjectClassDefinition() {
 		}
 
 		public Builder<V, D> rootNode(ObjectReferenceType objectRef) {
-			return addVariableDefinition(null,(Object)objectRef);
+			return addVariableDefinition(null, objectRef);
 		}
 
 		public Builder<V, D> rootNode(ObjectDeltaObject<?> odo) {
-			return addVariableDefinition(null,(Object)odo);
-		}
-
-		public Builder<V, D> rootNode(ObjectType objectType) {
-			return addVariableDefinition(null,(Object)objectType);
-		}
-
-		public Builder<V, D> rootNode(PrismObject<? extends ObjectType> mpObject) {
-			return addVariableDefinition(null,(Object)mpObject);
-		}
-
-		@Deprecated
-		public void setRootNode(ObjectReferenceType objectRef) {
-			rootNode(objectRef);
-		}
-
-		@Deprecated
-		public void setRootNode(ObjectDeltaObject<?> odo) {
-			rootNode(odo);
+			return addVariableDefinition(null, odo);
 		}
 
-		@Deprecated
-		public void setRootNode(ObjectType objectType) {
-			rootNode(objectType);
+		public <O extends ObjectType> Builder<V, D> rootNode(O objectType, PrismObjectDefinition<O> definition) {
+			variables.put(null, objectType, definition);
+			return this;
 		}
 
-		@Deprecated
-		public void setRootNode(PrismObject<? extends ObjectType> mpObject) {
-			rootNode(mpObject);
+		public <O extends ObjectType> Builder<V, D> rootNode(PrismObject<? extends ObjectType> mpObject, PrismObjectDefinition<O> definition) {
+			variables.put(null, mpObject, definition);
+			return this;
 		}
 
 		public PrismContext getPrismContext() {
@@ -1701,54 +1719,73 @@ public Builder<V, D> addVariableDefinition(ExpressionVariableDefinitionType varD
 			if (varDef.getObjectRef() != null) {
 				ObjectReferenceType ref = varDef.getObjectRef();
 				ref.setType(getPrismContext().getSchemaRegistry().qualifyTypeName(ref.getType()));
-				return addVariableDefinition(varDef.getName(), ref);
+				return addVariableDefinition(varDef.getName().getLocalPart(), ref);
 			} else if (varDef.getValue() != null) {
-				return addVariableDefinition(varDef.getName(),varDef.getValue());
+				// This is raw value. We do have definition here. The best we can do is autodetect.
+				// Expression evaluation code will do that as a fallback behavior.
+				return addVariableDefinition(varDef.getName().getLocalPart(), varDef.getValue(), Object.class);
 			} else {
 				LOGGER.warn("Empty definition of variable {} in {}, ignoring it", varDef.getName(), getContextDescription());
 				return this;
 			}
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, ObjectReferenceType objectRef) {
-			return addVariableDefinition(name, (Object)objectRef);
+		public Builder<V, D> addVariableDefinition(String name, ObjectReferenceType objectRef) {
+			return addVariableDefinition(name, (Object)objectRef, objectRef.asReferenceValue().getDefinition());
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, ObjectType objectType) {
-			return addVariableDefinition(name,(Object)objectType);
+		public <O extends ObjectType> Builder<V, D> addVariableDefinition(String name, O objectType, Class<O> expectedClass) {
+			// Maybe determine definiton from schema registry here in case that object is null. We can do that here.
+			variables.putObject(name, objectType, expectedClass);
+			return this;
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, PrismObject<? extends ObjectType> midpointObject) {
-			return addVariableDefinition(name,(Object)midpointObject);
+		public <O extends ObjectType> Builder<V, D> addVariableDefinition(String name, PrismObject<O> midpointObject, Class<O> expectedClass) {
+			// Maybe determine definiton from schema registry here in case that object is null. We can do that here.
+			variables.putObject(name, midpointObject, expectedClass);
+			return this;
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, String value) {
-			return addVariableDefinition(name,(Object)value);
+		public Builder<V, D> addVariableDefinition(String name, String value) {
+			MutablePrismPropertyDefinition<Object> def = prismContext.definitionFactory().createPropertyDefinition(
+					new QName(SchemaConstants.NS_C, name), PrimitiveType.STRING.getQname());
+			return addVariableDefinition(name, (Object)value, def);
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, int value) {
-			return addVariableDefinition(name,(Object)value);
+		public Builder<V, D> addVariableDefinition(String name, int value) {
+			MutablePrismPropertyDefinition<Object> def = prismContext.definitionFactory().createPropertyDefinition(
+					new QName(SchemaConstants.NS_C, name), PrimitiveType.INT.getQname());
+			return addVariableDefinition(name, (Object)value, def);
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, Element value) {
-			return addVariableDefinition(name,(Object)value);
-		}
+//		public Builder<V, D> addVariableDefinition(String name, Element value) {
+//			return addVariableDefinition(name, (Object)value);
+//		}
 
-		public Builder<V, D> addVariableDefinition(QName name, PrismValue value) {
-			return addVariableDefinition(name,(Object)value);
+		public Builder<V, D> addVariableDefinition(String name, PrismValue value) {
+			return addVariableDefinition(name, (Object)value, value.getParent().getDefinition());
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, ObjectDeltaObject<?> value) {
-			return addVariableDefinition(name,(Object)value);
+		public Builder<V, D> addVariableDefinition(String name, ObjectDeltaObject<?> value) {
+			PrismObjectDefinition<?> definition = value.getDefinition();
+			if (definition == null) {
+				throw new IllegalArgumentException("Attempt to set variable '"+name+"' as ODO without a definition: "+value);
+			}
+			return addVariableDefinition(name,(Object)value, definition);
 		}
 
-		public Builder<V, D> addVariableDefinitions(Map<QName, Object> extraVariables) {
-			variables.addVariableDefinitions(extraVariables);
+		public Builder<V, D> addVariableDefinitions(VariablesMap extraVariables) {
+			variables.putAll(extraVariables);
 			return this;
 		}
 
-		public Builder<V, D> addVariableDefinition(QName name, Object value) {
-			variables.addVariableDefinition(name, value);
+		public Builder<V, D> addVariableDefinition(String name, Object value, ItemDefinition definition) {
+			variables.put(name, value, definition);
+			return this;
+		}
+		
+		public Builder<V, D> addVariableDefinition(String name, Object value, Class<?> typeClass) {
+			variables.put(name, value, typeClass);
 			return this;
 		}
 
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java
index aff54adb35b..81c7b88c52c 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,9 +26,15 @@
 import java.util.Set;
 import java.util.function.Consumer;
 
+import com.evolveum.midpoint.prism.MutablePrismPropertyDefinition;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.prism.path.ItemName;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.schema.util.LocalizationUtil;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.util.LocalizableMessage;
 import com.evolveum.midpoint.util.LocalizableMessageBuilder;
 import com.evolveum.midpoint.util.LocalizableMessageList;
@@ -53,6 +59,7 @@
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.task.api.Task;
@@ -155,7 +162,9 @@ public <O extends ObjectType> String generate(ItemPath path, ValuePolicyType pol
 			if (result.isError()) {
 				throw new ExpressionEvaluationException(result.getMessage());
 			}
-			if (checkAttempt(generatedValue, policy, originResolver, shortDesc, task, result)) {
+			// TODO: this needs to be determined from ValuePolicyType archetype
+			ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
+			if (checkAttempt(generatedValue, policy, expressionProfile, originResolver, shortDesc, task, result)) {
 				break;
 			}
 			LOGGER.trace("Generator attempt {}: check failed", attempt);
@@ -206,7 +215,10 @@ public <O extends ObjectType> boolean validateValue(String newValue, ValuePolicy
 		testMinimalUniqueCharacters(newValue, lims, result, messages);
 
 		testProhibitedValues(newValue, pp.getProhibitedValues(), originResolver, shortDesc, task, result, messages);
-		testCheckExpression(newValue, lims, originResolver, shortDesc, task, result, messages);
+		
+		// TODO: this needs to be determined from ValuePolicyType archetype
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
+		testCheckExpression(newValue, lims, expressionProfile, originResolver, shortDesc, task, result, messages);
 
 		if (!lims.getLimit().isEmpty()) {
 			// check limitation
@@ -395,7 +407,7 @@ private void testInvalidCharacters(List<String> valueCharacters, HashSet<String>
 	}
 	
 	private <O extends ObjectType> void testCheckExpression(String newPassword, LimitationsType lims,
-			AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result,
+			ExpressionProfile expressionProfile, AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result,
 			List<LocalizableMessage> messages) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
 			CommunicationException, ConfigurationException, SecurityViolationException {
 		for (CheckExpressionType checkExpression: lims.getCheckExpression()) {
@@ -403,7 +415,7 @@ private <O extends ObjectType> void testCheckExpression(String newPassword, Limi
 			if (expressionType == null) {
 				return;
 			}
-			if (!checkExpression(newPassword, expressionType, originResolver, shortDesc, task, result)) {
+			if (!checkExpression(newPassword, expressionType, expressionProfile, originResolver, shortDesc, task, result)) {
 				LocalizableMessage msg;
 				if (checkExpression.getLocalizableFailureMessage() != null) {
 					msg = LocalizationUtil.toLocalizableMessage(checkExpression.getLocalizableFailureMessage());
@@ -732,13 +744,13 @@ private String generateAttempt(ValuePolicyType policy, int defaultLength, boolea
 		return sb.toString();
 	}
 
-	private <O extends ObjectType> boolean checkAttempt(String generatedValue, ValuePolicyType policy, AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
+	private <O extends ObjectType> boolean checkAttempt(String generatedValue, ValuePolicyType policy, ExpressionProfile expressionProfile, AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		StringPolicyType stringPolicy = policy.getStringPolicy();
 		if (stringPolicy != null) {
 			LimitationsType limitationsType = stringPolicy.getLimitations();
 			if (limitationsType != null) {
 				List<CheckExpressionType> checkExpressionTypes = limitationsType.getCheckExpression();
-				if (!checkExpressions(generatedValue, checkExpressionTypes, originResolver, shortDesc, task, result)) {
+				if (!checkExpressions(generatedValue, checkExpressionTypes, expressionProfile, originResolver, shortDesc, task, result)) {
 					LOGGER.trace("Check expression returned false for generated value in {}", shortDesc);
 					return false;
 				}
@@ -752,10 +764,11 @@ private <O extends ObjectType> boolean checkAttempt(String generatedValue, Value
 		return true;
 	}
 	
-	private <O extends ObjectType> boolean checkExpressions(String generatedValue, List<CheckExpressionType> checkExpressionTypes, AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
+	private <O extends ObjectType> boolean checkExpressions(String generatedValue, List<CheckExpressionType> checkExpressionTypes, 
+			ExpressionProfile expressionProfile, AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		for (CheckExpressionType checkExpressionType: checkExpressionTypes) {
 			ExpressionType expression = checkExpressionType.getExpression();
-			if (!checkExpression(generatedValue, expression, originResolver, shortDesc, task, result)) {
+			if (!checkExpression(generatedValue, expression, expressionProfile, originResolver, shortDesc, task, result)) {
 				return false;
 			}
 		}
@@ -763,13 +776,29 @@ private <O extends ObjectType> boolean checkExpressions(String generatedValue, L
 	}
 
 	private <O extends ObjectType> boolean checkExpression(String generatedValue, ExpressionType checkExpression,
-			AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result)
+			ExpressionProfile expressionProfile, AbstractValuePolicyOriginResolver<O> originResolver, String shortDesc, Task task, OperationResult result)
 			throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
 			ConfigurationException, SecurityViolationException {
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, generatedValue);
-		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT, originResolver == null ? null : originResolver.getObject());
-		PrismPropertyValue<Boolean> output = ExpressionUtil.evaluateCondition(variables, checkExpression, expressionFactory, shortDesc, task, result);
+		
+		MutablePrismPropertyDefinition<Object> defInput = prismContext.definitionFactory().createPropertyDefinition(
+				new ItemName(SchemaConstants.NS_C, ExpressionConstants.VAR_INPUT), PrimitiveType.STRING.getQname());
+		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, generatedValue, defInput);
+		
+		PrismObject<O> object = null;
+		PrismObjectDefinition<O> objectDef = null;
+		if (originResolver != null) {
+			object = originResolver.getObject();
+			if (object != null) {
+				objectDef = object.getDefinition();
+			}
+		}
+		if (objectDef == null) {
+			objectDef = (PrismObjectDefinition<O>) prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+		}
+		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT, object, objectDef);
+		
+		PrismPropertyValue<Boolean> output = ExpressionUtil.evaluateCondition(variables, checkExpression, expressionProfile, expressionFactory, shortDesc, task, result);
 		return ExpressionUtil.getBooleanConditionOutput(output);
 	}
 	
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/util/PopulatorUtil.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/util/PopulatorUtil.java
index 8cf9c55cc9d..0d0de4929c5 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/util/PopulatorUtil.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/util/PopulatorUtil.java
@@ -35,6 +35,7 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -115,7 +116,7 @@ private static <IV extends PrismValue, ID extends ItemDefinition, C extends Cont
 
 		String expressionDesc = "expression in populate expression in " + contextDescription;
 		ExpressionFactory expressionFactory = params.getExpressionFactory();
-		Expression<IV,ID> expression = expressionFactory.makeExpression(expressionType, propOutputDefinition,
+		Expression<IV,ID> expression = expressionFactory.makeExpression(expressionType, propOutputDefinition, params.getExpressionProfile(),
 				expressionDesc, task, result);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables,
 				expressionDesc, task, result);
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/AbstractModelCommonTest.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/AbstractModelCommonTest.java
new file mode 100644
index 00000000000..860418ac909
--- /dev/null
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/AbstractModelCommonTest.java
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common;
+
+import java.io.File;
+
+import com.evolveum.midpoint.test.util.TestUtil;
+
+/**
+ * @author semancik
+ *
+ */
+public class AbstractModelCommonTest {
+	
+	protected static final File COMMON_DIR = new File("src/test/resources/common");
+
+	protected static final File SYSTEM_CONFIGURATION_FILE = new File(COMMON_DIR, "system-configuration.xml");
+	protected static final String EXPRESSION_PROFILE_SAFE_NAME = "safe";
+
+	protected void displayTestTitle(final String TEST_NAME) {
+		TestUtil.displayTestTitle(this, TEST_NAME);
+	}
+	
+	protected void displayWhen(final String TEST_NAME) {
+		TestUtil.displayWhen(TEST_NAME);
+	}
+	
+	protected void displayThen(final String TEST_NAME) {
+		TestUtil.displayThen(TEST_NAME);
+	}
+
+}
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java
index b41ee8a9edf..63a302d2e54 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2018 Evolveum
+ * Copyright (c) 2013-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@
 import com.evolveum.midpoint.model.common.expression.functions.FunctionLibraryUtil;
 import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluatorFactory;
 import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionFactory;
+import com.evolveum.midpoint.model.common.expression.script.groovy.GroovyScriptEvaluator;
 import com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator;
 import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
 import com.evolveum.midpoint.prism.PrismContext;
@@ -49,6 +50,9 @@
  *
  */
 public class ExpressionTestUtil {
+	
+	public static final String CONST_FOO_NAME = "foo";
+	public static final String CONST_FOO_VALUE = "foobar";
 
 	public static Protector createInitializedProtector(PrismContext prismContext) {
 		return KeyStoreBasedProtectorBuilder.create(prismContext)
@@ -98,17 +102,22 @@ public static ExpressionFactory createInitializedExpressionFactory(ObjectResolve
         ScriptExpressionFactory scriptExpressionFactory = new ScriptExpressionFactory(prismContext, protector, repositoryService);
         scriptExpressionFactory.setObjectResolver(resolver);
         scriptExpressionFactory.setFunctions(functions);
-        Jsr223ScriptEvaluator groovyEvaluator = new Jsr223ScriptEvaluator("Groovy", prismContext, protector, LocalizationTestUtil.getLocalizationService());
+        
+        GroovyScriptEvaluator groovyEvaluator = new GroovyScriptEvaluator(prismContext, protector, LocalizationTestUtil.getLocalizationService());
         scriptExpressionFactory.registerEvaluator(groovyEvaluator.getLanguageUrl(), groovyEvaluator);
-        ScriptExpressionEvaluatorFactory scriptExpressionEvaluatorFactory = new ScriptExpressionEvaluatorFactory(scriptExpressionFactory, securityContextManager, prismContext);
-        expressionFactory.registerEvaluatorFactory(scriptExpressionEvaluatorFactory);
+        
+        Jsr223ScriptEvaluator jsEvaluator = new Jsr223ScriptEvaluator("ECMAScript", prismContext, protector, LocalizationTestUtil.getLocalizationService());
+        scriptExpressionFactory.registerEvaluator(jsEvaluator.getLanguageUrl(), jsEvaluator);
 
+    	ScriptExpressionEvaluatorFactory scriptExpressionEvaluatorFactory = new ScriptExpressionEvaluatorFactory(scriptExpressionFactory, securityContextManager, prismContext);
+        expressionFactory.registerEvaluatorFactory(scriptExpressionEvaluatorFactory);
+        
         return expressionFactory;
 	}
 
 	private static Configuration createConfiguration() {
     	BaseConfiguration config = new BaseConfiguration();
-    	config.addProperty("foo", "foobar");
+    	config.addProperty(CONST_FOO_NAME, CONST_FOO_VALUE);
 		return config;
 	}
 
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java
index bd6ce6dfce4..569f69c8dc4 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2018 Evolveum
+ * Copyright (c) 2013-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,111 +15,503 @@
  */
 package com.evolveum.midpoint.model.common.expression;
 
-import static org.testng.AssertJUnit.assertNotNull;
 import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertTrue;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+
+import javax.xml.namespace.QName;
+
+import org.testng.AssertJUnit;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+import org.xml.sax.SAXException;
 
+import com.evolveum.midpoint.common.Clock;
+import com.evolveum.midpoint.model.common.AbstractModelCommonTest;
+import com.evolveum.midpoint.model.common.ConstantsManager;
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.MutablePrismPropertyDefinition;
+import com.evolveum.midpoint.prism.PrimitiveType;
+import com.evolveum.midpoint.prism.PrismContainerDefinition;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyDefinition;
+import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
+import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.repo.common.DirectoryFileObjectResolver;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.Expression;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
-import com.evolveum.midpoint.common.Clock;
-import com.evolveum.midpoint.prism.*;
-
-import org.testng.annotations.BeforeSuite;
-import org.testng.annotations.Test;
-import org.xml.sax.SAXException;
-
-import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
-import com.evolveum.midpoint.prism.util.PrismTestUtil;
+import com.evolveum.midpoint.repo.common.expression.Source;
 import com.evolveum.midpoint.schema.MidPointPrismContextFactory;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfiles;
 import com.evolveum.midpoint.schema.internals.InternalCounters;
 import com.evolveum.midpoint.schema.internals.InternalMonitor;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.test.IntegrationTestTools;
+import com.evolveum.midpoint.test.asserter.prism.PrismValueDeltaSetTripleAsserter;
 import com.evolveum.midpoint.test.util.MidPointTestConstants;
 import com.evolveum.midpoint.test.util.TestUtil;
-import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.PrettyPrinter;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationExpressionsType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
 /**
  * @author Radovan Semancik
  */
-public class TestExpression {
-
-	private static final File TEST_DIR = new File("src/test/resources/expression/expression");
+public class TestExpression extends AbstractModelCommonTest {
 
-	private static final File USER_JACK_FILE = new File(TEST_DIR, "user-jack.xml");
+	protected static final File TEST_DIR = new File("src/test/resources/expression/expression");
+	
+	protected static final File USER_JACK_FILE = new File(TEST_DIR, "user-jack.xml");
+	protected static final String USER_JACK_NAME = "jack";
 
-	private static final File ACCOUNT_JACK_DUMMYFILE = new File(TEST_DIR, "account-jack-dummy.xml");
+	protected static final File ACCOUNT_JACK_DUMMY_FILE = new File(TEST_DIR, "account-jack-dummy.xml");
 
-	private static final File EXPRESSION_ITERATION_CONDITION_FILE = new File(TEST_DIR, "iteration-condition.xml");
-
-    private PrismContext prismContext;
+	protected static final File EXPRESSION_ASIS_FILE = new File(TEST_DIR, "expression-asis.xml");
+	
+	protected static final File EXPRESSION_PATH_FILE = new File(TEST_DIR, "expression-path.xml");
+	protected static final File EXPRESSION_ITERATION_CONDITION_FILE = new File(TEST_DIR, "expression-iteration-condition.xml");
+	
+	protected static final File EXPRESSION_VALUE_FILE = new File(TEST_DIR, "expression-value.xml");
+	protected static final String EXPRESSION_VALUE_OUTPUT = "GARBAGE OUT";
+	
+	protected static final File EXPRESSION_CONST_FILE = new File(TEST_DIR, "expression-const.xml");
+	
+	protected static final File EXPRESSION_SCRIPT_GROOVY_SIMPLE_FILE = new File(TEST_DIR, "expression-script-groovy-simple.xml");
+	protected static final File EXPRESSION_SCRIPT_GROOVY_SYSTEM_ALLOW_FILE = new File(TEST_DIR, "expression-script-groovy-system-allow.xml");
+	protected static final File EXPRESSION_SCRIPT_GROOVY_SYSTEM_DENY_FILE = new File(TEST_DIR, "expression-script-groovy-system-deny.xml");
+	protected static final File EXPRESSION_SCRIPT_JAVASCRIPT_FILE = new File(TEST_DIR, "expression-script-javascript.xml");
+	
+	protected static final String VAR_FOO_NAME = "foo";
+	protected static final String VAR_FOO_VALUE = "F00";
+	protected static final String VAR_BAR_NAME = "bar";
+	protected static final String VAR_BAR_VALUE = "B4R";
+	protected static final String INPUT_VALUE = "garbage in";
+	protected static final String GROOVY_SCRIPT_OUTPUT_SUCCESS = "SUCCESS";
+	
+	private static final Trace LOGGER = TraceManager.getTrace(TestExpression.class);
+	
+	
 
+	protected PrismContext prismContext;
+	protected ExpressionFactory expressionFactory;
+	protected ConstantsManager constantsManager;
+	
+	// Default "null" expression profile, no restrictions.
+	protected ExpressionProfile expressionProfile = null;
+	
 	private long lastScriptExecutionCount;
-    private static ExpressionFactory expressionFactory;
 
-	@BeforeSuite
+	@BeforeClass
 	public void setup() throws SchemaException, SAXException, IOException {
 		PrettyPrinter.setDefaultNamespacePrefix(MidPointConstants.NS_MIDPOINT_PUBLIC_PREFIX);
 		PrismTestUtil.resetPrismContext(MidPointPrismContextFactory.FACTORY);
 
 		prismContext = PrismTestUtil.createInitializedPrismContext();
+		
 		ObjectResolver resolver = new DirectoryFileObjectResolver(MidPointTestConstants.OBJECTS_DIR);
 		Protector protector = ExpressionTestUtil.createInitializedProtector(prismContext);
 		Clock clock = new Clock();
+		constantsManager = new ConstantsManager();
 		expressionFactory = ExpressionTestUtil.createInitializedExpressionFactory(resolver, protector, prismContext, clock, null, null);
+		
+		expressionProfile = compileExpressionProfile(getExpressionProfileName());
+		System.out.println("Using expression profile: " + expressionProfile);
+		LOGGER.info("EXPRESSION PROFILE: {}", expressionProfile);
 	}
+	
+	@Test
+    public void test100AsIs() throws Exception {
+    	final String TEST_NAME = "test100AsIs";
+    	displayTestTitle(TEST_NAME);
 
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_ASIS_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(INPUT_VALUE);
+
+		assertScriptExecutionIncrement(0);
+    }
+	
 	@Test
-    public void testIterationCondition() throws Exception {
-    	final String TEST_NAME = "testIterationCondition";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    public void test110Path() throws Exception {
+    	final String TEST_NAME = "test110Path";
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
 
     	rememberScriptExecutionCount();
 
-    	ExpressionType expressionType = PrismTestUtil.parseAtomicValue(
-    			EXPRESSION_ITERATION_CONDITION_FILE, ExpressionType.COMPLEX_TYPE);
+    	ExpressionType expressionType = parseExpression(EXPRESSION_PATH_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
 
-    	PrismPropertyDefinition<Boolean> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(
-				ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_BOOLEAN);
-		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType, outputDefinition , TEST_NAME, null, result);
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
 
-		ExpressionVariables variables = new ExpressionVariables();
-		PrismObject<UserType> user = PrismTestUtil.parseObject(USER_JACK_FILE);
-		variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, user);
-		variables.addVariableDefinition(ExpressionConstants.VAR_USER, user);
-		PrismObject<ShadowType> account = PrismTestUtil.parseObject(ACCOUNT_JACK_DUMMYFILE);
-		variables.addVariableDefinition(ExpressionConstants.VAR_SHADOW, account);
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION, 1);
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN, "001");
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(USER_JACK_NAME);
+
+		assertScriptExecutionIncrement(0);
+    }
+	
+	@Test
+    public void test120Value() throws Exception {
+    	final String TEST_NAME = "test120Value";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_VALUE_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(EXPRESSION_VALUE_OUTPUT);
+
+		assertScriptExecutionIncrement(0);
+    }
+	
+	@Test
+    public void test130Const() throws Exception {
+    	final String TEST_NAME = "test130Const";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_CONST_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(ExpressionTestUtil.CONST_FOO_VALUE);
+
+		assertScriptExecutionIncrement(0);
+    }
+	
+	@Test
+    public void test150ScriptGroovySimple() throws Exception {
+    	final String TEST_NAME = "test150ScriptGroovySimple";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_SCRIPT_GROOVY_SIMPLE_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(VAR_FOO_VALUE + VAR_BAR_VALUE);
+
+		assertScriptExecutionIncrement(1);
+    }
+	
+	@Test
+    public void test152ScriptGroovySystemAllow() throws Exception {
+    	final String TEST_NAME = "test152ScriptGroovySystemAllow";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_SCRIPT_GROOVY_SYSTEM_ALLOW_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(GROOVY_SCRIPT_OUTPUT_SUCCESS);
+
+		assertScriptExecutionIncrement(1);
+    }
+	
+	@Test
+    public void test154ScriptGroovySystemDeny() throws Exception {
+    	final String TEST_NAME = "test154ScriptGroovySystemDeny";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_SCRIPT_GROOVY_SYSTEM_DENY_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(GROOVY_SCRIPT_OUTPUT_SUCCESS);
+
+		assertScriptExecutionIncrement(1);
+    }
+	
+	@Test
+    public void test160ScriptJavaScript() throws Exception {
+    	final String TEST_NAME = "test160ScriptJavaScript";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_SCRIPT_JAVASCRIPT_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(VAR_FOO_VALUE + VAR_BAR_VALUE);
+
+		assertScriptExecutionIncrement(1);
+    }
+	
+	@Test
+    public void test200IterationCondition() throws Exception {
+    	final String TEST_NAME = "test200IterationCondition";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_ITERATION_CONDITION_FILE);
+		
+		PrismObject<ShadowType> account = PrismTestUtil.parseObject(ACCOUNT_JACK_DUMMY_FILE);
+		// We need to provide some definitions for account attributes here,
+		// otherwise the tests will fail on unknown data types
+		PrismObjectDefinition<ShadowType> shadowDef = account.getDefinition().deepClone(false, null);
+		PrismContainerDefinition<Containerable> attrsDef = shadowDef.findContainerDefinition(ShadowType.F_ATTRIBUTES);
+		attrsDef.toMutable().createPropertyDefinition(new QName(MidPointConstants.NS_RI, "quote"), PrimitiveType.STRING.getQname());
+		account.setDefinition(shadowDef);
+		IntegrationTestTools.display("Account", account);
+
+		ExpressionVariables variables = prepareBasicVariables();
+		variables.put(ExpressionConstants.VAR_PROJECTION, account, shadowDef);
+		variables.put(ExpressionConstants.VAR_ITERATION, 1, 
+				TestUtil.createPrimitivePropertyDefinition(prismContext, ExpressionConstants.VAR_ITERATION, PrimitiveType.INT));
+		variables.put(ExpressionConstants.VAR_ITERATION_TOKEN, "001",
+				TestUtil.createPrimitivePropertyDefinition(prismContext, ExpressionConstants.VAR_ITERATION_TOKEN, PrimitiveType.STRING));
 
 		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(null , variables, TEST_NAME, null, result);
 
 		// WHEN
-		PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> outputTriple = expression.evaluate(expressionContext);
+		PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> outputTriple = evaluatePropertyExpression(expressionType, PrimitiveType.BOOLEAN, expressionContext);
 
 		// THEN
-		assertNotNull(outputTriple);
-		outputTriple.checkConsistence();
+		assertOutputTriple(outputTriple)
+			.assertEmptyMinus()
+			.assertEmptyPlus()
+			.zeroSet()
+				.assertSinglePropertyValue(Boolean.TRUE);
 
 		// Make sure that the script is executed only once. There is no delta in the variables, no need to do it twice.
 		assertScriptExecutionIncrement(1);
     }
+	
+	protected ExpressionType parseExpression(File file) throws SchemaException, IOException {
+		return PrismTestUtil.parseAtomicValue(file, ExpressionType.COMPLEX_TYPE);
+	}
+
+	protected Source<PrismPropertyValue<String>,PrismPropertyDefinition<String>> prepareStringSource(String value) throws SchemaException {
+		PrismPropertyDefinition<String> propDef = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_INPUT_QNAME, PrimitiveType.STRING.getQname());
+		PrismProperty<String> inputProp = prismContext.itemFactory().createProperty(ExpressionConstants.VAR_INPUT_QNAME, propDef);
+		PrismPropertyValue<String> pval = prismContext.itemFactory().createPropertyValue(INPUT_VALUE);
+		inputProp.add(pval);
+		return new Source<>(inputProp, null, inputProp, ExpressionConstants.VAR_INPUT_QNAME, propDef);
+	}
+	
+	protected Collection<Source<?, ?>> prepareStringSources(String value) throws SchemaException {
+		Collection<Source<?, ?>> sources = new ArrayList<>();
+    	sources.add(prepareStringSource(value));
+    	return sources;
+	}
+	
+	protected ExpressionVariables prepareBasicVariables() throws SchemaException, IOException {
+		ExpressionVariables variables = new ExpressionVariables();
+		PrismObject<UserType> user = PrismTestUtil.parseObject(USER_JACK_FILE);
+		variables.put(ExpressionConstants.VAR_FOCUS, user, user.getDefinition());
+		variables.put(VAR_FOO_NAME, VAR_FOO_VALUE, String.class);
+		variables.put(VAR_BAR_NAME, VAR_BAR_VALUE, String.class);
+		return variables;
+	}
+
+	protected <V extends PrismValue, D extends ItemDefinition> PrismValueDeltaSetTriple<V> evaluateExpression(
+			ExpressionType expressionType, D outputDefinition, ExpressionEvaluationContext expressionContext)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+		Expression<V,D> expression = expressionFactory.makeExpression(expressionType, outputDefinition , getExpressionProfile(), 
+				expressionContext.getContextDescription(), expressionContext.getTask(), expressionContext.getResult());
+		LOGGER.debug("Starting evaluation of expression: {}", expression);
+		return expression.evaluate(expressionContext);
+	}
+
+	protected <T> PrismValueDeltaSetTriple<PrismPropertyValue<T>> evaluatePropertyExpression(
+			ExpressionType expressionType, QName outputType, ExpressionEvaluationContext expressionContext)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+		PrismPropertyDefinition<T> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(
+				ExpressionConstants.OUTPUT_ELEMENT_NAME, outputType);
+		return evaluateExpression(expressionType, outputDefinition, expressionContext);
+	}
+	
+	protected <T> PrismValueDeltaSetTriple<PrismPropertyValue<T>> evaluatePropertyExpression(
+			ExpressionType expressionType, PrimitiveType outputType, ExpressionEvaluationContext expressionContext)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+		return evaluatePropertyExpression(expressionType, outputType.getQname(), expressionContext);
+	}
+	
+	protected <V extends PrismValue, D extends ItemDefinition> void evaluateExpressionRestricted(
+			ExpressionType expressionType, D outputDefinition, ExpressionEvaluationContext expressionContext)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+		Expression<V,D> expression;
+		try {
+			
+			expression = expressionFactory.makeExpression(expressionType, outputDefinition , getExpressionProfile(), 
+				expressionContext.getContextDescription(), expressionContext.getTask(), expressionContext.getResult());
+			
+		} catch (SecurityViolationException e) {
+			// Exception may happen here, or it may happen later.
+			// Expected
+			LOGGER.debug("Expected exception", e);
+			assertTrue("Wrong exception message: " + e.getMessage(), e.getMessage().contains("Access to script language"));
+			return;
+		}
+		
+		LOGGER.debug("Starting evaluation of expression (expecting security violation): {}", expression);
+		try {
+			
+			expression.evaluate(expressionContext);
+			
+			AssertJUnit.fail("Unexpected success of expression evaluation");
+			
+		} catch (SecurityViolationException e) {
+			// Expected
+			LOGGER.debug("Expected exception", e);
+			assertTrue("Wrong exception message: " + e.getMessage(),
+					e.getMessage().contains("Access to expression evaluator")
+					|| e.getMessage().contains("Access to Groovy method"));
+		}
+	}
+
+	protected <T> void evaluatePropertyExpressionRestricted(
+			ExpressionType expressionType, QName outputType, ExpressionEvaluationContext expressionContext)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+		PrismPropertyDefinition<T> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(
+				ExpressionConstants.OUTPUT_ELEMENT_NAME, outputType);
+		evaluateExpressionRestricted(expressionType, outputDefinition, expressionContext);
+	}
+	
+	protected <T> void evaluatePropertyExpressionRestricted(
+			ExpressionType expressionType, PrimitiveType outputType, ExpressionEvaluationContext expressionContext)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+		evaluatePropertyExpressionRestricted(expressionType, outputType.getQname(), expressionContext);
+	}
 
     protected void rememberScriptExecutionCount() {
 		lastScriptExecutionCount = InternalMonitor.getCount(InternalCounters.SCRIPT_EXECUTION_COUNT);
@@ -131,5 +523,44 @@ protected void assertScriptExecutionIncrement(int expectedIncrement) {
 		assertEquals("Unexpected increment in script execution count", (long)expectedIncrement, actualIncrement);
 		lastScriptExecutionCount = currentScriptExecutionCount;
 	}
+	
+	protected ExpressionProfile getExpressionProfile() {
+		return expressionProfile;
+	}
+	
+	protected String getExpressionProfileName() {
+		// Default "null" expression profile, no restrictions.
+		return null;
+	}
 
+	protected ExpressionProfile compileExpressionProfile(String profileName) throws SchemaException, IOException {
+		if (profileName == null) {
+			return null;
+		}
+		PrismObject<SystemConfigurationType> systemConfig = PrismTestUtil.parseObject(getSystemConfigurationFile());
+		SystemConfigurationExpressionsType expressions = systemConfig.asObjectable().getExpressions();
+		if (expressions == null) {
+			throw new SchemaException("No expressions in system config");
+		}
+		ExpressionProfileCompiler compiler = new ExpressionProfileCompiler();
+		ExpressionProfiles profiles = compiler.compile(expressions);
+		ExpressionProfile profile = profiles.getProfile(profileName);
+		if (profile == null) {
+			throw new SchemaException("Profile '"+profile+"' not found in system config");
+		}
+		return profile;
+	}
+
+	protected File getSystemConfigurationFile() {
+		return SYSTEM_CONFIGURATION_FILE;
+	}
+
+	protected <V extends PrismValue> PrismValueDeltaSetTripleAsserter<V,Void> assertOutputTriple(PrismValueDeltaSetTriple<V> triple) {
+		assertNotNull(triple);
+		triple.checkConsistence();
+		PrismValueDeltaSetTripleAsserter<V,Void> asserter = new PrismValueDeltaSetTripleAsserter<>(triple, "expression output triple");
+		asserter.setPrismContext(prismContext);
+		asserter.display();
+		return asserter;
+	}
 }
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionProfileSafe.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionProfileSafe.java
new file mode 100644
index 00000000000..3e1329070fb
--- /dev/null
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionProfileSafe.java
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2013-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression;
+
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertEquals;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Collection;
+
+import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.repo.common.DirectoryFileObjectResolver;
+import com.evolveum.midpoint.repo.common.ObjectResolver;
+import com.evolveum.midpoint.repo.common.expression.Expression;
+import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
+import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.repo.common.expression.Source;
+import com.evolveum.midpoint.common.Clock;
+import com.evolveum.midpoint.prism.*;
+
+import org.testng.annotations.BeforeSuite;
+import org.testng.annotations.Test;
+import org.xml.sax.SAXException;
+
+import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
+import com.evolveum.midpoint.prism.util.PrismTestUtil;
+import com.evolveum.midpoint.schema.MidPointPrismContextFactory;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.constants.MidPointConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.internals.InternalCounters;
+import com.evolveum.midpoint.schema.internals.InternalMonitor;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
+import com.evolveum.midpoint.test.util.MidPointTestConstants;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.DOMUtil;
+import com.evolveum.midpoint.util.PrettyPrinter;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+
+/**
+ * @author Radovan Semancik
+ */
+public class TestExpressionProfileSafe extends TestExpression {
+
+	@Override
+	protected String getExpressionProfileName() {
+		return EXPRESSION_PROFILE_SAFE_NAME;
+	}
+
+	@Test
+	@Override
+    public void test130Const() throws Exception {
+    	final String TEST_NAME = "test130Const";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_CONST_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		evaluatePropertyExpressionRestricted(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+
+		assertScriptExecutionIncrement(0);
+    }
+	
+	@Test
+	@Override
+    public void test154ScriptGroovySystemDeny() throws Exception {
+    	final String TEST_NAME = "test154ScriptGroovySystemDeny";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_SCRIPT_GROOVY_SYSTEM_DENY_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		evaluatePropertyExpressionRestricted(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+
+		assertScriptExecutionIncrement(0);
+    }
+	
+	@Test
+	@Override
+    public void test160ScriptJavaScript() throws Exception {
+    	final String TEST_NAME = "test160ScriptJavaScript";
+    	displayTestTitle(TEST_NAME);
+
+    	// GIVEN
+    	OperationResult result = new OperationResult(TestExpression.class.getName()+"."+TEST_NAME);
+
+    	rememberScriptExecutionCount();
+
+    	ExpressionType expressionType = parseExpression(EXPRESSION_SCRIPT_JAVASCRIPT_FILE);
+    	Collection<Source<?, ?>> sources = prepareStringSources(INPUT_VALUE);
+		ExpressionVariables variables = prepareBasicVariables();
+		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables, TEST_NAME, null, result);
+
+		// WHEN
+		evaluatePropertyExpressionRestricted(expressionType, PrimitiveType.STRING, expressionContext);
+
+		// THEN
+
+		assertScriptExecutionIncrement(0);
+    }
+}
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionUtil.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionUtil.java
index 32306f9417b..b244758809c 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionUtil.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpressionUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@
 
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.model.common.AbstractModelCommonTest;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismProperty;
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
@@ -49,6 +50,7 @@
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.MidPointTestConstants;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.PrettyPrinter;
@@ -64,7 +66,7 @@
  * @author semancik
  *
  */
-public class TestExpressionUtil {
+public class TestExpressionUtil extends AbstractModelCommonTest {
 
 	public static final String USER_JACK_OID = "c0c010c0-d34d-b33f-f00d-111111111111";
 	public static final File USER_JACK_FILE = new File(MidPointTestConstants.OBJECTS_DIR, USER_JACK_OID + ".xml");
@@ -78,7 +80,7 @@ public void setup() throws SchemaException, SAXException, IOException {
     @Test
     public void testResolvePathStringProperty() throws Exception {
     	final String TEST_NAME = "testResolvePathStringProperty";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -92,7 +94,7 @@ public void testResolvePathStringProperty() throws Exception {
     @Test
     public void testResolvePathPolyStringProperty() throws Exception {
     	final String TEST_NAME = "testResolvePathPolyStringProperty";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -107,7 +109,7 @@ public void testResolvePathPolyStringProperty() throws Exception {
     @Test
     public void testResolvePathPolyStringOrig() throws Exception {
     	final String TEST_NAME = "testResolvePathPolyStringOrig";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -121,7 +123,7 @@ public void testResolvePathPolyStringOrig() throws Exception {
     @Test
     public void testResolvePathPolyStringNorm() throws Exception {
     	final String TEST_NAME = "testResolvePathPolyStringNorm";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -135,7 +137,7 @@ public void testResolvePathPolyStringNorm() throws Exception {
     @Test
     public void testResolvePathPolyStringOdo() throws Exception {
     	final String TEST_NAME = "testResolvePathPolyStringOdo";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -156,7 +158,7 @@ public void testResolvePathPolyStringOdo() throws Exception {
     @Test
     public void testResolvePathPolyStringOdoOrig() throws Exception {
     	final String TEST_NAME = "testResolvePathPolyStringOdoOrig";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -175,7 +177,7 @@ public void testResolvePathPolyStringOdoOrig() throws Exception {
     @Test
     public void testResolvePathPolyStringOdoNorm() throws Exception {
     	final String TEST_NAME = "testResolvePathPolyStringOdoNorm";
-    	System.out.println("\n===[ "+TEST_NAME+" ]===\n");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
 
@@ -207,18 +209,19 @@ private <T> T resolvePath(String path, ExpressionVariables variables, final Stri
 		ItemPath itemPath = toItemPath(path);
 
 		// WHEN
-    	Object resolved = ExpressionUtil.resolvePath(itemPath, variables, false, null, null, TEST_NAME, null, result);
+    	Object resolved = ExpressionUtil.resolvePathGetValue(itemPath, variables, false, null, null, 
+    			PrismTestUtil.getPrismContext(), TEST_NAME, null, result);
 
     	// THEN
-    	System.out.println("Resolved:");
-    	System.out.println(resolved);
+    	IntegrationTestTools.display("Resolved", resolved);
 
     	return (T) resolved;
     }
 
 	private ExpressionVariables createVariables() throws SchemaException, IOException {
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_USER, createUser());
+		PrismObject<UserType> user = createUser();
+		variables.addVariableDefinition(ExpressionConstants.VAR_USER, user, user.getDefinition());
 		return variables;
 	}
 
@@ -228,9 +231,9 @@ private ExpressionVariables createVariablesOdo() throws SchemaException, IOExcep
 		ObjectDelta<UserType> delta = PrismTestUtil.getPrismContext().deltaFactory().object().createModificationReplaceProperty(UserType.class,
 				userOld.getOid(), UserType.F_FULL_NAME,
 				PrismTestUtil.createPolyString("Captain Jack Sparrow"));
-		ObjectDeltaObject<UserType> odo = new ObjectDeltaObject<>(userOld, delta, null);
+		ObjectDeltaObject<UserType> odo = new ObjectDeltaObject<>(userOld, delta, null, userOld.getDefinition());
 		odo.recompute();
-		variables.addVariableDefinition(ExpressionConstants.VAR_USER, odo);
+		variables.addVariableDefinition(ExpressionConstants.VAR_USER, odo, odo.getDefinition());
 		return variables;
 	}
 
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java
index 9be1c68458f..90ec30e642b 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java
@@ -45,9 +45,13 @@
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.expression.ExpressionSyntaxException;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.MidPointPrismContextFactory;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.test.util.ParallelTestThread;
@@ -72,14 +76,19 @@
 public abstract class AbstractScriptTest {
 
 	protected static final QName PROPERTY_NAME = new QName(MidPointConstants.NS_MIDPOINT_TEST_PREFIX, "whatever");
-    protected static final String NS_X = "http://example.com/xxx";
-    protected static final String NS_Y = "http://example.com/yyy";
 	protected static File BASE_TEST_DIR = new File("src/test/resources/expression");
     protected static File OBJECTS_DIR = new File("src/test/resources/objects");
     protected static final String USER_OID = "c0c010c0-d34d-b33f-f00d-111111111111";
+    
+    public static final String VAR_POISON = "poison";
+    protected static final String RESULT_POISON_OK = "ALIVE";
+    protected static final String POISON_DRINK_ERROR_MESSAGE = "ALIVE";
+    
+    protected static final String RESULT_STRING_EXEC = "Hello world";
 
     public static final Trace LOGGER = TraceManager.getTrace(AbstractScriptTest.class);
 
+    protected PrismContext prismContext;
     protected ScriptExpressionFactory scriptExpressionfactory;
     protected ScriptEvaluator evaluator;
     protected LocalizationService localizationService;
@@ -92,7 +101,7 @@ public void setup() throws SchemaException, SAXException, IOException {
 
     @BeforeClass
     public void setupFactory() {
-    	PrismContext prismContext = PrismTestUtil.getPrismContext();
+    	prismContext = PrismTestUtil.getPrismContext();
     	ObjectResolver resolver = new DirectoryFileObjectResolver(OBJECTS_DIR);
     	Protector protector = KeyStoreBasedProtectorBuilder.create(prismContext).buildOnly();
     	Clock clock = new Clock();
@@ -128,9 +137,9 @@ public void testExpressionStringVariables() throws Exception {
 		evaluateAndAssertStringScalarExpresssion(
 				"expression-string-variables.xml",
 				"testExpressionStringVariables",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				"FOOBAR");
     }
@@ -154,13 +163,13 @@ public void testExpressionStringVariablesParallel() throws Exception {
 					evaluateAndAssertStringScalarExpresssion(
 							"expression-string-variables.xml",
 							"testExpressionStringVariablesParallel-"+threadIndex,
-							ExpressionVariables.create(
-									new QName(NS_X, "foo"), foo,
-									new QName(NS_Y, "bar"), bar
+							createVariables(
+									"foo", foo, PrimitiveType.STRING,
+									"bar", bar, PrimitiveType.STRING
 							),
 							foo + bar);
 					
-				}, 10, 10);
+				}, 30, 3);
 		
 		// THEN
 		TestUtil.waitForThreads(threads, 60000L);
@@ -173,10 +182,12 @@ public void testExpressionObjectRefVariables() throws Exception {
     	evaluateAndAssertStringScalarExpresssion(
     			"expression-objectref-variables.xml",
     			"testExpressionObjectRefVariables",
-    			ExpressionVariables.create(
-						new QName(NS_X, "foo"), "Captain",
-						new QName(NS_Y, "jack"),
-							MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE)
+    			createVariables(
+						"foo", "Captain", String.class,
+						"jack",
+							MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE),
+							// We want 'jack' variable to contain user object, not the reference. We want the reference resolved.
+							prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class)
 				),
     			"Captain emp1234");
     }
@@ -186,10 +197,12 @@ public void testExpressionObjectRefVariablesPolyString() throws Exception {
     	evaluateAndAssertStringScalarExpresssion(
     			"expression-objectref-variables-polystring.xml",
     			"testExpressionObjectRefVariablesPolyString",
-    			ExpressionVariables.create(
-						new QName(NS_X, "foo"), "Captain",
-						new QName(NS_Y, "jack"),
-							MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE)
+    			createVariables(
+						"foo", "Captain", PrimitiveType.STRING,
+						"jack",
+							MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE),
+							// We want 'jack' variable to contain user object, not the reference. We want the reference resolved.
+							prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class)
 				),
     			"Captain Jack Sparrow");
     }
@@ -238,8 +251,11 @@ public void testUserExtensionStringifyFullName() throws Exception {
     // TODO: user + no property value
 
 	private ExpressionVariables createUserScriptVariables() {
-		return ExpressionVariables.create(SchemaConstants.C_USER,
-    			MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE));
+		return createVariables(
+				ExpressionConstants.VAR_USER,
+	    			MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE),
+	    			// We want 'user' variable to contain user object, not the reference. We want the reference resolved.
+	    			prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class));
 	}
 
 	// TODO: shadow + attributes
@@ -253,8 +269,10 @@ public void testRootNode() throws Exception {
     	evaluateAndAssertStringScalarExpresssion(
 				"expression-root-node.xml",
     			"testRootNode",
-    			ExpressionVariables.create(null,
-    	    			MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE)),
+    			createVariables(
+    					null, // root node
+	    	    			MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE),
+	    	    			prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class)),
     	    	"Black Pearl");
     }
 
@@ -263,9 +281,11 @@ public void testExpressionList() throws Exception {
 		evaluateAndAssertStringListExpresssion(
 				"expression-list.xml",
     			"testExpressionList",
-    			ExpressionVariables.create(
-						new QName(NS_Y, "jack"),
-							MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE)
+    			createVariables(
+						"jack",
+							MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE),
+							// We want 'jack' variable to contain user object, not the reference. We want the reference resolved.
+							prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class)
 				),
     			"Leaders", "Followers");
     }
@@ -302,13 +322,34 @@ private <T> List<PrismPropertyValue<T>> evaluateExpression(ScriptExpressionEvalu
 	}
 	
 	private ScriptExpression createScriptExpression(ScriptExpressionEvaluatorType expressionType, ItemDefinition outputDefinition, String shortDesc) throws ExpressionSyntaxException {
-		ScriptExpression expression = new ScriptExpression(scriptExpressionfactory.getEvaluators().get(expressionType.getLanguage()), expressionType);
+		String language = expressionType.getLanguage();
+		ScriptExpression expression = new ScriptExpression(scriptExpressionfactory.getEvaluators().get(language), expressionType);
 		expression.setOutputDefinition(outputDefinition);
 		expression.setObjectResolver(scriptExpressionfactory.getObjectResolver());
 		expression.setFunctions(new ArrayList<>(scriptExpressionfactory.getFunctions()));
+		ScriptExpressionProfile scriptExpressionProfile = getScriptExpressionProfile(language);
+		expression.setScriptExpressionProfile(scriptExpressionProfile);
+		expression.setExpressionProfile(getExpressionProfile(scriptExpressionProfile));
 		return expression;
 	}
 
+	protected ExpressionProfile getExpressionProfile(ScriptExpressionProfile scriptExpressionProfile) {
+		if (scriptExpressionProfile == null) {
+			return null;
+		}
+		ExpressionProfile expressionProfile = new ExpressionProfile(this.getClass().getSimpleName());
+		expressionProfile.setDecision(AccessDecision.DENY);
+		ExpressionEvaluatorProfile evaluatorProfile = new ExpressionEvaluatorProfile(ScriptExpressionEvaluatorFactory.ELEMENT_NAME);
+		expressionProfile.add(evaluatorProfile);
+		evaluatorProfile.setDecision(AccessDecision.DENY);
+		evaluatorProfile.add(scriptExpressionProfile);
+		return expressionProfile;
+	}
+	
+	protected ScriptExpressionProfile getScriptExpressionProfile(String language) {
+		return null;
+	}
+
 	private <T> List<PrismPropertyValue<T>> evaluateExpression(ScriptExpressionEvaluatorType scriptType, QName typeName, boolean scalar,
 			ExpressionVariables variables, String shortDesc, OperationResult opResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 		MutableItemDefinition outputDefinition = PrismTestUtil.getPrismContext().definitionFactory().createPropertyDefinition(PROPERTY_NAME, typeName);
@@ -340,6 +381,16 @@ protected void evaluateAndAssertStringScalarExpresssion(String fileName, String
 		assertNotNull("Expression "+testName+" resulted in null value (expected '"+expectedValue+"')", expressionResult);
 		assertEquals("Expression "+testName+" resulted in wrong value", expectedValue, expressionResult.getValue());
 	}
+	
+	protected void evaluateAndAssertStringScalarExpresssionRestricted(String fileName, String testName, ExpressionVariables variables) throws SchemaException, IOException, JAXBException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+		try {
+			List<PrismPropertyValue<String>> expressionResultList = evaluateStringExpresssion(fileName, testName, variables, true);
+			AssertJUnit.fail("Expression "+testName+": unexpected success, result value: "+ expressionResultList);
+		} catch (SecurityViolationException e) {
+			System.out.println("Expected exception: " + e);
+			LOGGER.debug("Expected exception", e);
+		}
+	}
 
 	private void evaluateAndAssertStringListExpresssion(String fileName, String testName, ExpressionVariables variables, String... expectedValues) throws SchemaException, IOException, JAXBException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		List<PrismPropertyValue<String>> expressionResultList = evaluateStringExpresssion(fileName, testName, variables, true);
@@ -374,5 +425,9 @@ private void displayTestTitle(String testName) {
 		System.out.println("===[ "+evaluator.getLanguageName()+": "+testName+" ]===========================");
 		LOGGER.info("===[ "+evaluator.getLanguageName()+": "+testName+" ]===========================");
 	}
+	
+	protected ExpressionVariables createVariables(Object... params) {
+		return ExpressionVariables.create(prismContext, params);
+	}
 
 }
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/Poison.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/Poison.java
new file mode 100644
index 00000000000..2d2cdbe582f
--- /dev/null
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/Poison.java
@@ -0,0 +1,74 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression.script;
+
+import static org.testng.AssertJUnit.assertTrue;
+import static org.testng.AssertJUnit.assertFalse;
+
+/**
+ * Poisonous class for sandbox testing. 
+ * 
+ * Thou shalt not drink poison. Thou shalt be doomed to death.
+ * Thou shalt not smell poison. That can have consequences.
+ * Just looking at a poison is safe.
+ * 
+ * @author Radovan Semancik
+ */
+public class Poison {
+	
+	public static final String POISON_DRINK_ERROR_MESSAGE = "POISONED!";
+	public static final String POISON_DRINK_ERROR_MESSAGE_STATIC = "POISONED(static)!";
+	
+	private boolean lookedAt = false;
+	private boolean smelled = false;
+	
+	public void look() {
+		lookedAt = true;
+	}
+	
+	public void smell() {
+		smelled = true;
+	}
+	
+	public void drink() {
+		throw new Error(POISON_DRINK_ERROR_MESSAGE);
+	}
+	
+	public static void staticDrink() {
+		throw new Error(POISON_DRINK_ERROR_MESSAGE_STATIC);
+	}
+
+	public boolean isLookedAt() {
+		return lookedAt;
+	}
+
+	public boolean isSmelled() {
+		return smelled;
+	}
+	
+	public void assertLookedAt() {
+		assertTrue("Poison not looked at!", lookedAt);
+	}
+	
+	public void assertSmelled() {
+		assertTrue("Poison was not smelled!", smelled);
+	}
+	
+	public void assertNotSmelled() {
+		assertFalse("Poison was smelled!", smelled);
+	}
+
+}
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressions.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressions.java
index 4613cfc0003..bce348176f2 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressions.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressions.java
@@ -15,16 +15,21 @@
  */
 package com.evolveum.midpoint.model.common.expression.script;
 
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertTrue;
+
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
-import com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
+import com.evolveum.midpoint.model.common.expression.script.groovy.GroovyScriptEvaluator;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 
+import org.testng.AssertJUnit;
 import org.testng.annotations.Test;
 
-import javax.xml.namespace.QName;
-
 import java.io.File;
 
 /**
@@ -53,9 +58,9 @@ public void testExpressionPolyStringEquals101() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals101",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -65,9 +70,9 @@ public void testExpressionPolyStringEquals102() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals102",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -77,9 +82,9 @@ public void testExpressionPolyStringEquals111() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals111",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING 
 				),
 				Boolean.FALSE);
     }
@@ -89,9 +94,9 @@ public void testExpressionPolyStringEquals112() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals112",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -101,9 +106,9 @@ public void testExpressionPolyStringEquals121() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals121",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -113,9 +118,9 @@ public void testExpressionPolyStringEquals122() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals122",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -125,9 +130,9 @@ public void testExpressionPolyStringEquals201() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals201",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -137,9 +142,9 @@ public void testExpressionPolyStringEquals202() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals202",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -149,9 +154,9 @@ public void testExpressionPolyStringEquals211() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals211",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -161,9 +166,9 @@ public void testExpressionPolyStringEquals212() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals212",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -173,9 +178,9 @@ public void testExpressionPolyStringEquals221() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals221",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -185,9 +190,9 @@ public void testExpressionPolyStringEquals222() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals222",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -197,9 +202,9 @@ public void testExpressionPolyStringEqualsStringify101() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify101",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -209,9 +214,9 @@ public void testExpressionPolyStringEqualsStringify102() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify102",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -221,9 +226,9 @@ public void testExpressionPolyStringEqualsStringify111() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify111",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -233,9 +238,9 @@ public void testExpressionPolyStringEqualsStringify112() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify112",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -245,9 +250,9 @@ public void testExpressionPolyStringEqualsStringify121() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify121",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -257,9 +262,9 @@ public void testExpressionPolyStringEqualsStringify122() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify122",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -269,9 +274,9 @@ public void testExpressionPolyStringEqualsStringify201() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify201",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -281,9 +286,9 @@ public void testExpressionPolyStringEqualsStringify202() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify202",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -293,9 +298,9 @@ public void testExpressionPolyStringEqualsStringify211() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify211",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -305,9 +310,9 @@ public void testExpressionPolyStringEqualsStringify212() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify212",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -317,9 +322,9 @@ public void testExpressionPolyStringEqualsStringify221() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify221",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -329,11 +334,208 @@ public void testExpressionPolyStringEqualsStringify222() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify222",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
+	
+	@Test
+    public void testLookAtPoison() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-poinson-look.xml",
+				"testLookAtPoison",
+				createPoisonVariables(poison),
+				RESULT_POISON_OK);
+		
+		// THEN
+		poison.assertLookedAt();
+    }
+	
+	/**
+	 * This should pass here. There are no restrictions about script execution here.
+	 */
+	@Test
+    public void testSmellPoison() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-poinson-smell.xml",
+				"testSmellPoison",
+				createPoisonVariables(poison),
+				RESULT_POISON_OK);
+		
+		// THEN
+		poison.assertSmelled();
+    }
+	
+	/**
+	 * Tricky way to smell poison. It should pass here.
+	 */
+	@Test
+    public void testSmellPoisonTricky() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-poinson-smell-tricky.xml",
+				"testSmellPoisonTricky",
+				createPoisonVariables(poison),
+				RESULT_POISON_OK);
+		
+		// THEN
+		poison.assertSmelled();
+		
+    }
+	
+	/**
+	 * Attempt to smell poison by using dynamic invocation.
+	 */
+	@Test
+    public void testSmellPoisonDynamic() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-poinson-smell-dynamic.xml",
+				"testSmellPoisonDynamic",
+				createPoisonVariables(poison),
+				RESULT_POISON_OK);
+		
+		// THEN
+		poison.assertSmelled();
+		
+    }
+	
+	/**
+	 * Attempt to smell poison by using a very dynamic invocation.
+	 */
+	@Test
+    public void testSmellPoisonVeryDynamic() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-poinson-smell-very-dynamic.xml",
+				"testSmellPoisonVeryDynamic",
+				createPoisonVariables(poison),
+				RESULT_POISON_OK);
+		
+		// THEN
+		poison.assertSmelled();
+		
+    }
+	
+	/**
+	 * Attempt to smell poison by using reflection
+	 */
+	@Test
+    public void testSmellPoisonReflection() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-poinson-smell-reflection.xml",
+				"testSmellPoisonReflection",
+				createPoisonVariables(poison),
+				RESULT_POISON_OK);
+		
+		// THEN
+		poison.assertSmelled();
+		
+    }
+	
+	/**
+	 * This should pass here. There are no restrictions about script execution here.
+	 * By passing we mean throwing an error ...
+	 */
+	@Test
+    public void testDrinkPoison() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		try {
+			evaluateAndAssertStringScalarExpresssion(
+					"expression-poinson-drink.xml",
+					"testDrinkPoison",
+					createPoisonVariables(poison),
+					"");
+			
+			AssertJUnit.fail("Unexpected success");
+			
+		} catch (ExpressionEvaluationException ex) {
+			// THEN
+			assertTrue("Expected that exception message will contain "+Poison.POISON_DRINK_ERROR_MESSAGE+
+					", but it did not. It was: "+ex.getMessage(), ex.getMessage().contains(Poison.POISON_DRINK_ERROR_MESSAGE));
+			Error error = (Error) ex.getCause();
+			assertEquals("Wrong error message", Poison.POISON_DRINK_ERROR_MESSAGE, error.getMessage());
+		}
+		
+    }
+	
+	protected ExpressionVariables createPoisonVariables(Poison poison) {
+		return createVariables(
+				VAR_POISON, poison, Poison.class);
+	}
+	
+	/**
+	 * Make sure that there is a meaningful error - even if sandbox is applied.
+	 */
+	@Test
+    public void testSyntaxError() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		try {
+			evaluateAndAssertStringScalarExpresssion(
+					"expression-syntax-error.xml",
+					"testSyntaxError",
+					createPoisonVariables(poison),
+					RESULT_POISON_OK);
+		
+		} catch (ExpressionEvaluationException e) {
+			// THEN
+			assertTrue("Unexpected exception message" + e.getMessage(), e.getMessage().contains("unexpected token"));
+		}
 
+    }
+	
+	/**
+	 * Allmighty script can execute a process from string.
+	 */
+	@Test
+    public void testStringExec() throws Exception {
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-string-exec.xml",
+				"testStringExec",
+				null,
+				RESULT_STRING_EXEC);
+		
+		// THEN
+		
+    }
+	
+	/**
+	 * Allmighty script can execute a process from list.
+	 */
+	@Test
+    public void testListExec() throws Exception {
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssion(
+				"expression-list-exec.xml",
+				"testListExec",
+				null,
+				RESULT_STRING_EXEC);
+		
+		// THEN
+		
+    }
 }
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressionsSandbox.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressionsSandbox.java
new file mode 100644
index 00000000000..f91840f600c
--- /dev/null
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestGroovyExpressionsSandbox.java
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.common.expression.script;
+
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.util.List;
+
+import org.testng.annotations.Test;
+
+import com.evolveum.midpoint.schema.AccessDecision;
+import com.evolveum.midpoint.schema.expression.ExpressionPermissionProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+
+/**
+ * @author Radovan Semancik
+ */
+public class TestGroovyExpressionsSandbox extends TestGroovyExpressions {
+
+
+	@Override
+	protected ScriptExpressionProfile getScriptExpressionProfile(String language) {
+		ScriptExpressionProfile profile = new ScriptExpressionProfile(language);
+		
+		profile.setTypeChecking(true);
+		
+		ExpressionPermissionProfile permissionProfile = new ExpressionPermissionProfile(this.getClass().getSimpleName());
+		profile.setPermissionProfile(permissionProfile);
+		
+		permissionProfile.addClassAccessRule(Poison.class, AccessDecision.ALLOW);
+		permissionProfile.addClassAccessRule(Poison.class, "smell", AccessDecision.DENY);
+		permissionProfile.addClassAccessRule(Poison.class, "drink", AccessDecision.DENY);
+		
+		permissionProfile.addClassAccessRule(String.class, AccessDecision.ALLOW);
+		permissionProfile.addClassAccessRule(String.class, "execute", AccessDecision.DENY);
+		
+		permissionProfile.addClassAccessRule(List.class, AccessDecision.ALLOW);
+		permissionProfile.addClassAccessRule(List.class, "execute", AccessDecision.DENY);
+		
+		permissionProfile.setDecision(AccessDecision.ALLOW);
+		
+		return profile;
+	}
+	
+	/**
+	 * This should NOT pass here. There restrictions should not allow to invoke
+	 * poison.smell()
+	 */
+	@Test
+	@Override
+    public void testSmellPoison() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-poinson-smell.xml",
+				"testSmellPoison",
+				createPoisonVariables(poison));
+		
+		// THEN
+		poison.assertNotSmelled();
+    }
+	
+	/**
+	 * Smelling poison should be forbidden even if the script
+	 * tries to obfuscate that a bit.
+	 */
+	@Test
+	@Override
+    public void testSmellPoisonTricky() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-poinson-smell-tricky.xml",
+				"testDrinkPoisonTricky",
+				createPoisonVariables(poison));
+		
+		poison.assertNotSmelled();
+    }
+	
+	/**
+	 * Attempt to smell poison by using a dynamic invocation.
+	 */
+	@Test
+	@Override
+    public void testSmellPoisonDynamic() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-poinson-smell-dynamic.xml",
+				"testSmellPoisonDynamic",
+				createPoisonVariables(poison));
+		
+		poison.assertNotSmelled();
+		
+    }
+	
+	/**
+	 * Attempt to smell poison by using a very dynamic invocation.
+	 * 
+	 * We are in type checking mode, therefore this just won't compile.
+	 */
+	@Test
+	@Override
+    public void testSmellPoisonVeryDynamic() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		try {
+			evaluateAndAssertStringScalarExpresssion(
+					"expression-poinson-smell-very-dynamic.xml",
+					"testSmellPoisonVeryDynamic",
+					createPoisonVariables(poison),
+					RESULT_POISON_OK);
+		
+		} catch (ExpressionEvaluationException e) {
+			// THEN
+			assertTrue("Unexpected exception message" + e.getMessage(), e.getMessage().contains("cannot resolve dynamic method name at compile time"));
+		}
+		
+		poison.assertNotSmelled();
+    }
+	
+	/**
+	 * Attempt to smell poison by using reflection
+	 */
+	@Test
+	@Override
+    public void testSmellPoisonReflection() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-poinson-smell-reflection.xml",
+				"testSmellPoisonDynamic",
+				createPoisonVariables(poison));
+		
+		poison.assertNotSmelled();
+		
+    }
+	
+	/**
+	 * Drinking poison should be forbidden here.
+	 */
+	@Test
+	@Override
+    public void testDrinkPoison() throws Exception {
+		Poison poison = new Poison();
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-poinson-drink.xml",
+				"testDrinkPoison",
+				createPoisonVariables(poison));
+		
+    }
+	
+	/**
+	 * Deny execute from string.
+	 */
+	@Test
+	@Override
+    public void testStringExec() throws Exception {
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-string-exec.xml",
+				"testStringExec",
+				null);
+		
+		// THEN
+		
+    }
+	
+	/**
+	 * Deny execute from list.
+	 */
+	@Test
+	@Override
+    public void testListExec() throws Exception {
+		
+		// WHEN
+		evaluateAndAssertStringScalarExpresssionRestricted(
+				"expression-list-exec.xml",
+				"testListExec",
+				null);
+		
+		// THEN
+		
+    }
+
+}
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java
index bd821167082..4956f54fcce 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java
@@ -41,6 +41,7 @@
 import com.evolveum.midpoint.model.common.expression.functions.FunctionLibraryUtil;
 import com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator;
 import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
 import com.evolveum.midpoint.prism.crypto.Protector;
@@ -152,9 +153,9 @@ private long executeScript(String filname, String expectedResult, String desc) t
 
     	ScriptExpression scriptExpression = createScriptExpression(scriptType, outputDefinition, desc);
 
-        ExpressionVariables variables = ExpressionVariables.create(
-				new QName(NS_WHATEVER, "foo"), "FOO",
-				new QName(NS_WHATEVER, "bar"), "BAR"
+        ExpressionVariables variables = ExpressionVariables.create(getPrismContext(),
+				"foo", "FOO", PrimitiveType.STRING,
+				"bar", "BAR", PrimitiveType.STRING
 		);
 
 		// WHEN
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestVelocityExpressions.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestVelocityExpressions.java
index 1669b1f4249..53e1657c1f3 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestVelocityExpressions.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestVelocityExpressions.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,11 +17,14 @@
 
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.model.common.expression.script.velocity.VelocityScriptEvaluator;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
+
 import org.testng.annotations.Test;
 
 import javax.xml.namespace.QName;
@@ -35,7 +38,7 @@ public class TestVelocityExpressions extends AbstractScriptTest {
 
 	@Override
 	protected ScriptEvaluator createEvaluator(PrismContext prismContext, Protector protector) {
-		return new VelocityScriptEvaluator(prismContext, protector);
+		return new VelocityScriptEvaluator(prismContext, protector, localizationService);
 	}
 
 	@Override
@@ -48,9 +51,11 @@ public void testExpressionList() throws Exception {
 		evaluateAndAssertStringScalarExpresssion(		// velocity has no support for output other than String
 				"expression-list.xml",
 				"testExpressionList",
-				ExpressionVariables.create(
-						new QName(NS_Y, "jack"),
-						MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE)
+				createVariables(
+						"jack",
+						MiscSchemaUtil.createObjectReference(USER_OID, UserType.COMPLEX_TYPE),
+						prismContext.definitionFactory()
+							.createReferenceDefinition(UserType.F_PERSONA_REF, UserType.COMPLEX_TYPE)
 				),
 				"[Leaders, Followers]");
 	}
@@ -60,9 +65,9 @@ public void testExpressionPolyStringEquals101() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals101",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -72,9 +77,9 @@ public void testExpressionPolyStringEquals102() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals102",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -84,9 +89,9 @@ public void testExpressionPolyStringEquals111() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals111",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);			// velocity calls '==' on toString value
     }
@@ -96,9 +101,9 @@ public void testExpressionPolyStringEquals112() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals112",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -108,9 +113,9 @@ public void testExpressionPolyStringEquals121() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals121",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);			// velocity calls '==' on toString value
     }
@@ -120,9 +125,9 @@ public void testExpressionPolyStringEquals122() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-1.xml",
 				"testExpressionPolyStringEquals122",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -132,9 +137,9 @@ public void testExpressionPolyStringEquals201() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals201",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -144,9 +149,9 @@ public void testExpressionPolyStringEquals202() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals202",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -156,9 +161,9 @@ public void testExpressionPolyStringEquals211() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals211",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);			// velocity calls '==' on toString value
     }
@@ -168,9 +173,9 @@ public void testExpressionPolyStringEquals212() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals212",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -180,9 +185,9 @@ public void testExpressionPolyStringEquals221() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals221",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);			// velocity calls '==' on toString value
     }
@@ -192,9 +197,9 @@ public void testExpressionPolyStringEquals222() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-2.xml",
 				"testExpressionPolyStringEquals222",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -204,9 +209,9 @@ public void testExpressionPolyStringEqualsStringify101() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify101",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -216,9 +221,9 @@ public void testExpressionPolyStringEqualsStringify102() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify102",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -228,9 +233,9 @@ public void testExpressionPolyStringEqualsStringify111() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify111",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -240,9 +245,9 @@ public void testExpressionPolyStringEqualsStringify112() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify112",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -252,9 +257,9 @@ public void testExpressionPolyStringEqualsStringify121() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify121",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -264,9 +269,9 @@ public void testExpressionPolyStringEqualsStringify122() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-1.xml",
 				"testExpressionPolyStringEqualsStringify122",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -276,9 +281,9 @@ public void testExpressionPolyStringEqualsStringify201() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify201",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOO",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOO", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -288,9 +293,9 @@ public void testExpressionPolyStringEqualsStringify202() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify202",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), "FOOBAR",
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", "FOOBAR", PrimitiveType.STRING,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -300,9 +305,9 @@ public void testExpressionPolyStringEqualsStringify211() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify211",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -312,9 +317,9 @@ public void testExpressionPolyStringEqualsStringify212() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify212",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyString("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyString("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
@@ -324,9 +329,9 @@ public void testExpressionPolyStringEqualsStringify221() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify221",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOO"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOO"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.TRUE);
     }
@@ -336,9 +341,9 @@ public void testExpressionPolyStringEqualsStringify222() throws Exception {
 		evaluateAndAssertBooleanScalarExpresssion(
 				"expression-polystring-equals-stringify-2.xml",
 				"testExpressionPolyStringEqualsStringify222",
-				ExpressionVariables.create(
-						new QName(NS_X, "foo"), PrismTestUtil.createPolyStringType("FOOBAR"),
-						new QName(NS_Y, "bar"), "BAR"
+				createVariables(
+						"foo", PrismTestUtil.createPolyStringType("FOOBAR"), PolyStringType.COMPLEX_TYPE,
+						"bar", "BAR", PrimitiveType.STRING
 				),
 				Boolean.FALSE);
     }
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java
index 77cf0cc481e..84580f9d722 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -166,24 +166,25 @@ public <T> MappingImpl.Builder<PrismPropertyValue<T>, PrismPropertyDefinition<T>
                 new File(TEST_DIR, filename), MappingType.COMPLEX_TYPE);
 
         MappingImpl.Builder<PrismPropertyValue<T>,PrismPropertyDefinition<T>> mappingBuilder = mappingFactory.createMappingBuilder(mappingType, testName);
+        mappingBuilder.prismContext(prismContext);
 
         // Source context: user
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userOld, userDelta, null);
+		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userOld, userDelta, null, prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class));
         userOdo.recompute();
-		mappingBuilder.setSourceContext(userOdo);
+		mappingBuilder.sourceContext(userOdo);
 
 		// Variable $user
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_USER, userOdo);
 
 		// Variable $account
 		PrismObject<ShadowType> account = getAccount();
-		ObjectDeltaObject<ShadowType> accountOdo = new ObjectDeltaObject<>(account, null, null);
+		ObjectDeltaObject<ShadowType> accountOdo = new ObjectDeltaObject<>(account, null, null, account.getDefinition());
 		accountOdo.recompute();
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, accountOdo);
 
 		// Target context: user
 		PrismObjectDefinition<UserType> userDefinition = getUserDefinition();
-		mappingBuilder.setTargetContext(userDefinition);
+		mappingBuilder.targetContext(userDefinition);
 
 
 		ValuePolicyResolver stringPolicyResolver = new ValuePolicyResolver() {
@@ -227,15 +228,15 @@ public  <T> MappingImpl<PrismPropertyValue<T>, PrismPropertyDefinition<T>> creat
 		MappingImpl.Builder<PrismPropertyValue<T>,PrismPropertyDefinition<T>> builder = mappingFactory.createMappingBuilder(mappingType, testName);
 
 
-    	Source<PrismPropertyValue<T>,PrismPropertyDefinition<T>> defaultSource = new Source<>(null, delta, null, ExpressionConstants.VAR_INPUT);
+    	Source<PrismPropertyValue<T>,PrismPropertyDefinition<T>> defaultSource = new Source<>(null, delta, null, ExpressionConstants.VAR_INPUT_QNAME, delta.getDefinition());
     	defaultSource.recompute();
 		builder.setDefaultSource(defaultSource);
 		builder.setTargetContext(getUserDefinition());
-    	builder.addVariableDefinition(ExpressionConstants.VAR_USER, user);
-    	builder.addVariableDefinition(ExpressionConstants.VAR_FOCUS, user);
-    	builder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, account.asPrismObject());
-    	builder.addVariableDefinition(ExpressionConstants.VAR_SHADOW, account.asPrismObject());
-    	builder.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, account.asPrismObject());
+    	builder.addVariableDefinition(ExpressionConstants.VAR_USER, user, UserType.class);
+    	builder.addVariableDefinition(ExpressionConstants.VAR_FOCUS, user, UserType.class);
+    	builder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, account.asPrismObject(), ShadowType.class);
+    	builder.addVariableDefinition(ExpressionConstants.VAR_SHADOW, account.asPrismObject(), ShadowType.class);
+    	builder.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, account.asPrismObject(), ShadowType.class);
 
     	ValuePolicyResolver stringPolicyResolver = new ValuePolicyResolver() {
 			ItemPath outputPath;
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingComplex.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingComplex.java
index 2c0347d3a16..03e9bafab80 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingComplex.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingComplex.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@
 import org.testng.annotations.Test;
 import org.xml.sax.SAXException;
 
+import com.evolveum.midpoint.model.common.AbstractModelCommonTest;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
@@ -38,7 +39,7 @@
 /**
  * @author Radovan Semancik
  */
-public class TestMappingComplex {
+public class TestMappingComplex extends AbstractModelCommonTest {
 
 	private static final String MAPPING_COMPLEX_FILENAME = "mapping-complex-captain.xml";
 
@@ -53,7 +54,7 @@ public void setupFactory() throws SAXException, IOException, SchemaException {
     @Test
     public void testModifyObjectSetAdditionalName() throws Exception {
     	final String TEST_NAME = "testModifyObjectSetAdditionalName";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -81,7 +82,7 @@ public void testModifyObjectSetAdditionalName() throws Exception {
     @Test
     public void testModifyObjectSetAdditionalNameFalse() throws Exception {
     	final String TEST_NAME = "testModifyObjectSetAdditionalNameFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -112,7 +113,7 @@ public void testModifyObjectSetAdditionalNameFalse() throws Exception {
     @Test
     public void testModifyObjectUnrelated() throws Exception {
     	final String TEST_NAME = "testModifyObjectUnrelated";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -139,7 +140,7 @@ public void testModifyObjectUnrelated() throws Exception {
     @Test
     public void testModifyObjectUnrelatedFalse() throws Exception {
     	final String TEST_NAME = "testModifyObjectUnrelatedFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -166,7 +167,7 @@ public void testModifyObjectUnrelatedFalse() throws Exception {
     @Test
     public void testAddObjectUnrelatedFalse() throws Exception {
     	final String TEST_NAME = "testAddObjectUnrelatedFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	PrismObject<UserType> user = evaluator.getUserOld();
@@ -191,7 +192,7 @@ public void testAddObjectUnrelatedFalse() throws Exception {
     @Test
     public void testAddObjectUnrelatedEmptyFalse() throws Exception {
     	final String TEST_NAME = "testAddObjectUnrelatedEmptyFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	PrismObject<UserType> user = evaluator.getUserOld();
@@ -211,5 +212,4 @@ public void testAddObjectUnrelatedEmptyFalse() throws Exception {
 		PrismValueDeltaSetTriple<PrismPropertyValue<PolyString>> outputTriple = mapping.getOutputTriple();
 		assertNull("Unexpected value in outputTriple: "+outputTriple, outputTriple);
     }
-
 }
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSimple.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSimple.java
index 2a2cdfe0362..3065cea86e9 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSimple.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSimple.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,15 +42,19 @@
 import org.testng.annotations.Test;
 import org.xml.sax.SAXException;
 
+import com.evolveum.midpoint.model.common.AbstractModelCommonTest;
 import com.evolveum.midpoint.model.common.expression.evaluator.GenerateExpressionEvaluator;
 import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.prism.util.PrismAsserts;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
+import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.SchemaTestConstants;
+import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.MidPointTestConstants;
 import com.evolveum.midpoint.test.util.TestUtil;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -65,7 +69,7 @@
 /**
  * @author Radovan Semancik
  */
-public class TestMappingDynamicSimple {
+public class TestMappingDynamicSimple extends AbstractModelCommonTest {
 
 	private static final String NS_EXTENSION = "http://midpoint.evolveum.com/xml/ns/test/extension";
 	private static final String PATTERN_NUMERIC = "^\\d+$";
@@ -80,6 +84,9 @@ public void setupFactory() throws SAXException, IOException, SchemaException {
 
     @Test
     public void testValueSingleDeep() throws Exception {
+    	final String TEST_NAME = "testValueSingleDeep";
+    	displayTestTitle(TEST_NAME);
+    	
         // WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicAdd(
     			"mapping-value-single-deep.xml",
@@ -97,6 +104,9 @@ public void testValueSingleDeep() throws Exception {
 
     @Test
     public void testValueSingleShallow() throws Exception {
+    	final String TEST_NAME = "testValueSingleShallow";
+    	displayTestTitle(TEST_NAME);
+    	
         // WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicAdd(
     			"mapping-value-single-shallow.xml",
@@ -114,6 +124,9 @@ public void testValueSingleShallow() throws Exception {
 
     @Test
     public void testValueMultiDeep() throws Exception {
+    	final String TEST_NAME = "testValueMultiDeep";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicAdd(
     			"mapping-value-multi-deep.xml",
@@ -131,6 +144,9 @@ public void testValueMultiDeep() throws Exception {
 
     @Test
     public void testValueMultiShallow() throws Exception {
+    	final String TEST_NAME = "testValueMultiShallow";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicAdd(
     			"mapping-value-multi-shallow.xml",
@@ -148,6 +164,9 @@ public void testValueMultiShallow() throws Exception {
 
     @Test
     public void testValueSingleEnum() throws Exception {
+    	final String TEST_NAME = "testValueSingleEnum";
+    	displayTestTitle(TEST_NAME);
+    	
         // WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<ActivationStatusType>> outputTriple = evaluator.evaluateMappingDynamicAdd(
     			"mapping-value-single-enum.xml",
@@ -165,6 +184,9 @@ public void testValueSingleEnum() throws Exception {
 
 	@Test
     public void testAsIsAdd() throws Exception {
+		final String TEST_NAME = "testAsIsAdd";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicAdd(
     			"mapping-asis.xml",
@@ -182,6 +204,9 @@ public void testAsIsAdd() throws Exception {
 
     @Test
     public void testAsIsDelete() throws Exception {
+    	final String TEST_NAME = "testAsIsDelete";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicDelete(
 				"mapping-asis.xml",
@@ -200,6 +225,9 @@ public void testAsIsDelete() throws Exception {
 
     @Test
     public void testAsIsStringToPolyString() throws Exception {
+    	final String TEST_NAME = "testAsIsStringToPolyString";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMapping(
 				"mapping-asis.xml",
@@ -215,6 +243,9 @@ public void testAsIsStringToPolyString() throws Exception {
 
     @Test
     public void testAsIsStringToProtectedString() throws Exception {
+    	final String TEST_NAME = "testAsIsStringToProtectedString";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<ProtectedStringType>> outputTriple = evaluator.evaluateMapping(
     			"mapping-asis.xml",
@@ -230,6 +261,9 @@ public void testAsIsStringToProtectedString() throws Exception {
 
     @Test
     public void testAsIsProtectedStringToProtectedString() throws Exception {
+    	final String TEST_NAME = "testAsIsProtectedStringToProtectedString";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<ProtectedStringType>> outputTriple = evaluator.evaluateMapping(
     			"mapping-asis-password.xml",
@@ -245,6 +279,9 @@ public void testAsIsProtectedStringToProtectedString() throws Exception {
 
     @Test
     public void testAsIsProtectedStringToString() throws Exception {
+    	final String TEST_NAME = "testAsIsProtectedStringToString";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMapping(
     			"mapping-asis-password.xml",
@@ -260,6 +297,9 @@ public void testAsIsProtectedStringToString() throws Exception {
 
     @Test
     public void testAsIsProtectedStringToPolyString() throws Exception {
+    	final String TEST_NAME = "testAsIsProtectedStringToPolyString";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<PolyString>> outputTriple = evaluator.evaluateMapping(
     			"mapping-asis-password.xml",
@@ -276,6 +316,9 @@ public void testAsIsProtectedStringToPolyString() throws Exception {
 
     @Test
     public void testPathVariables() throws Exception {
+    	final String TEST_NAME = "testPathVariables";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMappingDynamicAdd(
 				"mapping-path-system-variables.xml",
@@ -293,6 +336,9 @@ public void testPathVariables() throws Exception {
 
     @Test
     public void testPathExtensionProperty() throws Exception {
+    	final String TEST_NAME = "testPathExtensionProperty";
+    	displayTestTitle(TEST_NAME);
+    	
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = evaluator.evaluateMapping(
 				"mapping-path-extension-variable.xml",
@@ -567,11 +613,13 @@ public void testScriptExtraVariablesRef() throws Exception {
     	MappingImpl.Builder<PrismPropertyValue<String>,PrismPropertyDefinition<String>> builder = evaluator.createMappingBuilder("mapping-script-extra-variables.xml",
 				"testScriptExtraVariablesRef", "employeeType", null);
 
-    	Map<QName, Object> vars = new HashMap<>();
+    	VariablesMap vars = new VariablesMap();
     	ObjectReferenceType ref = MiscSchemaUtil.createObjectReference(
         	"c0c010c0-d34d-b33f-f00d-111111111112",
         	UserType.COMPLEX_TYPE);
-        vars.put(new QName(SchemaConstants.NS_C, "sailor"), ref);
+        vars.put("sailor", ref,
+        		PrismTestUtil.getPrismContext().definitionFactory().createReferenceDefinition(
+        				new QName(SchemaConstants.NS_C, "sailor"), UserType.COMPLEX_TYPE));
         builder.addVariableDefinitions(vars);
 
 		MappingImpl<PrismPropertyValue<String>,PrismPropertyDefinition<String>> mapping = builder.build();
@@ -591,16 +639,17 @@ public void testScriptExtraVariablesRef() throws Exception {
 
     @Test
     public void testScriptExtraVariablesJaxb() throws Exception {
-    	// GIVEN
     	final String TEST_NAME = "testScriptExtraVariablesJaxb";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
+    	
+    	// GIVEN
     	MappingImpl.Builder<PrismPropertyValue<String>,PrismPropertyDefinition<String>> builder = evaluator.createMappingBuilder("mapping-script-extra-variables.xml",
     			TEST_NAME, "employeeType", null);
 
-    	Map<QName, Object> vars = new HashMap<>();
+    	VariablesMap vars = new VariablesMap();
     	UserType userType = (UserType) PrismTestUtil.parseObject(
                 new File(MidPointTestConstants.OBJECTS_DIR, "c0c010c0-d34d-b33f-f00d-111111111112.xml")).asObjectable();
-        vars.put(new QName(SchemaConstants.NS_C, "sailor"), userType);
+        vars.put("sailor", userType, userType.asPrismObject().getDefinition());
         builder.addVariableDefinitions(vars);
 		MappingImpl<PrismPropertyValue<String>,PrismPropertyDefinition<String>> mapping = builder.build();
 
@@ -636,7 +685,7 @@ public void testScriptFullNameNoChange() throws Exception {
     @Test
     public void testScriptFullNameReplaceGivenName() throws Exception {
     	final String TEST_NAME = "testScriptFullNameReplaceGivenName";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<PolyString>> outputTriple = evaluator.evaluateMappingDynamicReplace(
 				"mapping-script-fullname.xml",
@@ -655,7 +704,7 @@ public void testScriptFullNameReplaceGivenName() throws Exception {
     @Test
     public void testScriptFullNameDeleteGivenName() throws Exception {
     	final String TEST_NAME = "testScriptFullNameDeleteGivenName";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -684,7 +733,7 @@ public void testScriptFullNameDeleteGivenName() throws Exception {
     @Test
     public void testScriptFullNameDeleteGivenNameFromNull() throws Exception {
     	final String TEST_NAME = "testScriptFullNameDeleteGivenNameFromNull";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -716,7 +765,7 @@ public void testScriptFullNameDeleteGivenNameFromNull() throws Exception {
     @Test
     public void testScriptFullNameDeleteGivenNameFamilyName() throws Exception {
     	final String TEST_NAME = "testScriptFullNameDeleteGivenNameFamilyName";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -879,7 +928,7 @@ public void testValueConditionFalse() throws Exception {
     public void testConditionNonEmptyCaptain() throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testConditionNonEmptyCaptain";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	PrismObject<UserType> user = evaluator.getUserOld();
     	user.asObjectable().getEmployeeType().clear();
@@ -907,7 +956,7 @@ public void testConditionNonEmptyCaptain() throws Exception {
     public void testConditionNonEmptyEmpty() throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testConditionNonEmptyEmpty";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	PrismObject<UserType> user = evaluator.getUserOld();
     	user.asObjectable().getEmployeeType().clear();
@@ -932,7 +981,7 @@ public void testConditionNonEmptyEmpty() throws Exception {
     public void testConditionNonEmptyNoValue() throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testConditionNonEmptyNoValue";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	PrismObject<UserType> user = evaluator.getUserOld();
     	user.asObjectable().getEmployeeType().clear();
@@ -955,7 +1004,7 @@ public void testConditionNonEmptyNoValue() throws Exception {
     @Test
     public void testScriptTransformMultiAddDelete() throws Exception {
     	final String TEST_NAME = "testScriptTransformMultiAddDelete";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -997,7 +1046,7 @@ public void testScriptTransformMultiAddDelete() throws Exception {
     @Test
     public void testScriptTransformMultiReplace() throws Exception {
     	final String TEST_NAME = "testScriptTransformMultiReplace";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -1035,11 +1084,20 @@ public void testScriptTransformMultiReplace() throws Exception {
     @Test
     public void testInboundMapping() throws Exception{
     	final String TEST_NAME = "testInboundMapping";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
 	    PrismContext prismContext = evaluator.getPrismContext();
 
-    	PrismObject<ShadowType> account = PrismTestUtil.parseObject(new File(MappingTestEvaluator.TEST_DIR + "/account-inbound-mapping.xml"));
+    	PrismObject<ShadowType> account = PrismTestUtil.parseObject(new File(MappingTestEvaluator.TEST_DIR, "account-inbound-mapping.xml"));
+    	// We need to provide some definitions for account attributes here,
+		// otherwise the tests will fail on unknown data types
+		PrismObjectDefinition<ShadowType> shadowDef = account.getDefinition().deepClone(true, null);
+		PrismContainerDefinition<Containerable> attrsDef = shadowDef.findContainerDefinition(ShadowType.F_ATTRIBUTES);
+		attrsDef.toMutable().createPropertyDefinition(new QName(MidPointConstants.NS_RI, "uid"), PrimitiveType.STRING.getQname());
+		attrsDef.toMutable().createPropertyDefinition(SchemaConstants.ICFS_NAME, PrimitiveType.STRING.getQname());
+		account.setDefinition(shadowDef);
+		IntegrationTestTools.display("Account", account);
+		
     	Item oldItem = account.findItem(ItemPath.create(ShadowType.F_ATTRIBUTES, SchemaTestConstants.ICFS_NAME));
     	ItemDelta delta = prismContext.deltaFactory().property().createModificationAddProperty(SchemaTestConstants.ICFS_NAME_PATH_PARTS, (PrismPropertyDefinition) oldItem.getDefinition(), ((PrismPropertyValue) oldItem.getAnyValue()).getValue());
 
@@ -1048,6 +1106,8 @@ public void testInboundMapping() throws Exception{
     	MappingImpl<PrismPropertyValue<PolyString>,PrismPropertyDefinition<PolyString>> mapping = evaluator.createInboudMapping("mapping-inbound.xml", TEST_NAME, delta, user.asObjectable(), account.asObjectable(), null, null);
 
     	OperationResult opResult = new OperationResult(TEST_NAME);
+    	
+    	displayWhen(TEST_NAME);
     	mapping.evaluate(null, opResult);
 
     	PrismValueDeltaSetTriple<PrismPropertyValue<PolyString>> outputTriple = mapping.getOutputTriple();
@@ -1060,7 +1120,7 @@ public void testInboundMapping() throws Exception{
     @Test
     public void testGenerateDefault() throws Exception {
     	final String TEST_NAME = "testGenerateDefault";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	final ValuePolicyType stringPolicy = evaluator.getValuePolicy();
     	// GIVEN
@@ -1130,7 +1190,7 @@ public void testGeneratePolicyNumericString() throws Exception {
 
     private void generatePolicy(final String TEST_NAME, String mappingFileName, String policyFileName, String pattern, boolean ignoreMax)
     		throws Exception {
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// This is just for validation. The expression has to resolve reference of its own
     	PrismObject<ValuePolicyType> valuePolicy = PrismTestUtil.parseObject(
@@ -1216,7 +1276,7 @@ public void testGeneratePolicyNumericLong() throws Exception {
 
     private <T> void generatePolicyNumeric(final String TEST_NAME, String mappingFileName,
     		String policyFileName, String extensionPropName, Class<T> clazz) throws Exception {
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
 
     	// This is just for validation. The expression has to resolve reference of its own
     	PrismObject<ValuePolicyType> valuePolicy = PrismTestUtil.parseObject(
@@ -1274,7 +1334,7 @@ private <T> void generatePolicyNumeric(final String TEST_NAME, String mappingFil
 	@Test
     public void testGenerateProtectedString() throws Exception {
     	final String TEST_NAME = "testGenerateProtectedString";
-    	TestUtil.displayTestTitle(TEST_NAME);
+    	displayTestTitle(TEST_NAME);
     	// GIVEN
     	MappingImpl<PrismPropertyValue<ProtectedStringType>,PrismPropertyDefinition<ProtectedStringType>> mapping = evaluator.createMapping("mapping-generate.xml",
     			TEST_NAME, SchemaConstants.PATH_PASSWORD_VALUE, null);
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSysVar.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSysVar.java
index 2a483d28945..acc1daae44e 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSysVar.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/TestMappingDynamicSysVar.java
@@ -30,6 +30,7 @@
 import org.testng.annotations.Test;
 import org.xml.sax.SAXException;
 
+import com.evolveum.midpoint.model.common.AbstractModelCommonTest;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismProperty;
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
@@ -52,7 +53,7 @@
 /**
  * @author Radovan Semancik
  */
-public class TestMappingDynamicSysVar {
+public class TestMappingDynamicSysVar extends AbstractModelCommonTest {
 
 	private static final String NS_EXTENSION = "http://midpoint.evolveum.com/xml/ns/test/extension";
 	private static final String PATTERN_NUMERIC = "^\\d+$";
@@ -78,7 +79,7 @@ public void testScriptSystemVariablesConditionAddObjectTrueSourcecontextGroovy()
     public void testScriptSystemVariablesConditionAddObjectTrue(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionAddObjectTrue";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	PrismObject<UserType> user = evaluator.getUserOld();
     	user.asObjectable().getEmployeeType().clear();
@@ -107,7 +108,7 @@ public void testScriptSystemVariablesConditionAddObjectTrue(String filename) thr
     @Test
     public void testScriptSystemVariablesConditionModifyObjectTrueGroovyUnrelated() throws Exception {
     	final String TEST_NAME = "testScriptSystemVariablesConditionAddObjectTrueGroovyUnrelated";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -141,7 +142,7 @@ public void testScriptSystemVariablesConditionAddObjectFalseSourcecontextGroovy(
     public void testScriptSystemVariablesConditionAddObjectFalse(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionAddObjectFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	PrismObject<UserType> user = evaluator.getUserOld();
     	user.asObjectable().getEmployeeType().clear();
@@ -175,7 +176,7 @@ public void testScriptSystemVariablesConditionAddObjectFalseNoValSourcecontextGr
     public void testScriptSystemVariablesConditionAddObjectFalseNoVal(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionAddObjectFalseNoVal";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	PrismObject<UserType> user = evaluator.getUserOld();
     	PrismProperty<String> employeeTypeProperty = user.findProperty(UserType.F_EMPLOYEE_TYPE);
@@ -209,7 +210,7 @@ public void testScriptSystemVariablesConditionAddObjectFalseNoPropertySourcecont
     public void testScriptSystemVariablesConditionAddObjectFalseNoProperty(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionAddObjectFalseNoProperty";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
 
     	PrismObject<UserType> user = evaluator.getUserOld();
@@ -239,7 +240,7 @@ public void testScriptSystemVariablesConditionTrueToTrueGroovy() throws Exceptio
     public void testScriptSystemVariablesConditionTrueToTrue(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionTrueToTrue";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
 			    .createModificationReplaceProperty(UserType.class, evaluator.USER_OLD_OID,
@@ -273,7 +274,7 @@ public void testScriptSystemVariablesConditionFalseToFalseGroovy() throws Except
     public void testScriptSystemVariablesConditionFalseToFalse(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionFalseToFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
 			    .createModificationReplaceProperty(UserType.class, evaluator.USER_OLD_OID,
@@ -301,7 +302,7 @@ public void testScriptSystemVariablesConditionFalseToTrueGroovy() throws Excepti
     public void testScriptSystemVariablesConditionFalseToTrue(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionFalseToTrue";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
 			    .createModificationReplaceProperty(UserType.class, evaluator.USER_OLD_OID,
@@ -331,7 +332,7 @@ public void testScriptSystemVariablesConditionTrueToFalseGroovy() throws Excepti
     public void testScriptSystemVariablesConditionTrueToFalse(String filename) throws Exception {
     	// GIVEN
     	final String TEST_NAME = "testScriptSystemVariablesConditionTrueToFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
 			    .createModificationReplaceProperty(UserType.class, evaluator.USER_OLD_OID,
@@ -382,7 +383,7 @@ public void testScriptSystemVariablesConditionEmptySingleTrueFunction() throws E
     }
 
     public void testScriptSystemVariablesConditionEmptyTrue(final String TEST_NAME, String filename) throws Exception {
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -423,7 +424,7 @@ public void testScriptSystemVariablesConditionEmptySingleFalseToTrueFunction() t
     }
 
     public void testScriptSystemVariablesConditionEmptyFalseToTrue(final String TEST_NAME, String filename) throws Exception {
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -475,7 +476,7 @@ public void testScriptSystemVariablesConditionEmptySingleFalseFunction() throws
     }
 
     public void testScriptSystemVariablesConditionEmptyFalse(final String TEST_NAME, String filename) throws Exception {
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -514,7 +515,7 @@ public void testScriptSystemVariablesConditionEmptySingleTrueToFalseFunction() t
     }
 
     public void testScriptSystemVariablesConditionEmptyTrueToFalse(final String TEST_NAME, String filename) throws Exception {
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -544,7 +545,7 @@ public void testScriptSystemVariablesConditionEmptyTrueToFalse(final String TEST
     @Test
     public void testNpeFalseToTrue() throws Exception {
     	final String TEST_NAME = "testNpeFalseToTrue";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -570,7 +571,7 @@ public void testNpeFalseToTrue() throws Exception {
     @Test
     public void testNpeTrueToFalse() throws Exception {
     	final String TEST_NAME = "testNpeTrueToFalse";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -600,7 +601,7 @@ public void testNpeTrueToFalse() throws Exception {
     @Test
     public void testPathEnum() throws Exception {
     	final String TEST_NAME = "testPathEnum";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
 
     	// GIVEN
     	ObjectDelta<UserType> delta = evaluator.getPrismContext().deltaFactory().object()
@@ -644,7 +645,7 @@ public void testEmployeeNumberString() throws Exception {
     @Test
     public void testEmployeeNumberPolyString() throws Exception {
     	final String TEST_NAME = "testEmployeeNumberPolyString";
-    	System.out.println("===[ "+TEST_NAME+"]===");
+    	displayTestTitle(TEST_NAME);
     	// WHEN
     	PrismValueDeltaSetTriple<PrismPropertyValue<PolyString>> outputTriple = evaluator.evaluateMappingDynamicReplace(
     			"mapping-script-system-variables-employee-number.xml",
diff --git a/model/model-common/src/test/resources/common/system-configuration.xml b/model/model-common/src/test/resources/common/system-configuration.xml
new file mode 100644
index 00000000000..e76d7b179b3
--- /dev/null
+++ b/model/model-common/src/test/resources/common/system-configuration.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+    <name>SystemConfiguration</name>
+    
+    <expressions>
+    	<expressionProfile>
+    		<identifier>safe</identifier>
+    		<decision>deny</decision> <!-- default decision of those evaluators that are not explicitly enumerated. -->
+    		<evaluator>
+    			<type>asIs</type>
+    			<decision>allow</decision>
+    		</evaluator>
+    		<evaluator>
+    			<type>path</type>
+    			<decision>allow</decision>
+    		</evaluator>
+    		<evaluator>
+    			<type>value</type>
+    			<decision>allow</decision>
+    		</evaluator>
+<!--
+			Const is safe. But we need something to prohibit here.
+    		<evaluator>
+    			<type>const</type>
+    			<decision>allow</decision>
+    		</evaluator>  -->
+    		<evaluator>
+    			<type>script</type>
+    			<decision>deny</decision> <!-- default decision of those script languages that are not explicitly enumerated. -->
+    			<script>
+    				<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+    				<decision>allow</decision>
+    				<typeChecking>true</typeChecking>
+    				<permissionProfile>script-safe</permissionProfile>
+    			</script>
+    		</evaluator>
+    	</expressionProfile>
+	    <permissionProfile>
+	    	<identifier>script-safe</identifier>
+	    	<decision>deny</decision> <!-- Default decision for those classes that are not explicitly enumerated. -->
+	    	<package>
+	    		<name>com.evolveum.midpoint.xml.ns._public.common.common_3</name>
+	    		<description>MidPoint common schema - generated bean classes</description>
+	    		<decision>allow</decision>
+	    	</package>
+	    	<package>
+	    		<name>com.evolveum.prism.xml.ns._public.types_3</name>
+	    		<description>Prism schema - bean classes</description>
+	    		<decision>allow</decision>
+	    	</package>
+	    	<class>
+	    		<name>java.lang.String</name>
+	    			<description>String operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+	    			<decision>allow</decision> <!-- Default decision for those methods that are not explicitly enumerated. -->
+	    			<method>
+	    				<name>execute</name>
+	    				<decision>deny</decision>
+	    			</method>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.CharSequence</name>
+	    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.util.List</name>
+	    			<description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+	    			<decision>allow</decision>
+	    			<method>
+	    				<name>execute</name>
+	    				<decision>deny</decision>
+	    			</method>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.System</name>
+	    			<description>Just a few methods of System are safe enough.</description>
+	    			<decision>deny</decision>
+	    			<method>
+	    				<name>currentTimeMillis</name>
+	    				<decision>allow</decision>
+	    			</method>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.IllegalStateException</name>
+	    			<description>Basic Java exception. Also used in test.</description>
+	    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.IllegalArgumentException</name>
+	    			<description>Basic Java exception.</description>
+	    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions</name>
+	    		<description>MidPoint logging functions library</description>
+	    		<decision>allow</decision>
+	    	</class>
+	    </permissionProfile>
+    </expressions>
+</systemConfiguration>
diff --git a/model/model-common/src/test/resources/expression/expression/account-jack-dummy.xml b/model/model-common/src/test/resources/expression/expression/account-jack-dummy.xml
index 03d44f915a2..773455bcedc 100644
--- a/model/model-common/src/test/resources/expression/expression/account-jack-dummy.xml
+++ b/model/model-common/src/test/resources/expression/expression/account-jack-dummy.xml
@@ -20,7 +20,7 @@
 	xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
 	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
 	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
-	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
 	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 	<resourceRef oid="10000000-0000-0000-0000-000000000004"/>
diff --git a/model/model-common/src/test/resources/expression/expression/expression-asis.xml b/model/model-common/src/test/resources/expression/expression/expression-asis.xml
new file mode 100644
index 00000000000..23283a9419c
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-asis.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<asIs/>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/expression-const.xml b/model/model-common/src/test/resources/expression/expression/expression-const.xml
new file mode 100644
index 00000000000..7d4679ef04d
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-const.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<const>foo</const>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/iteration-condition.xml b/model/model-common/src/test/resources/expression/expression/expression-iteration-condition.xml
similarity index 84%
rename from model/model-common/src/test/resources/expression/expression/iteration-condition.xml
rename to model/model-common/src/test/resources/expression/expression/expression-iteration-condition.xml
index e816d4cc212..48bc5648aaa 100644
--- a/model/model-common/src/test/resources/expression/expression/iteration-condition.xml
+++ b/model/model-common/src/test/resources/expression/expression/expression-iteration-condition.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2013 Evolveum
+  ~ Copyright (c) 2013-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -26,12 +26,12 @@
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 	<variable>
 		<name>quote</name>
-		<path>$shadow/attributes/ri:quote</path>
+		<path>$projection/attributes/ri:quote</path>
 	</variable>
 	<script>
 		<code>
-			log.debug("quote={}, user={}", quote, user);
-			if (user != null &amp;&amp; quote == null &amp;&amp; user.getName() != null &amp;&amp; user.getName().getOrig().equals("drake")) {
+			log.debug("quote={}, focus={}", quote, focus);
+			if (focus != null &amp;&amp; quote == null &amp;&amp; focus.getName() != null &amp;&amp; focus.getName().getOrig().equals("drake")) {
 				// Make sure it fails if executed without quote, this should not happen
 				throw new IllegalStateException("Kaboom!");
 			}
diff --git a/model/model-common/src/test/resources/expression/expression/expression-path.xml b/model/model-common/src/test/resources/expression/expression/expression-path.xml
new file mode 100644
index 00000000000..21f59f1af12
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-path.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<path>$focus/name</path>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/expression-script-groovy-simple.xml b/model/model-common/src/test/resources/expression/expression/expression-script-groovy-simple.xml
new file mode 100644
index 00000000000..bfedcbb7150
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-script-groovy-simple.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2013-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<script>
+		<code>
+			foo + bar;
+		</code>
+	</script>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/expression-script-groovy-system-allow.xml b/model/model-common/src/test/resources/expression/expression/expression-script-groovy-system-allow.xml
new file mode 100644
index 00000000000..ca740e40de3
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-script-groovy-system-allow.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2013-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<script>
+		<code>
+			def millis = java.lang.System.currentTimeMillis()
+			if (millis &lt; 1553523254311) {
+				throw new IllegalStateException("Time is weird: "+millis)
+			}
+			return "SUCCESS"
+		</code>
+	</script>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/expression-script-groovy-system-deny.xml b/model/model-common/src/test/resources/expression/expression/expression-script-groovy-system-deny.xml
new file mode 100644
index 00000000000..b3acb3cce1a
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-script-groovy-system-deny.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2013-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<script>
+		<code>
+			def props = java.lang.System.getProperties()
+			log.info("Got properties: {}", props)
+			return "SUCCESS"
+		</code>
+	</script>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/expression-script-javascript.xml b/model/model-common/src/test/resources/expression/expression/expression-script-javascript.xml
new file mode 100644
index 00000000000..059ecf3ce8c
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-script-javascript.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2013-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<script>
+		<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#ECMAScript</language>
+		<code>
+			foo + bar;
+		</code>
+	</script>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/expression/expression-value.xml b/model/model-common/src/test/resources/expression/expression/expression-value.xml
new file mode 100644
index 00000000000..25797e6f93f
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/expression/expression-value.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  <expression 
+  		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<value>GARBAGE OUT</value>
+</expression>
\ No newline at end of file
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-list-exec.xml b/model/model-common/src/test/resources/expression/groovy/expression-list-exec.xml
new file mode 100644
index 00000000000..11b5a617aa4
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-list-exec.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		def process = [ "echo", "-n", "Hello world" ].execute()
+		process.waitFor()
+		return process.text
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-drink.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-drink.xml
new file mode 100644
index 00000000000..5aa41ae1894
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-drink.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		poison.drink()
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-look.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-look.xml
new file mode 100644
index 00000000000..0e2e0bac853
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-look.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		poison.look()
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-dynamic.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-dynamic.xml
new file mode 100644
index 00000000000..61bc8a61513
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-dynamic.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		poison."smell"()
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-reflection.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-reflection.xml
new file mode 100644
index 00000000000..94815a1d312
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-reflection.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		def c = Class.forName('com.evolveum.midpoint.model.common.expression.script.Poison')
+		def m = c.getMethod('smell')
+		m.invoke(poison)
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-tricky.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-tricky.xml
new file mode 100644
index 00000000000..10b2924222a
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-tricky.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+	    // try to obfuscate the things a bit
+		def p = poison
+		p.smell()
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-very-dynamic.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-very-dynamic.xml
new file mode 100644
index 00000000000..0f66639f3d0
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell-very-dynamic.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		def method = 's' + 'mell';
+		poison."${method}"()
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell.xml b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell.xml
new file mode 100644
index 00000000000..7b1b5e5bec7
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-poinson-smell.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		poison.smell()
+		return "ALIVE"
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-string-exec.xml b/model/model-common/src/test/resources/expression/groovy/expression-string-exec.xml
new file mode 100644
index 00000000000..d4176ac8891
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-string-exec.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		def process = "echo -n Hello world".execute()
+		process.waitFor()
+		return process.text
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/expression/groovy/expression-syntax-error.xml b/model/model-common/src/test/resources/expression/groovy/expression-syntax-error.xml
new file mode 100644
index 00000000000..eb0765cbccd
--- /dev/null
+++ b/model/model-common/src/test/resources/expression/groovy/expression-syntax-error.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<script xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+	<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+	<code>
+		@! THIS / is \ a / line \ n0is3 
+	</code>
+</script>
diff --git a/model/model-common/src/test/resources/logback-test.xml b/model/model-common/src/test/resources/logback-test.xml
index c9d3466d570..8a4313aee43 100644
--- a/model/model-common/src/test/resources/logback-test.xml
+++ b/model/model-common/src/test/resources/logback-test.xml
@@ -25,7 +25,8 @@
     <logger name="org.hibernate.engine.jdbc.spi.SqlExceptionHelper" level="OFF"/>
 	<logger name="com.evolveum.midpoint.schema" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.common.LoggingConfigurationManager" level="TRACE" />
-	<logger name="com.evolveum.midpoint.model.common.expression" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.repo.expression" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.common.expression" level="TRACE" />
 	<logger name="com.evolveum.midpoint.model.common.mapping" level="TRACE" />
 	<logger name="com.evolveum.midpoint.model" level="TRACE" />
 	<!-- Projector "TRACE" is just too much info ... -->
diff --git a/model/model-common/src/test/resources/mapping/account-inbound-mapping.xml b/model/model-common/src/test/resources/mapping/account-inbound-mapping.xml
index 01fd766bc40..5076b48d48a 100644
--- a/model/model-common/src/test/resources/mapping/account-inbound-mapping.xml
+++ b/model/model-common/src/test/resources/mapping/account-inbound-mapping.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@
 	xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
 	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
 	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
-	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
 	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     
diff --git a/model/model-common/src/test/resources/mapping/mapping-inbound.xml b/model/model-common/src/test/resources/mapping/mapping-inbound.xml
index b6da44c89fb..fa432c716f8 100644
--- a/model/model-common/src/test/resources/mapping/mapping-inbound.xml
+++ b/model/model-common/src/test/resources/mapping/mapping-inbound.xml
@@ -10,7 +10,7 @@
 
 <mapping xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
 	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004">
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
 	<strength>weak</strength>
 	<source><!-- This is for external accounts to pass to $user/name when creating 
 			midPoint users -->
diff --git a/model/model-common/testng-unit.xml b/model/model-common/testng-unit.xml
index b3eb36e6bb8..403372df714 100644
--- a/model/model-common/testng-unit.xml
+++ b/model/model-common/testng-unit.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2018 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -26,11 +26,13 @@
 		<classes>
 			<class name="com.evolveum.midpoint.model.common.expression.script.TestJavaScriptExpressions" />
 			<class name="com.evolveum.midpoint.model.common.expression.script.TestGroovyExpressions" />
+			<class name="com.evolveum.midpoint.model.common.expression.script.TestGroovyExpressionsSandbox" />
 			<class name="com.evolveum.midpoint.model.common.expression.script.TestPythonExpressions" />
 			<class name="com.evolveum.midpoint.model.common.expression.script.TestVelocityExpressions" />
 			<class name="com.evolveum.midpoint.model.common.expression.script.TestExpressionFunctions" />
 			<class name="com.evolveum.midpoint.model.common.expression.script.TestScriptCaching" />
 			<class name="com.evolveum.midpoint.model.common.expression.TestExpression" />
+			<class name="com.evolveum.midpoint.model.common.expression.TestExpressionProfileSafe" />
 			<class name="com.evolveum.midpoint.model.common.expression.TestExpressionUtil" />  
 			<class name="com.evolveum.midpoint.model.common.mapping.TestMappingDynamicSimple" />
 			<class name="com.evolveum.midpoint.model.common.mapping.TestMappingDynamicSysVar" />
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java
index 5e061a84af0..28fae54cd2f 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java
@@ -16,21 +16,29 @@
 
 package com.evolveum.midpoint.model.impl;
 
+import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
+import com.evolveum.midpoint.model.impl.security.SecurityHelper;
+import com.evolveum.midpoint.model.impl.util.RestServiceUtil;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.schema.SchemaDescription;
 import com.evolveum.midpoint.prism.schema.SchemaRegistry;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
-import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import javax.ws.rs.*;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.io.File;
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -47,32 +55,50 @@ public class ExtensionSchemaRestService {
 
     private static final String MIDPOINT_HOME = System.getProperty("midpoint.home");
 
-    @Autowired
-    private PrismContext prismContext;
+    @Autowired private PrismContext prismContext;
+    @Autowired private SecurityEnforcer securityEnforcer;
+    @Autowired private SecurityHelper securityHelper;
+
+    public static final String CLASS_DOT = ExtensionSchemaRestService.class.getName() + ".";
+    private static final String OPERATION_LIST_SCHEMAS = CLASS_DOT +  "listSchemas";
+    private static final String OPERATION_GET_SCHEMA = CLASS_DOT +  "getSchema";
 
     @GET
     @Produces(MediaType.TEXT_PLAIN)
-    public Response listSchemas() {
-        SchemaRegistry registry = prismContext.getSchemaRegistry();
-        Collection<SchemaDescription> descriptions = registry.getSchemaDescriptions();
+    public Response listSchemas(@Context MessageContext mc) {
 
-        List<String> names = new ArrayList<>();
+        Task task = RestServiceUtil.initRequest(mc);
+        OperationResult result = task.getResult().createSubresult(OPERATION_LIST_SCHEMAS);
 
-        for (SchemaDescription description : descriptions) {
-            String name = computeName(MIDPOINT_HOME, description);
-            if (name == null) {
-                continue;
+        Response response;
+        try {
+            securityEnforcer.authorize(ModelAuthorizationAction.GET_EXTENSION_SCHEMA.getUrl(), null, AuthorizationParameters.EMPTY, null, task, result);
+
+            SchemaRegistry registry = prismContext.getSchemaRegistry();
+            Collection<SchemaDescription> descriptions = registry.getSchemaDescriptions();
+
+            List<String> names = new ArrayList<>();
+
+            for (SchemaDescription description : descriptions) {
+                String name = computeName(description);
+                if (name != null) {
+                    names.add(name);
+                }
             }
 
-            names.add(name);
+            String output = StringUtils.join(names, "\n");
+            response = Response.ok(output).build();
+        } catch (Exception ex) {
+            // we avoid RestServiceUtil.handleException because we cannot serialize OperationResultType into text/plain
+            LoggingUtils.logUnexpectedException(LOGGER, "Got exception while servicing REST request: {}", ex, result.getOperation());
+            response = Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(ex.getMessage()).build();              // TODO handle this somehow better
         }
 
-        String result = StringUtils.join(names, "\n");
-
-        return Response.ok(result).build();
+        RestServiceUtil.finishRequest(task, securityHelper);
+        return response;
     }
 
-    private String computeName(String midpointHome, SchemaDescription description) {
+    private String computeName(SchemaDescription description) {
         String path = description.getPath();
         if (path == null) {
             return null;
@@ -83,11 +109,9 @@ private String computeName(String midpointHome, SchemaDescription description) {
             return null;
         }
 
-        File home = new File(midpointHome, "/schema");
+        File home = new File(ExtensionSchemaRestService.MIDPOINT_HOME, "/schema");
         java.nio.file.Path homePath = home.toPath();
-
         java.nio.file.Path filePath = file.toPath();
-
         java.nio.file.Path relative = homePath.relativize(filePath);
 
         return relative.toString();
@@ -96,44 +120,47 @@ private String computeName(String midpointHome, SchemaDescription description) {
     @GET
     @Path("/{name}")
     @Produces({MediaType.TEXT_XML, MediaType.TEXT_PLAIN})
-    public Response getSchema(@PathParam("name") String name) {
-        if (name == null) {
-            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
-                    .entity("Name not defined").build();
-        }
+    public Response getSchema(@PathParam("name") String name, @Context MessageContext mc) {
 
-        if (!name.toLowerCase().endsWith(".xsd") && name.length() > 4) {
-            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
-                    .entity("Name must be an xsd schema (.xsd extension expected)").build();
-        }
+        Task task = RestServiceUtil.initRequest(mc);
+        OperationResult result = task.getResult().createSubresult(OPERATION_GET_SCHEMA);
 
-        SchemaRegistry registry = prismContext.getSchemaRegistry();
-        Collection<SchemaDescription> descriptions = registry.getSchemaDescriptions();
+        Response response;
+        try {
+            securityEnforcer.authorize(ModelAuthorizationAction.GET_EXTENSION_SCHEMA.getUrl(), null, AuthorizationParameters.EMPTY, null, task, result);
 
-        SchemaDescription description = null;
-        for (SchemaDescription desc : descriptions) {
-            String descName = computeName(MIDPOINT_HOME, desc);
-            if (descName == null || !descName.equals(name)) {
-                continue;
+            if (name == null) {
+                response = Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
+                        .entity("Name not defined").build();
+            } else if (!name.toLowerCase().endsWith(".xsd") && name.length() > 4) {
+                response = Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
+                        .entity("Name must be an xsd schema (.xsd extension expected)").build();
+            } else {
+                SchemaRegistry registry = prismContext.getSchemaRegistry();
+                Collection<SchemaDescription> descriptions = registry.getSchemaDescriptions();
+
+                SchemaDescription description = null;
+                for (SchemaDescription desc : descriptions) {
+                    String descName = computeName(desc);
+                    if (descName != null && descName.equals(name)) {
+                        description = desc;
+                        break;
+                    }
+                }
+
+                if (description != null) {
+                    response = Response.ok(new File(description.getPath())).build();
+                } else {
+                    response = Response.status(Response.Status.NOT_FOUND).type(MediaType.TEXT_PLAIN_TYPE)
+                            .entity("Unknown name").build();
+                }
             }
-
-            description = desc;
-            break;
-        }
-
-        if (description == null) {
-            return Response.status(Response.Status.NOT_FOUND).type(MediaType.TEXT_PLAIN_TYPE)
-                    .entity("Unknown name").build();
+        } catch (Exception ex) {
+            result.computeStatus();
+            response = RestServiceUtil.handleException(result, ex);
         }
 
-        try {
-            String xsd = FileUtils.readFileToString(new File(description.getPath()));
-
-            return Response.ok(xsd).build();
-        } catch (IOException ex) {
-            LOGGER.error("Couldn't load schema file for " + name, ex);
-
-            return Response.serverError().type(MediaType.TEXT_PLAIN_TYPE).entity(ex.getMessage()).build();
-        }
+        RestServiceUtil.finishRequest(task, securityHelper);
+        return response;
     }
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
index 27a2c9c3094..78a9c42f8ff 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Evolveum
+ * Copyright (c) 2013-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@
 import com.evolveum.midpoint.schema.*;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -925,7 +926,7 @@ public Response executeScript(@Converter(ExecuteScriptConverter.class) ExecuteSc
 				URI resourceUri = uriInfo.getAbsolutePathBuilder().path(task.getOid()).build(task.getOid());
 				response = RestServiceUtil.createResponse(Response.Status.CREATED, resourceUri, result);
 			} else {
-				ScriptExecutionResult executionResult = scriptingService.evaluateExpression(command, Collections.emptyMap(),
+				ScriptExecutionResult executionResult = scriptingService.evaluateExpression(command, VariablesMap.emptyMap(),
 						false, task, result);
 				ExecuteScriptResponseType responseData = new ExecuteScriptResponseType()
 						.result(result.createOperationResultType())
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/CollectionProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/CollectionProcessor.java
index a754b4d8373..6370dafa7d0 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/CollectionProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/CollectionProcessor.java
@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.model.api.context.EvaluatedCollectionStatsTrigger;
 import com.evolveum.midpoint.model.api.context.EvaluatedPolicyRule;
 import com.evolveum.midpoint.model.api.context.EvaluatedPolicyRuleTrigger;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.impl.lens.AssignmentPathImpl;
 import com.evolveum.midpoint.model.impl.lens.AssignmentPathSegmentImpl;
@@ -91,8 +92,7 @@ public class CollectionProcessor {
 	@Autowired private RelationRegistry relationRegistry;
 	@Autowired private ModelService modelService;
 	@Autowired @Qualifier("modelObjectResolver") private ObjectResolver objectResolver;
-	// TODO change to archetype manager
-	@Autowired private SystemObjectCache systemObjectCache;
+	@Autowired private ArchetypeManager archetypeManager;
 	
 	public Collection<EvaluatedPolicyRule> evaluateCollectionPolicyRules(PrismObject<ObjectCollectionType> collection, CompiledObjectCollectionView collectionView, Class<? extends ObjectType> targetTypeClass, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
 		if (collectionView == null) {
@@ -253,7 +253,7 @@ public void compileObjectCollectionView(CompiledObjectCollectionView existingVie
 			existingView.setFilter(filter);
 			
 			try {
-				PrismObject<ArchetypeType> archetype = systemObjectCache.getArchetype(collectionRef.getOid(), result);
+				PrismObject<ArchetypeType> archetype = archetypeManager.getArchetype(collectionRef.getOid(), result);
 				ArchetypePolicyType archetypePolicy = archetype.asObjectable().getArchetypePolicy();
 				if (archetypePolicy != null) {
 					DisplayType archetypeDisplay = archetypePolicy.getDisplay();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/MappingDiagEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/MappingDiagEvaluator.java
index cc3855c4abf..a6da4c14d2b 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/MappingDiagEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/MappingDiagEvaluator.java
@@ -142,6 +142,6 @@ private ObjectDeltaObject<?> createSourceContext(MappingEvaluationRequestType re
 		} else {
 			delta = null;
 		}
-		return new ObjectDeltaObject(oldObject, delta, null);
+		return new ObjectDeltaObject(oldObject, delta, null, oldObject.getDefinition());
 	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
index 66111da16fe..3c9c61831a5 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
@@ -52,6 +52,7 @@
 import com.evolveum.midpoint.schema.*;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultRunner;
@@ -2116,7 +2117,7 @@ public ScriptExecutionResult evaluateExpression(ScriptingExpressionType expressi
 
     @Override
     public ScriptExecutionResult evaluateExpression(@NotNull ExecuteScriptType scriptExecutionCommand,
-		    @NotNull Map<String, Object> initialVariables, boolean recordProgressAndIterationStatistics, @NotNull Task task,
+		    @NotNull VariablesMap initialVariables, boolean recordProgressAndIterationStatistics, @NotNull Task task,
 		    @NotNull OperationResult result)
 			throws ScriptExecutionException, SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
         checkScriptingAuthorization(task, result);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
index 5c0dbceeec4..767e5fa3573 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,12 @@
  */
 package com.evolveum.midpoint.model.impl.controller;
 
+import static com.evolveum.midpoint.schema.GetOperationOptions.createExecutionPhase;
+import static com.evolveum.midpoint.schema.SelectorOptions.createCollection;
+import static com.evolveum.midpoint.schema.util.ObjectTypeUtil.createObjectRef;
+import static com.evolveum.midpoint.xml.ns._public.common.common_3.TaskExecutionStatusType.RUNNABLE;
+import static java.util.Collections.singleton;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -27,15 +33,6 @@
 
 import javax.xml.namespace.QName;
 
-import com.evolveum.midpoint.prism.*;
-import com.evolveum.midpoint.prism.delta.*;
-import com.evolveum.midpoint.prism.path.ItemPath;
-import com.evolveum.midpoint.prism.path.ItemName;
-import com.evolveum.midpoint.prism.query.*;
-import com.evolveum.midpoint.prism.util.ItemPathTypeUtil;
-import com.evolveum.midpoint.repo.common.expression.*;
-import com.evolveum.midpoint.schema.*;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.Validate;
 import org.apache.commons.lang3.StringUtils;
@@ -57,6 +54,7 @@
 import com.evolveum.midpoint.model.api.AssignmentObjectRelation;
 import com.evolveum.midpoint.model.api.CollectionStats;
 import com.evolveum.midpoint.model.api.AssignmentCandidatesSpecification;
+import com.evolveum.midpoint.model.api.AssignmentObjectRelation;
 import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.model.api.ModelInteractionService;
@@ -71,12 +69,11 @@
 import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
 import com.evolveum.midpoint.model.api.context.EvaluatedPolicyRule;
 import com.evolveum.midpoint.model.api.context.ModelContext;
-import com.evolveum.midpoint.model.api.hooks.ChangeHook;
 import com.evolveum.midpoint.model.api.hooks.HookRegistry;
 import com.evolveum.midpoint.model.api.util.DeputyUtils;
 import com.evolveum.midpoint.model.api.util.MergeDeltas;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
 import com.evolveum.midpoint.model.api.visualizer.Scene;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
 import com.evolveum.midpoint.model.common.stringpolicy.AbstractValuePolicyOriginResolver;
@@ -97,19 +94,60 @@
 import com.evolveum.midpoint.model.impl.lens.projector.Projector;
 import com.evolveum.midpoint.model.impl.security.SecurityHelper;
 import com.evolveum.midpoint.model.impl.security.UserProfileCompiler;
-import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
 import com.evolveum.midpoint.model.impl.visualizer.Visualizer;
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrismConstants;
+import com.evolveum.midpoint.prism.PrismContainer;
+import com.evolveum.midpoint.prism.PrismContainerDefinition;
+import com.evolveum.midpoint.prism.PrismContainerValue;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyDefinition;
+import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.PrismReferenceValue;
 import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.prism.delta.DeltaFactory;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.delta.PlusMinusZero;
+import com.evolveum.midpoint.prism.delta.PropertyDelta;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.polystring.PolyString;
+import com.evolveum.midpoint.prism.query.AllFilter;
+import com.evolveum.midpoint.prism.query.AndFilter;
+import com.evolveum.midpoint.prism.query.EqualFilter;
+import com.evolveum.midpoint.prism.query.FilterCreationUtil;
+import com.evolveum.midpoint.prism.query.InOidFilter;
+import com.evolveum.midpoint.prism.query.NoneFilter;
+import com.evolveum.midpoint.prism.query.NotFilter;
+import com.evolveum.midpoint.prism.query.ObjectFilter;
+import com.evolveum.midpoint.prism.query.ObjectQuery;
+import com.evolveum.midpoint.prism.query.OrFilter;
+import com.evolveum.midpoint.prism.query.RefFilter;
+import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.prism.util.ItemDeltaItem;
+import com.evolveum.midpoint.prism.util.ItemPathTypeUtil;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
 import com.evolveum.midpoint.provisioning.api.ProvisioningService;
-import com.evolveum.midpoint.repo.api.PreconditionViolationException;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.repo.cache.RepositoryCache;
+import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.GetOperationOptions;
+import com.evolveum.midpoint.schema.ObjectDeltaOperation;
+import com.evolveum.midpoint.schema.RelationRegistry;
+import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
+import com.evolveum.midpoint.schema.SchemaHelper;
+import com.evolveum.midpoint.schema.SearchResultList;
+import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.schema.statistics.ConnectorOperationalStatus;
@@ -149,17 +187,57 @@
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemTargetType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemsDefinitionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractWorkItemType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationConfigurationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentRelationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialSourceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsResetPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.DeploymentInformationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.LensContextType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageTemplateType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableRowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.MergeConfigurationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectCollectionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateItemDefinitionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OtherPrivilegesLimitationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.RegistrationsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.RelationDefinitionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
 
-import static com.evolveum.midpoint.schema.GetOperationOptions.createExecutionPhase;
-import static com.evolveum.midpoint.schema.SelectorOptions.createCollection;
-import static com.evolveum.midpoint.schema.util.ObjectTypeUtil.createObjectRef;
-import static com.evolveum.midpoint.xml.ns._public.common.common_3.TaskExecutionStatusType.RUNNABLE;
-import static java.util.Collections.singleton;
-
 /**
  * @author semancik
  *
@@ -181,6 +259,7 @@ public class ModelInteractionServiceImpl implements ModelInteractionService {
 	@Qualifier("cacheRepositoryService")
 	private transient RepositoryService cacheRepositoryService;
 	@Autowired private SystemObjectCache systemObjectCache;
+	@Autowired private ArchetypeManager archetypeManager;
 	@Autowired private RelationRegistry relationRegistry;
 	@Autowired private ValuePolicyProcessor policyProcessor;
 	@Autowired private Protector protector;
@@ -1521,7 +1600,7 @@ private boolean determineDeputyValidity(PrismObject<UserType> potentialDeputy, L
 		AssignmentEvaluator.Builder<UserType> builder =
 				new AssignmentEvaluator.Builder<UserType>()
 						.repository(cacheRepositoryService)
-						.focusOdo(new ObjectDeltaObject<>(potentialDeputy, null, potentialDeputy))
+						.focusOdo(new ObjectDeltaObject<>(potentialDeputy, null, potentialDeputy, potentialDeputy.getDefinition()))
 						.channel(null)
 						.objectResolver(objectResolver)
 						.systemObjectCache(systemObjectCache)
@@ -1610,11 +1689,11 @@ public MidPointPrincipal dropPowerOfAttorney(Task task, OperationResult result)
 	@Override
 	@NotNull
 	public LocalizableMessageType createLocalizableMessageType(LocalizableMessageTemplateType template,
-			Map<QName, Object> variables, Task task, OperationResult result)
+			VariablesMap variables, Task task, OperationResult result)
 			throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException,
 			ConfigurationException, SecurityViolationException {
 		ExpressionVariables vars = new ExpressionVariables();
-		vars.addVariableDefinitions(variables);
+		vars.putAll(variables);
 		return LensUtil.interpretLocalizableMessageTemplate(template, vars, expressionFactory, prismContext, task, result);
 	}
 
@@ -1769,40 +1848,11 @@ public TaskType submitTaskFromTemplate(String templateTaskOid, Map<QName, Object
 
 	@Override
 	public <O extends AssignmentHolderType> ArchetypePolicyType determineArchetypePolicy(PrismObject<O> assignmentHolder, OperationResult result) throws SchemaException, ConfigurationException {
-		if (assignmentHolder == null) {
-			return null;
-		}
-		PrismObject<ArchetypeType> archetype = determineArchetype(assignmentHolder, result);
-		if (archetype == null) {
-			return getArchetypePolicyLegacy(assignmentHolder, result);
-		}
-		return archetype.asObjectable().getArchetypePolicy();
+		return archetypeManager.determineArchetypePolicy(assignmentHolder, result);
 	}
 	
 	private <O extends AssignmentHolderType> PrismObject<ArchetypeType> determineArchetype(PrismObject<O> assignmentHolder, OperationResult result) throws SchemaException, ConfigurationException {
-		if (assignmentHolder == null) {
-			return null;
-		}
-		if (!assignmentHolder.canRepresent(AssignmentHolderType.class)) {
-			return null;
-		}
-		List<ObjectReferenceType> archetypeRefs = ((AssignmentHolderType)assignmentHolder.asObjectable()).getArchetypeRef();
-		if (archetypeRefs == null || archetypeRefs.isEmpty()) {
-			return null;
-		}
-		if (archetypeRefs.size() > 1) {
-			throw new SchemaException("Only a single archetype for an object is supported: "+assignmentHolder);
-		}
-		ObjectReferenceType archetypeRef = archetypeRefs.get(0);
-
-		PrismObject<ArchetypeType> archetype;
-		try {
-			archetype = systemObjectCache.getArchetype(archetypeRef.getOid(), result);
-		} catch (ObjectNotFoundException e) {
-			LOGGER.warn("Archetype {} for object {} cannot be found", archetypeRef.getOid(), assignmentHolder);
-			return null;
-		}
-		return archetype;
+		return archetypeManager.determineArchetype(assignmentHolder, result);
 	}
 	
 	@Override
@@ -1899,21 +1949,6 @@ private <O extends AssignmentHolderType> boolean isHolderArchetype(List<ObjectRe
 		}
 		return false;
 	}
-
-	private <O extends ObjectType> ArchetypePolicyType getArchetypePolicyLegacy(PrismObject<O> object, OperationResult result) throws SchemaException, ConfigurationException {
-		SystemConfigurationType systemConfiguration;
-		try {
-			systemConfiguration = getSystemConfiguration(result);
-		} catch (ObjectNotFoundException e) {
-			// This can happen in tests
-			return null;
-		}
-		ObjectPolicyConfigurationType objectPolicyConfiguration = ModelUtils.determineObjectPolicyConfiguration(object, systemConfiguration);
-		if (objectPolicyConfiguration == null) {
-			return null;
-		}
-		return objectPolicyConfiguration;
-	}
 	
 	@Override
 	@Experimental
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ObjectMerger.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ObjectMerger.java
index 2760bf2b5d3..456ca2c424c 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ObjectMerger.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ObjectMerger.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2016-2018 Evolveum
+ * Copyright (c) 2016-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -538,7 +538,7 @@ private <O extends ObjectType, I extends Item> ItemDelta mergeItem(PrismObject<O
 		Expression<PrismValue, ItemDefinition> valueExpression = null;
 		if (itemMergeConfig.getValueExpression() != null) {
 			ExpressionType expressionType = itemMergeConfig.getValueExpression();
-			valueExpression = expressionFactory.makeExpression(expressionType, itemDefinition,
+			valueExpression = expressionFactory.makeExpression(expressionType, itemDefinition, MiscSchemaUtil.getExpressionProfile(),
 					"value expression for item " + itemPath + " in merge configuration " + mergeConfigurationName,
 					task, result);
 		}
@@ -681,11 +681,11 @@ private Collection<PrismValue> cleanContainerIds(Collection<PrismValue> pvals) {
 	private <O extends ObjectType> Collection<PrismValue> evaluateValueExpression(PrismObject<O> objectLeft, PrismObject<O> objectRight, String side, PrismValue origValue, Expression<PrismValue, ItemDefinition> valueExpression,
 			Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_SIDE, side);
-		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT_LEFT, side);
-		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT_RIGHT, side);
-		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, origValue);
-		variables.addVariableDefinition(ExpressionConstants.VAR_VALUE, origValue);
+		variables.put(ExpressionConstants.VAR_SIDE, side, String.class);
+		variables.put(ExpressionConstants.VAR_OBJECT_LEFT, side, String.class);
+		variables.put(ExpressionConstants.VAR_OBJECT_RIGHT, side, String.class);
+		variables.put(ExpressionConstants.VAR_INPUT, origValue, origValue.getParent().getDefinition());
+		variables.put(ExpressionConstants.VAR_VALUE, origValue, origValue.getParent().getDefinition());
 		ExpressionEvaluationContext exprContext = new ExpressionEvaluationContext(null, variables, "for value "+origValue, task, result);
 		PrismValueDeltaSetTriple<PrismValue> triple = valueExpression.evaluate(exprContext);
 		if (triple == null) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java
index 7620ea9f23b..7621cde02e1 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2014-2017 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@
 import com.evolveum.midpoint.common.crypto.CryptoUtil;
 import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
@@ -67,15 +67,10 @@ public class SchemaTransformer {
 
 	private static final Trace LOGGER = TraceManager.getTrace(SchemaTransformer.class);
 
-	@Autowired(required = true)
-	@Qualifier("cacheRepositoryService")
-	private transient RepositoryService cacheRepositoryService;
-
-	@Autowired(required = true)
-	private SecurityEnforcer securityEnforcer;
-
-	@Autowired(required = true)
-	private SystemObjectCache systemObjectCache;
+	@Autowired @Qualifier("cacheRepositoryService") private transient RepositoryService cacheRepositoryService;
+	@Autowired private SecurityEnforcer securityEnforcer;
+	@Autowired private SystemObjectCache systemObjectCache;
+	@Autowired private ArchetypeManager archetypeManager;
 
 	@Autowired
 	private PrismContext prismContext;
@@ -507,15 +502,11 @@ public AuthorizationDecisionType computeItemDecision(ObjectSecurityConstraints s
 	}
 
     public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(PrismObject<O> object, AuthorizationPhaseType phase, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException {
-    	PrismObject<SystemConfigurationType> systemConfiguration = systemObjectCache.getSystemConfiguration(result);
-    	if (systemConfiguration == null) {
+    	ArchetypePolicyType archetypePolicy = archetypeManager.determineArchetypePolicy(object, result);
+    	if (archetypePolicy == null) {
     		return null;
     	}
-    	ObjectPolicyConfigurationType objectPolicyConfiguration = ModelUtils.determineObjectPolicyConfiguration(object, systemConfiguration.asObjectable());
-    	if (objectPolicyConfiguration == null) {
-    		return null;
-    	}
-    	ObjectReferenceType objectTemplateRef = objectPolicyConfiguration.getObjectTemplateRef();
+    	ObjectReferenceType objectTemplateRef = archetypePolicy.getObjectTemplateRef();
     	if (objectTemplateRef == null) {
     		return null;
     	}
@@ -528,7 +519,7 @@ public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(Class<O
     	if (systemConfiguration == null) {
     		return null;
     	}
-    	ObjectPolicyConfigurationType objectPolicyConfiguration = ModelUtils.determineObjectPolicyConfiguration(objectClass, null, systemConfiguration.asObjectable());
+    	ObjectPolicyConfigurationType objectPolicyConfiguration = ArchetypeManager.determineObjectPolicyConfiguration(objectClass, null, systemConfiguration.asObjectable());
     	if (objectPolicyConfiguration == null) {
     		return null;
     	}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/dataModel/DataModelVisualizerImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/dataModel/DataModelVisualizerImpl.java
index 9f5b502e050..c33614f7af4 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/dataModel/DataModelVisualizerImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/dataModel/DataModelVisualizerImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -304,7 +304,7 @@ private void processInboundMapping(@NotNull DataModel model, @NotNull ResourceDa
 	}
 
 	private DataItem resolveSourceItem(@NotNull DataModel model, @NotNull ResourceDataItem currentItem,
-			@NotNull MappingType mapping, @NotNull VariableBindingDefinitionType sourceDecl, @Nullable QName defaultVariable) {
+			@NotNull MappingType mapping, @NotNull VariableBindingDefinitionType sourceDecl, @Nullable String defaultVariable) {
 		// todo from the description
 		return resolveSourceItem(model, currentItem, mapping, sourceDecl.getPath().getItemPath(), defaultVariable);
 	}
@@ -312,16 +312,16 @@ private DataItem resolveSourceItem(@NotNull DataModel model, @NotNull ResourceDa
 	// for outbound (but sometimes also inbound) mappings
 	@NotNull
 	private DataItem resolveSourceItem(@NotNull DataModel model, @NotNull ResourceDataItem currentItem,
-			@NotNull MappingType mapping, @NotNull ItemPath path, @Nullable QName defaultVariable) {
+			@NotNull MappingType mapping, @NotNull ItemPath path, @Nullable String defaultVariable) {
 		if (!path.startsWithName()) {
 			LOGGER.warn("Probably incorrect path ({}) - does not start with a name - skipping", path);
 			return createAdHocDataItem(model, path);
 		}
-		QName varName;
+		String varName;
 		ItemPath itemPath;
 		Object first = path.first();
 		if (ItemPath.isVariable(first)) {
-			varName = ItemPath.toVariableName(first);
+			varName = ItemPath.toVariableName(first).getLocalPart();
 			itemPath = path.rest();
 		} else {
 			if (defaultVariable == null) {
@@ -332,13 +332,13 @@ private DataItem resolveSourceItem(@NotNull DataModel model, @NotNull ResourceDa
 			itemPath = path;
 		}
 
-		if (QNameUtil.match(ExpressionConstants.VAR_ACCOUNT, varName)) {
+		if (ExpressionConstants.VAR_ACCOUNT.equals(varName)) {
 			return resolveResourceItem(model, currentItem, itemPath);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_USER, varName)) {
+		} else if (ExpressionConstants.VAR_USER.equals(varName)) {
 			return model.resolveRepositoryItem(UserType.class, itemPath);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_ACTOR, varName)) {
+		} else if (ExpressionConstants.VAR_ACTOR.equals(varName)) {
 			return model.resolveRepositoryItem(UserType.class, itemPath);			// TODO
-		} else if (QNameUtil.match(ExpressionConstants.VAR_FOCUS, varName)) {
+		} else if (ExpressionConstants.VAR_FOCUS.equals(varName)) {
 			Class<? extends ObjectType> guessedClass = guessFocusClass(currentItem.getResourceOid(), currentItem.getKind(), currentItem.getIntent());
 			DataItem item = model.resolveRepositoryItem(guessedClass, itemPath);
 			if (item != null) {
@@ -346,7 +346,7 @@ private DataItem resolveSourceItem(@NotNull DataModel model, @NotNull ResourceDa
 			}
 			// TODO guess e.g. by item existence in schema
 			LOGGER.warn("Couldn't resolve {} in $focus", path);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_INPUT, varName)) {
+		} else if (ExpressionConstants.VAR_INPUT.equals(varName)) {
 			return currentItem;
 		} else {
 			LOGGER.warn("Unsupported variable {} in {}", varName, path);
@@ -361,7 +361,7 @@ private DataItem createAdHocDataItem(DataModel model, ItemPath path) {
 	// currently for inbounds only
 	@NotNull
 	private DataItem resolveTargetItem(@NotNull DataModel model, @NotNull ResourceDataItem currentItem,
-			@NotNull MappingType mapping, @NotNull VariableBindingDefinitionType targetDecl, @Nullable QName defaultVariable) {
+			@NotNull MappingType mapping, @NotNull VariableBindingDefinitionType targetDecl, @Nullable String defaultVariable) {
 		// todo from the description
 		return resolveTargetItem(model, currentItem, mapping, targetDecl.getPath().getItemPath(), defaultVariable);
 	}
@@ -369,16 +369,16 @@ private DataItem resolveTargetItem(@NotNull DataModel model, @NotNull ResourceDa
 	// currently for inbounds only
 	@NotNull
 	private DataItem resolveTargetItem(@NotNull DataModel model, @NotNull ResourceDataItem currentItem,
-			@NotNull MappingType mapping, @NotNull ItemPath path, @Nullable QName defaultVariable) {
+			@NotNull MappingType mapping, @NotNull ItemPath path, @Nullable String defaultVariable) {
 		if (!path.startsWithName()) {
 			LOGGER.warn("Probably incorrect path ({}) - does not start with a name - skipping", path);
 			return createAdHocDataItem(model, path);
 		}
-		QName varName;
+		String varName;
 		ItemPath itemPath;
 		Object first = path.first();
 		if (ItemPath.isVariable(first)) {
-			varName = ItemPath.toVariableName(first);
+			varName = ItemPath.toVariableName(first).getLocalPart();
 			itemPath = path.rest();
 		} else {
 			if (defaultVariable == null) {
@@ -389,13 +389,13 @@ private DataItem resolveTargetItem(@NotNull DataModel model, @NotNull ResourceDa
 			itemPath = path;
 		}
 
-		if (QNameUtil.match(ExpressionConstants.VAR_ACCOUNT, varName)) {
+		if (ExpressionConstants.VAR_ACCOUNT.equals(varName)) {
 			return resolveResourceItem(model, currentItem, itemPath);				// does make sense?
-		} else if (QNameUtil.match(ExpressionConstants.VAR_USER, varName)) {
+		} else if (ExpressionConstants.VAR_USER.equals(varName)) {
 			return model.resolveRepositoryItem(UserType.class, itemPath);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_ACTOR, varName)) {
+		} else if (ExpressionConstants.VAR_ACTOR.equals(varName)) {
 			return model.resolveRepositoryItem(UserType.class, itemPath);			// TODO
-		} else if (QNameUtil.match(ExpressionConstants.VAR_FOCUS, varName)) {
+		} else if (ExpressionConstants.VAR_FOCUS.equals(varName)) {
 			Class<? extends ObjectType> guessedClass = guessFocusClass(currentItem.getResourceOid(), currentItem.getKind(), currentItem.getIntent());
 			DataItem item = model.resolveRepositoryItem(guessedClass, itemPath);
 			if (item != null) {
@@ -403,7 +403,7 @@ private DataItem resolveTargetItem(@NotNull DataModel model, @NotNull ResourceDa
 			}
 			// TODO guess e.g. by item existence in schema
 			LOGGER.warn("Couldn't resolve {} in $focus", path);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_INPUT, varName)) {
+		} else if (ExpressionConstants.VAR_INPUT.equals(varName)) {
 			return currentItem;														// does make sense?
 		} else {
 			LOGGER.warn("Unsupported variable {} in {}", varName, path);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/ExpressionHandler.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/ExpressionHandler.java
index 611a5e5e249..5d389a29827 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/ExpressionHandler.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/ExpressionHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,9 @@
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -52,18 +54,10 @@
 @Component
 public class ExpressionHandler {
 
-	@Autowired(required = true)
-	@Qualifier("cacheRepositoryService")
-	private RepositoryService repositoryService;
-
-	@Autowired(required = true)
-	private ExpressionFactory expressionFactory;
-
-	@Autowired(required = true)
-	private ModelObjectResolver modelObjectResolver;
-
-    @Autowired(required = true)
-    private PrismContext prismContext;
+	@Autowired @Qualifier("cacheRepositoryService") private RepositoryService repositoryService;
+	@Autowired private ExpressionFactory expressionFactory;
+	@Autowired private ModelObjectResolver modelObjectResolver;
+    @Autowired private PrismContext prismContext;
 
 	public String evaluateExpression(ShadowType shadow, ExpressionType expressionType,
 			String shortDesc, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
@@ -78,7 +72,7 @@ public String evaluateExpression(ShadowType shadow, ExpressionType expressionTyp
 		PrismPropertyDefinition<String> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.OUTPUT_ELEMENT_NAME,
 				DOMUtil.XSD_STRING);
 		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType,
-				outputDefinition, shortDesc, task, result);
+				outputDefinition, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, variables, shortDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = ModelExpressionThreadLocalHolder.evaluateExpressionInContext(expression, params, task, result);
@@ -109,8 +103,9 @@ public boolean evaluateConfirmationExpression(UserType user, ShadowType shadow,
 
 		PrismPropertyDefinition<Boolean> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.OUTPUT_ELEMENT_NAME,
 				DOMUtil.XSD_BOOLEAN);
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
 		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType,
-				outputDefinition, shortDesc, task, result);
+				outputDefinition, expressionProfile, shortDesc, task, result);
 
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, variables, shortDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> outputTriple = ModelExpressionThreadLocalHolder.evaluateExpressionInContext(expression, params, task, result);
@@ -155,16 +150,16 @@ public static ExpressionVariables getDefaultXPathVariables(UserType user,
 
 		ExpressionVariables variables = new ExpressionVariables();
 		if (user != null) {
-			variables.addVariableDefinition(ExpressionConstants.VAR_USER, user.asPrismObject());
+			variables.put(ExpressionConstants.VAR_USER, user.asPrismObject(), user.asPrismObject().getDefinition());
 		}
 
 		if (shadow != null) {
-			variables.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, shadow.asPrismObject());
-			variables.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, shadow.asPrismObject());
+			variables.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, shadow.asPrismObject(), shadow.asPrismObject().getDefinition());
+			variables.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, shadow.asPrismObject(), shadow.asPrismObject().getDefinition());
 		}
 
 		if (resource != null) {
-			variables.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource.asPrismObject());
+			variables.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource.asPrismObject(), resource.asPrismObject().getDefinition());
 		}
 
 		return variables;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java
index 25ebdfb5978..649bcc4f08a 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java
@@ -1769,7 +1769,7 @@ public <F extends FocusType> List<F> getFocusesByCorrelationRule(Class<F> type,
 		discriminator.setIntent(intent);
 		
 		SynchronizationContext<F> syncCtx = new SynchronizationContext<>(shadow.asPrismObject(), shadow.asPrismObject(),
-				resource.asPrismObject(), getCurrentTask().getChannel(), getCurrentTask(), getCurrentResult());
+				resource.asPrismObject(), getCurrentTask().getChannel(), getPrismContext(), getCurrentTask(), getCurrentResult());
 		
 		ObjectSynchronizationType applicablePolicy = null;
 		
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluator.java
index 6cbc4fc434e..b93e378349d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015 Evolveum
+ * Copyright (c) 2015-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,10 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
+import com.evolveum.midpoint.repo.common.expression.evaluator.AbstractExpressionEvaluator;
+
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
@@ -28,6 +32,7 @@
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SequentialValueExpressionEvaluatorType;
 
@@ -35,27 +40,22 @@
  * @author semancik
  *
  */
-public class SequentialValueExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> implements ExpressionEvaluator<V,D> {
+public class SequentialValueExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> extends AbstractExpressionEvaluator<V, D, SequentialValueExpressionEvaluatorType> {
 
-	private SequentialValueExpressionEvaluatorType sequentialValueEvaluatorType;
-	private D outputDefinition;
-	private Protector protector;
 	RepositoryService repositoryService;
-	private PrismContext prismContext;
 
-	SequentialValueExpressionEvaluator(SequentialValueExpressionEvaluatorType sequentialValueEvaluatorType,
+	SequentialValueExpressionEvaluator(QName elementName, SequentialValueExpressionEvaluatorType sequentialValueEvaluatorType,
 			D outputDefinition, Protector protector, RepositoryService repositoryService, PrismContext prismContext) {
-		this.sequentialValueEvaluatorType = sequentialValueEvaluatorType;
-		this.outputDefinition = outputDefinition;
-		this.protector = protector;
+		super(elementName, sequentialValueEvaluatorType, outputDefinition, protector, prismContext);
 		this.repositoryService = repositoryService;
-		this.prismContext = prismContext;
 	}
 
 	@Override
-	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) throws SchemaException,
-			ExpressionEvaluationException, ObjectNotFoundException {
-        long counter = getSequenceCounter(sequentialValueEvaluatorType.getSequenceRef().getOid(), repositoryService, context.getResult());
+	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, SecurityViolationException {
+		checkEvaluatorProfile(context);
+		
+        long counter = getSequenceCounter(getExpressionEvaluatorType().getSequenceRef().getOid(), repositoryService, context.getResult());
 
 		Object value = ExpressionUtil.convertToOutputValue(counter, outputDefinition, protector);
 
@@ -89,7 +89,7 @@ public static long getSequenceCounter(String sequenceOid, RepositoryService repo
 	 */
 	@Override
 	public String shortDebugDump() {
-		return "squentialValue: "+sequentialValueEvaluatorType.getSequenceRef().getOid();
+		return "squentialValue: "+getExpressionEvaluatorType().getSequenceRef().getOid();
 	}
 
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluatorFactory.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluatorFactory.java
index c82bd164872..0ae39c56c85 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluatorFactory.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/SequentialValueExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2017 Evolveum
+ * Copyright (c) 2015-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.repo.api.RepositoryService;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
@@ -44,6 +45,8 @@
  */
 @Component
 public class SequentialValueExpressionEvaluatorFactory extends AbstractAutowiredExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createSequentialValue(new SequentialValueExpressionEvaluatorType()).getName();
 
 	@Autowired private Protector protector;
 	@Autowired private PrismContext prismContext;
@@ -51,15 +54,19 @@ public class SequentialValueExpressionEvaluatorFactory extends AbstractAutowired
 
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createSequentialValue(new SequentialValueExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement, com.evolveum.midpoint.prism.PrismContext)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																									D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result)
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition, 
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory, 
+			String contextDescription, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException {
 
 		if (evaluatorElements.size() > 1) {
@@ -81,7 +88,7 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
         	throw new SchemaException("Missing sequence reference in sequentialValue expression evaluator in "+contextDescription);
         }
 
-		return new SequentialValueExpressionEvaluator<>(seqEvaluatorType, outputDefinition, protector, repositoryService, prismContext);
+		return new SequentialValueExpressionEvaluator<>(ELEMENT_NAME, seqEvaluatorType, outputDefinition, protector, repositoryService, prismContext);
 	}
 
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AbstractConstruction.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AbstractConstruction.java
index 70384fcb21a..930b86b3245 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AbstractConstruction.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AbstractConstruction.java
@@ -98,6 +98,9 @@ public ObjectDeltaObject<F> getFocusOdo() {
 	}
 
 	public void setFocusOdo(ObjectDeltaObject<F> focusOdo) {
+		if (focusOdo.getDefinition() == null) {
+			throw new IllegalArgumentException("No definition in focus ODO "+focusOdo);
+		}
 		this.focusOdo = focusOdo;
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentCollector.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentCollector.java
index befbeba942e..d877354b72d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentCollector.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentCollector.java
@@ -29,7 +29,7 @@
 import com.evolveum.midpoint.model.api.context.EvaluatedAssignment;
 import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
 import com.evolveum.midpoint.model.api.util.DeputyUtils;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
 import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator;
@@ -61,6 +61,7 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AdminGuiConfigurationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
@@ -81,6 +82,7 @@ public class AssignmentCollector {
 	@Qualifier("cacheRepositoryService")
 	private RepositoryService repositoryService;
 	@Autowired private SystemObjectCache systemObjectCache;
+	@Autowired private ArchetypeManager archetypeManager;
 	@Autowired private RelationRegistry relationRegistry;
 	@Autowired private PrismContext prismContext;
 	@Autowired @Qualifier("modelObjectResolver") private ObjectResolver objectResolver;
@@ -92,7 +94,7 @@ public class AssignmentCollector {
 	
 	public <AH extends AssignmentHolderType> Collection<EvaluatedAssignment<AH>> collect(PrismObject<AH> assignmentHolder, PrismObject<SystemConfigurationType> systemConfiguration, boolean loginMode, Task task, OperationResult result) throws SchemaException {
 		
-		LensContext<AH> lensContext = createAuthenticationLensContext(assignmentHolder, systemConfiguration);
+		LensContext<AH> lensContext = createAuthenticationLensContext(assignmentHolder, result);
 		
 		AH assignmentHolderType = assignmentHolder.asObjectable();
 		Collection<AssignmentType> forcedAssignments = null;
@@ -110,7 +112,7 @@ public <AH extends AssignmentHolderType> Collection<EvaluatedAssignment<AH>> col
 			AssignmentEvaluator.Builder<AH> builder =
 					new AssignmentEvaluator.Builder<AH>()
 							.repository(repositoryService)
-							.focusOdo(new ObjectDeltaObject<>(assignmentHolder, null, assignmentHolder))
+							.focusOdo(new ObjectDeltaObject<>(assignmentHolder, null, assignmentHolder, assignmentHolder.getDefinition()))
 							.channel(null)
 							.objectResolver(objectResolver)
 							.systemObjectCache(systemObjectCache)
@@ -149,6 +151,12 @@ private <AH extends AssignmentHolderType> Collection<EvaluatedAssignment<AH>> ev
 				try {
 					ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
 					assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
+					PrismContainerDefinition definition = assignmentType.asPrismContainerValue().getDefinition();
+					if (definition == null) {
+						// TODO: optimize
+						definition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(AssignmentHolderType.class).findContainerDefinition(AssignmentHolderType.F_ASSIGNMENT);
+					}
+					assignmentIdi.setDefinition(definition);
 					assignmentIdi.recompute();
 					EvaluatedAssignment<AH> assignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, assignmentHolder, assignmentHolder.toString(), virtual, task, result);
 					evaluatedAssignments.add(assignment);
@@ -163,27 +171,25 @@ private <AH extends AssignmentHolderType> Collection<EvaluatedAssignment<AH>> ev
 		return evaluatedAssignments;
 	}
 
-	private <AH extends AssignmentHolderType> LensContext<AH> createAuthenticationLensContext(PrismObject<AH> user, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
+	private <AH extends AssignmentHolderType> LensContext<AH> createAuthenticationLensContext(PrismObject<AH> user, OperationResult result) throws SchemaException {
 		LensContext<AH> lensContext = new LensContextPlaceholder<>(user, prismContext);
-		if (systemConfiguration != null) {
-			ObjectPolicyConfigurationType policyConfigurationType = determineObjectPolicyConfiguration(user, systemConfiguration);
-			lensContext.getFocusContext().setObjectPolicyConfigurationType(policyConfigurationType);
-		}
+		ArchetypePolicyType policyConfigurationType = determineObjectPolicyConfiguration(user, result);
+		lensContext.getFocusContext().setArchetypePolicyType(policyConfigurationType);
 		return lensContext;
 	}
 
-	private <AH extends AssignmentHolderType> ObjectPolicyConfigurationType determineObjectPolicyConfiguration(PrismObject<AH> user, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
-		ObjectPolicyConfigurationType policyConfigurationType;
+	private <AH extends AssignmentHolderType> ArchetypePolicyType determineObjectPolicyConfiguration(PrismObject<AH> user, OperationResult result) throws SchemaException {
+		ArchetypePolicyType archetypePolicy;
 		try {
-			policyConfigurationType = ModelUtils.determineObjectPolicyConfiguration(user, systemConfiguration.asObjectable());
+			archetypePolicy = archetypeManager.determineArchetypePolicy(user, result);
 		} catch (ConfigurationException e) {
 			throw new SchemaException(e.getMessage(), e);
 		}
 		if (LOGGER.isTraceEnabled()) {
 			LOGGER.trace("Selected policy configuration from subtypes {}:\n{}", 
-					FocusTypeUtil.determineSubTypes(user), policyConfigurationType==null?null:policyConfigurationType.asPrismContainerValue().debugDump(1));
+					FocusTypeUtil.determineSubTypes(user), archetypePolicy==null?null:archetypePolicy.asPrismContainerValue().debugDump(1));
 		}
 		
-		return policyConfigurationType;
+		return archetypePolicy;
 	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
index a2f5f420a0d..1bd2572b5f8 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,7 +34,7 @@
 import com.evolveum.midpoint.model.api.context.EvaluatedAssignment;
 import com.evolveum.midpoint.model.api.context.EvaluationOrder;
 import com.evolveum.midpoint.model.api.util.DeputyUtils;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.common.mapping.MappingImpl;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
@@ -55,10 +55,12 @@
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.internals.InternalMonitor;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.FocusTypeUtil;
 import com.evolveum.midpoint.schema.util.LifecycleUtil;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.task.api.Task;
@@ -724,15 +726,17 @@ private <O extends ObjectType> List<PrismObject<O>> resolveTargetsFromFilter(Cla
 		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(lensContext, null, ctx.task, ctx.result));
 		try {
 			PrismObject<SystemConfigurationType> systemConfiguration = systemObjectCache.getSystemConfiguration(ctx.result);
-			ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(segment.source, null, null, systemConfiguration.asObjectable());
-			variables.addVariableDefinition(ExpressionConstants.VAR_SOURCE, segment.getOrderOneObject());
+			ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(segment.source, null, null, systemConfiguration.asObjectable(), prismContext);
+			variables.put(ExpressionConstants.VAR_SOURCE, segment.getOrderOneObject(), ObjectType.class);
 			AssignmentPathVariables assignmentPathVariables = LensUtil.computeAssignmentPathVariables(ctx.assignmentPath);
 			if (assignmentPathVariables != null) {
-				ModelImplUtils.addAssignmentPathVariables(assignmentPathVariables, variables);
+				ModelImplUtils.addAssignmentPathVariables(assignmentPathVariables, variables, getPrismContext());
 			}
 			variables.addVariableDefinitions(getAssignmentEvaluationVariables());
 			ObjectFilter origFilter = prismContext.getQueryConverter().parseFilter(filter, targetClass);
-			ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(origFilter, variables, getMappingFactory().getExpressionFactory(), prismContext, " evaluating resource filter expression ", ctx.task, ctx.result);
+			// TODO: expression profile should be determined from the holding object archetype
+			ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
+			ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(origFilter, variables, expressionProfile, getMappingFactory().getExpressionFactory(), prismContext, " evaluating resource filter expression ", ctx.task, ctx.result);
 			if (evaluatedFilter == null) {
 				throw new SchemaException("The OID is null and filter could not be evaluated in assignment targetRef in "+segment.source);
 			}
@@ -746,7 +750,7 @@ private <O extends ObjectType> List<PrismObject<O>> resolveTargetsFromFilter(Cla
 
 	private ExpressionVariables getAssignmentEvaluationVariables() {
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_LOGIN_MODE, loginMode);
+		variables.put(ExpressionConstants.VAR_LOGIN_MODE, loginMode, Boolean.class);
 		// e.g. AssignmentEvaluator itself, model context, etc (when needed)
 		return variables;
 	}
@@ -773,7 +777,7 @@ private void evaluateSegmentTarget(AssignmentPathSegmentImpl segment, PlusMinusZ
 
 		checkRelationWithTarget(segment, targetType, relation);
 
-		LifecycleStateModelType targetStateModel = ModelUtils.determineLifecycleModel(targetType.asPrismObject(), systemConfiguration);
+		LifecycleStateModelType targetStateModel = ArchetypeManager.determineLifecycleModel(targetType.asPrismObject(), systemConfiguration);
 		boolean isTargetValid = LensUtil.isFocusValid(targetType, now, activationComputer, targetStateModel);
 		if (!isTargetValid) {
 			isValid = false;
@@ -1305,12 +1309,12 @@ public PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> evaluateCondition(M
 				.originType(OriginType.ASSIGNMENTS)
 				.originObject(source)
 				.defaultTargetDefinition(prismContext.definitionFactory().createPropertyDefinition(CONDITION_OUTPUT_NAME, DOMUtil.XSD_BOOLEAN))
-				.addVariableDefinitions(getAssignmentEvaluationVariables().getMap())
+				.addVariableDefinitions(getAssignmentEvaluationVariables())
 				.addVariableDefinition(ExpressionConstants.VAR_USER, focusOdo)
 				.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusOdo)
-				.addVariableDefinition(ExpressionConstants.VAR_SOURCE, source)
+				.addVariableDefinition(ExpressionConstants.VAR_SOURCE, source, ObjectType.class)
 				.rootNode(focusOdo);
-        builder = LensUtil.addAssignmentPathVariables(builder, assignmentPathVariables);
+        builder = LensUtil.addAssignmentPathVariables(builder, assignmentPathVariables, prismContext);
 
 		MappingImpl<PrismPropertyValue<Boolean>, PrismPropertyDefinition<Boolean>> mapping = builder.build();
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java
index f893f1aa20a..9638e096bc6 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java
@@ -34,6 +34,9 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+import net.sf.ehcache.store.disk.ods.AATreeSet;
+
 import org.jetbrains.annotations.NotNull;
 
 import java.util.ArrayList;
@@ -274,6 +277,9 @@ public class AssignmentPathSegmentImpl implements AssignmentPathSegment {
 			@NotNull PrismContext prismContext) {
 		this.source = source;
 		this.sourceDescription = sourceDescription;
+		if (assignmentIdi.getDefinition() == null) {
+			throw new IllegalArgumentException("Attept to set segment assignment IDI withough a definition");
+		}
 		this.assignmentIdi = assignmentIdi;
 		this.isAssignment = isAssignment;
 		this.evaluatedForOld = evaluatedForOld;
@@ -291,6 +297,7 @@ private static ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainer
 		try {
 			ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> idi = new ItemDeltaItem<>();
 			idi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignment));
+			idi.setDefinition(assignment.asPrismContainerValue().getDefinition());
 			idi.recompute();
 			return idi;
 		} catch (SchemaException e) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathVariables.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathVariables.java
index 39a43703b4a..fe65b74df1c 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathVariables.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathVariables.java
@@ -83,4 +83,20 @@ public void setImmediateRole(PrismObject<? extends AbstractRoleType> immediateRo
 		this.immediateRole = immediateRole;
 	}
 
+	public PrismContainerDefinition<AssignmentType> getAssignmentDefinition() {
+		if (magicAssignment != null && magicAssignment.getDefinition() != null) {
+			return magicAssignment.getDefinition();
+		}
+		if (immediateAssignment != null && immediateAssignment.getDefinition() != null) {
+			return immediateAssignment.getDefinition();
+		}
+		if (thisAssignment != null && thisAssignment.getDefinition() != null) {
+			return thisAssignment.getDefinition();
+		}
+		if (focusAssignment != null && focusAssignment.getDefinition() != null) {
+			return focusAssignment.getDefinition();
+		}
+		return null;
+	}
+
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java
index 4d798ccb2ac..a49ba021fd3 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -62,9 +62,11 @@
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ShadowUtil;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.OwnerResolver;
@@ -169,8 +171,8 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> context, Tas
 						focusDelta = focusContext.getObjectAny().createModifyDelta();
 					}
 
-					ObjectPolicyConfigurationType objectPolicyConfigurationType = focusContext.getObjectPolicyConfigurationType();
-					applyObjectPolicy(focusContext, focusDelta, objectPolicyConfigurationType);
+					ArchetypePolicyType archetypePolicy = focusContext.getArchetypePolicyType();
+					applyObjectPolicy(focusContext, focusDelta, archetypePolicy);
 
 					OperationResult subResult = result.createSubresult(
 							OPERATION_EXECUTE_FOCUS + "." + focusContext.getObjectTypeClass().getSimpleName());
@@ -568,14 +570,14 @@ private boolean isEquivalentAddDelta(PrismObject<ShadowType> object1, PrismObjec
 	}
 
 	private <O extends ObjectType> void applyObjectPolicy(LensFocusContext<O> focusContext,
-			ObjectDelta<O> focusDelta, ObjectPolicyConfigurationType objectPolicyConfigurationType) {
-		if (objectPolicyConfigurationType == null) {
+			ObjectDelta<O> focusDelta, ArchetypePolicyType archetypePolicy) {
+		if (archetypePolicy == null) {
 			return;
 		}
 		PrismObject<O> objectNew = focusContext.getObjectNew();
 		if (focusDelta.isAdd() && objectNew.getOid() == null) {
 
-			for (PropertyConstraintType propertyConstraintType : objectPolicyConfigurationType
+			for (PropertyConstraintType propertyConstraintType : archetypePolicy
 					.getPropertyConstraint()) {
 				if (BooleanUtils.isTrue(propertyConstraintType.isOidBound())) {
 					ItemPath itemPath = propertyConstraintType.getPath().getItemPath();
@@ -586,7 +588,7 @@ private <O extends ObjectType> void applyObjectPolicy(LensFocusContext<O> focusC
 			}
 
 			// deprecated
-			if (BooleanUtils.isTrue(objectPolicyConfigurationType.isOidNameBoundMode())) {
+			if (BooleanUtils.isTrue(archetypePolicy.isOidNameBoundMode())) {
 				String name = objectNew.asObjectable().getName().getOrig();
 				focusContext.setOid(name);
 			}
@@ -1636,12 +1638,13 @@ private <F extends ObjectType, T extends ObjectType> OperationProvisioningScript
 				.getResourceShadowDiscriminator();
 
 		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(user, shadow, discr,
-				resource.asPrismObject(), context.getSystemConfiguration(), objectContext);
+				resource.asPrismObject(), context.getSystemConfiguration(), objectContext, prismContext);
 		// Having delta in provisioning scripts may be very useful. E.g. the script can optimize execution of expensive operations.
-		variables.addVariableDefinition(ExpressionConstants.VAR_DELTA, projectionCtx.getDelta());
+		variables.put(ExpressionConstants.VAR_DELTA, projectionCtx.getDelta(), ObjectDelta.class);
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
 		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(context, (LensProjectionContext) objectContext, task, result));
 		try {
-			return evaluateScript(resourceScripts, discr, operation, null, variables, context, objectContext, task, result);
+			return evaluateScript(resourceScripts, discr, operation, null, variables, expressionProfile, context, objectContext, task, result);
 		} finally {
 			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
 		}
@@ -1650,7 +1653,7 @@ private <F extends ObjectType, T extends ObjectType> OperationProvisioningScript
 
 	private OperationProvisioningScriptsType evaluateScript(OperationProvisioningScriptsType resourceScripts,
 			ResourceShadowDiscriminator discr, ProvisioningOperationTypeType operation, BeforeAfterType order,
-			ExpressionVariables variables, LensContext<?> context,
+			ExpressionVariables variables, ExpressionProfile expressionProfile, LensContext<?> context,
 			LensElementContext<?> objectContext, Task task,
 			OperationResult result)
 					throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
@@ -1680,7 +1683,7 @@ private OperationProvisioningScriptsType evaluateScript(OperationProvisioningScr
 					}
 				}
 				// Let's do the most expensive evaluation last
-				if (!evaluateScriptCondition(script, variables, task, result)){
+				if (!evaluateScriptCondition(script, variables, expressionProfile, task, result)){
 					continue;
 				}
 				for (ProvisioningScriptArgumentType argument : script.getArgument()) {
@@ -1694,13 +1697,13 @@ private OperationProvisioningScriptsType evaluateScript(OperationProvisioningScr
 	}
 
 	private boolean evaluateScriptCondition(OperationProvisioningScriptType script,
-			ExpressionVariables variables, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+			ExpressionVariables variables, ExpressionProfile expressionProfile, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ExpressionType condition = script.getCondition();
 		if (condition == null) {
 			return true;
 		}
 
-		PrismPropertyValue<Boolean> conditionOutput = ExpressionUtil.evaluateCondition(variables, condition, expressionFactory, " condition for provisioning script ", task, result);
+		PrismPropertyValue<Boolean> conditionOutput = ExpressionUtil.evaluateCondition(variables, condition, expressionProfile, expressionFactory, " condition for provisioning script ", task, result);
 		if (conditionOutput == null) {
 			return true;
 		}
@@ -1724,7 +1727,7 @@ private void evaluateScriptArgument(ProvisioningScriptArgumentType argument,
 
 		String shortDesc = "Provisioning script argument expression";
 		Expression<PrismPropertyValue<String>, PrismPropertyDefinition<String>> expression = expressionFactory
-				.makeExpression(argument, scriptArgumentDefinition, shortDesc, task, result);
+				.makeExpression(argument, scriptArgumentDefinition, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, variables, shortDesc, task,
 				result);
@@ -1777,12 +1780,12 @@ private <T extends ObjectType, F extends ObjectType> void executeReconciliationS
 		if (resourceScripts == null) {
 			return;
 		}
-		
-		executeProvisioningScripts(context, projContext, resourceScripts, ProvisioningOperationTypeType.RECONCILE, order, task, parentResult);
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();		
+		executeProvisioningScripts(context, projContext, resourceScripts, ProvisioningOperationTypeType.RECONCILE, order, expressionProfile, task, parentResult);
 	}
 	
 	private <T extends ObjectType, F extends ObjectType> Object executeProvisioningScripts(LensContext<F> context, LensProjectionContext projContext,
-			OperationProvisioningScriptsType scripts, ProvisioningOperationTypeType operation, BeforeAfterType order, Task task, OperationResult parentResult) 
+			OperationProvisioningScriptsType scripts, ProvisioningOperationTypeType operation, BeforeAfterType order, ExpressionProfile expressionProfile, Task task, OperationResult parentResult) 
 					throws SchemaException, ObjectNotFoundException,
 					ExpressionEvaluationException, CommunicationException, ConfigurationException,
 					SecurityViolationException, ObjectAlreadyExistsException {
@@ -1821,13 +1824,13 @@ private <T extends ObjectType, F extends ObjectType> Object executeProvisioningS
 
 		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(user, shadow,
 				projContext.getResourceShadowDiscriminator(), resource.asPrismObject(),
-				context.getSystemConfiguration(), projContext);
+				context.getSystemConfiguration(), projContext, prismContext);
 		Object scriptResult = null;
 		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(context, projContext, task, parentResult));
 		try {
 			OperationProvisioningScriptsType evaluatedScript = evaluateScript(scripts,
 					projContext.getResourceShadowDiscriminator(), operation, order,
-					variables, context, projContext, task, parentResult);
+					variables, expressionProfile, context, projContext, task, parentResult);
 			for (OperationProvisioningScriptType script : evaluatedScript.getScript()) {
 				ModelImplUtils.setRequestee(task, context);
 				scriptResult = provisioning.executeScript(resource.getOid(), script, task, parentResult);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
index e1a2b41fe8a..d55806fdaee 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,6 +49,7 @@
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.model.api.ProgressInformation;
 import com.evolveum.midpoint.model.api.ProgressListener;
+import com.evolveum.midpoint.model.api.context.ModelContext;
 import com.evolveum.midpoint.model.api.context.ModelState;
 import com.evolveum.midpoint.model.api.hooks.ChangeHook;
 import com.evolveum.midpoint.model.api.hooks.HookOperationMode;
@@ -647,17 +648,20 @@ private void evaluateScriptingHook(LensContext context, HookType hookType,
     	LOGGER.trace("Evaluating {}", shortDesc);
 		// TODO: it would be nice to cache this
 		// null output definition: this script has no output
-		ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptExpressionEvaluatorType, null, expressionFactory, shortDesc, task, result);
+		ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptExpressionEvaluatorType, null, context.getPrivilegedExpressionProfile(), expressionFactory, shortDesc, task, result);
 
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_PRISM_CONTEXT, prismContext);
-		variables.addVariableDefinition(ExpressionConstants.VAR_MODEL_CONTEXT, context);
+		variables.put(ExpressionConstants.VAR_PRISM_CONTEXT, prismContext, PrismContext.class);
+		variables.put(ExpressionConstants.VAR_MODEL_CONTEXT, context, ModelContext.class);
 		LensFocusContext focusContext = context.getFocusContext();
 		PrismObject focus = null;
 		if (focusContext != null) {
-			focus = focusContext.getObjectAny();
+			variables.put(ExpressionConstants.VAR_FOCUS, focusContext.getObjectAny(), focusContext.getObjectDefinition());
+		} else {
+			PrismObjectDefinition<ObjectType> def = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+			variables.put(ExpressionConstants.VAR_FOCUS, null, def);
 		}
-		variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focus);
+		
 
 		ModelImplUtils.evaluateScript(scriptExpression, context, variables, false, shortDesc, task, result);
 		LOGGER.trace("Finished evaluation of {}", shortDesc);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ClockworkAuthorizationHelper.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ClockworkAuthorizationHelper.java
index b5c3d77e95b..0ee0fc4c3af 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ClockworkAuthorizationHelper.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ClockworkAuthorizationHelper.java
@@ -37,11 +37,11 @@
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.RelationRegistry;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.OwnerResolver;
-import com.evolveum.midpoint.security.enforcer.api.AccessDecision;
 import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
 import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
 import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Construction.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Construction.java
index 9c1d782dba4..ab428dff10e 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Construction.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Construction.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,8 +47,10 @@
 import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
@@ -97,6 +99,7 @@ public class Construction<AH extends AssignmentHolderType> extends AbstractConst
 
 	private ObjectType orderOneObject;
 	private ResourceType resource;
+	private ExpressionProfile expressionProfile;
 	private MappingFactory mappingFactory;
 	private MappingEvaluator mappingEvaluator;
 	private Collection<MappingImpl<? extends PrismPropertyValue<?>, ? extends PrismPropertyDefinition<?>>> attributeMappings;
@@ -111,6 +114,8 @@ public class Construction<AH extends AssignmentHolderType> extends AbstractConst
 	public Construction(ConstructionType constructionType, ObjectType source) {
 		super(constructionType, source);
 		this.attributeMappings = null;
+		// TODO: this is wrong. It should be set up during the evaluation process.
+		this.expressionProfile = MiscSchemaUtil.getExpressionProfile();
 	}
 
 	public ObjectType getOrderOneObject() {
@@ -236,18 +241,18 @@ private ResourceType resolveTarget(String sourceDescription, Task task, Operatio
 			CommunicationException, ConfigurationException, SecurityViolationException {
 		// SearchFilterType filter = targetRef.getFilter();
 		ExpressionVariables variables = ModelImplUtils
-				.getDefaultExpressionVariables(getFocusOdo().getNewObject().asObjectable(), null, null, null);
+				.getDefaultExpressionVariables(getFocusOdo().getNewObject().asObjectable(), null, null, null, mappingEvaluator.getPrismContext());
 		if (assignmentPathVariables == null) {
 			assignmentPathVariables = LensUtil.computeAssignmentPathVariables(getAssignmentPath());
 		}
-		ModelImplUtils.addAssignmentPathVariables(assignmentPathVariables, variables);
+		ModelImplUtils.addAssignmentPathVariables(assignmentPathVariables, variables, getPrismContext());
 		LOGGER.info("Expression variables for filter evaluation: {}", variables);
 
 		ObjectFilter origFilter = getPrismContext().getQueryConverter().parseFilter(getConstructionType().getResourceRef().getFilter(),
 				ResourceType.class);
 		LOGGER.info("Orig filter {}", origFilter);
 		ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(origFilter, variables,
-				getMappingFactory().getExpressionFactory(), getPrismContext(),
+				expressionProfile, getMappingFactory().getExpressionFactory(), getPrismContext(),
 				" evaluating resource filter expression ", task, result);
 		LOGGER.info("evaluatedFilter filter {}", evaluatedFilter);
 
@@ -449,13 +454,40 @@ private <T> MappingImpl<PrismPropertyValue<T>, ResourceAttributeDefinition<T>> e
 				outboundMappingType,
 				"for attribute " + PrettyPrinter.prettyPrint(attrName) + " in " + getSource());
 
-		MappingImpl<PrismPropertyValue<T>, ResourceAttributeDefinition<T>> evaluatedMapping = evaluateMapping(
-				builder, attrName, outputDefinition, null, task, result);
+		MappingImpl<PrismPropertyValue<T>, ResourceAttributeDefinition<T>> evaluatedMapping;
+		
+		try {
+		
+			evaluatedMapping = evaluateMapping(builder, attrName, outputDefinition, null, task, result);
+			
+		} catch (SchemaException e) {
+			throw new SchemaException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (ExpressionEvaluationException e) {
+			// No need to specially handle this here. It was already handled in the expression-processing
+			// code and it has proper description.
+			throw e;
+		} catch (ObjectNotFoundException e) {
+			throw new ObjectNotFoundException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (SecurityViolationException e) {
+			throw new SecurityViolationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (ConfigurationException e) {
+			throw new ConfigurationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (CommunicationException e) {
+			throw new CommunicationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		}
 
 		LOGGER.trace("Evaluated mapping for attribute " + attrName + ": " + evaluatedMapping);
 		return evaluatedMapping;
 	}
 
+	private String getAttributeEvaluationErrorMesssage(QName attrName, Exception e) {
+		return "Error evaluating mapping for attribute "+PrettyPrinter.prettyPrint(attrName)+" in "+getHumanReadableConstructionDescription()+": "+e.getMessage();
+	}
+
+	private String getHumanReadableConstructionDescription() {
+		return "construction for ("+resource+"/"+getKind()+"/"+getIntent()+") in "+getSource();
+	}
+
 	public <T> RefinedAttributeDefinition<T> findAttributeDefinition(QName attributeName) {
 		if (refinedObjectClassDefinition == null) {
 			throw new IllegalStateException(
@@ -565,18 +597,18 @@ private <V extends PrismValue, D extends ItemDefinition> MappingImpl<V, D> evalu
 				.rootNode(getFocusOdo())
 				.addVariableDefinition(ExpressionConstants.VAR_USER, getFocusOdo())
 				.addVariableDefinition(ExpressionConstants.VAR_FOCUS, getFocusOdo())
-				.addVariableDefinition(ExpressionConstants.VAR_SOURCE, getSource())
-				.addVariableDefinition(ExpressionConstants.VAR_CONTAINING_OBJECT, getSource())
-				.addVariableDefinition(ExpressionConstants.VAR_ORDER_ONE_OBJECT, orderOneObject);
+				.addVariableDefinition(ExpressionConstants.VAR_SOURCE, getSource(), ObjectType.class)
+				.addVariableDefinition(ExpressionConstants.VAR_CONTAINING_OBJECT, getSource(), ObjectType.class)
+				.addVariableDefinition(ExpressionConstants.VAR_ORDER_ONE_OBJECT, orderOneObject, ObjectType.class);
 
 		if (assocTargetObjectClassDefinition != null) {
 			builder = builder.addVariableDefinition(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION,
-					assocTargetObjectClassDefinition);
+					assocTargetObjectClassDefinition, RefinedObjectClassDefinition.class);
 		}
-		builder = builder.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource);
-		builder = LensUtil.addAssignmentPathVariables(builder, assignmentPathVariables);
+		builder = builder.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource, ResourceType.class);
+		builder = LensUtil.addAssignmentPathVariables(builder, assignmentPathVariables, getPrismContext());
 		if (getSystemConfiguration() != null) {
-			builder = builder.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, getSystemConfiguration());
+			builder = builder.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, getSystemConfiguration(), SystemConfigurationType.class);
 		}
 		// TODO: other variables ?
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java
index ada9a1e177e..e6058bea447 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2017 Evolveum
+ * Copyright (c) 2016-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -391,22 +391,27 @@ public List<PolicyActionType> getEnabledActions() {
 
 	private <AH extends AssignmentHolderType> ExpressionVariables createExpressionVariables(PolicyRuleEvaluationContext<AH> rctx, PrismObject<AH> object) {
 		ExpressionVariables var = new ExpressionVariables();
-		var.addVariableDefinition(ExpressionConstants.VAR_USER, object);
-		var.addVariableDefinition(ExpressionConstants.VAR_FOCUS, object);
-		var.addVariableDefinition(ExpressionConstants.VAR_OBJECT, object);
+		var.put(ExpressionConstants.VAR_USER, object, object.getDefinition());
+		var.put(ExpressionConstants.VAR_FOCUS, object, object.getDefinition());
+		var.put(ExpressionConstants.VAR_OBJECT, object, object.getDefinition());
 		if (rctx instanceof AssignmentPolicyRuleEvaluationContext) {
 			AssignmentPolicyRuleEvaluationContext<AH> actx = (AssignmentPolicyRuleEvaluationContext<AH>) rctx;
-			var.addVariableDefinition(ExpressionConstants.VAR_TARGET, actx.evaluatedAssignment.getTarget());
-			var.addVariableDefinition(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, actx.evaluatedAssignment);
-			var.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, actx.evaluatedAssignment.getAssignmentType(actx.state == ObjectState.BEFORE));
+			var.put(ExpressionConstants.VAR_TARGET, actx.evaluatedAssignment.getTarget(), actx.evaluatedAssignment.getTarget().getDefinition());
+			var.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, actx.evaluatedAssignment, EvaluatedAssignment.class);
+			AssignmentType assignment = actx.evaluatedAssignment.getAssignmentType(actx.state == ObjectState.BEFORE);
+			var.put(ExpressionConstants.VAR_ASSIGNMENT, assignment, assignment.asPrismContainerValue().getDefinition());
 		} else if (rctx instanceof ObjectPolicyRuleEvaluationContext) {
-			var.addVariableDefinition(ExpressionConstants.VAR_TARGET, null);
-			var.addVariableDefinition(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null);
-			var.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, null);
+			PrismObjectDefinition<ObjectType> targetDef = rctx.lensContext.getPrismContext().getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+			var.put(ExpressionConstants.VAR_TARGET, null, targetDef);
+			var.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null, EvaluatedAssignment.class);
+			PrismContainerDefinition<AssignmentType> assignmentDef = rctx.lensContext.getPrismContext().getSchemaRegistry()
+				.findObjectDefinitionByCompileTimeClass(AssignmentHolderType.class)
+					.findContainerDefinition(AssignmentHolderType.F_ASSIGNMENT);
+			var.put(ExpressionConstants.VAR_ASSIGNMENT, null, assignmentDef);
 		} else if (rctx != null) {
 			throw new AssertionError(rctx);
 		}
-		var.addVariableDefinition(VAR_RULE_EVALUATION_CONTEXT, rctx);
+		var.put(VAR_RULE_EVALUATION_CONTEXT, rctx, PolicyRuleEvaluationContext.class);
 		return var;
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
index fab1969b365..3d506357569 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,7 +28,9 @@
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.ObjectDeltaOperation;
 import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.LocalizableMessage;
@@ -1465,4 +1467,13 @@ public void finishBuild() {
 			projectionContext.finishBuild();
 		}
 	}
+	
+	/**
+	 * Expression profile to use for "privileged" operations, such as scripting hooks.
+	 */
+	public ExpressionProfile getPrivilegedExpressionProfile() {
+		// TODO: determine from system configuration.
+		return MiscSchemaUtil.getExpressionProfile();
+	}
+	
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java
index c439dc89fbb..2a8e7f3b639 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java
@@ -22,7 +22,7 @@
 import com.evolveum.midpoint.prism.path.UniformItemPath;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.prism.Item;
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.Objectable;
@@ -56,7 +56,7 @@ public class LensFocusContext<O extends ObjectType> extends LensElementContext<O
 
 	private ObjectDeltaWaves<O> secondaryDeltas = new ObjectDeltaWaves<>();
 
-	transient private ObjectPolicyConfigurationType objectPolicyConfigurationType;
+	transient private ArchetypePolicyType archetypePolicyType;
 
 	// extracted from the template(s)
 	// this is not to be serialized into XML, but let's not mark it as transient
@@ -74,19 +74,19 @@ private int getExecutionWave() {
 		return getLensContext().getProjectionWave();
 	}
 
-	public ObjectPolicyConfigurationType getObjectPolicyConfigurationType() {
-		return objectPolicyConfigurationType;
+	public ArchetypePolicyType getArchetypePolicyType() {
+		return archetypePolicyType;
 	}
 	
-	public void setObjectPolicyConfigurationType(ObjectPolicyConfigurationType objectPolicyConfigurationType) {
-		this.objectPolicyConfigurationType = objectPolicyConfigurationType;
+	public void setArchetypePolicyType(ArchetypePolicyType objectPolicyConfigurationType) {
+		this.archetypePolicyType = objectPolicyConfigurationType;
 	}
 	
 	public LifecycleStateModelType getLifecycleModel() {
-		if (objectPolicyConfigurationType == null) {
+		if (archetypePolicyType == null) {
 			return null;
 		}
-		return objectPolicyConfigurationType.getLifecycleStateModel();
+		return archetypePolicyType.getLifecycleStateModel();
 	}
 
 	@Override
@@ -161,7 +161,7 @@ public void deleteSecondaryDeltas() {
 
 	@Override
 	public ObjectDeltaObject<O> getObjectDeltaObject() throws SchemaException {
-		return new ObjectDeltaObject<>(getObjectOld(), getDelta(), getObjectNew());
+		return new ObjectDeltaObject<>(getObjectOld(), getDelta(), getObjectNew(), getObjectDefinition());
 	}
 
 	@Override
@@ -306,13 +306,13 @@ private void updateObjectPolicy() throws ConfigurationException {
 			return;
 		}
 		PrismObject<O> object = getObjectAny();
-		ObjectPolicyConfigurationType policyConfigurationType = ModelUtils.determineObjectPolicyConfiguration(object, systemConfiguration.asObjectable());
-		if (policyConfigurationType != getObjectPolicyConfigurationType()) {
+		ObjectPolicyConfigurationType policyConfigurationType = ArchetypeManager.determineObjectPolicyConfiguration(object, systemConfiguration.asObjectable());
+		if (policyConfigurationType != getArchetypePolicyType()) {
 			if (LOGGER.isTraceEnabled()) {
 				LOGGER.trace("Changed policy configuration because of changed subtypes {}:\n{}", 
 						FocusTypeUtil.determineSubTypes(object), policyConfigurationType==null?null:policyConfigurationType.asPrismContainerValue().debugDump(1));
 			}
-			setObjectPolicyConfigurationType(policyConfigurationType);
+			setArchetypePolicyType(policyConfigurationType);
 		}
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
index 5c133b53177..03559d0c3f0 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
@@ -253,7 +253,7 @@ public Collection<ObjectDelta<ShadowType>> getAllDeltas() {
 	
 	@Override
 	public ObjectDeltaObject<ShadowType> getObjectDeltaObject() throws SchemaException {
-		return new ObjectDeltaObject<>(getObjectCurrent(), getDelta(), getObjectNew());
+		return new ObjectDeltaObject<>(getObjectCurrent(), getDelta(), getObjectNew(), getObjectDefinition());
 	}
 
 	public boolean hasSecondaryDelta() {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java
index e62ded644a9..84defa1b2c3 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -266,15 +266,15 @@ public static Object getIterationVariableValue(LensProjectionContext accCtx) {
 		if (iterationOld == null) {
 			return accCtx.getIteration();
 		}
-		PrismPropertyDefinition<Integer> propDef = accCtx.getPrismContext().definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_ITERATION,
+		PrismPropertyDefinition<Integer> propDef = accCtx.getPrismContext().definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_ITERATION_QNAME,
 				DOMUtil.XSD_INT);
 		PrismProperty<Integer> propOld = propDef.instantiate();
 		propOld.setRealValue(iterationOld);
-		PropertyDelta<Integer> propDelta = propDef.createEmptyDelta(ExpressionConstants.VAR_ITERATION);
+		PropertyDelta<Integer> propDelta = propDef.createEmptyDelta(ExpressionConstants.VAR_ITERATION_QNAME);
 		propDelta.setRealValuesToReplace(accCtx.getIteration());
 		PrismProperty<Integer> propNew = propDef.instantiate();
 		propNew.setRealValue(accCtx.getIteration());
-		ItemDeltaItem<PrismPropertyValue<Integer>,PrismPropertyDefinition<Integer>> idi = new ItemDeltaItem<>(propOld, propDelta, propNew);
+		ItemDeltaItem<PrismPropertyValue<Integer>,PrismPropertyDefinition<Integer>> idi = new ItemDeltaItem<>(propOld, propDelta, propNew, propDef);
 		return idi;
 	}
 
@@ -288,14 +288,14 @@ public static Object getIterationTokenVariableValue(LensProjectionContext accCtx
 			return accCtx.getIterationToken();
 		}
 		PrismPropertyDefinition<String> propDef = accCtx.getPrismContext().definitionFactory().createPropertyDefinition(
-				ExpressionConstants.VAR_ITERATION_TOKEN, DOMUtil.XSD_STRING);
+				ExpressionConstants.VAR_ITERATION_TOKEN_QNAME, DOMUtil.XSD_STRING);
 		PrismProperty<String> propOld = propDef.instantiate();
 		propOld.setRealValue(iterationTokenOld);
-		PropertyDelta<String> propDelta = propDef.createEmptyDelta(ExpressionConstants.VAR_ITERATION_TOKEN);
+		PropertyDelta<String> propDelta = propDef.createEmptyDelta(ExpressionConstants.VAR_ITERATION_TOKEN_QNAME);
 		propDelta.setRealValuesToReplace(accCtx.getIterationToken());
 		PrismProperty<String> propNew = propDef.instantiate();
 		propNew.setRealValue(accCtx.getIterationToken());
-		ItemDeltaItem<PrismPropertyValue<String>,PrismPropertyDefinition<String>> idi = new ItemDeltaItem<>(propOld, propDelta, propNew);
+		ItemDeltaItem<PrismPropertyValue<String>,PrismPropertyDefinition<String>> idi = new ItemDeltaItem<>(propOld, propDelta, propNew, propDef);
 		return idi;
 	}
 
@@ -468,18 +468,18 @@ public static <F extends ObjectType> String formatIterationToken(LensContext<F>
 			return formatIterationTokenDefault(iteration);
 		}
 	    PrismContext prismContext = context.getPrismContext();
-	    PrismPropertyDefinition<String> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_ITERATION_TOKEN,
+	    PrismPropertyDefinition<String> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_ITERATION_TOKEN_QNAME,
 				DOMUtil.XSD_STRING);
-		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(tokenExpressionType, outputDefinition , "iteration token expression in "+accountContext.getHumanReadableName(), task, result);
+		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(tokenExpressionType, outputDefinition, MiscSchemaUtil.getExpressionProfile(), "iteration token expression in "+accountContext.getHumanReadableName(), task, result);
 
 		Collection<Source<?,?>> sources = new ArrayList<>();
-		MutablePrismPropertyDefinition<Integer> inputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_ITERATION,
+		MutablePrismPropertyDefinition<Integer> inputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.VAR_ITERATION_QNAME,
 				DOMUtil.XSD_INT);
 		inputDefinition.setMaxOccurs(1);
 		PrismProperty<Integer> input = inputDefinition.instantiate();
 		input.addRealValue(iteration);
 		ItemDeltaItem<PrismPropertyValue<Integer>,PrismPropertyDefinition<Integer>> idi = new ItemDeltaItem<>(input);
-		Source<PrismPropertyValue<Integer>,PrismPropertyDefinition<Integer>> iterationSource = new Source<>(idi, ExpressionConstants.VAR_ITERATION);
+		Source<PrismPropertyValue<Integer>,PrismPropertyDefinition<Integer>> iterationSource = new Source<>(idi, ExpressionConstants.VAR_ITERATION_QNAME);
 		sources.add(iterationSource);
 
 		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(sources , variables,
@@ -527,10 +527,11 @@ public static <F extends ObjectType> boolean evaluateIterationCondition(LensCont
 			return true;
 		}
 		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(
-				expressionType, ExpressionUtil.createConditionOutputDefinition(context.getPrismContext()) , desc, task, result);
+				expressionType, ExpressionUtil.createConditionOutputDefinition(context.getPrismContext()), MiscSchemaUtil.getExpressionProfile(),
+				desc, task, result);
 
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION, iteration);
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN, iterationToken);
+		variables.put(ExpressionConstants.VAR_ITERATION, iteration, Integer.class);
+		variables.put(ExpressionConstants.VAR_ITERATION_TOKEN, iterationToken, String.class);
 
 		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(null , variables, desc, task, result);
 		ExpressionEnvironment<?> env = new ExpressionEnvironment<>(context, null, task, result);
@@ -710,10 +711,10 @@ private static void  mergeExtensionContainers(Item<PrismContainerValue<Assignmen
 	    }
 	}
 
-	public static <V extends PrismValue,D extends ItemDefinition> MappingImpl.Builder<V,D> addAssignmentPathVariables(MappingImpl.Builder<V,D> builder, AssignmentPathVariables assignmentPathVariables) {
+	public static <V extends PrismValue,D extends ItemDefinition> MappingImpl.Builder<V,D> addAssignmentPathVariables(MappingImpl.Builder<V,D> builder, AssignmentPathVariables assignmentPathVariables, PrismContext prismContext) {
     	ExpressionVariables expressionVariables = new ExpressionVariables();
-		ModelImplUtils.addAssignmentPathVariables(assignmentPathVariables, expressionVariables);
-		return builder.addVariableDefinitions(expressionVariables.getMap());
+		ModelImplUtils.addAssignmentPathVariables(assignmentPathVariables, expressionVariables, prismContext);
+		return builder.addVariableDefinitions(expressionVariables);
     }
 
     public static <F extends ObjectType> void checkContextSanity(LensContext<F> context, String activityDescription,
@@ -726,20 +727,20 @@ public static <F extends ObjectType> void checkContextSanity(LensContext<F> cont
 				if (namePolyType == null) {
 					throw new SchemaException("Focus "+focusObjectNew+" does not have a name after "+activityDescription);
 				}
-				ObjectPolicyConfigurationType objectPolicyConfigurationType = focusContext.getObjectPolicyConfigurationType();
-				checkObjectPolicy(focusContext, objectPolicyConfigurationType);
+				ArchetypePolicyType archetypePolicy = focusContext.getArchetypePolicyType();
+				checkArchetypePolicy(focusContext, archetypePolicy);
 			}
 		}
 	}
 
-	private static <F extends ObjectType> void checkObjectPolicy(LensFocusContext<F> focusContext, ObjectPolicyConfigurationType objectPolicyConfigurationType) throws SchemaException, PolicyViolationException {
-		if (objectPolicyConfigurationType == null) {
+	private static <F extends ObjectType> void checkArchetypePolicy(LensFocusContext<F> focusContext, ArchetypePolicyType archetypePolicy) throws SchemaException, PolicyViolationException {
+		if (archetypePolicy == null) {
 			return;
 		}
 		PrismObject<F> focusObjectNew = focusContext.getObjectNew();
 		ObjectDelta<F> focusDelta = focusContext.getDelta();
 
-		for (PropertyConstraintType propertyConstraintType: objectPolicyConfigurationType.getPropertyConstraint()) {
+		for (PropertyConstraintType propertyConstraintType: archetypePolicy.getPropertyConstraint()) {
 			ItemPath itemPath = propertyConstraintType.getPath().getItemPath();
 			if (BooleanUtils.isTrue(propertyConstraintType.isOidBound())) {
 				if (focusDelta != null) {
@@ -774,7 +775,7 @@ private static <F extends ObjectType> void checkObjectPolicy(LensFocusContext<F>
 		}
 
 		// Deprecated
-		if (BooleanUtils.isTrue(objectPolicyConfigurationType.isOidNameBoundMode())) {
+		if (BooleanUtils.isTrue(archetypePolicy.isOidNameBoundMode())) {
 			if (focusDelta != null) {
 				if (focusDelta.isAdd()) {
 					PolyStringType namePolyType = focusObjectNew.asObjectable().getName();
@@ -1032,7 +1033,7 @@ public static <T> T evaluateExpressionSingle(ExpressionType expressionBean, Expr
 		PrismPropertyDefinition<T> resultDef = prismContext.definitionFactory().createPropertyDefinition(
 				new QName(SchemaConstants.NS_C, "result"), typeName);
 		Expression<PrismPropertyValue<T>,PrismPropertyDefinition<T>> expression =
-				expressionFactory.makeExpression(expressionBean, resultDef, contextDescription, task, result);
+				expressionFactory.makeExpression(expressionBean, resultDef, MiscSchemaUtil.getExpressionProfile(), contextDescription, task, result);
 		ExpressionEvaluationContext eeContext = new ExpressionEvaluationContext(null, expressionVariables, contextDescription, task, result);
 		eeContext.setAdditionalConvertor(additionalConvertor);
 		PrismValueDeltaSetTriple<PrismPropertyValue<T>> exprResultTriple = ModelExpressionThreadLocalHolder
@@ -1096,8 +1097,8 @@ public static <F extends ObjectType> void reclaimSequences(LensContext<F> contex
 		}
 	}
 	
-	public static <AH extends AssignmentHolderType> void applyObjectPolicyConstraints(LensFocusContext<AH> focusContext, ObjectPolicyConfigurationType objectPolicyConfigurationType, PrismContext prismContext) throws SchemaException, ConfigurationException {
-		if (objectPolicyConfigurationType == null) {
+	public static <AH extends AssignmentHolderType> void applyObjectPolicyConstraints(LensFocusContext<AH> focusContext, ArchetypePolicyType archetypePolicy, PrismContext prismContext) throws SchemaException, ConfigurationException {
+		if (archetypePolicy == null) {
 			return;
 		}
 
@@ -1107,10 +1108,10 @@ public static <AH extends AssignmentHolderType> void applyObjectPolicyConstraint
 			return;
 		}
 
-		for (PropertyConstraintType propertyConstraintType: objectPolicyConfigurationType.getPropertyConstraint()) {
+		for (PropertyConstraintType propertyConstraintType: archetypePolicy.getPropertyConstraint()) {
 			if (propertyConstraintType.getPath() == null) {
-				LOGGER.error("Invalid configuration. Path is mandatory for property constraint definition in {} defined in system configuration", objectPolicyConfigurationType);
-				throw new SchemaException("Invalid configuration. Path is mandatory for property constraint definition in " + objectPolicyConfigurationType + " defined in system configuration.");
+				LOGGER.error("Invalid configuration. Path is mandatory for property constraint definition in {} defined in system configuration", archetypePolicy);
+				throw new SchemaException("Invalid configuration. Path is mandatory for property constraint definition in " + archetypePolicy + " defined in system configuration.");
 			}
 			ItemPath itemPath = propertyConstraintType.getPath().getItemPath();
 			if (BooleanUtils.isTrue(propertyConstraintType.isOidBound())) {
@@ -1141,7 +1142,7 @@ public static <AH extends AssignmentHolderType> void applyObjectPolicyConstraint
 		}
 
 		// Deprecated
-		if (BooleanUtils.isTrue(objectPolicyConfigurationType.isOidNameBoundMode())) {
+		if (BooleanUtils.isTrue(archetypePolicy.isOidNameBoundMode())) {
 			// Generate the name now - unless it is already present
 			PolyStringType focusNewName = focusNew.asObjectable().getName();
 			if (focusNewName == null) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/PersonaProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/PersonaProcessor.java
index 464b580a120..8fe0aba5ec8 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/PersonaProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/PersonaProcessor.java
@@ -277,7 +277,7 @@ public <F extends FocusType, T extends FocusType> void personaAdd(LensContext<F>
 		FocusTypeUtil.setSubtype(target, constructionType.getTargetSubtype());
 
 		// pretend ADD focusOdo. We need to push all the items through the object template
-		ObjectDeltaObject<F> focusOdo = new ObjectDeltaObject<>(null, focus.createAddDelta(), focus);
+		ObjectDeltaObject<F> focusOdo = new ObjectDeltaObject<>(null, focus.createAddDelta(), focus, context.getFocusContext().getObjectDefinition());
 		ObjectDelta<T> targetDelta = target.createAddDelta();
 
 		String contextDesc = "object mapping "+objectMappingType+ " for persona construction for "+focus;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
index 9c472b5ca30..f0c4573b099 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -59,6 +59,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceBidirectionalMappingType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectLifecycleDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectTypeDefinitionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ActivationCapabilityType;
@@ -504,32 +505,35 @@ private <F extends FocusType> boolean evaluateExistenceMapping(final LensContext
 			// Source: legal
 	        ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> legalSourceIdi = getLegalIdi(projCtx);
 	        Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> legalSource
-	        	= new Source<>(legalSourceIdi, ExpressionConstants.VAR_LEGAL);
+	        	= new Source<>(legalSourceIdi, ExpressionConstants.VAR_LEGAL_QNAME);
 			builder.defaultSource(legalSource);
 
             // Source: assigned
             ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> assignedIdi = getAssignedIdi(projCtx);
-            Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> assignedSource = new Source<>(assignedIdi, ExpressionConstants.VAR_ASSIGNED);
+            Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> assignedSource = new Source<>(assignedIdi, ExpressionConstants.VAR_ASSIGNED_QNAME);
 			builder.addSource(assignedSource);
 
             // Source: focusExists
 	        ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> focusExistsSourceIdi = getFocusExistsIdi(context.getFocusContext());
 	        Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> focusExistsSource
-	        	= new Source<>(focusExistsSourceIdi, ExpressionConstants.VAR_FOCUS_EXISTS);
+	        	= new Source<>(focusExistsSourceIdi, ExpressionConstants.VAR_FOCUS_EXISTS_QNAME);
 			builder.addSource(focusExistsSource);
 
 			// Variable: focus
-			builder.addVariableDefinition(ExpressionConstants.VAR_FOCUS, context.getFocusContext().getObjectDeltaObject());
+			builder.addVariableDefinition(ExpressionConstants.VAR_FOCUS, context.getFocusContext().getObjectDeltaObject(), context.getFocusContext().getObjectDefinition());
 
-	        // Variable: user (for convenience, same as "focus")
-			builder.addVariableDefinition(ExpressionConstants.VAR_USER, context.getFocusContext().getObjectDeltaObject());
+	        // Variable: user (for convenience, same as "focus"), DEPRECATED
+			builder.addVariableDefinition(ExpressionConstants.VAR_USER, context.getFocusContext().getObjectDeltaObject(), context.getFocusContext().getObjectDefinition());
 
-			// Variable: shadow
-			builder.addVariableDefinition(ExpressionConstants.VAR_SHADOW, projCtx.getObjectDeltaObject());
-			builder.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, projCtx.getObjectDeltaObject());
+			// Variable: projection
+			// This may be tricky when creation of a new projection is considered. 
+			// In that case we do not have any projection object (account) yet, neigher new nor old. But we already have
+			// projection context. We have to pass projection definition explicitly here.
+			builder.addVariableDefinition(ExpressionConstants.VAR_SHADOW, projCtx.getObjectDeltaObject(), projCtx.getObjectDefinition());
+			builder.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, projCtx.getObjectDeltaObject(), projCtx.getObjectDefinition());
 
 			// Variable: resource
-			builder.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projCtx.getResource());
+			builder.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projCtx.getResource(), ResourceType.class);
 
 			builder.originType(OriginType.OUTBOUND);
 			builder.originObject(projCtx.getResource());
@@ -599,32 +603,32 @@ private <T, F extends FocusType> void evaluateActivationMapping(final LensContex
 			
 			        }
 
-			        Source<PrismPropertyValue<ActivationStatusType>,PrismPropertyDefinition<ActivationStatusType>> computedSource = new Source<>(computedIdi, ExpressionConstants.VAR_INPUT);
+			        Source<PrismPropertyValue<ActivationStatusType>,PrismPropertyDefinition<ActivationStatusType>> computedSource = new Source<>(computedIdi, ExpressionConstants.VAR_INPUT_QNAME);
 
 			        builder.defaultSource(computedSource);
 
-			        Source<PrismPropertyValue<T>,PrismPropertyDefinition<T>> source = new Source<>(sourceIdi, ExpressionConstants.VAR_ADMINISTRATIVE_STATUS);
+			        Source<PrismPropertyValue<T>,PrismPropertyDefinition<T>> source = new Source<>(sourceIdi, ExpressionConstants.VAR_ADMINISTRATIVE_STATUS_QNAME);
 					builder.addSource(source);
 
 		        } else {
-		        	Source<PrismPropertyValue<T>,PrismPropertyDefinition<T>> source = new Source<>(sourceIdi, ExpressionConstants.VAR_INPUT);
+		        	Source<PrismPropertyValue<T>,PrismPropertyDefinition<T>> source = new Source<>(sourceIdi, ExpressionConstants.VAR_INPUT_QNAME);
 					builder.defaultSource(source);
 		        }
 
 				// Source: legal
 		        ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> legalIdi = getLegalIdi(projCtx);
-		        Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> legalSource = new Source<>(legalIdi, ExpressionConstants.VAR_LEGAL);
+		        Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> legalSource = new Source<>(legalIdi, ExpressionConstants.VAR_LEGAL_QNAME);
 				builder.addSource(legalSource);
 
                 // Source: assigned
                 ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> assignedIdi = getAssignedIdi(projCtx);
-                Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> assignedSource = new Source<>(assignedIdi, ExpressionConstants.VAR_ASSIGNED);
+                Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> assignedSource = new Source<>(assignedIdi, ExpressionConstants.VAR_ASSIGNED_QNAME);
 				builder.addSource(assignedSource);
 
                 // Source: focusExists
 		        ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> focusExistsSourceIdi = getFocusExistsIdi(context.getFocusContext());
 		        Source<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> focusExistsSource
-		        	= new Source<>(focusExistsSourceIdi, ExpressionConstants.VAR_FOCUS_EXISTS);
+		        	= new Source<>(focusExistsSourceIdi, ExpressionConstants.VAR_FOCUS_EXISTS_QNAME);
 		        builder.addSource(focusExistsSource);
 
 				return builder;
@@ -657,7 +661,7 @@ private <T, F extends FocusType> void evaluateOutboundMapping(final LensContext<
         MappingInitializer<PrismPropertyValue<T>,PrismPropertyDefinition<T>> internalInitializer =
 			builder -> {
 
-				builder.addVariableDefinitions(ModelImplUtils.getDefaultExpressionVariables(context, projCtx).getMap());
+				builder.addVariableDefinitions(ModelImplUtils.getDefaultExpressionVariables(context, projCtx));
 
 		        builder.originType(OriginType.OUTBOUND);
 				builder.originObject(projCtx.getResource());
@@ -800,7 +804,7 @@ private ItemDeltaItem<PrismPropertyValue<Boolean>, PrismPropertyDefinition<Boole
 			propertyOld.setRealValue(old);
 			PropertyDelta<Boolean> delta = propertyOld.createDelta();
 			delta.setValuesToReplace(prismContext.itemFactory().createPropertyValue(current));
-			return new ItemDeltaItem<>(propertyOld, delta, property);
+			return new ItemDeltaItem<>(propertyOld, delta, property, definition);
 		}
 	}
 
@@ -843,7 +847,7 @@ private <F extends ObjectType> ItemDeltaItem<PrismPropertyValue<Boolean>,PrismPr
 			existsPropOld.setRealValue(existsOld);
 			PropertyDelta<Boolean> existsDelta = existsPropOld.createDelta();
 			existsDelta.setValuesToReplace(prismContext.itemFactory().createPropertyValue(existsNew));
-			return new ItemDeltaItem<>(existsPropOld, existsDelta, existsProp);
+			return new ItemDeltaItem<>(existsPropOld, existsDelta, existsProp, existsDef);
 		}
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
index 04d58cb01ad..70d45bd794d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
@@ -37,7 +37,7 @@
 import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.model.api.context.SynchronizationPolicyDecision;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.impl.lens.ClockworkMedic;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
@@ -90,6 +90,7 @@ public class ContextLoader {
     private transient RepositoryService cacheRepositoryService;
 
 	@Autowired private SystemObjectCache systemObjectCache;
+	@Autowired private ArchetypeManager archetypeManager;
 	@Autowired private ProvisioningService provisioningService;
 	@Autowired private PrismContext prismContext;
 	@Autowired private SecurityHelper securityHelper;
@@ -424,14 +425,13 @@ private <F extends ObjectType> void loadFromSystemConfig(LensContext<F> context,
 
         if (context.getFocusContext() != null) {
         	PrismObject<F> object = context.getFocusContext().getObjectAny();
-            if (context.getFocusContext().getObjectPolicyConfigurationType() == null) {
-				ObjectPolicyConfigurationType policyConfigurationType =
-                        ModelUtils.determineObjectPolicyConfiguration(object, systemConfigurationType);
+            if (context.getFocusContext().getArchetypePolicyType() == null) {
+				ArchetypePolicyType policyConfigurationType = archetypeManager.determineArchetypePolicy(object, result);
 				if (LOGGER.isTraceEnabled()) {
 					LOGGER.trace("Selected policy configuration from subtypes {}:\n{}", 
 							FocusTypeUtil.determineSubTypes(object), policyConfigurationType==null?null:policyConfigurationType.asPrismContainerValue().debugDump(1));
 				}
-                context.getFocusContext().setObjectPolicyConfigurationType(policyConfigurationType);
+                context.getFocusContext().setArchetypePolicyType(policyConfigurationType);
             }
         }
 
@@ -458,12 +458,12 @@ private <F extends ObjectType> PrismObject<ObjectTemplateType> determineFocusTem
 		if (focusContext == null) {
 			return null;
 		}
-		ObjectPolicyConfigurationType policyConfigurationType = focusContext.getObjectPolicyConfigurationType();
-		if (policyConfigurationType == null) {
+		ArchetypePolicyType archetypePolicy = focusContext.getArchetypePolicyType();
+		if (archetypePolicy == null) {
 			LOGGER.trace("No default object template (no policy)");
 			return null;
 		}
-		ObjectReferenceType templateRef = policyConfigurationType.getObjectTemplateRef();
+		ObjectReferenceType templateRef = archetypePolicy.getObjectTemplateRef();
 		if (templateRef == null) {
 			LOGGER.trace("No default object template (no templateRef)");
 			return null;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
index 33b037ba4f4..3ec183718fd 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2018 Evolveum
+ * Copyright (c) 2013-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,6 +50,7 @@
 import com.evolveum.midpoint.prism.path.UniformItemPath;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommonException;
@@ -89,8 +90,12 @@ public class MappingEvaluator {
     @Autowired private CredentialsProcessor credentialsProcessor;
     @Autowired private ContextLoader contextLoader;
     @Autowired private PrismContext prismContext;
+    
+    public PrismContext getPrismContext() {
+		return prismContext;
+	}
 
-    public static final List<QName> FOCUS_VARIABLE_NAMES = Arrays.asList(ExpressionConstants.VAR_FOCUS, ExpressionConstants.VAR_USER);
+	public static final List<String> FOCUS_VARIABLE_NAMES = Arrays.asList(ExpressionConstants.VAR_FOCUS, ExpressionConstants.VAR_USER);
 
 	public <V extends PrismValue, D extends ItemDefinition, F extends ObjectType> void evaluateMapping(
 			MappingImpl<V,D> mapping, LensContext<F> lensContext, Task task, OperationResult parentResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, CommunicationException {
@@ -146,7 +151,7 @@ public <T, F extends FocusType> void evaluateOutboundMapping(final LensContext<F
         MappingInitializer<PrismPropertyValue<T>,PrismPropertyDefinition<T>> internalInitializer =
 			builder -> {
 
-				builder.addVariableDefinitions(ModelImplUtils.getDefaultExpressionVariables(context, projCtx).getMap());
+				builder.addVariableDefinitions(ModelImplUtils.getDefaultExpressionVariables(context, projCtx));
 
 		        builder.originType(OriginType.OUTBOUND);
 				builder.originObject(projCtx.getResource());
@@ -670,13 +675,14 @@ public ValuePolicyType resolve() {
 		};
 
 		ExpressionVariables variables = new ExpressionVariables();
-		FOCUS_VARIABLE_NAMES.forEach(name -> variables.addVariableDefinition(name, focusOdo));
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION, iteration);
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN, iterationToken);
-		variables.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, configuration);
-		variables.addVariableDefinition(ExpressionConstants.VAR_OPERATION, context.getFocusContext().getOperation().getValue());
+		FOCUS_VARIABLE_NAMES.forEach(name -> variables.addVariableDefinition(name, focusOdo, focusOdo.getDefinition()));
+		variables.put(ExpressionConstants.VAR_ITERATION, iteration, Integer.class);
+		variables.put(ExpressionConstants.VAR_ITERATION_TOKEN, iterationToken, String.class);
+		variables.put(ExpressionConstants.VAR_CONFIGURATION, configuration, SystemConfigurationType.class);
+		variables.put(ExpressionConstants.VAR_OPERATION, context.getFocusContext().getOperation().getValue(), String.class);
 
-		Collection<V> targetValues = ExpressionUtil.computeTargetValues(mappingType.getTarget(), defaultTargetObject, variables, mappingFactory.getObjectResolver(), contextDesc, prismContext, task, result);
+		TypedValue<PrismObject<T>> defaultTargetContext = new TypedValue<>(defaultTargetObject);
+		Collection<V> targetValues = ExpressionUtil.computeTargetValues(mappingType.getTarget(), defaultTargetContext, variables, mappingFactory.getObjectResolver(), contextDesc, prismContext, task, result);
 
 		MappingImpl.Builder<V,D> mappingBuilder = mappingFactory.<V,D>createMappingBuilder(mappingType, contextDesc)
 				.sourceContext(focusOdo)
@@ -690,7 +696,7 @@ public ValuePolicyType resolve() {
 				.rootNode(focusOdo)
 				.now(now);
 
-		mappingBuilder = LensUtil.addAssignmentPathVariables(mappingBuilder, assignmentPathVariables);
+		mappingBuilder = LensUtil.addAssignmentPathVariables(mappingBuilder, assignmentPathVariables, prismContext);
 
 		MappingImpl<V,D> mapping = mappingBuilder.build();
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/OutboundProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/OutboundProcessor.java
index 61f5eabc8be..285f149a4d0 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/OutboundProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/OutboundProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -60,8 +60,10 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingStrengthType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
 
 /**
@@ -210,15 +212,16 @@ private <F extends FocusType, V extends PrismValue, D extends ItemDefinition> Ma
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, projectionOdo);
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_SHADOW, projectionOdo);
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, projectionOdo);
-		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, context.getSystemConfiguration());
+		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, context.getSystemConfiguration(), SystemConfigurationType.class);
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_ITERATION,
-				LensUtil.getIterationVariableValue(projCtx));
+				LensUtil.getIterationVariableValue(projCtx), Integer.class);
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN,
-				LensUtil.getIterationTokenVariableValue(projCtx));
-		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projCtx.getResource());
+				LensUtil.getIterationTokenVariableValue(projCtx), String.class);
+		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projCtx.getResource(), ResourceType.class);
 		mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_OPERATION, operation);
 		if (assocTargetObjectClassDefinition != null) {
-			mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION, assocTargetObjectClassDefinition);
+			mappingBuilder.addVariableDefinition(ExpressionConstants.VAR_ASSOCIATION_TARGET_OBJECT_CLASS_DEFINITION,
+					assocTargetObjectClassDefinition, RefinedObjectClassDefinition.class);
 		}
 		mappingBuilder.rootNode(focusOdo);
 		mappingBuilder.originType(OriginType.OUTBOUND);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ProjectionValuesProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ProjectionValuesProcessor.java
index 704bfa2a0a0..d33ff8fbc50 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ProjectionValuesProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ProjectionValuesProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -512,7 +512,7 @@ private <F extends ObjectType> ExpressionVariables createExpressionVariables(Len
 			LensProjectionContext projectionContext) {
 		return ModelImplUtils.getDefaultExpressionVariables(context.getFocusContext().getObjectNew(), projectionContext.getObjectNew(),
 				projectionContext.getResourceShadowDiscriminator(), projectionContext.getResource().asPrismObject(),
-				context.getSystemConfiguration(), projectionContext);
+				context.getSystemConfiguration(), projectionContext, prismContext);
 	}
 
 	private <F extends ObjectType> boolean evaluateIterationCondition(LensContext<F> context,
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
index b4cd21972ec..4dfb973d07c 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -195,7 +195,7 @@ public ValuePolicyType resolve() {
 		MappingInitializer<PrismPropertyValue<ProtectedStringType>,PrismPropertyDefinition<ProtectedStringType>> initializer =
 			(builder) -> {
 				builder.defaultTargetDefinition(projPasswordPropertyDefinition);
-				builder.defaultSource(new Source<>(userPasswordIdi, ExpressionConstants.VAR_INPUT));
+				builder.defaultSource(new Source<>(userPasswordIdi, ExpressionConstants.VAR_INPUT_QNAME));
 				builder.valuePolicyResolver(stringPolicyResolver);
 				return builder;
 			};
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentHolderProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentHolderProcessor.java
index 603bb508c59..251089bcbb7 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentHolderProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentHolderProcessor.java
@@ -166,11 +166,11 @@ private <AH extends AssignmentHolderType> void processFocusFocus(LensContext<AH>
 		
 		while (true) {
 
-			ObjectPolicyConfigurationType objectPolicyConfigurationType = focusContext.getObjectPolicyConfigurationType();
-			LensUtil.applyObjectPolicyConstraints(focusContext, objectPolicyConfigurationType, prismContext);
+			ArchetypePolicyType archetypePolicy = focusContext.getArchetypePolicyType();
+			LensUtil.applyObjectPolicyConstraints(focusContext, archetypePolicy, prismContext);
 
 			ExpressionVariables variablesPreIteration = ModelImplUtils.getDefaultExpressionVariables(focusContext.getObjectNew(),
-					null, null, null, context.getSystemConfiguration(), focusContext);
+					null, null, null, context.getSystemConfiguration(), focusContext, prismContext);
 			if (iterationToken == null) {
 				iterationToken = LensUtil.formatIterationToken(context, focusContext,
 						iterationSpecificationType, iteration, expressionFactory, variablesPreIteration, task, result);
@@ -335,7 +335,7 @@ private <AH extends AssignmentHolderType> void processFocusFocus(LensContext<AH>
 		        if (checker.isSatisfiesConstraints()) {
 		        	LOGGER.trace("Current focus satisfies uniqueness constraints. Iteration {}, token '{}'", iteration, iterationToken);
 		        	ExpressionVariables variablesPostIteration = ModelImplUtils.getDefaultExpressionVariables(focusContext.getObjectNew(),
-		        			null, null, null, context.getSystemConfiguration(), focusContext);
+		        			null, null, null, context.getSystemConfiguration(), focusContext, prismContext);
 		        	if (LensUtil.evaluateIterationCondition(context, focusContext,
 		        			iterationSpecificationType, iteration, iterationToken, false, expressionFactory, variablesPostIteration,
 		        			task, result)) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java
index 2281d260999..ca4ca3c54ae 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentTripleEvaluator.java
@@ -476,10 +476,15 @@ private void processAssignment(DeltaSetTriple<EvaluatedAssignmentImpl<AH>> evalu
         }
     }
 
-	private ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> createAssignmentIdiNoChange(
-			PrismContainerValue<AssignmentType> cval) throws SchemaException {
+	private ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> createAssignmentIdiNoChange(PrismContainerValue<AssignmentType> cval) throws SchemaException {
 		ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> idi = new ItemDeltaItem<>();
 		idi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(cval.asContainerable()));
+		PrismContainerDefinition<AssignmentType> definition = cval.getDefinition();
+		if (definition == null) {
+			// TODO: optimize
+			definition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(AssignmentHolderType.class).findContainerDefinition(AssignmentHolderType.F_ASSIGNMENT);
+		}
+		idi.setDefinition(definition);
 		idi.recompute();
 		return idi;
 	}
@@ -494,6 +499,7 @@ private ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinit
 						.add(cval.asContainerable().clone())
 						.asItemDelta();
 		idi.setDelta(itemDelta);
+		idi.setDefinition(cval.getDefinition());
 		idi.recompute();
 		return idi;
 	}
@@ -521,6 +527,7 @@ private ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinit
 						.delete(cval.asContainerable().clone())
 						.asItemDelta();
 		idi.setDelta(itemDelta);
+		idi.setDefinition(cval.getDefinition());
 		idi.recompute();
 		return idi;
 	}
@@ -531,6 +538,7 @@ private ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinit
 		ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> idi = new ItemDeltaItem<>();
 		idi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(cval.asContainerable()));
 		idi.setSubItemDeltas(subItemDeltas);
+		idi.setDefinition(cval.getDefinition());
 		idi.recompute();
 		return idi;
 	}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocalMappingSpec.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocalMappingSpec.java
index 619042017dd..665848362b5 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocalMappingSpec.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocalMappingSpec.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2017 Evolveum
+ * Copyright (c) 2017-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -116,7 +116,7 @@ public <V extends PrismValue, D extends ItemDefinition, AH extends AssignmentHol
 		assignmentType.targetRef(role.getOid(), role.asPrismObject().getDefinition().getTypeName(), relation);
 
 		Source<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> source =
-				new Source<>(assignment, null, assignment, FocusType.F_ASSIGNMENT);
+				new Source<>(assignment, null, assignment, FocusType.F_ASSIGNMENT, assignmentDef);
 		return (Source<V, D>) source;
 	}
 	
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocusLifecycleProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocusLifecycleProcessor.java
index b0fbd18eb08..67bde41d83e 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocusLifecycleProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/FocusLifecycleProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -46,6 +46,7 @@
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.LifecycleUtil;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
@@ -144,11 +145,12 @@ private <F extends AssignmentHolderType> boolean shouldTransition(LensContext<F>
 		String desc = "condition for transition to state "+targetLifecycleState+" for "+context.getFocusContext().getHumanReadableName();
 		
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT, context.getFocusContext().getObjectNew());
+		variables.put(ExpressionConstants.VAR_OBJECT, context.getFocusContext().getObjectNew(), context.getFocusContext().getObjectNew().getDefinition());
 		// TODO: more variables?
 		
 		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(
-				conditionExpressionType, ExpressionUtil.createConditionOutputDefinition(context.getPrismContext()) , desc, task, result);
+				conditionExpressionType, ExpressionUtil.createConditionOutputDefinition(context.getPrismContext()),
+				MiscSchemaUtil.getExpressionProfile(), desc, task, result);
 		ExpressionEvaluationContext expressionContext = new ExpressionEvaluationContext(null , variables, desc, task, result);
 		ExpressionEnvironment<?> env = new ExpressionEnvironment<>(context, null, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> outputTriple = ModelExpressionThreadLocalHolder.evaluateExpressionInContext(expression, expressionContext, env);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java
index 9660385b0f0..0c44182d43b 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/InboundProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -68,6 +68,7 @@
 import com.evolveum.midpoint.repo.common.expression.VariableProducer;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
@@ -92,9 +93,11 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PropertyAccessType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceBidirectionalMappingAndDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceBidirectionalMappingType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectAssociationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ValueFilterType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
@@ -123,6 +126,8 @@ public class InboundProcessor {
     @Autowired private Protector protector;
     @Autowired private ProvisioningService provisioningService;
     
+	private PrismContainerDefinition<ResourceObjectAssociationType> associationContainerDefinition;
+    
 //    private Map<ItemDefinition, List<Mapping<?,?>>> mappingsToTarget;
 
     <O extends ObjectType> void processInbound(LensContext<O> context, XMLGregorianCalendar now, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, ConfigurationException, CommunicationException, SecurityViolationException {
@@ -378,7 +383,7 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
                 if (projCurrent != null) {
                 	oldAccountProperty = projCurrent.findProperty(accountAttributePath);
                 }
-                collectMappingsForTargets(context, projContext, inboundMappingType, accountAttributeName, oldAccountProperty, attributeAPrioriDelta, focus, null, mappingsToTarget, task, result);
+                collectMappingsForTargets(context, projContext, inboundMappingType, accountAttributeName, oldAccountProperty, attributeAPrioriDelta, (D)attrDef, focus, null, mappingsToTarget, task, result);
 
             } else if (projCurrent != null) {
 
@@ -389,7 +394,7 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
 
                 PrismProperty<?> oldAccountProperty = projCurrent.findProperty(accountAttributePath);
                 LOGGER.trace("Processing inbound from account sync absolute state (currentAccount): {}", oldAccountProperty);
-                collectMappingsForTargets(context, projContext, inboundMappingType, accountAttributeName, oldAccountProperty, null,
+                collectMappingsForTargets(context, projContext, inboundMappingType, accountAttributeName, (Item<V,D>)oldAccountProperty, null, (D)attrDef,
                 		focus, null, mappingsToTarget, task, result);
             }
         }
@@ -397,7 +402,7 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
         return true;
 	}
 	
-	private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> boolean processAssociationInbound(QName accountAttributeName,
+	private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> boolean processAssociationInbound(QName associationQName,
 			ObjectDelta<ShadowType> aPrioriProjectionDelta, final LensProjectionContext projContext,
             RefinedObjectClassDefinition projectionDefinition, final LensContext<F> context,
             XMLGregorianCalendar now, Map<ItemDefinition, List<MappingImpl<?,?>>> mappingsToTarget,
@@ -406,40 +411,40 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
 		PrismObject<ShadowType> projCurrent = projContext.getObjectCurrent();
         PrismObject<ShadowType> projNew = projContext.getObjectNew();
 
-        final ItemDelta<V, D> attributeAPrioriDelta;
+        final ItemDelta<V, D> associationAPrioriDelta;
         if (aPrioriProjectionDelta != null) {
-            attributeAPrioriDelta = aPrioriProjectionDelta.findItemDelta(ShadowType.F_ASSOCIATION);
-            if (attributeAPrioriDelta == null && !projContext.isFullShadow() && !LensUtil.hasDependentContext(context, projContext)) {
+            associationAPrioriDelta = aPrioriProjectionDelta.findItemDelta(ShadowType.F_ASSOCIATION);
+            if (associationAPrioriDelta == null && !projContext.isFullShadow() && !LensUtil.hasDependentContext(context, projContext)) {
 				LOGGER.trace("Skipping inbound for {} in {}: Not a full shadow and account a priori delta exists, but doesn't have change for processed property.",
-						accountAttributeName, projContext.getResourceShadowDiscriminator());
+						associationQName, projContext.getResourceShadowDiscriminator());
 				return true;
             }
         } else {
-        	attributeAPrioriDelta = null;
+        	associationAPrioriDelta = null;
 		}
 
-        RefinedAssociationDefinition associationDef = projectionDefinition.findAssociationDefinition(accountAttributeName);
+        RefinedAssociationDefinition associationRefinedDef = projectionDefinition.findAssociationDefinition(associationQName);
 
         //TODO:
-        if (associationDef.isIgnored(LayerType.MODEL)) {
+        if (associationRefinedDef.isIgnored(LayerType.MODEL)) {
         	LOGGER.trace("Skipping inbound for association {} in {} because the association is ignored",
-            		PrettyPrinter.prettyPrint(accountAttributeName), projContext.getResourceShadowDiscriminator());
+            		PrettyPrinter.prettyPrint(associationQName), projContext.getResourceShadowDiscriminator());
         	return true;
         }
 
-        List<MappingType> inboundMappingTypes = associationDef.getInboundMappingTypes();
+        List<MappingType> inboundMappingTypes = associationRefinedDef.getInboundMappingTypes();
 		if (LOGGER.isTraceEnabled()) {
-			LOGGER.trace("Processing inbound for {} in {}; ({} mappings)", PrettyPrinter.prettyPrint(accountAttributeName),
+			LOGGER.trace("Processing inbound for {} in {}; ({} mappings)", PrettyPrinter.prettyPrint(associationQName),
 					projContext.getResourceShadowDiscriminator(), inboundMappingTypes.size());
 		}
 
-    	PropertyLimitations limitations = associationDef.getLimitations(LayerType.MODEL);
+    	PropertyLimitations limitations = associationRefinedDef.getLimitations(LayerType.MODEL);
     	if (limitations != null) {
     		PropertyAccessType access = limitations.getAccess();
     		if (access != null) {
     			if (access.isRead() == null || !access.isRead()) {
     				LOGGER.warn("Inbound mapping for non-readable association {} in {}, skipping",
-    						accountAttributeName, projContext.getHumanReadableName());
+    						associationQName, projContext.getHumanReadableName());
     				return true;
     			}
     		}
@@ -449,6 +454,8 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
         	return true;
         }
         
+        PrismContainerDefinition<ResourceObjectAssociationType> associationContainerDef = getAssociationContainerDefinition();
+        
         for (MappingType inboundMappingType : inboundMappingTypes) {
 
         	// There are two processing options:
@@ -471,9 +478,9 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
 				}
 			}
 
-			if (attributeAPrioriDelta == null && !projContext.isFullShadow() && !LensUtil.hasDependentContext(context, projContext)) {
+			if (associationAPrioriDelta == null && !projContext.isFullShadow() && !LensUtil.hasDependentContext(context, projContext)) {
 				LOGGER.trace("Skipping association inbound for {} in {}: Not a full shadow and account a priori delta exists, but doesn't have change for processed property.",
-						accountAttributeName, projContext.getResourceShadowDiscriminator());
+						associationQName, projContext.getResourceShadowDiscriminator());
 				continue;
 			}
 
@@ -485,8 +492,8 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
         	}
 
             ItemDelta focusItemDelta = null;
-            if (attributeAPrioriDelta != null) {
-                LOGGER.trace("Processing association inbound from a priori delta: {}", attributeAPrioriDelta);
+            if (associationAPrioriDelta != null) {
+                LOGGER.trace("Processing association inbound from a priori delta: {}", associationAPrioriDelta);
                 
                 PrismContainer<ShadowAssociationType> oldShadowAssociation = projCurrent.findContainer(ShadowType.F_ASSOCIATION);
                 
@@ -494,20 +501,20 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
                 if (oldShadowAssociation != null) {
                 	filteredAssociations = oldShadowAssociation.getDefinition().instantiate();
                     Collection<PrismContainerValue<ShadowAssociationType>> filteredAssociationValues = oldShadowAssociation.getValues().stream()
-                    		.filter(rVal -> accountAttributeName.equals(rVal.asContainerable().getName()))
+                    		.filter(rVal -> associationQName.equals(rVal.asContainerable().getName()))
                     		.map(val -> val.clone())
                     		.collect(Collectors.toCollection(ArrayList::new));
                     prismContext.adopt(filteredAssociations);
                     filteredAssociations.addAll(filteredAssociationValues);
                 }
                 
-                resolveEntitlementsIfNeeded((ContainerDelta<ShadowAssociationType>) attributeAPrioriDelta, filteredAssociations, projContext, task, result);
+                resolveEntitlementsIfNeeded((ContainerDelta<ShadowAssociationType>) associationAPrioriDelta, filteredAssociations, projContext, task, result);
                 
              
                 VariableProducer<PrismContainerValue<ShadowAssociationType>> entitlementVariable = 
                 		(value, variables) -> resolveEntitlement(value, projContext, variables); 
-                collectMappingsForTargets(context, projContext, inboundMappingType, accountAttributeName, (Item) oldShadowAssociation,
-						attributeAPrioriDelta, focus, (VariableProducer) entitlementVariable, mappingsToTarget, task, result);
+                collectMappingsForTargets(context, projContext, inboundMappingType, associationQName, (Item) oldShadowAssociation,
+						associationAPrioriDelta, (D)associationContainerDef, focus, (VariableProducer) entitlementVariable, mappingsToTarget, task, result);
 
             } else if (projCurrent != null) {
 
@@ -526,20 +533,22 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> bo
                 
                 PrismContainer<ShadowAssociationType> filteredAssociations = oldShadowAssociation.getDefinition().instantiate();
                 Collection<PrismContainerValue<ShadowAssociationType>> filteredAssociationValues = oldShadowAssociation.getValues().stream()
-                		.filter(rVal -> accountAttributeName.equals(rVal.asContainerable().getName()))
+                		.filter(rVal -> associationQName.equals(rVal.asContainerable().getName()))
                 		.map(val -> val.clone())
                 		.collect(Collectors.toCollection(ArrayList::new));
-                prismContext.adopt(filteredAssociations);
                 filteredAssociations.addAll(filteredAssociationValues);
-                
-                resolveEntitlementsIfNeeded((ContainerDelta<ShadowAssociationType>) attributeAPrioriDelta, filteredAssociations, projContext, task, result);
+                // Make sure all the modified/cloned associations have proper definition
+	            filteredAssociations.applyDefinition(oldShadowAssociation.getDefinition(), false);
+	            
+                resolveEntitlementsIfNeeded((ContainerDelta<ShadowAssociationType>) associationAPrioriDelta, filteredAssociations, projContext, task, result);
                 
                 VariableProducer<PrismContainerValue<ShadowAssociationType>> entitlementVariable = 
-                		(value, variables) -> resolveEntitlement(value, projContext, variables);;
+                		(value, variables) -> resolveEntitlement(value, projContext, variables);
+
                 		
                 LOGGER.trace("Processing association inbound from account sync absolute state (currentAccount): {}", filteredAssociations);
-				collectMappingsForTargets(context, projContext, inboundMappingType, accountAttributeName, filteredAssociations,
-						null, focus, entitlementVariable, mappingsToTarget, task, result);
+				collectMappingsForTargets(context, projContext, inboundMappingType, associationQName, (Item<V,D>)filteredAssociations,
+						null, (D)associationContainerDef, focus, (VariableProducer<V>)entitlementVariable, mappingsToTarget, task, result);
                 
             }
         }
@@ -551,11 +560,7 @@ private void resolveEntitlement(PrismContainerValue<ShadowAssociationType> value
 		LOGGER.trace("Producing value {} ", value);
 		PrismObject<ShadowType> entitlement = projContext.getEntitlementMap().get(value.findReference(ShadowAssociationType.F_SHADOW_REF).getOid());
 		LOGGER.trace("Resolved entitlement {}", entitlement);
-		if (variables.containsKey(ExpressionConstants.VAR_ENTITLEMENT)) {
-			variables.replaceVariableDefinition(ExpressionConstants.VAR_ENTITLEMENT, entitlement);
-		} else {
-			variables.addVariableDefinition(ExpressionConstants.VAR_ENTITLEMENT, entitlement);
-		}
+		variables.put(ExpressionConstants.VAR_ENTITLEMENT, entitlement, entitlement.getDefinition());
 	}
 
 	private <F extends FocusType> void processAuxiliaryObjectClassInbound(
@@ -606,6 +611,8 @@ private <F extends FocusType> void processAuxiliaryObjectClassInbound(
     	} else {
     		focus = context.getFocusContext().getObjectNew();
     	}
+    	
+    	PrismPropertyDefinition<QName> auxiliaryObjectClassPropertyDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class).findPropertyDefinition(ShadowType.F_AUXILIARY_OBJECT_CLASS);
 
         for (MappingType inboundMappingType : inboundMappingTypes) {
 
@@ -613,7 +620,7 @@ private <F extends FocusType> void processAuxiliaryObjectClassInbound(
 
             PrismProperty<QName> oldAccountProperty = projCurrent.findProperty(ShadowType.F_AUXILIARY_OBJECT_CLASS);
             LOGGER.trace("Processing inbound from account sync absolute state (currentAccount): {}", oldAccountProperty);
-            collectMappingsForTargets(context, projContext, inboundMappingType, ShadowType.F_AUXILIARY_OBJECT_CLASS, oldAccountProperty, null, focus, null, mappingsToTarget, task, result);
+            collectMappingsForTargets(context, projContext, inboundMappingType, ShadowType.F_AUXILIARY_OBJECT_CLASS, oldAccountProperty, null, auxiliaryObjectClassPropertyDefinition, focus, null, mappingsToTarget, task, result);
         }
 	}
 
@@ -713,10 +720,14 @@ private <F extends ObjectType> boolean checkWeakSkip(MappingImpl<?,?> inbound, P
         return false;
     }
 	
+	/**
+	 * Note: in this case "attribute" may also be an association
+	 */
 	private <F extends FocusType, V extends PrismValue, D extends ItemDefinition> void collectMappingsForTargets(final LensContext<F> context,
     		LensProjectionContext projectionCtx, MappingType inboundMappingType,
-    		QName accountAttributeName, Item<V,D> oldAccountProperty,
+    		QName accountAttributeQName, Item<V,D> oldAccountProperty,
     		ItemDelta<V,D> attributeAPrioriDelta,
+    		D attributeDefinition,
             PrismObject<F> focusNew, 
             VariableProducer<V> variableProducer, Map<ItemDefinition, List<MappingImpl<?,?>>> mappingsToTarget,
             Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ConfigurationException, CommunicationException, SecurityViolationException, ExpressionEvaluationException {
@@ -727,24 +738,30 @@ private <F extends FocusType, V extends PrismValue, D extends ItemDefinition> vo
 
     	ResourceType resource = projectionCtx.getResource();
     	MappingImpl.Builder<V,D> builder = mappingFactory.createMappingBuilder(inboundMappingType,
-    			"inbound expression for "+accountAttributeName+" in "+resource);
+    			"inbound expression for "+accountAttributeQName+" in "+resource);
 
     	if (!builder.isApplicableToChannel(context.getChannel())) {
     		return;
     	}
     	
-    	PrismObject<ShadowType> accountNew = projectionCtx.getObjectNew();
+    	PrismObject<ShadowType> shadowNew = projectionCtx.getObjectNew();
+    	PrismObjectDefinition<ShadowType> shadowNewDef;
+    	if (shadowNew == null) {
+    		shadowNewDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class);
+    	} else {
+    		shadowNewDef = shadowNew.getDefinition();
+    	}
     	ExpressionVariables variables = new ExpressionVariables();
-    	variables.addVariableDefinition(ExpressionConstants.VAR_USER, focusNew);
-    	variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusNew);
-    	variables.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, accountNew);
-    	variables.addVariableDefinition(ExpressionConstants.VAR_SHADOW, accountNew);
-    	variables.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, accountNew);
-    	variables.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource);
-    	variables.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, context.getSystemConfiguration());
-    	variables.addVariableDefinition(ExpressionConstants.VAR_OPERATION, context.getFocusContext().getOperation().getValue());
+    	variables.put(ExpressionConstants.VAR_USER, focusNew, focusNew.getDefinition());
+    	variables.put(ExpressionConstants.VAR_FOCUS, focusNew, focusNew.getDefinition());
+    	variables.put(ExpressionConstants.VAR_ACCOUNT, shadowNew, shadowNewDef);
+    	variables.put(ExpressionConstants.VAR_SHADOW, shadowNew, shadowNewDef);
+    	variables.put(ExpressionConstants.VAR_PROJECTION, shadowNew, shadowNewDef);
+    	variables.put(ExpressionConstants.VAR_RESOURCE, resource, resource.asPrismObject().getDefinition());
+    	variables.put(ExpressionConstants.VAR_CONFIGURATION, context.getSystemConfiguration(), context.getSystemConfiguration().getDefinition());
+    	variables.put(ExpressionConstants.VAR_OPERATION, context.getFocusContext().getOperation().getValue(), String.class);
     	    	
-    	Source<V,D> defaultSource = new Source<>(oldAccountProperty, attributeAPrioriDelta, null, ExpressionConstants.VAR_INPUT);
+    	Source<V,D> defaultSource = new Source<>(oldAccountProperty, attributeAPrioriDelta, null, ExpressionConstants.VAR_INPUT_QNAME, (D)attributeDefinition);
     	defaultSource.recompute();
 		builder = builder.defaultSource(defaultSource)
 				.targetContext(LensUtil.getFocusDefinition(context))
@@ -755,7 +772,8 @@ private <F extends FocusType, V extends PrismValue, D extends ItemDefinition> vo
 				.originObject(resource);
 		
 		if (!context.getFocusContext().isDelete()){
-				Collection<V> originalValues = ExpressionUtil.computeTargetValues(inboundMappingType.getTarget(), focusNew, variables, mappingFactory.getObjectResolver() , "resolving range",
+				TypedValue<PrismObject<F>> targetContext = new TypedValue<>(focusNew);
+				Collection<V> originalValues = ExpressionUtil.computeTargetValues(inboundMappingType.getTarget(), targetContext, variables, mappingFactory.getObjectResolver() , "resolving range",
 						prismContext, task, result);
 				builder.originalTargetValues(originalValues);
 		}
@@ -1337,17 +1355,19 @@ private <F extends FocusType> void processSpecialPropertyInbound(Collection<Mapp
 				if (specialAttributeDelta == null){
 					specialAttributeDelta = sourceIdi.getDelta();
 				}
-				Source<PrismPropertyValue<?>,PrismPropertyDefinition<?>> source = new Source<>(sourceIdi.getItemOld(), specialAttributeDelta,
-						sourceIdi.getItemOld(), ExpressionConstants.VAR_INPUT);
+				Source<PrismPropertyValue<?>,PrismPropertyDefinition<?>> source = new Source<>(
+						sourceIdi.getItemOld(), specialAttributeDelta, sourceIdi.getItemOld(),
+						ExpressionConstants.VAR_INPUT_QNAME, 
+						(PrismPropertyDefinition<?>)sourceIdi.getDefinition());
 				builder = builder.defaultSource(source)
-						.addVariableDefinition(ExpressionConstants.VAR_USER, newUser)
-						.addVariableDefinition(ExpressionConstants.VAR_FOCUS, newUser);
+						.addVariableDefinition(ExpressionConstants.VAR_USER, newUser, UserType.class)
+						.addVariableDefinition(ExpressionConstants.VAR_FOCUS, newUser, FocusType.class);
 
 				PrismObject<ShadowType> accountNew = projContext.getObjectNew();
-				builder = builder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, accountNew)
-						.addVariableDefinition(ExpressionConstants.VAR_SHADOW, accountNew)
-						.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, accountNew)
-						.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projContext.getResource())
+				builder = builder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, accountNew, ShadowType.class)
+						.addVariableDefinition(ExpressionConstants.VAR_SHADOW, accountNew, ShadowType.class)
+						.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, accountNew, ShadowType.class)
+						.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projContext.getResource(), ResourceType.class)
 						.valuePolicyResolver(createStringPolicyResolver(context, task, opResult))
 						.originType(OriginType.INBOUND)
 						.originObject(projContext.getResource());
@@ -1427,6 +1447,14 @@ private <F extends FocusType> void processSpecialPropertyInbound(Collection<Mapp
 //                inboundMappingTypes, "inbound mapping for " + sourcePath + " in " + accContext.getResource(), now, initializer, targetPropertyNew, primaryPropDelta, newUser, true, strongMappingWasUsed, context, accContext, task, opResult);
 
     }
+    
+	private PrismContainerDefinition<ResourceObjectAssociationType> getAssociationContainerDefinition() {
+		if (associationContainerDefinition == null) {
+			associationContainerDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class).findContainerDefinition(ShadowType.F_ASSOCIATION);
+		}
+		return associationContainerDefinition;
+	}
+
 
 //    private Collection<Mapping> getMappingApplicableToChannel(
 //			Collection<MappingType> inboundMappingTypes, String description, String channelUri) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/ObjectTemplateProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/ObjectTemplateProcessor.java
index f06737e3339..b528cd2d097 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/ObjectTemplateProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/ObjectTemplateProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -87,6 +87,7 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AutoassignMappingType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AutoassignSpecificationType;
@@ -225,12 +226,12 @@ private <F extends ObjectType> ObjectTemplateType determineFocusTemplate(LensCon
 		if (focusContext == null) {
 			return null;
 		}
-		ObjectPolicyConfigurationType policyConfigurationType = focusContext.getObjectPolicyConfigurationType();
-		if (policyConfigurationType == null) {
+		ArchetypePolicyType archetypePolicy = focusContext.getArchetypePolicyType();
+		if (archetypePolicy == null) {
 			LOGGER.trace("No default object template (no policy)");
 			return null;
 		}
-		ObjectReferenceType templateRef = policyConfigurationType.getObjectTemplateRef();
+		ObjectReferenceType templateRef = archetypePolicy.getObjectTemplateRef();
 		if (templateRef == null) {
 			LOGGER.trace("No default object template (no templateRef)");
 			return null;
@@ -616,12 +617,13 @@ private boolean dependsOn(FocalMappingSpec mappingSpec1, FocalMappingSpec mappin
 
 	// must be Uniform because of the later use in outputTripleMap
 	private ItemPath stripFocusVariableSegment(ItemPath sourcePath) {
-		if (sourcePath.startsWithVariable()
-			&& QNameUtil.matchAny(sourcePath.firstToVariableNameOrNull(), MappingEvaluator.FOCUS_VARIABLE_NAMES)) {
-			return sourcePath.stripVariableSegment();
-		} else {
-			return sourcePath;
+		if (sourcePath.startsWithVariable()) {
+			QName variableQName = sourcePath.firstToVariableNameOrNull();
+			if (variableQName != null && MappingEvaluator.FOCUS_VARIABLE_NAMES.contains(variableQName.getLocalPart())) {
+				return sourcePath.stripVariableSegment();
+			}
 		}
+		return sourcePath;
 	}
 
 	private <V extends PrismValue, D extends ItemDefinition, AH extends AssignmentHolderType, T extends AssignmentHolderType> XMLGregorianCalendar collectTripleFromMappings(
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java
index 3e74b92ff6f..1941c8bf29c 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -617,7 +617,7 @@ private <AH extends AssignmentHolderType> boolean isRuleConditionTrue(GlobalPoli
 
 		MappingImpl.Builder<PrismPropertyValue<Boolean>, PrismPropertyDefinition<Boolean>> builder = mappingFactory
 				.createMappingBuilder();
-		ObjectDeltaObject<AH> focusOdo = new ObjectDeltaObject<>(focus, null, focus);
+		ObjectDeltaObject<AH> focusOdo = new ObjectDeltaObject<>(focus, null, focus, focus.getDefinition());
 		builder = builder.mappingType(condition)
 				.contextDescription("condition in global policy rule " + globalPolicyRule.getName())
 				.sourceContext(focusOdo)
@@ -625,9 +625,9 @@ private <AH extends AssignmentHolderType> boolean isRuleConditionTrue(GlobalPoli
 						prismContext.definitionFactory().createPropertyDefinition(CONDITION_OUTPUT_NAME, DOMUtil.XSD_BOOLEAN))
 				.addVariableDefinition(ExpressionConstants.VAR_USER, focusOdo)
 				.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusOdo)
-				.addVariableDefinition(ExpressionConstants.VAR_TARGET, evaluatedAssignment != null ? evaluatedAssignment.getTarget() : null)
-				.addVariableDefinition(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, evaluatedAssignment)
-				.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, evaluatedAssignment != null ? evaluatedAssignment.getAssignmentType() : null)
+				.addVariableDefinition(ExpressionConstants.VAR_TARGET, evaluatedAssignment != null ? evaluatedAssignment.getTarget() : null, EvaluatedAssignment.class)
+				.addVariableDefinition(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, evaluatedAssignment, EvaluatedAssignment.class)
+				.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, evaluatedAssignment != null ? evaluatedAssignment.getAssignmentType() : null, AssignmentType.class)
 				.rootNode(focusOdo);
 
 		MappingImpl<PrismPropertyValue<Boolean>, PrismPropertyDefinition<Boolean>> mapping = builder.build();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleScriptExecutor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleScriptExecutor.java
index 2b0d56ab5cb..a2e591e6258 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleScriptExecutor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleScriptExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.DeltaSetTriple;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
@@ -96,7 +97,7 @@ private void executeScript(ScriptExecutionPolicyActionType action, EvaluatedPoli
 			Task task, OperationResult parentResult, ExecuteScriptType executeScriptBean) {
 		OperationResult result = parentResult.createSubresult(EXECUTE_SCRIPT_OPERATION);
 		try {
-			Map<String, Object> initialVariables = createInitialVariables(action, rule, context);
+			VariablesMap initialVariables = createInitialVariables(action, rule, context);
 			if (executeScriptBean.getInput() == null && context.getFocusContext() != null) {
 				PrismObject objectAny = ((LensFocusContext) context.getFocusContext()).getObjectAny();
 				if (objectAny != null) {
@@ -115,12 +116,12 @@ private void executeScript(ScriptExecutionPolicyActionType action, EvaluatedPoli
 		}
 	}
 
-	private Map<String, Object> createInitialVariables(ScriptExecutionPolicyActionType action, EvaluatedPolicyRule rule,
+	private VariablesMap createInitialVariables(ScriptExecutionPolicyActionType action, EvaluatedPolicyRule rule,
 			ModelContext<?> context) {
-		Map<String, Object> rv = new HashMap<>();
-		rv.put(ExpressionConstants.VAR_POLICY_ACTION.getLocalPart(), action);
-		rv.put(ExpressionConstants.VAR_POLICY_RULE.getLocalPart(), rule);
-		rv.put(ExpressionConstants.VAR_MODEL_CONTEXT.getLocalPart(), context);
+		VariablesMap rv = new VariablesMap();
+		rv.put(ExpressionConstants.VAR_POLICY_ACTION, action, ScriptExecutionPolicyActionType.class);
+		rv.put(ExpressionConstants.VAR_POLICY_RULE, rule, EvaluatedPolicyRule.class);
+		rv.put(ExpressionConstants.VAR_MODEL_CONTEXT, context, ModelContext.class);
 		return rv;
 	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ConstraintEvaluatorHelper.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ConstraintEvaluatorHelper.java
index 324726304e0..a61056e8abb 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ConstraintEvaluatorHelper.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ConstraintEvaluatorHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package com.evolveum.midpoint.model.impl.lens.projector.policy.evaluators;
 
+import com.evolveum.midpoint.model.api.context.EvaluatedAssignment;
 import com.evolveum.midpoint.model.impl.lens.LensUtil;
 import com.evolveum.midpoint.model.impl.lens.projector.policy.AssignmentPolicyRuleEvaluationContext;
 import com.evolveum.midpoint.model.impl.lens.projector.policy.ObjectState;
@@ -52,9 +53,9 @@
 @Component
 public class ConstraintEvaluatorHelper {
 
-	public static final QName VAR_EVALUATOR_HELPER = new QName(SchemaConstants.NS_C, "evaluatorHelper");
-	public static final QName VAR_CONSTRAINT_ELEMENT = new QName(SchemaConstants.NS_C, "constraintElement");
-	public static final QName VAR_CONSTRAINT = new QName(SchemaConstants.NS_C, "constraint");
+	public static final String VAR_EVALUATOR_HELPER = "evaluatorHelper";
+	public static final String VAR_CONSTRAINT_ELEMENT = "constraintElement";
+	public static final String VAR_CONSTRAINT = "constraint";
 
 	@Autowired private PrismContext prismContext;
 	@Autowired protected ExpressionFactory expressionFactory;
@@ -64,27 +65,34 @@ public <AH extends AssignmentHolderType> ExpressionVariables createExpressionVar
 			JAXBElement<? extends AbstractPolicyConstraintType> constraintElement) {
 		ExpressionVariables var = new ExpressionVariables();
 		PrismObject<AH> object = rctx.getObject();
-		var.addVariableDefinition(ExpressionConstants.VAR_USER, object);
-		var.addVariableDefinition(ExpressionConstants.VAR_FOCUS, object);
-		var.addVariableDefinition(ExpressionConstants.VAR_OBJECT, object);
-		var.addVariableDefinition(ExpressionConstants.VAR_OBJECT_DISPLAY_INFORMATION, LocalizationUtil.createLocalizableMessageType(createDisplayInformation(object, false)));
+		var.put(ExpressionConstants.VAR_USER, object, object.getDefinition());
+		var.put(ExpressionConstants.VAR_FOCUS, object, object.getDefinition());
+		var.put(ExpressionConstants.VAR_OBJECT, object, object.getDefinition());
+		var.put(ExpressionConstants.VAR_OBJECT_DISPLAY_INFORMATION, 
+				LocalizationUtil.createLocalizableMessageType(createDisplayInformation(object, false)), LocalizableMessageType.class);
 		if (rctx instanceof AssignmentPolicyRuleEvaluationContext) {
 			AssignmentPolicyRuleEvaluationContext actx = (AssignmentPolicyRuleEvaluationContext<AH>) rctx;
 			PrismObject target = actx.evaluatedAssignment.getTarget();
-			var.addVariableDefinition(ExpressionConstants.VAR_TARGET, target);
-			var.addVariableDefinition(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, LocalizationUtil.createLocalizableMessageType(createDisplayInformation(target, false)));
-			var.addVariableDefinition(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, actx.evaluatedAssignment);
-			var.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, actx.evaluatedAssignment.getAssignmentType(actx.state == ObjectState.BEFORE));
+			var.put(ExpressionConstants.VAR_TARGET, target, target.getDefinition());
+			var.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION,
+					LocalizationUtil.createLocalizableMessageType(createDisplayInformation(target, false)), LocalizableMessageType.class);
+			var.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, actx.evaluatedAssignment, EvaluatedAssignment.class);
+			AssignmentType assignmentType = actx.evaluatedAssignment.getAssignmentType(actx.state == ObjectState.BEFORE);
+			var.put(ExpressionConstants.VAR_ASSIGNMENT, assignmentType, assignmentType.asPrismContainerValue().getDefinition());
 		} else {
-			var.addVariableDefinition(ExpressionConstants.VAR_TARGET, null);
-			var.addVariableDefinition(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, null);
-			var.addVariableDefinition(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null);
-			var.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, null);
+			PrismObjectDefinition<ObjectType> targetDef = rctx.lensContext.getPrismContext().getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+			var.put(ExpressionConstants.VAR_TARGET, null, targetDef);
+			var.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, null, LocalizableMessageType.class);
+			var.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null, EvaluatedAssignment.class);
+			PrismContainerDefinition<AssignmentType> assignmentDef = rctx.lensContext.getPrismContext().getSchemaRegistry()
+					.findObjectDefinitionByCompileTimeClass(AssignmentHolderType.class)
+						.findContainerDefinition(AssignmentHolderType.F_ASSIGNMENT);
+			var.put(ExpressionConstants.VAR_ASSIGNMENT, null, assignmentDef);
 		}
-		var.addVariableDefinition(VAR_RULE_EVALUATION_CONTEXT, rctx);
-		var.addVariableDefinition(VAR_EVALUATOR_HELPER, this);
-		var.addVariableDefinition(VAR_CONSTRAINT, constraintElement != null ? constraintElement.getValue() : null);
-		var.addVariableDefinition(VAR_CONSTRAINT_ELEMENT, constraintElement);
+		var.put(VAR_RULE_EVALUATION_CONTEXT, rctx, PolicyRuleEvaluationContext.class);
+		var.put(VAR_EVALUATOR_HELPER, this, ConstraintEvaluatorHelper.class);
+		var.put(VAR_CONSTRAINT, constraintElement != null ? constraintElement.getValue() : null, AbstractPolicyConstraintType.class);
+		var.put(VAR_CONSTRAINT_ELEMENT, constraintElement, JAXBElement.class);
 		return var;
 	}
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
index 156b97be083..ade002fb1bf 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.LocalizationUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -46,7 +47,6 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyConstraintsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.StatePolicyConstraintType;
@@ -127,9 +127,9 @@ private <AH extends AssignmentHolderType> EvaluatedPolicyRuleTrigger<?> evaluate
 			}
 		}
 		if (constraint.getExecuteScript() != null) {
-			Map<String, Object> variables = new HashMap<>();
-			variables.put(VAR_OBJECT.getLocalPart(), object);
-			variables.put(VAR_RULE_EVALUATION_CONTEXT.getLocalPart(), ctx);
+			VariablesMap variables = new VariablesMap();
+			variables.put(VAR_OBJECT, object, object.getDefinition());
+			variables.put(VAR_RULE_EVALUATION_CONTEXT, ctx, PolicyRuleEvaluationContext.class);
 			ExecutionContext resultingContext;
 			try {
 				resultingContext = scriptingExpressionEvaluator.evaluateExpressionPrivileged(constraint.getExecuteScript(), variables, ctx.task, result);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ExecutionContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ExecutionContext.java
index 2fd69ebe296..8318b94b63e 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ExecutionContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ExecutionContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.model.api.ScriptExecutionResult;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.query.QueryConverter;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.task.api.RunningTask;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.SystemException;
@@ -46,13 +47,13 @@ public class ExecutionContext {
     private final ScriptingExpressionEvaluator scriptingExpressionEvaluator;
     private final StringBuilder consoleOutput = new StringBuilder();
     private final Map<String, PipelineData> globalVariables = new HashMap<>();      // will probably remain unused
-    private final Map<String, Object> initialVariables;                             // used e.g. when there are no data in a pipeline; these are frozen - i.e. made immutable if possible; to be cloned-on-use
+    private final VariablesMap initialVariables;                             // used e.g. when there are no data in a pipeline; these are frozen - i.e. made immutable if possible; to be cloned-on-use
     private PipelineData finalOutput;                                        // used only when passing result to external clients (TODO do this more cleanly)
     private final boolean recordProgressAndIterationStatistics;
 
     public ExecutionContext(ScriptingExpressionEvaluationOptionsType options, Task task,
             ScriptingExpressionEvaluator scriptingExpressionEvaluator,
-            boolean privileged, boolean recordProgressAndIterationStatistics, Map<String, Object> initialVariables) {
+            boolean privileged, boolean recordProgressAndIterationStatistics, VariablesMap initialVariables) {
         this.options = options;
         this.task = task;
         this.scriptingExpressionEvaluator = scriptingExpressionEvaluator;
@@ -85,7 +86,7 @@ public void setGlobalVariable(String name, PipelineData value) {
         globalVariables.put(name, value);
     }
 
-    public Map<String, Object> getInitialVariables() {
+    public VariablesMap getInitialVariables() {
         return initialVariables;
     }
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/IterativeScriptExecutionTaskHandler.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/IterativeScriptExecutionTaskHandler.java
index 2b71b75a487..5d17f28bc57 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/IterativeScriptExecutionTaskHandler.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/IterativeScriptExecutionTaskHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import com.evolveum.midpoint.prism.PrismProperty;
 import com.evolveum.midpoint.repo.common.task.AbstractSearchIterativeResultHandler;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.*;
@@ -87,7 +88,7 @@ protected boolean handleObject(PrismObject<ObjectType> object, RunningTask worke
 				try {
 					ExecuteScriptType executeScriptRequest = executeScriptRequestTemplate.clone();
 					executeScriptRequest.setInput(new ValueListType().value(object.asObjectable()));
-					ScriptExecutionResult executionResult = scriptingService.evaluateExpression(executeScriptRequest, emptyMap(),
+					ScriptExecutionResult executionResult = scriptingService.evaluateExpression(executeScriptRequest, VariablesMap.emptyMap(),
 							false, workerTask, result);
 					LOGGER.debug("Execution output: {} item(s)", executionResult.getDataOutput().size());
 					LOGGER.debug("Execution result:\n{}", executionResult.getConsoleOutput());
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/PipelineData.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/PipelineData.java
index 51caec48541..7bbb9d0c993 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/PipelineData.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/PipelineData.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.SearchResultList;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.util.DebugDumpable;
@@ -38,8 +39,6 @@
 import java.util.*;
 import java.util.stream.Collectors;
 
-import static java.util.Collections.emptyMap;
-
 /**
  * Data that are passed between individual scripting actions.
  *
@@ -73,10 +72,10 @@ public String debugDump(int indent) {
     }
 
     public static PipelineData create(PrismValue value) {
-        return create(value, emptyMap());
+        return create(value, VariablesMap.emptyMap());
     }
 
-    public static PipelineData create(PrismValue value, Map<String, Object> variables) {
+    public static PipelineData create(PrismValue value, VariablesMap variables) {
         PipelineData d = createEmpty();
         d.add(new PipelineItem(value, newOperationResult(), variables));
         return d;
@@ -100,14 +99,14 @@ public void addAllFrom(PipelineData otherData) {
         }
     }
 
-    public void addValue(PrismValue value, Map<String, Object> variables) {
+    public void addValue(PrismValue value, VariablesMap variables) {
 		addValue(value, null, variables);
     }
 
-    public void addValue(PrismValue value, OperationResult result, Map<String, Object> variables) {
+    public void addValue(PrismValue value, OperationResult result, VariablesMap variables) {
 		data.add(new PipelineItem(value,
 				result != null ? result : newOperationResult(),
-				variables != null ? variables : emptyMap()));
+				variables != null ? variables : VariablesMap.emptyMap()));
     }
 
     public String getDataAsSingleString() throws ScriptExecutionException {
@@ -122,7 +121,7 @@ public String getDataAsSingleString() throws ScriptExecutionException {
         }
     }
 
-    static PipelineData createItem(@NotNull PrismValue value, Map<String, Object> variables) throws SchemaException {
+    static PipelineData createItem(@NotNull PrismValue value, VariablesMap variables) throws SchemaException {
         PipelineData data = createEmpty();
 	    data.addValue(value, variables);
 	    return data;
@@ -180,7 +179,7 @@ private Collection<ObjectReferenceType> resolveQuery(Class<? extends ObjectType>
 		return objects.stream().map(o -> ObjectTypeUtil.createObjectRef(o, context.getPrismContext())).collect(Collectors.toList());
 	}
 
-	static PipelineData parseFrom(ValueListType input, Map<String, Object> frozenInitialVariables, PrismContext prismContext) {
+	static PipelineData parseFrom(ValueListType input, VariablesMap frozenInitialVariables, PrismContext prismContext) {
 		PipelineData rv = new PipelineData();
 		if (input != null) {
 			for (Object o : input.getValue()) {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptExecutionTaskHandler.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptExecutionTaskHandler.java
index e4e887ce2f1..0c8cb33a8d5 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptExecutionTaskHandler.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptExecutionTaskHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import com.evolveum.midpoint.model.api.ScriptingService;
 import com.evolveum.midpoint.prism.PrismProperty;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.*;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -41,8 +42,6 @@
 
 import javax.annotation.PostConstruct;
 
-import static java.util.Collections.emptyMap;
-
 /**
  * @author mederly
  */
@@ -78,7 +77,7 @@ public TaskRunResult run(RunningTask task, TaskPartitionDefinitionType partition
         }
 
         try {
-            ScriptExecutionResult executionResult = scriptingService.evaluateExpression(executeScriptProperty.getRealValue(), emptyMap(),
+            ScriptExecutionResult executionResult = scriptingService.evaluateExpression(executeScriptProperty.getRealValue(), VariablesMap.emptyMap(),
 		            true, task, result);
             LOGGER.debug("Execution output: {} item(s)", executionResult.getDataOutput().size());
             LOGGER.debug("Execution result:\n{}", executionResult.getConsoleOutput());
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptingExpressionEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptingExpressionEvaluator.java
index a476c18b400..534a4f3e134 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptingExpressionEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptingExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,7 +28,10 @@
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -53,8 +56,6 @@
 import java.util.List;
 import java.util.Map;
 
-import static java.util.Collections.emptyMap;
-
 /**
  * Main entry point for evaluating scripting expressions.
  *
@@ -142,7 +143,7 @@ public void evaluateExpressionInBackground(ExecuteScriptType executeScriptComman
 	/**
 	 * Main entry point.
 	 */
-	public ExecutionContext evaluateExpression(@NotNull ExecuteScriptType executeScript, Map<String, Object> initialVariables,
+	public ExecutionContext evaluateExpression(@NotNull ExecuteScriptType executeScript, VariablesMap initialVariables,
 			boolean recordProgressAndIterationStatistics, Task task, OperationResult result) throws ScriptExecutionException {
 		return evaluateExpression(executeScript, initialVariables, false, recordProgressAndIterationStatistics, task, result);
     }
@@ -151,7 +152,7 @@ public ExecutionContext evaluateExpression(@NotNull ExecuteScriptType executeScr
 	 * Entry point for privileged execution.
 	 * Note that privileged execution means
 	 */
-	public ExecutionContext evaluateExpressionPrivileged(@NotNull ExecuteScriptType executeScript, @NotNull Map<String, Object> initialVariables, Task task, OperationResult result) throws ScriptExecutionException {
+	public ExecutionContext evaluateExpressionPrivileged(@NotNull ExecuteScriptType executeScript, @NotNull VariablesMap initialVariables, Task task, OperationResult result) throws ScriptExecutionException {
 		return evaluateExpression(executeScript, initialVariables, true, false, task, result);
 	}
 
@@ -159,14 +160,15 @@ public ExecutionContext evaluateExpressionPrivileged(@NotNull ExecuteScriptType
 	 * Convenience method (if we don't have full ExecuteScriptType).
 	 */
 	public ExecutionContext evaluateExpression(ScriptingExpressionType expression, Task task, OperationResult result) throws ScriptExecutionException {
-		return evaluateExpression(createExecuteScriptCommand(expression), emptyMap(), false, task, result);
+		return evaluateExpression(createExecuteScriptCommand(expression), VariablesMap.emptyMap(), false, task, result);
 	}
 
-	private ExecutionContext evaluateExpression(@NotNull ExecuteScriptType executeScript, Map<String, Object> initialVariables,
+	private ExecutionContext evaluateExpression(@NotNull ExecuteScriptType executeScript, VariablesMap initialVariables,
             boolean privileged, boolean recordProgressAndIterationStatistics, Task task, OperationResult result) throws ScriptExecutionException {
 		Validate.notNull(executeScript.getScriptingExpression(), "Scripting expression must be present");
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
 		try {
-			Map<String, Object> frozenVariables = VariablesUtil.initialPreparation(initialVariables, executeScript.getVariables(), expressionFactory, modelObjectResolver, prismContext, task, result);
+			VariablesMap frozenVariables = VariablesUtil.initialPreparation(initialVariables, executeScript.getVariables(), expressionFactory, modelObjectResolver, prismContext, expressionProfile, task, result);
 			PipelineData pipelineData = PipelineData.parseFrom(executeScript.getInput(), frozenVariables, prismContext);
 			ExecutionContext context = new ExecutionContext(executeScript.getOptions(), task, this,
                     privileged, recordProgressAndIterationStatistics, frozenVariables);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/VariablesUtil.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/VariablesUtil.java
index 8e1c9b1cfa8..b50f1ff70e5 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/VariablesUtil.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/VariablesUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,9 @@
 import com.evolveum.midpoint.schema.SchemaConstantsGenerated;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.MiscUtil;
@@ -40,6 +43,7 @@
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ScriptingVariableDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ScriptingVariablesDefinitionType;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
@@ -61,37 +65,40 @@ static class VariableResolutionContext {
 		@NotNull final ExpressionFactory expressionFactory;
 		@NotNull final ObjectResolver objectResolver;
 		@NotNull final PrismContext prismContext;
+		final ExpressionProfile expressionProfile;
 		@NotNull final Task task;
 		VariableResolutionContext(@NotNull ExpressionFactory expressionFactory,
-				@NotNull ObjectResolver objectResolver, @NotNull PrismContext prismContext, @NotNull Task task) {
+				@NotNull ObjectResolver objectResolver, @NotNull PrismContext prismContext, ExpressionProfile expressionProfile, @NotNull Task task) {
 			this.expressionFactory = expressionFactory;
 			this.objectResolver = objectResolver;
 			this.prismContext = prismContext;
+			this.expressionProfile = expressionProfile;
 			this.task = task;
 		}
 	}
 
 	// We create immutable versions of prism variables to avoid unnecessary downstream cloning
 	@NotNull
-	static Map<String, Object> initialPreparation(Map<String, Object> initialVariables,
+	static VariablesMap initialPreparation(VariablesMap initialVariables,
 			ScriptingVariablesDefinitionType derivedVariables, ExpressionFactory expressionFactory, ObjectResolver objectResolver,
-			PrismContext prismContext, Task task, OperationResult result)
+			PrismContext prismContext, ExpressionProfile expressionProfile, Task task, OperationResult result)
 			throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
-		HashMap<String, Object> rv = new HashMap<>();
+		VariablesMap rv = new VariablesMap();
 		addProvidedVariables(rv, initialVariables, task);
 		addDerivedVariables(rv, derivedVariables,
-				new VariableResolutionContext(expressionFactory, objectResolver, prismContext, task), result);
+				new VariableResolutionContext(expressionFactory, objectResolver, prismContext, expressionProfile, task), result);
 		return rv;
 	}
 
-	private static void addProvidedVariables(HashMap<String, Object> resultingVariables, Map<String, Object> initialVariables, Task task) {
-		putImmutableValue(resultingVariables, ExpressionConstants.VAR_TASK.getLocalPart(), task.getTaskPrismObject().asObjectable());
+	private static void addProvidedVariables(VariablesMap resultingVariables, VariablesMap initialVariables, Task task) {
+		TypedValue<TaskType> taskValAndDef = new TypedValue<>(task.getTaskPrismObject().asObjectable(), task.getTaskPrismObject().getDefinition());
+		putImmutableValue(resultingVariables, ExpressionConstants.VAR_TASK, taskValAndDef);
 		if (initialVariables != null) {
 			initialVariables.forEach((key, value) -> putImmutableValue(resultingVariables, key, value));
 		}
 	}
 
-	private static void addDerivedVariables(HashMap<String, Object> resultingVariables,
+	private static void addDerivedVariables(VariablesMap resultingVariables,
 			ScriptingVariablesDefinitionType definitions, VariableResolutionContext ctx, OperationResult result)
 			throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		if (definitions == null) {
@@ -102,50 +109,52 @@ private static void addDerivedVariables(HashMap<String, Object> resultingVariabl
 				continue;       // todo or throw an exception?
 			}
 			String shortDesc = "scripting variable " + definition.getName();
-			Object value;
+			TypedValue valueAndDef;
 			if (definition.getExpression().getExpressionEvaluator().size() == 1 &&
 					QNameUtil.match(SchemaConstantsGenerated.C_PATH, definition.getExpression().getExpressionEvaluator().get(0).getName())) {
-				value = variableFromPathExpression(resultingVariables, definition.getExpression().getExpressionEvaluator().get(0), ctx, shortDesc, result);
+				valueAndDef = variableFromPathExpression(resultingVariables, definition.getExpression().getExpressionEvaluator().get(0), ctx, shortDesc, result);
 			} else {
-				value = variableFromOtherExpression(resultingVariables, definition, ctx, shortDesc, result);
+				valueAndDef = variableFromOtherExpression(resultingVariables, definition, ctx, shortDesc, result);
 			}
-			putImmutableValue(resultingVariables, definition.getName(), value);
+			putImmutableValue(resultingVariables, definition.getName(), valueAndDef);
 		}
 	}
 
-	private static Object variableFromPathExpression(HashMap<String, Object> resultingVariables,
+	private static TypedValue variableFromPathExpression(VariablesMap resultingVariables,
 			JAXBElement<?> expressionEvaluator, VariableResolutionContext ctx, String shortDesc, OperationResult result)
 			throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 		if (!(expressionEvaluator.getValue() instanceof ItemPathType)) {
 			throw new IllegalArgumentException("Path expression: expected ItemPathType but got " + expressionEvaluator.getValue());
 		}
 		ItemPath itemPath = ctx.prismContext.toPath((ItemPathType) expressionEvaluator.getValue());
-		return ExpressionUtil.resolvePath(itemPath, createVariables(resultingVariables), false, null, ctx.objectResolver, shortDesc, ctx.task, result);
+		return ExpressionUtil.resolvePathGetTypedValue(itemPath, createVariables(resultingVariables), false, null, ctx.objectResolver, ctx.prismContext, shortDesc, ctx.task, result);
 	}
 
-	private static ExpressionVariables createVariables(HashMap<String, Object> variableMap) {
+	private static ExpressionVariables createVariables(VariablesMap variableMap) {
 		ExpressionVariables rv = new ExpressionVariables();
-		Map<String, Object> clonedVariableMap = cloneIfNecessary(variableMap);
-		clonedVariableMap.forEach((name, value) -> rv.addVariableDefinition(new QName(SchemaConstants.NS_C, name), value));
+		VariablesMap clonedVariableMap = cloneIfNecessary(variableMap);
+		clonedVariableMap.forEach((name, value) -> rv.put(name, value));
 		return rv;
 	}
 
-	private static Object variableFromOtherExpression(HashMap<String, Object> resultingVariables,
+	private static TypedValue variableFromOtherExpression(VariablesMap resultingVariables,
 			ScriptingVariableDefinitionType definition, VariableResolutionContext ctx, String shortDesc,
 			OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ItemDefinition<?> outputDefinition = determineOutputDefinition(definition, ctx, shortDesc);
 		Expression<PrismValue, ItemDefinition<?>> expression = ctx.expressionFactory
-				.makeExpression(definition.getExpression(), outputDefinition, shortDesc, ctx.task, result);
+				.makeExpression(definition.getExpression(), outputDefinition, ctx.expressionProfile, shortDesc, ctx.task, result);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, createVariables(resultingVariables), shortDesc, ctx.task, result);
 		PrismValueDeltaSetTriple<?> triple = ModelExpressionThreadLocalHolder
 				.evaluateAnyExpressionInContext(expression, context, ctx.task, result);
 		Collection<?> resultingValues = triple.getNonNegativeValues();
+		Object value;
 		if (definition.getMaxOccurs() != null && outputDefinition.isSingleValue()           // cardinality of outputDefinition is derived solely from definition.maxOccurs (if specified)
 				|| definition.getMaxOccurs() == null || resultingValues.size() <= 1) {
-			return MiscUtil.getSingleValue(resultingValues, null, shortDesc);       // unwrapping will occur when the value is used
+			value = MiscUtil.getSingleValue(resultingValues, null, shortDesc);       // unwrapping will occur when the value is used
 		} else {
-			return unwrapPrismValues(resultingValues);
+			value = unwrapPrismValues(resultingValues);
 		}
+		return new TypedValue(value, outputDefinition);
 	}
 
 	// TODO shouldn't we unwrap collections of prism values in the same way as in ExpressionUtil.convertVariableValue ?
@@ -187,23 +196,33 @@ private static ItemDefinition<?> determineOutputDefinition(ScriptingVariableDefi
 		}
 	}
 
-	private static void putImmutableValue(HashMap<String, Object> map, String name, Object value) {
-		map.put(name, makeImmutable(value));
+	private static void putImmutableValue(VariablesMap map, String name, TypedValue valueAndDef) {
+		map.put(name, makeImmutable(valueAndDef));
 	}
 
 	@NotNull
-	public static Map<String, Object> cloneIfNecessary(@NotNull Map<String, Object> variables) {
-		HashMap<String, Object> rv = new HashMap<>();
+	public static VariablesMap cloneIfNecessary(@NotNull VariablesMap variables) {
+		VariablesMap rv = new VariablesMap();
 		variables.forEach((key, value) -> rv.put(key, cloneIfNecessary(key, value)));
 		return rv;
 	}
+	
+	@Nullable
+	public static <T> TypedValue<T> cloneIfNecessary(String name, TypedValue<T> valueAndDef) {
+		T valueClone = (T) cloneIfNecessary(name, valueAndDef.getValue());
+		if (valueClone == valueAndDef.getValue()) {
+			return valueAndDef;
+		} else {
+			return valueAndDef.createTransformed(valueClone);
+		}
+	}
 
 	@Nullable
-	public static Object cloneIfNecessary(String name, Object value) {
+	public static <T> T cloneIfNecessary(String name, T value) {
 		if (value == null) {
 			return null;
 		}
-		Object immutableOrNull = tryMakingImmutable(value);
+		T immutableOrNull = tryMakingImmutable(value);
 		if (immutableOrNull != null) {
 			return immutableOrNull;
 		} else {
@@ -216,7 +235,18 @@ public static Object cloneIfNecessary(String name, Object value) {
 		}
 	}
 
-	public static <T> T makeImmutable(T value) {
+	
+	public static <T> TypedValue<T> makeImmutable(TypedValue<T> valueAndDef) {
+		T immutableValue = (T) makeImmutableValue(valueAndDef.getValue());
+		if (immutableValue == valueAndDef.getValue()) {
+			return valueAndDef;
+		} else {
+			valueAndDef.setValue(immutableValue);
+		}
+		return valueAndDef;
+	}
+	
+	public static <T> T makeImmutableValue(T value) {
 		T rv = tryMakingImmutable(value);
 		return rv != null ? rv : value;
 	}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java
index 84fd3765b11..103eb4a8593 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,9 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -89,11 +92,12 @@ public PipelineData execute(ActionExpressionType expression, PipelineData input,
 	    boolean quiet = expressionHelper.getArgumentAsBoolean(expression.getParameter(), PARAM_QUIET, input, context, false, PARAM_QUIET, globalResult);
 
 		ItemDefinition<?> outputDefinition = getItemDefinition(outputItem);
+		ExpressionProfile expressionProfile = null; // TODO
 
 		ScriptExpression scriptExpression;
 		try {
-			scriptExpression = scriptExpressionFactory.createScriptExpression(script, outputDefinition, expressionFactory, "script", context.getTask(), globalResult);
-		} catch (ExpressionSyntaxException e) {
+			scriptExpression = scriptExpressionFactory.createScriptExpression(script, outputDefinition, expressionProfile, expressionFactory, "script", context.getTask(), globalResult);
+		} catch (ExpressionSyntaxException | SecurityViolationException e) {
 			throw new ScriptExecutionException("Couldn't parse script expression: " + e.getMessage(), e);
 		}
 
@@ -104,7 +108,8 @@ public PipelineData execute(ActionExpressionType expression, PipelineData input,
 			context.checkTaskStop();
 			Throwable exception = null;
 			try {
-				Object outObject = executeScript(scriptExpression, input, context.getInitialVariables(), context, result);
+				TypedValue<PipelineData> inputTypedValue = new TypedValue<>(input, PipelineData.class);
+				Object outObject = executeScript(scriptExpression, inputTypedValue, context.getInitialVariables(), context, result);
 				if (outObject != null) {
 					addToData(outObject, PipelineData.newOperationResult(), output);
 				} else {
@@ -139,7 +144,9 @@ public PipelineData execute(ActionExpressionType expression, PipelineData input,
 				}
 				Throwable exception = null;
 				try {
-					Object outObject = executeScript(scriptExpression, value, item.getVariables(), context, result);
+					// Hack. TODO: we need to add definitions to Pipeline items.
+					TypedValue typedValue = new TypedValue(value, value == null ? Object.class : value.getClass());
+					Object outObject = executeScript(scriptExpression, typedValue, item.getVariables(), context, result);
 					if (outObject != null) {
 						addToData(outObject, item.getResult(), output);
 					} else {
@@ -205,14 +212,14 @@ private ItemDefinition<?> getItemDefinition(String itemUri) throws ScriptExecuti
 		throw new ScriptExecutionException("Supplied item identification " + itemUri + " corresponds neither to item name nor type name");
 	}
 
-	private Object executeScript(ScriptExpression scriptExpression, Object input,
-			Map<String, Object> externalVariables, ExecutionContext context, OperationResult result)
+	private <I> Object executeScript(ScriptExpression scriptExpression, TypedValue<I> inputTypedValue,
+			VariablesMap externalVariables, ExecutionContext context, OperationResult result)
 			throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, input);
-		variables.addVariableDefinition(ExpressionConstants.VAR_PRISM_CONTEXT, prismContext);
-		ExpressionUtil.addActorVariable(variables, securityContextManager);
-		externalVariables.forEach((k, v) -> variables.addVariableDefinition(new QName(NS_C, k), cloneIfNecessary(k, v)));
+		variables.put(ExpressionConstants.VAR_INPUT, inputTypedValue);
+		variables.put(ExpressionConstants.VAR_PRISM_CONTEXT, prismContext, PrismContext.class);
+		ExpressionUtil.addActorVariable(variables, securityContextManager, prismContext);
+		externalVariables.forEach((k, v) -> variables.put(k, cloneIfNecessary(k, v)));
 
 		List<?> rv = ModelImplUtils.evaluateScript(scriptExpression, null, variables, true, "in '"+NAME+"' action", context.getTask(), result);
 
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/expressions/SearchEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/expressions/SearchEvaluator.java
index b22d088634e..886bd543eed 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/expressions/SearchEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/expressions/SearchEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,7 +32,9 @@
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
@@ -72,6 +74,8 @@ public <T extends ObjectType> PipelineData evaluate(SearchExpressionType searchE
 			ExecutionContext context, OperationResult globalResult)
 		    throws ScriptExecutionException {
         Validate.notNull(searchExpression.getType());
+        
+        ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
 
 	    List<PipelineItem> data = input.getData();
 	    if (data.isEmpty()) {
@@ -112,10 +116,10 @@ public <T extends ObjectType> PipelineData evaluate(SearchExpressionType searchE
 		    ObjectQuery objectQuery;
 		    if (unresolvedObjectQuery != null) {
 			    ExpressionVariables variables = new ExpressionVariables();
-			    item.getVariables().forEach((name, value) -> variables.addVariableDefinition(new QName(name), cloneIfNecessary(name, value)));
+			    item.getVariables().forEach((name, value) -> variables.put(name, cloneIfNecessary(name, value)));
 			    try {
-				    objectQuery = ExpressionUtil
-						    .evaluateQueryExpressions(unresolvedObjectQuery, variables, expressionFactory, prismContext,
+					objectQuery = ExpressionUtil
+						    .evaluateQueryExpressions(unresolvedObjectQuery, variables, expressionProfile, expressionFactory, prismContext,
 								    "bulk action query", context.getTask(), globalResult);
 			    } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException | SecurityViolationException e) {
 				    // TODO continue on any error?
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileCompiler.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileCompiler.java
index c3158118040..50d64cb60f9 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileCompiler.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileCompiler.java
@@ -19,46 +19,31 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 
 import javax.xml.namespace.QName;
 
-import com.evolveum.midpoint.prism.query.RefFilter;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 
-import com.evolveum.midpoint.common.ActivationComputer;
-import com.evolveum.midpoint.common.Clock;
 import com.evolveum.midpoint.model.api.authentication.CompiledObjectCollectionView;
 import com.evolveum.midpoint.model.api.authentication.CompiledUserProfile;
 import com.evolveum.midpoint.model.api.authentication.MidPointUserProfilePrincipal;
 import com.evolveum.midpoint.model.api.context.EvaluatedAssignment;
 import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
 import com.evolveum.midpoint.model.api.util.DeputyUtils;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
 import com.evolveum.midpoint.model.impl.controller.CollectionProcessor;
 import com.evolveum.midpoint.model.impl.lens.AssignmentCollector;
-import com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator;
-import com.evolveum.midpoint.model.impl.lens.LensContext;
-import com.evolveum.midpoint.model.impl.lens.LensContextPlaceholder;
-import com.evolveum.midpoint.model.impl.lens.LensUtil;
-import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator;
-import com.evolveum.midpoint.prism.PrismContainerDefinition;
-import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.delta.PlusMinusZero;
 import com.evolveum.midpoint.prism.query.ObjectFilter;
-import com.evolveum.midpoint.prism.util.ItemDeltaItem;
-import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
+import com.evolveum.midpoint.prism.query.RefFilter;
 import com.evolveum.midpoint.repo.api.RepositoryService;
-import com.evolveum.midpoint.repo.cache.RepositoryCache;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.schema.RelationRegistry;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
@@ -69,14 +54,12 @@
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.AuthorizationTransformer;
 import com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations;
-import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
-import com.evolveum.midpoint.util.exception.PolicyViolationException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.Trace;
@@ -87,9 +70,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionRefSpecificationType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionSpecificationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DashboardWidgetType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DisplayType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DistinctSearchOptionType;
@@ -104,7 +85,6 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectCollectionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectFormType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectFormsType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OtherPrivilegesLimitationType;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
index 78c72d94096..be757343f60 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
@@ -39,15 +39,13 @@
 
 import com.evolveum.midpoint.model.api.authentication.MidPointUserProfilePrincipal;
 import com.evolveum.midpoint.model.api.authentication.UserProfileService;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.impl.UserComputer;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
-import com.evolveum.midpoint.prism.util.ItemDeltaItem;
-import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.schema.SearchResultList;
@@ -56,7 +54,6 @@
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.security.api.AuthorizationTransformer;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
-import com.evolveum.midpoint.security.api.MidPointPrincipalManager;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -174,7 +171,7 @@ private LifecycleStateModelType getLifecycleModel(PrismObject<UserType> user, Pr
     		return null;
     	}
 		try {
-			return ModelUtils.determineLifecycleModel(user, systemConfiguration.asObjectable());
+			return ArchetypeManager.determineLifecycleModel(user, systemConfiguration.asObjectable());
 		} catch (ConfigurationException e) {
 			throw new SystemException(e.getMessage(), e);
 		}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/CorrelationConfirmationEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/CorrelationConfirmationEvaluator.java
index 224393156d6..dded1fca8ed 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/CorrelationConfirmationEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/CorrelationConfirmationEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.schema.RelationRegistry;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import org.apache.commons.lang.Validate;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -40,6 +41,7 @@
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -70,21 +72,11 @@ public class CorrelationConfirmationEvaluator {
 
 	private static transient Trace LOGGER = TraceManager.getTrace(CorrelationConfirmationEvaluator.class);
 
-	@Autowired(required = true)
-	@Qualifier("cacheRepositoryService")
-	private RepositoryService repositoryService;
-
-	@Autowired(required = true)
-	private PrismContext prismContext;
-	
-	@Autowired
-	private RelationRegistry relationRegistry;
-
-	@Autowired(required = true)
-	private ExpressionFactory expressionFactory;
-
-	@Autowired(required = true)
-	private MatchingRuleRegistry matchingRuleRegistry;
+	@Autowired @Qualifier("cacheRepositoryService") private RepositoryService repositoryService;
+	@Autowired private PrismContext prismContext;
+	@Autowired private RelationRegistry relationRegistry;
+	@Autowired private ExpressionFactory expressionFactory;
+	@Autowired private MatchingRuleRegistry matchingRuleRegistry;
 	
 	public <F extends FocusType> List<PrismObject<F>> findFocusesByCorrelationRule(Class<F> focusType, ShadowType currentShadow,
 			List<ConditionalSearchFilterType> conditionalFilters, ResourceType resourceType, SystemConfigurationType configurationType, Task task, OperationResult result)
@@ -95,15 +87,18 @@ public <F extends FocusType> List<PrismObject<F>> findFocusesByCorrelationRule(C
 					+ "returning empty list of users.", resourceType);
 			return null;
 		}
+		
+		// TODO: determine from the resource
+		ExpressionProfile expressionProfile = MiscSchemaUtil.getExpressionProfile();
 
 		List<PrismObject<F>> users = null;
 		for (ConditionalSearchFilterType conditionalFilter : conditionalFilters) {
 			// TODO: better description
-			if (satisfyCondition(currentShadow, conditionalFilter, resourceType, configurationType, "Condition expression", task,
+			if (satisfyCondition(currentShadow, conditionalFilter, expressionProfile, resourceType, configurationType, "Condition expression", task,
 					result)) {
 				LOGGER.trace("Condition {} in correlation expression evaluated to true", conditionalFilter.getCondition());
 				List<PrismObject<F>> foundUsers = findFocusesByCorrelationRule(focusType, currentShadow, conditionalFilter,
-						resourceType, configurationType, task, result);
+						expressionProfile, resourceType, configurationType, task, result);
 				if (foundUsers == null && users == null) {
 					continue;
 				}
@@ -141,7 +136,7 @@ public <F extends FocusType> List<PrismObject<F>> findFocusesByCorrelationRule(C
 	}
 	
 	private boolean satisfyCondition(ShadowType currentShadow, ConditionalSearchFilterType conditionalFilter,
-			ResourceType resourceType, SystemConfigurationType configurationType, String shortDesc, Task task,
+			ExpressionProfile expressionProfile, ResourceType resourceType, SystemConfigurationType configurationType, String shortDesc, Task task,
 			OperationResult parentResult) throws SchemaException,
 			ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		
@@ -150,11 +145,11 @@ private boolean satisfyCondition(ShadowType currentShadow, ConditionalSearchFilt
 		}
 		
 		ExpressionType condition = conditionalFilter.getCondition();
-		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null,currentShadow, resourceType, configurationType);
+		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null,currentShadow, resourceType, configurationType, prismContext);
 		ItemDefinition outputDefinition = prismContext.definitionFactory().createPropertyDefinition(
 				ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_BOOLEAN);
 		PrismPropertyValue<Boolean> satisfy = (PrismPropertyValue) ExpressionUtil.evaluateExpression(variables,
-				outputDefinition, condition, expressionFactory, shortDesc, task, parentResult);
+				outputDefinition, condition, expressionProfile, expressionFactory, shortDesc, task, parentResult);
 		if (satisfy.getValue() == null) {
 			return false;
 		}
@@ -173,7 +168,7 @@ private <F extends FocusType> boolean contains(List<PrismObject<F>> users, Prism
 	
 	
 	private <F extends FocusType> List<PrismObject<F>> findFocusesByCorrelationRule(Class<F> focusType,
-			ShadowType currentShadow, ConditionalSearchFilterType conditionalFilter, ResourceType resourceType, SystemConfigurationType configurationType,
+			ShadowType currentShadow, ConditionalSearchFilterType conditionalFilter, ExpressionProfile expressionProfile, ResourceType resourceType, SystemConfigurationType configurationType,
 			Task task, OperationResult result)
 			throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException{
 		if (!conditionalFilter.containsFilterClause()) {
@@ -185,7 +180,7 @@ private <F extends FocusType> List<PrismObject<F>> findFocusesByCorrelationRule(
 		ObjectQuery q;
 		try {
 			q = prismContext.getQueryConverter().createObjectQuery(focusType, conditionalFilter);
-			q = updateFilterWithAccountValues(currentShadow, resourceType, configurationType, q, "Correlation expression", task, result);
+			q = updateFilterWithAccountValues(currentShadow, resourceType, configurationType, q, expressionProfile, "Correlation expression", task, result);
 			if (q == null) {
 				// Null is OK here, it means that the value in the filter
 				// evaluated
@@ -235,7 +230,7 @@ private <F extends FocusType> List<PrismObject<F>> findFocusesByCorrelationRule(
 
 
 	private <F extends FocusType> boolean matchUserCorrelationRule(Class<F> focusType, PrismObject<ShadowType> currentShadow,
-			PrismObject<F> userType, ResourceType resourceType, SystemConfigurationType configurationType,
+			ExpressionProfile expressionProfile, PrismObject<F> userType, ResourceType resourceType, SystemConfigurationType configurationType,
 			ConditionalSearchFilterType conditionalFilter, Task task, OperationResult result) throws SchemaException {
 		if (conditionalFilter == null) {
 			LOGGER.warn("Correlation rule for resource '{}' doesn't contain query, "
@@ -254,7 +249,7 @@ private <F extends FocusType> boolean matchUserCorrelationRule(Class<F> focusTyp
 		ObjectQuery q;
 		try {
 			q = prismContext.getQueryConverter().createObjectQuery(focusType, conditionalFilter);
-			q = updateFilterWithAccountValues(currentShadow.asObjectable(), resourceType, configurationType, q, "Correlation expression", task, result);
+			q = updateFilterWithAccountValues(currentShadow.asObjectable(), resourceType, configurationType, q, expressionProfile, "Correlation expression", task, result);
 			if (LOGGER.isDebugEnabled()) {
 				LOGGER.debug("Start matching user {} with correlation expression {}", userType, q != null ? q.debugDump() : "(null)");
 			}
@@ -293,7 +288,7 @@ public <F extends FocusType> boolean matchFocusByCorrelationRule(Synchronization
 			for (ConditionalSearchFilterType conditionalFilter : conditionalFilters) {
 			
 				//TODO: can we expect that systemConfig and resource are always present?
-				if (matchUserCorrelationRule(syncCtx.getFocusClass(), syncCtx.getApplicableShadow(), focus, syncCtx.getResource().asObjectable(), 
+				if (matchUserCorrelationRule(syncCtx.getFocusClass(), syncCtx.getApplicableShadow(), syncCtx.getExpressionProfile(), focus, syncCtx.getResource().asObjectable(), 
 						syncCtx.getSystemConfiguration().asObjectable(), conditionalFilter, syncCtx.getTask(), syncCtx.getResult())) {
 					LOGGER.debug("SYNCHRONIZATION: CORRELATION: expression for {} match user: {}", syncCtx.getApplicableShadow(), focus);
 					return true;
@@ -350,20 +345,20 @@ public <F extends FocusType> List<PrismObject<F>> findUserByConfirmationRule(Cla
 	}
 
 	private ObjectQuery updateFilterWithAccountValues(ShadowType currentShadow, ResourceType resource, SystemConfigurationType configuration,
-			ObjectQuery origQuery, String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
+			ObjectQuery origQuery, ExpressionProfile expressionProfile, String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		
 		if (origQuery.getFilter() == null) {
 			LOGGER.trace("No filter provided, skipping updating filter");
 			return origQuery;
 		}
 		
-		return evaluateQueryExpressions(origQuery, currentShadow, resource, configuration, shortDesc, task, result);
+		return evaluateQueryExpressions(origQuery, expressionProfile, currentShadow, resource, configuration, shortDesc, task, result);
 	}
 
-	private ObjectQuery evaluateQueryExpressions(ObjectQuery query, ShadowType currentShadow, ResourceType resource, SystemConfigurationType configuration,
+	private ObjectQuery evaluateQueryExpressions(ObjectQuery query, ExpressionProfile expressionProfile, ShadowType currentShadow, ResourceType resource, SystemConfigurationType configuration,
 			String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
-		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null, currentShadow, resource, configuration);
-		return ExpressionUtil.evaluateQueryExpressions(query, variables, expressionFactory, prismContext, shortDesc, task, result);
+		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null, currentShadow, resource, configuration, prismContext);
+		return ExpressionUtil.evaluateQueryExpressions(query, variables, expressionProfile, expressionFactory, prismContext, shortDesc, task, result);
 	}
 	
 	public <F extends FocusType> boolean evaluateConfirmationExpression(Class<F> focusType, F user, ShadowType shadow, ResourceType resource,
@@ -374,13 +369,13 @@ public <F extends FocusType> boolean evaluateConfirmationExpression(Class<F> foc
 		Validate.notNull(expressionType, "Expression must not be null.");
 		Validate.notNull(result, "Operation result must not be null.");
 
-		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(user, shadow, resource, configuration);
+		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(user, shadow, resource, configuration, prismContext);
 		String shortDesc = "confirmation expression for "+resource.asPrismObject();
 		
 		PrismPropertyDefinition<Boolean> outputDefinition = prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.OUTPUT_ELEMENT_NAME,
 				DOMUtil.XSD_BOOLEAN);
 		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType, 
-				outputDefinition, shortDesc, task, result);
+				outputDefinition, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, variables, shortDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> outputTriple = ModelExpressionThreadLocalHolder
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationContext.java
index dbc98abb425..4d949b038bb 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,14 +26,17 @@
 import com.evolveum.midpoint.common.SynchronizationUtils;
 import com.evolveum.midpoint.common.refinery.RefinedResourceSchema;
 import com.evolveum.midpoint.common.refinery.RefinedResourceSchemaImpl;
+import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismProperty;
 import com.evolveum.midpoint.prism.util.PrismMonitor;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.processor.ObjectClassComplexTypeDefinition;
 import com.evolveum.midpoint.schema.processor.ResourceSchema;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
@@ -62,6 +65,7 @@ public class SynchronizationContext<F extends FocusType> {
 	private PrismObject<ResourceType> resource;
 	private PrismObject<SystemConfigurationType> systemConfiguration;
 	private String chanel;
+	private ExpressionProfile expressionProfile;
 	
 	private Task task;
 	private OperationResult result;
@@ -80,14 +84,18 @@ public class SynchronizationContext<F extends FocusType> {
 	
 	private boolean shadowExistsInRepo = true;
 	private boolean forceIntentChange;
+
+	private PrismContext prismContext;
 	
-	public SynchronizationContext(PrismObject<ShadowType> applicableShadow, PrismObject<ShadowType> currentShadow, PrismObject<ResourceType> resource, String chanel, Task task, OperationResult result) {
+	public SynchronizationContext(PrismObject<ShadowType> applicableShadow, PrismObject<ShadowType> currentShadow, PrismObject<ResourceType> resource, String chanel, PrismContext prismContext, Task task, OperationResult result) {
 		this.applicableShadow = applicableShadow;
 		this.currentShadow = currentShadow;
 		this.resource = resource;
 		this.chanel = chanel;
 		this.task = task;
 		this.result = result;
+		this.prismContext = prismContext;
+		this.expressionProfile = MiscSchemaUtil.getExpressionProfile();
 	}
 	
 	public boolean isSynchronizationEnabled() {
@@ -301,6 +309,10 @@ public F getCurrentOwner() {
 	public F getCorrelatedOwner() {
 		return correlatedOwner;
 	}
+	
+	public PrismContext getPrismContext() {
+		return prismContext;
+	}
 
 	public SynchronizationSituationType getSituation() {
 		return situation;
@@ -353,6 +365,14 @@ public void setChanel(String chanel) {
 //		return reaction;
 //	}
 	
+	public ExpressionProfile getExpressionProfile() {
+		return expressionProfile;
+	}
+
+	public void setExpressionProfile(ExpressionProfile expressionProfile) {
+		this.expressionProfile = expressionProfile;
+	}
+
 	public void setReaction(SynchronizationReactionType reaction) {
 		this.reaction = reaction;
 	}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java
index 5ebfcccd394..a63249729d4 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java
@@ -1,6 +1,6 @@
 /*
 
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -201,7 +201,7 @@ public <F extends FocusType> SynchronizationContext<F> loadSynchronizationContex
 			Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 
-		SynchronizationContext<F> syncCtx = new SynchronizationContext<>(applicableShadow, currentShadow, resource, sourceChanel, task, result);
+		SynchronizationContext<F> syncCtx = new SynchronizationContext<>(applicableShadow, currentShadow, resource, sourceChanel, prismContext, task, result);
 		syncCtx.setSystemConfiguration(configuration);
 		
 		SynchronizationType synchronization = resource.asObjectable().getSynchronization();
@@ -267,15 +267,15 @@ private <F extends FocusType> ObjectSynchronizationDiscriminatorType evaluateSyn
 		ExpressionType classificationExpression = synchronizationSorterType.getExpression();
 		String desc = "synchronization divider type ";
 		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null, syncCtx.getApplicableShadow(), null,
-				syncCtx.getResource(), syncCtx.getSystemConfiguration(), null);
-		variables.addVariableDefinition(ExpressionConstants.VAR_CHANNEL, syncCtx.getChanel());
+				syncCtx.getResource(), syncCtx.getSystemConfiguration(), null, syncCtx.getPrismContext());
+		variables.put(ExpressionConstants.VAR_CHANNEL, syncCtx.getChanel(), String.class);
 		try {
 			ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(task, result));
 			//noinspection unchecked
 			PrismPropertyDefinition<ObjectSynchronizationDiscriminatorType> discriminatorDef = prismContext.getSchemaRegistry()
 					.findPropertyDefinitionByElementName(new QName(SchemaConstants.NS_C, "objectSynchronizationDiscriminator"));
 			PrismPropertyValue<ObjectSynchronizationDiscriminatorType> evaluateDiscriminator = ExpressionUtil.evaluateExpression(variables, discriminatorDef, 
-					classificationExpression, expressionFactory, desc, task, result);
+					classificationExpression, syncCtx.getExpressionProfile(), expressionFactory, desc, task, result);
 			if (evaluateDiscriminator == null) {
 				return null;
 			}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceUtils.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceUtils.java
index 995eb809487..530b2493381 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceUtils.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceUtils.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.midpoint.model.impl.sync;
 
 import java.util.List;
@@ -95,11 +110,11 @@ private static <F extends FocusType> Boolean evaluateSynchronizationPolicyCondit
 		ExpressionType conditionExpressionType = synchronizationPolicy.getCondition();
 		String desc = "condition in object synchronization " + synchronizationPolicy.getName();
 		ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null, syncCtx.getApplicableShadow(), null,
-				syncCtx.getResource(), syncCtx.getSystemConfiguration(), null);
+				syncCtx.getResource(), syncCtx.getSystemConfiguration(), null, syncCtx.getPrismContext());
 		try {
 			ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(syncCtx.getTask(), syncCtx.getResult()));
 			PrismPropertyValue<Boolean> evaluateCondition = ExpressionUtil.evaluateCondition(variables,
-					conditionExpressionType, expressionFactory, desc, syncCtx.getTask(), syncCtx.getResult());
+					conditionExpressionType, syncCtx.getExpressionProfile(), expressionFactory, desc, syncCtx.getTask(), syncCtx.getResult());
 			return evaluateCondition.getValue();
 		} finally {
 			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/AbstractSearchIterativeModelTaskHandler.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/AbstractSearchIterativeModelTaskHandler.java
index 4459d2ef4bb..6717c407fbe 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/AbstractSearchIterativeModelTaskHandler.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/AbstractSearchIterativeModelTaskHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
@@ -84,11 +85,11 @@ protected ObjectQuery preProcessQuery(ObjectQuery query, Task coordinatorTask, O
 		if (ExpressionUtil.hasExpressions(query.getFilter())) {
 			PrismObject<SystemConfigurationType> configuration = systemObjectCache.getSystemConfiguration(opResult);
 			ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(null, null, null,
-					configuration != null ? configuration.asObjectable() : null);
+					configuration != null ? configuration.asObjectable() : null, prismContext);
 			try {
 				ExpressionEnvironment<?> env = new ExpressionEnvironment<>(coordinatorTask, opResult);
 				ModelExpressionThreadLocalHolder.pushExpressionEnvironment(env);
-				query = ExpressionUtil.evaluateQueryExpressions(query, variables, expressionFactory,
+				query = ExpressionUtil.evaluateQueryExpressions(query, variables, getExpressionProfile(), expressionFactory,
 						prismContext, "evaluate query expressions", coordinatorTask, opResult);
 			} finally {
 				ModelExpressionThreadLocalHolder.popExpressionEnvironment();
@@ -97,7 +98,7 @@ protected ObjectQuery preProcessQuery(ObjectQuery query, Task coordinatorTask, O
 		
 		return query;
 	}
-	
+
 	@Override
 	protected <O extends ObjectType> Integer countObjects(Class<O> type, ObjectQuery query, Collection<SelectorOptions<GetOperationOptions>> queryOptions, Task coordinatorTask, OperationResult opResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 		return modelObjectResolver.countObjects(type, query, queryOptions, coordinatorTask, opResult);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/DataModelUtil.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/DataModelUtil.java
index 218d6246baf..7e171dd3bc3 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/DataModelUtil.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/DataModelUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -75,9 +75,9 @@ public ItemDefinition<?> getDefinition() {
 
 	public static class PathResolutionContext {
 		@NotNull PrismContext prismContext;
-		QName defaultVariable;
+		String defaultVariable;
 
-		public PathResolutionContext(@NotNull PrismContext prismContext, QName defaultVariable) {
+		public PathResolutionContext(@NotNull PrismContext prismContext, String defaultVariable) {
 			this.prismContext = prismContext;
 			this.defaultVariable = defaultVariable;
 		}
@@ -88,7 +88,7 @@ public static class ResourceResolutionContext extends PathResolutionContext {
 		@NotNull ShadowKindType kind;
 		@NotNull String intent;
 
-		public ResourceResolutionContext(@NotNull PrismContext prismContext, QName defaultVariable, @NotNull ResourceType resource,
+		public ResourceResolutionContext(@NotNull PrismContext prismContext, String defaultVariable, @NotNull ResourceType resource,
 				@NotNull ShadowKindType kind, @NotNull String intent) {
 			super(prismContext, defaultVariable);
 			this.resource = resource;
@@ -104,11 +104,11 @@ public static PathResolutionResult resolvePath(@NotNull ItemPath path, @NotNull
 			return new PathResolutionResult(new Issue(Issue.Severity.WARNING, CAT_ITEM_PATH, C_DOES_NOT_START_WITH_NAME,
 							"Path does not start with a name nor variable: '" + path + "'", null, null));
 		}
-		QName varName;
+		String varName;
 		ItemPath itemPath;
 		Object first = path.first();
 		if (ItemPath.isVariable(first)) {
-			varName = ItemPath.toVariableName(first);
+			varName = ItemPath.toVariableName(first).getLocalPart();
 			itemPath = path.rest();
 		} else {
 			if (context.defaultVariable == null) {
@@ -119,7 +119,7 @@ public static PathResolutionResult resolvePath(@NotNull ItemPath path, @NotNull
 			itemPath = path;
 		}
 
-		if (QNameUtil.match(ExpressionConstants.VAR_ACCOUNT, varName)) {
+		if (ExpressionConstants.VAR_ACCOUNT.equals(varName)) {
 			if (!(context instanceof ResourceResolutionContext)) {
 				return new PathResolutionResult(new Issue(Issue.Severity.WARNING, CAT_ITEM_PATH, C_ILLEGAL_USE_OF_ACCOUNT_VARIABLE,
 						"Illegal use of 'account' variable: '" + path + "'", null, null));
@@ -127,7 +127,7 @@ public static PathResolutionResult resolvePath(@NotNull ItemPath path, @NotNull
 				// TODO implement checking of $account-based paths
 				return null;
 			}
-		} else if (QNameUtil.match(ExpressionConstants.VAR_USER, varName) || QNameUtil.match(ExpressionConstants.VAR_FOCUS, varName)) {
+		} else if (ExpressionConstants.VAR_USER.equals(varName) || ExpressionConstants.VAR_FOCUS.equals(varName)) {
 			Class<? extends FocusType> clazz = FocusType.class;
 			if (context instanceof ResourceResolutionContext) {
 				ResourceResolutionContext rctx = (ResourceResolutionContext) context;
@@ -143,9 +143,9 @@ public static PathResolutionResult resolvePath(@NotNull ItemPath path, @NotNull
 				}
 			}
 			return resolvePathForType(clazz, itemPath, context);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_ACTOR, varName)) {
+		} else if (ExpressionConstants.VAR_ACTOR.equals(varName)) {
 			return resolvePathForType(UserType.class, itemPath, context);
-		} else if (QNameUtil.match(ExpressionConstants.VAR_INPUT, varName)) {
+		} else if (ExpressionConstants.VAR_INPUT.equals(varName)) {
 			return null;
 		} else {
 			return null;		// TODO list all possible variables here and issue a warning if no one matches
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/ModelImplUtils.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/ModelImplUtils.java
index 12205dff239..1f857045182 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/ModelImplUtils.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/ModelImplUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.model.api.ModelPublicConstants;
+import com.evolveum.midpoint.model.api.context.AssignmentPath;
 import com.evolveum.midpoint.model.common.expression.script.ScriptExpression;
 import com.evolveum.midpoint.model.impl.ModelConstants;
 import com.evolveum.midpoint.model.impl.expr.ExpressionEnvironment;
@@ -672,26 +673,27 @@ public static ModelExecuteOptions getModelExecuteOptions(Task task) throws Schem
 	public static ExpressionVariables getDefaultExpressionVariables(@NotNull LensContext<?> context, @Nullable LensProjectionContext projCtx) throws SchemaException {
 		ExpressionVariables variables = new ExpressionVariables();
 		if (context.getFocusContext() != null) {
-			variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, context.getFocusContext().getObjectDeltaObject());
-			variables.addVariableDefinition(ExpressionConstants.VAR_USER, context.getFocusContext().getObjectDeltaObject());
+			variables.put(ExpressionConstants.VAR_FOCUS, context.getFocusContext().getObjectDeltaObject(), context.getFocusContext().getObjectDeltaObject().getDefinition());
+			variables.put(ExpressionConstants.VAR_USER, context.getFocusContext().getObjectDeltaObject(), context.getFocusContext().getObjectDeltaObject().getDefinition());
 		}
 		if (projCtx != null) {
-			variables.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, projCtx.getObjectDeltaObject());
-			variables.addVariableDefinition(ExpressionConstants.VAR_SHADOW, projCtx.getObjectDeltaObject());
-			variables.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, projCtx.getObjectDeltaObject());
-			variables.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, projCtx.getResource());
+			variables.put(ExpressionConstants.VAR_PROJECTION, projCtx.getObjectDeltaObject(), projCtx.getObjectDefinition());
+			variables.put(ExpressionConstants.VAR_SHADOW, projCtx.getObjectDeltaObject(), projCtx.getObjectDefinition());
+			variables.put(ExpressionConstants.VAR_ACCOUNT, projCtx.getObjectDeltaObject(), projCtx.getObjectDefinition());
+			variables.put(ExpressionConstants.VAR_RESOURCE, projCtx.getResource(), projCtx.getResource().asPrismObject().getDefinition());
 		}
 	
-		variables.addVariableDefinition(ExpressionConstants.VAR_OPERATION, projCtx.getOperation().getValue());
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION, LensUtil.getIterationVariableValue(projCtx));
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN, LensUtil.getIterationTokenVariableValue(projCtx));
+		variables.put(ExpressionConstants.VAR_OPERATION, projCtx.getOperation().getValue(), String.class);
+		variables.put(ExpressionConstants.VAR_ITERATION, LensUtil.getIterationVariableValue(projCtx), Integer.class);
+		variables.put(ExpressionConstants.VAR_ITERATION_TOKEN, LensUtil.getIterationTokenVariableValue(projCtx), String.class);
 	
-		variables.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, context.getSystemConfiguration());
+		variables.put(ExpressionConstants.VAR_CONFIGURATION, context.getSystemConfiguration(), context.getSystemConfiguration().getDefinition());
 		return variables;
 	}
 
 	public static ExpressionVariables getDefaultExpressionVariables(ObjectType focusType,
-			ShadowType shadowType, ResourceType resourceType, SystemConfigurationType configurationType) {
+			ShadowType shadowType, ResourceType resourceType, SystemConfigurationType configurationType,
+			PrismContext prismContext) {
 		PrismObject<? extends ObjectType> focus = null;
 		if (focusType != null) {
 			focus = focusType.asPrismObject();
@@ -708,53 +710,85 @@ public static ExpressionVariables getDefaultExpressionVariables(ObjectType focus
 		if (configurationType != null) {
 			configuration = configurationType.asPrismObject();
 		}
-		return getDefaultExpressionVariables(focus, shadow, null, resource, configuration, null);
+		return getDefaultExpressionVariables(focus, shadow, null, resource, configuration, null, prismContext);
 	}
 
 	public static <O extends ObjectType> ExpressionVariables getDefaultExpressionVariables(PrismObject<? extends ObjectType> focus,
 			PrismObject<? extends ShadowType> shadow, ResourceShadowDiscriminator discr,
-			PrismObject<ResourceType> resource, PrismObject<SystemConfigurationType> configuration, LensElementContext<O> affectedElementContext) {
+			PrismObject<ResourceType> resource, PrismObject<SystemConfigurationType> configuration, LensElementContext<O> affectedElementContext,
+			PrismContext prismContext) {
 		ExpressionVariables variables = new ExpressionVariables();
-		addDefaultExpressionVariables(variables, focus, shadow, discr, resource, configuration, affectedElementContext);
+		addDefaultExpressionVariables(variables, focus, shadow, discr, resource, configuration, affectedElementContext, prismContext);
 		return variables;
 	}
 
 	public static <O extends ObjectType> void addDefaultExpressionVariables(ExpressionVariables variables, PrismObject<? extends ObjectType> focus,
 			PrismObject<? extends ShadowType> shadow, ResourceShadowDiscriminator discr,
-			PrismObject<ResourceType> resource, PrismObject<SystemConfigurationType> configuration, LensElementContext<O> affectedElementContext) {
+			PrismObject<ResourceType> resource, PrismObject<SystemConfigurationType> configuration, LensElementContext<O> affectedElementContext,
+			PrismContext prismContext) {
 	
+		PrismObjectDefinition<? extends ObjectType> focusDef;
+		if (focus == null) {
+			focusDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(FocusType.class);
+		} else {
+			focusDef = focus.getDefinition();
+		}
+		
+		PrismObjectDefinition<? extends ShadowType> shadowDef;
+		if (shadow == null) {
+			shadowDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class);
+		} else {
+			shadowDef = shadow.getDefinition();
+		}
+		
+		PrismObjectDefinition<ResourceType> resourceDef;
+		if (resource == null) {
+			resourceDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ResourceType.class);
+		} else {
+			resourceDef = resource.getDefinition();
+		}
+		
+		PrismObjectDefinition<SystemConfigurationType> configDef;
+		if (configuration == null) {
+			configDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(SystemConfigurationType.class);
+		} else {
+			configDef = configuration.getDefinition();
+		}
+		
 	    // Legacy. And convenience/understandability.
 	    if (focus == null || focus.canRepresent(UserType.class) || (discr != null && discr.getKind() == ShadowKindType.ACCOUNT)) {
-		    variables.addVariableDefinition(ExpressionConstants.VAR_USER, focus);
-	        variables.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, shadow);
+		    variables.put(ExpressionConstants.VAR_USER, focus, focusDef);
+	        variables.put(ExpressionConstants.VAR_ACCOUNT, shadow, shadowDef);
 	    }
 	
-	    variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focus);
-		variables.addVariableDefinition(ExpressionConstants.VAR_SHADOW, shadow);
-		variables.addVariableDefinition(ExpressionConstants.VAR_PROJECTION, shadow);
-		variables.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource);
-		variables.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, configuration);
+	    variables.put(ExpressionConstants.VAR_FOCUS, focus, focusDef);
+		variables.put(ExpressionConstants.VAR_SHADOW, shadow, shadowDef);
+		variables.put(ExpressionConstants.VAR_PROJECTION, shadow, shadowDef);
+		variables.put(ExpressionConstants.VAR_RESOURCE, resource, resourceDef);
+		variables.put(ExpressionConstants.VAR_CONFIGURATION, configuration, configDef);
 	
 		if (affectedElementContext != null) {
-			variables.addVariableDefinition(ExpressionConstants.VAR_OPERATION, affectedElementContext.getOperation().getValue());
+			variables.put(ExpressionConstants.VAR_OPERATION, affectedElementContext.getOperation().getValue(), String.class);
 			// We do not want to add delta to all expressions. The delta may be tricky. Is it focus delta? projection delta? Primary? Secondary?
 			// It is better to leave delta to be accessed from the model context. And in cases when it is clear which delta is meant
 			// (e.g. provisioning scripts) we can still add the delta explicitly.
 		}
 	}
 
-	public static void addAssignmentPathVariables(AssignmentPathVariables assignmentPathVariables, ExpressionVariables expressionVariables) {
+	public static void addAssignmentPathVariables(AssignmentPathVariables assignmentPathVariables, ExpressionVariables expressionVariables, PrismContext prismContext) {
 		if (assignmentPathVariables != null) {
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, assignmentPathVariables.getMagicAssignment());
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT_PATH, assignmentPathVariables.getAssignmentPath());
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_IMMEDIATE_ASSIGNMENT, assignmentPathVariables.getImmediateAssignment());
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_THIS_ASSIGNMENT, assignmentPathVariables.getThisAssignment());
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_FOCUS_ASSIGNMENT, assignmentPathVariables.getFocusAssignment());
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_IMMEDIATE_ROLE, assignmentPathVariables.getImmediateRole());
+			PrismContainerDefinition<AssignmentType> assignmentDef = assignmentPathVariables.getAssignmentDefinition();
+			expressionVariables.put(ExpressionConstants.VAR_ASSIGNMENT, assignmentPathVariables.getMagicAssignment(), assignmentDef);
+			expressionVariables.put(ExpressionConstants.VAR_ASSIGNMENT_PATH, assignmentPathVariables.getAssignmentPath(), AssignmentPath.class);
+			expressionVariables.put(ExpressionConstants.VAR_IMMEDIATE_ASSIGNMENT, assignmentPathVariables.getImmediateAssignment(), assignmentDef);
+			expressionVariables.put(ExpressionConstants.VAR_THIS_ASSIGNMENT, assignmentPathVariables.getThisAssignment(), assignmentDef);
+			expressionVariables.put(ExpressionConstants.VAR_FOCUS_ASSIGNMENT, assignmentPathVariables.getFocusAssignment(), assignmentDef);
+			PrismObjectDefinition<AbstractRoleType> abstractRoleDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(AbstractRoleType.class);
+			expressionVariables.put(ExpressionConstants.VAR_IMMEDIATE_ROLE, (PrismObject) assignmentPathVariables.getImmediateRole(), abstractRoleDefinition);
 		} else {
 			// to avoid "no such variable" exceptions in boundary cases
 			// for null/empty paths we might consider creating empty AssignmentPathVariables objects to keep null/empty path distinction
-			expressionVariables.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT_PATH, null);
+			expressionVariables.put(ExpressionConstants.VAR_ASSIGNMENT_PATH, null, AssignmentPath.class);
 		}
 	}
 
@@ -811,20 +845,24 @@ private static PrismReferenceValue getAuditTarget(ObjectDelta<? extends ObjectTy
 
 	public static <V extends PrismValue, F extends ObjectType> List<V> evaluateScript(
 	            ScriptExpression scriptExpression, LensContext<F> lensContext, ExpressionVariables variables, boolean useNew, String shortDesc, Task task, OperationResult parentResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
-			ExpressionEnvironment<F> env = new ExpressionEnvironment<>();
-			env.setLensContext(lensContext);
-			env.setCurrentResult(parentResult);
-			env.setCurrentTask(task);
-			ModelExpressionThreadLocalHolder.pushExpressionEnvironment(env);
-	        try {
-	            return scriptExpression.evaluate(variables, ScriptExpressionReturnTypeType.SCALAR, useNew, shortDesc, task, parentResult);
-	        } finally {
-	        	ModelExpressionThreadLocalHolder.popExpressionEnvironment();
-	//			if (lensContext.getDebugListener() != null) {
-	//				lensContext.getDebugListener().afterScriptEvaluation(lensContext, scriptExpression);
-	//			}
-	        }
-	    }
+			
+		ExpressionEnvironment<F> env = new ExpressionEnvironment<>();
+		env.setLensContext(lensContext);
+		env.setCurrentResult(parentResult);
+		env.setCurrentTask(task);
+		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(env);
+		
+        try {
+        	
+            return scriptExpression.evaluate(variables, ScriptExpressionReturnTypeType.SCALAR, useNew, shortDesc, task, parentResult);
+            
+        } finally {
+        	ModelExpressionThreadLocalHolder.popExpressionEnvironment();
+//			if (lensContext.getDebugListener() != null) {
+//				lensContext.getDebugListener().afterScriptEvaluation(lensContext, scriptExpression);
+//			}
+        }
+    }
 
 	public static CriticalityType handleConnectorErrorCriticality(ResourceType resourceType, Throwable e, OperationResult result) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, 
 	SecurityViolationException, PolicyViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PreconditionViolationException {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/validator/ResourceValidatorImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/validator/ResourceValidatorImpl.java
index 4c417b44e21..90872af0628 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/validator/ResourceValidatorImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/validator/ResourceValidatorImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/model/model-impl/src/main/resources/ctx-model.xml b/model/model-impl/src/main/resources/ctx-model.xml
index 97cc399362f..404ed55539f 100644
--- a/model/model-impl/src/main/resources/ctx-model.xml
+++ b/model/model-impl/src/main/resources/ctx-model.xml
@@ -81,7 +81,7 @@
           <constructor-arg name="protector" ref="protector"/>
     </bean>
 
-    <bean id="groovyScriptEvaluator" class="com.evolveum.midpoint.model.common.expression.script.GroovyScriptEvaluator"
+    <bean id="groovyScriptEvaluator" class="com.evolveum.midpoint.model.common.expression.script.groovy.GroovyScriptEvaluator"
           scope="singleton">
           <constructor-arg name="prismContext" ref="prismContext"/>
           <constructor-arg name="protector" ref="protector"/>
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestFilterExpression.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestFilterExpression.java
index 9ba7ec7dd5a..7248e9a0c73 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestFilterExpression.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestFilterExpression.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.model.impl.AbstractInternalModelIntegrationTest;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
@@ -55,6 +56,7 @@
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.test.util.TestUtil;
@@ -289,18 +291,17 @@ private ObjectFilter evaluateExpressionAssertFilter(String filename,
 
 		ObjectFilter filter = prismContext.getQueryConverter().createObjectFilter(UserType.class, filterType);
 
-		Map<QName, Object> params = new HashMap<>();
 		PrismPropertyValue<String> pval = null;
 		if (input != null) {
 			pval = prismContext.itemFactory().createPropertyValue(input);
 		}
-		params.put(ExpressionConstants.VAR_INPUT, pval);
 
-		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinitions(params);
+		ExpressionVariables variables = createVariables(
+				ExpressionConstants.VAR_INPUT, pval, PrimitiveType.STRING);
 
 		// WHEN
-		ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(filter, variables, expressionFactory, prismContext,
+		ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(filter, variables, 
+				MiscSchemaUtil.getExpressionProfile(), expressionFactory, prismContext,
 				"evaluating filter with null value not allowed", task, result);
 
 		// THEN
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestModelExpressions.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestModelExpressions.java
index c4c32a253cb..8992b1dbc82 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestModelExpressions.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/expr/TestModelExpressions.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,6 +51,7 @@
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.internals.InternalCounters;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.test.util.TestUtil;
@@ -136,7 +137,7 @@ public void testGetUserByOid() throws Exception {
         OperationResult result = new OperationResult(TestModelExpressions.class.getName() + "." + TEST_NAME);
         PrismObject<UserType> chef = repositoryService.getObject(UserType.class, CHEF_OID, null, result);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, chef);
+        ExpressionVariables variables = createVariables(ExpressionConstants.VAR_USER, chef, chef.getDefinition());
 
         // WHEN, THEN
         assertExecuteScriptExpressionString(TEST_NAME, variables, chef.asObjectable().getName().getOrig());
@@ -155,9 +156,9 @@ public void testGetManagersOids() throws Exception {
 
         ScriptExpressionEvaluatorType scriptType = parseScriptType("expression-" + TEST_NAME + ".xml");
         PrismPropertyDefinition<String> outputDefinition = getPrismContext().definitionFactory().createPropertyDefinition(PROPERTY_NAME, DOMUtil.XSD_STRING);
-        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, expressionFactory, TEST_NAME, task, result);
-        ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(new QName(SchemaConstants.NS_C, "user"), chef);
+        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, 
+        		MiscSchemaUtil.getExpressionProfile(), expressionFactory, TEST_NAME, task, result);
+        ExpressionVariables variables = createVariables(ExpressionConstants.VAR_USER, chef, chef.getDefinition());
 
         // WHEN
         List<PrismPropertyValue<String>> scriptOutputs = evaluate(scriptExpression, variables, false, TEST_NAME, null, result);
@@ -189,10 +190,12 @@ public void testIsUniquePropertyValue() throws Exception {
 
         ScriptExpressionEvaluatorType scriptType = parseScriptType("expression-" + TEST_NAME + ".xml");
         PrismPropertyDefinition<Boolean> outputDefinition = getPrismContext().definitionFactory().createPropertyDefinition(PROPERTY_NAME, DOMUtil.XSD_BOOLEAN);
-        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, expressionFactory, TEST_NAME, task, result);
-        ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(new QName(SchemaConstants.NS_C, "user"), chef);
-        variables.addVariableDefinition(new QName(SchemaConstants.NS_C, "value"), "Scumm Bar Chef");
+        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, 
+        		MiscSchemaUtil.getExpressionProfile(), expressionFactory, TEST_NAME, task, result);
+        
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, chef, chef.getDefinition(),
+        		ExpressionConstants.VAR_VALUE, "Scumm Bar Chef", String.class);
 
         // WHEN
         List<PrismPropertyValue<Boolean>> scriptOutputs = evaluate(scriptExpression, variables, false, TEST_NAME, null, result);
@@ -218,7 +221,9 @@ public void testGetLinkedShadowName() throws Exception {
 
         rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, getUser(USER_GUYBRUSH_OID));
+        PrismObject<UserType> user = getUser(USER_GUYBRUSH_OID);
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, user, user.getDefinition());
 
         assertExecuteScriptExpressionString(TEST_NAME, variables, ACCOUNT_GUYBRUSH_DUMMY_USERNAME);
 
@@ -232,7 +237,9 @@ public void testGetLinkedShadowKindIntentUsername() throws Exception {
 
         rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, getUser(USER_GUYBRUSH_OID));
+        PrismObject<UserType> user = getUser(USER_GUYBRUSH_OID);
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, user, user.getDefinition());
 
         assertExecuteScriptExpressionString(TEST_NAME, variables, ACCOUNT_GUYBRUSH_DUMMY_USERNAME);
 
@@ -246,7 +253,9 @@ public void testGetLinkedShadowKindIntentFullname() throws Exception {
 
         rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, getUser(USER_GUYBRUSH_OID));
+        PrismObject<UserType> user = getUser(USER_GUYBRUSH_OID);
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, user, user.getDefinition());
 
         assertExecuteScriptExpressionString(TEST_NAME, variables, ACCOUNT_GUYBRUSH_DUMMY_FULLNAME);
 
@@ -260,7 +269,9 @@ public void testGetLinkedShadowNameRepo() throws Exception {
 
         rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, getUser(USER_GUYBRUSH_OID));
+        PrismObject<UserType> user = getUser(USER_GUYBRUSH_OID);
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, user, user.getDefinition());
 
         assertExecuteScriptExpressionString(TEST_NAME, variables, ACCOUNT_GUYBRUSH_DUMMY_USERNAME);
 
@@ -274,7 +285,9 @@ public void testGetLinkedShadowKindIntentUsernameRepo() throws Exception {
 
         rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, getUser(USER_GUYBRUSH_OID));
+        PrismObject<UserType> user = getUser(USER_GUYBRUSH_OID);
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, user, user.getDefinition());
 
         assertExecuteScriptExpressionString(TEST_NAME, variables, ACCOUNT_GUYBRUSH_DUMMY_USERNAME);
 
@@ -288,7 +301,9 @@ public void testGetLinkedShadowKindIntentFullnameRepo() throws Exception {
 
         rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
 
-        ExpressionVariables variables = ExpressionVariables.create(ExpressionConstants.VAR_USER, getUser(USER_GUYBRUSH_OID));
+        PrismObject<UserType> user = getUser(USER_GUYBRUSH_OID);
+        ExpressionVariables variables = createVariables(
+        		ExpressionConstants.VAR_USER, user, user.getDefinition());
 
         assertExecuteScriptExpressionString(TEST_NAME, variables, null);
 
@@ -308,7 +323,8 @@ private String executeScriptExpressionString(final String TEST_NAME, ExpressionV
 
     	ScriptExpressionEvaluatorType scriptType = parseScriptType("expression-" + TEST_NAME + ".xml");
     	ItemDefinition outputDefinition = getPrismContext().definitionFactory().createPropertyDefinition(PROPERTY_NAME, DOMUtil.XSD_STRING);
-        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition, expressionFactory, TEST_NAME, task, result);
+        ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(scriptType, outputDefinition,
+        		MiscSchemaUtil.getExpressionProfile(), expressionFactory, TEST_NAME, task, result);
         if (variables == null) {
         	variables = new ExpressionVariables();
         }
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAbstractAssignmentEvaluator.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAbstractAssignmentEvaluator.java
index ce9d382a107..c0cbb159254 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAbstractAssignmentEvaluator.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAbstractAssignmentEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -119,7 +119,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 	@Test
 	public void test100Direct() throws Exception {
 		final String TEST_NAME = "test100Direct";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -129,20 +129,17 @@ public void test100Direct() throws Exception {
 
         AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_DIRECT_FILE);
 
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-		userOdo.recompute();
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-		assignmentIdi.recompute();
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testDirect", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -157,11 +154,11 @@ public void test100Direct() throws Exception {
 
 		assertEquals("Wrong number of admin GUI configs", 0, evaluatedAssignment.getAdminGuiConfigurations().size());
 	}
-
+	
 	@Test
 	public void test110DirectExpression() throws Exception {
 		final String TEST_NAME = "test110DirectExpression";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -170,21 +167,19 @@ public void test110DirectExpression() throws Exception {
 
         AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_DIRECT_EXPRESSION_FILE);
 
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 		userOdo.recompute();
 		AssignmentEvaluator<UserType> assignmentEvaluator = createAssignmentEvaluator(userOdo);
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-		assignmentIdi.recompute();
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testDirect", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -202,7 +197,7 @@ public void test110DirectExpression() throws Exception {
 	@Test
 	public void test120DirectExpressionReplaceDescription() throws Exception {
 		final String TEST_NAME = "test120DirectExpressionReplaceDescription";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -216,24 +211,22 @@ public void test120DirectExpressionReplaceDescription() throws Exception {
 		ObjectDelta<UserType> userDelta = prismContext.deltaFactory().object()
 				.createModificationReplaceProperty(UserType.class, USER_JACK_OID,
 				path, "captain");
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(user, userDelta, null);
-		userOdo.recompute();
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(user, userDelta);
 		AssignmentEvaluator<UserType> assignmentEvaluator = createAssignmentEvaluator(userOdo);
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 		assignmentIdi.setSubItemDeltas(userDelta.getModifications());
 		assignmentIdi.recompute();
-
+		display("Assignment IDI", assignmentIdi);
+		
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testDirect", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
-		result.computeStatus();
-		TestUtil.assertSuccess(result);
+		displayThen(TEST_NAME);
+		assertSuccess(result);
 
 		assertNotNull(evaluatedAssignment);
 		display("Evaluated assignment",evaluatedAssignment);
@@ -245,6 +238,7 @@ public void test120DirectExpressionReplaceDescription() throws Exception {
 		assertEquals(1,construction.getAttributeMappings().size());
 		MappingImpl<PrismPropertyValue<String>, PrismPropertyDefinition<String>> attributeMapping = (MappingImpl<PrismPropertyValue<String>, PrismPropertyDefinition<String>>) construction.getAttributeMappings().iterator().next();
 		PrismValueDeltaSetTriple<PrismPropertyValue<String>> outputTriple = attributeMapping.getOutputTriple();
+		display("output triple", outputTriple);
 		PrismAsserts.assertTripleNoZero(outputTriple);
 	  	PrismAsserts.assertTriplePlus(outputTriple, "The best captain the world has ever seen");
 	  	PrismAsserts.assertTripleMinus(outputTriple, "The best pirate the world has ever seen");
@@ -263,7 +257,7 @@ public void test120DirectExpressionReplaceDescription() throws Exception {
 	@Test
 	public void test130DirectExpressionReplaceDescriptionFromNull() throws Exception {
 		final String TEST_NAME = "test130DirectExpressionReplaceDescriptionFromNull";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -274,33 +268,26 @@ public void test130DirectExpressionReplaceDescriptionFromNull() throws Exception
 		assignmentType.setDescription(null);
 		user.asObjectable().getAssignment().add(assignmentType.clone());
 
-//		// We need to make sure that the assignment has a parent
-//		PrismContainerDefinition<AssignmentType> assignmentContainerDefinition = user.getDefinition().findContainerDefinition(UserType.F_ASSIGNMENT);
-//		PrismContainer<AssignmentType> assignmentContainer = assignmentContainerDefinition.instantiate();
-//		assignmentContainer.add(assignmentType.asPrismContainerValue().clone());
-
 		ItemPath path = ItemPath.create(UserType.F_ASSIGNMENT, 123L, AssignmentType.F_DESCRIPTION);
 		ObjectDelta<UserType> userDelta = prismContext.deltaFactory().object()
 				.createModificationReplaceProperty(UserType.class, USER_JACK_OID,
 				path, "sailor");
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(user, userDelta, null);
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(user, userDelta);
 		userOdo.recompute();
 		AssignmentEvaluator<UserType> assignmentEvaluator = createAssignmentEvaluator(userOdo);
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 		assignmentIdi.setSubItemDeltas(userDelta.getModifications());
 		assignmentIdi.recompute();
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testDirect", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
-		result.computeStatus();
-		TestUtil.assertSuccess(result);
+		displayThen(TEST_NAME);
+		assertSuccess(result);
 
 		assertNotNull(evaluatedAssignment);
 		display("Evaluated assignment",evaluatedAssignment);
@@ -353,7 +340,7 @@ Explanation for roles structure (copied from role-corp-generic-metarole.xml)
     @Test
     public void test140RoleVisitor() throws Exception {
         final String TEST_NAME = "test140RoleVisitor";
-        TestUtil.displayTestTitle(this, TEST_NAME);
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -363,22 +350,18 @@ public void test140RoleVisitor() throws Exception {
 
         AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_ROLE_VISITOR_FILE);
 
-        ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-        userOdo.recompute();
+        ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-        assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-        assignmentIdi.recompute();
+        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
         // WHEN
-        TestUtil.displayWhen(TEST_NAME);
+        displayWhen(TEST_NAME);
         EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, TEST_NAME, false, task, result);
         evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
         // THEN
-        TestUtil.displayThen(TEST_NAME);
-        result.computeStatus();
-        TestUtil.assertSuccess(result);
+        displayThen(TEST_NAME);
+        assertSuccess(result);
 
         assertNotNull(evaluatedAssignment);
         display("Evaluated assignment",evaluatedAssignment.debugDump());
@@ -402,7 +385,7 @@ public void test140RoleVisitor() throws Exception {
     @Test
     public void test142RoleVisitorDisabledAssignment() throws Exception {
         final String TEST_NAME = "test142RoleVisitorDisabledAssignment";
-        TestUtil.displayTestTitle(this, TEST_NAME);
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -413,20 +396,17 @@ public void test142RoleVisitorDisabledAssignment() throws Exception {
         AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_ROLE_VISITOR_FILE);
         assignmentType.setActivation(ActivationUtil.createDisabled());
 
-        ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-        userOdo.recompute();
+        ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-        assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-        assignmentIdi.recompute();
+        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
         // WHEN
-        TestUtil.displayWhen(TEST_NAME);
+        displayWhen(TEST_NAME);
         EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, TEST_NAME, false, task, result);
         evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
         // THEN
-        TestUtil.displayThen(TEST_NAME);
+        displayThen(TEST_NAME);
         result.computeStatus();
         TestUtil.assertSuccess(result);
 
@@ -452,7 +432,7 @@ public void test142RoleVisitorDisabledAssignment() throws Exception {
     @Test
     public void test150RoleEngineer() throws Exception {
         final String TEST_NAME = "test150RoleEngineer";
-        TestUtil.displayTestTitle(this, TEST_NAME);
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -462,22 +442,18 @@ public void test150RoleEngineer() throws Exception {
 
         AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_ROLE_ENGINEER_FILE);
 
-        ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-        userOdo.recompute();
+        ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-        assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-        assignmentIdi.recompute();
+        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
         // WHEN
-        TestUtil.displayWhen(TEST_NAME);
+        displayWhen(TEST_NAME);
         EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testRoleEngineer", false, task, result);
         evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
         // THEN
-        TestUtil.displayThen(TEST_NAME);
-        result.computeStatus();
-        TestUtil.assertSuccess(result);
+        displayThen(TEST_NAME);
+        assertSuccess(result);
 
         assertNotNull(evaluatedAssignment);
         display("Evaluated assignment",evaluatedAssignment.debugDump());
@@ -502,7 +478,7 @@ public void test150RoleEngineer() throws Exception {
     @Test
     public void test160AddRoleEngineer() throws Exception {
         final String TEST_NAME = "test160AddRoleEngineer";
-        TestUtil.displayTestTitle(this, TEST_NAME);
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -516,24 +492,20 @@ public void test160AddRoleEngineer() throws Exception {
         ObjectDelta<UserType> userDelta = prismContext.deltaFactory().object()
 		        .createModificationAddContainer(UserType.class, USER_JACK_OID, UserType.F_ASSIGNMENT,
 				        assignmentForUser.asPrismContainerValue());
-        ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(user, userDelta, null);
-        userOdo.recompute();
+        ObjectDeltaObject<UserType> userOdo = createUserOdo(user, userDelta);
         AssignmentEvaluator<UserType> assignmentEvaluator = createAssignmentEvaluator(userOdo);
         PrismAsserts.assertParentConsistency(userTypeJack.asPrismObject());
 
-        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-        assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-        assignmentIdi.recompute();
+        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
         // WHEN
-        TestUtil.displayWhen(TEST_NAME);
+        displayWhen(TEST_NAME);
         EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, TEST_NAME, false, task, result);
         evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
         // THEN
-        TestUtil.displayThen(TEST_NAME);
-        result.computeStatus();
-        TestUtil.assertSuccess(result);
+        displayThen(TEST_NAME);
+        assertSuccess(result);
 
         assertNotNull(evaluatedAssignment);
         display("Evaluated assignment",evaluatedAssignment.debugDump());
@@ -577,7 +549,7 @@ public void test160AddRoleEngineer() throws Exception {
     @Test
     public void test170RoleManagerChangeCostCenter() throws Exception {
         final String TEST_NAME = "test170RoleManagerChangeCostCenter";
-        TestUtil.displayTestTitle(this, TEST_NAME);
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -593,22 +565,19 @@ public void test170RoleManagerChangeCostCenter() throws Exception {
         ObjectDelta<UserType> userDelta = prismContext.deltaFactory().object()
 		        .createModificationReplaceProperty(UserType.class, USER_JACK_OID,
                 UserType.F_COST_CENTER, "management");
-        ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(user, userDelta, null);
-        userOdo.recompute();
+        ObjectDeltaObject<UserType> userOdo = createUserOdo(user, userDelta);
         AssignmentEvaluator<UserType> assignmentEvaluator = createAssignmentEvaluator(userOdo);
         PrismAsserts.assertParentConsistency(userTypeJack.asPrismObject());
 
-        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-        assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-        assignmentIdi.recompute();
+        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
         // WHEN
-        TestUtil.displayWhen(TEST_NAME);
+        displayWhen(TEST_NAME);
         EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, TEST_NAME, false, task, result);
         evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
         // THEN
-        TestUtil.displayThen(TEST_NAME);
+        displayThen(TEST_NAME);
         result.computeStatus();
         TestUtil.assertSuccess(result);
 
@@ -643,7 +612,7 @@ public void test170RoleManagerChangeCostCenter() throws Exception {
     @Test
     public void test180RoleManagerRemoveCostCenter() throws Exception {
         final String TEST_NAME = "test180RoleManagerRemoveCostCenter";
-        TestUtil.displayTestTitle(this, TEST_NAME);
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -660,22 +629,19 @@ public void test180RoleManagerRemoveCostCenter() throws Exception {
         ObjectDelta<UserType> userDelta = prismContext.deltaFactory().object()
 		        .createModificationReplaceProperty(UserType.class, USER_JACK_OID,
                 UserType.F_COST_CENTER);
-        ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(user, userDelta, null);
-        userOdo.recompute();
+        ObjectDeltaObject<UserType> userOdo = createUserOdo(user, userDelta);
         AssignmentEvaluator<UserType> assignmentEvaluator = createAssignmentEvaluator(userOdo);
         PrismAsserts.assertParentConsistency(userTypeJack.asPrismObject());
 
-        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-        assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-        assignmentIdi.recompute();
+        ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
         // WHEN
-        TestUtil.displayWhen(TEST_NAME);
+        displayWhen(TEST_NAME);
         EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, TEST_NAME, false, task, result);
         evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
         // THEN
-        TestUtil.displayThen(TEST_NAME);
+        displayThen(TEST_NAME);
         result.computeStatus();
         TestUtil.assertSuccess(result);
 
@@ -706,7 +672,7 @@ public void test180RoleManagerRemoveCostCenter() throws Exception {
 	@Test(enabled = false)
 	public void test200DisableEngineerEmployeeInducement() throws Exception {
 		final String TEST_NAME = "test200DisableEngineerEmployeeInducement";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -724,20 +690,17 @@ public void test200DisableEngineerEmployeeInducement() throws Exception {
 
 		AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_ROLE_ENGINEER_FILE);
 
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-		userOdo.recompute();
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-		assignmentIdi.recompute();
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testRoleEngineer", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -745,28 +708,12 @@ public void test200DisableEngineerEmployeeInducement() throws Exception {
 		display("Evaluated assignment",evaluatedAssignment.debugDump());
 
 		// TODO
-//		assertEquals(2, evaluatedAssignment.getConstructions().size());
-//		PrismAsserts.assertParentConsistency(userTypeJack.asPrismObject());
-//
-//		assertConstruction(evaluatedAssignment, ZERO, "title", ZERO, "Engineer");
-//		assertConstruction(evaluatedAssignment, ZERO, "title", PLUS);
-//		assertConstruction(evaluatedAssignment, ZERO, "title", MINUS);
-//		assertNoConstruction(evaluatedAssignment, PLUS, "title");
-//		assertNoConstruction(evaluatedAssignment, MINUS, "title");
-//
-//		assertConstruction(evaluatedAssignment, ZERO, "location", ZERO, "Caribbean");
-//		assertConstruction(evaluatedAssignment, ZERO, "location", PLUS);
-//		assertConstruction(evaluatedAssignment, ZERO, "location", MINUS);
-//		assertNoConstruction(evaluatedAssignment, PLUS, "location");
-//		assertNoConstruction(evaluatedAssignment, MINUS, "location");
-//
-//		assertEquals("Wrong number of admin GUI configs", 1, evaluatedAssignment.getAdminGuiConfigurations().size());
 	}
 
 	@Test(enabled = false)
 	public void test299ReenableEngineerEmployeeInducement() throws Exception {
 		final String TEST_NAME = "test299ReenableEngineerEmployeeInducement";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -787,7 +734,7 @@ public void test299ReenableEngineerEmployeeInducement() throws Exception {
 	@Test
 	public void test300DisableRoleEmployee() throws Exception {
 		final String TEST_NAME = "test300DisableRoleEmployee";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -805,20 +752,17 @@ public void test300DisableRoleEmployee() throws Exception {
 
 		AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_ROLE_ENGINEER_FILE);
 
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-		userOdo.recompute();
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-		assignmentIdi.recompute();
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testRoleEngineer", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -845,7 +789,7 @@ public void test300DisableRoleEmployee() throws Exception {
 	@Test
 	public void test310DisableRoleEngineer() throws Exception {
 		final String TEST_NAME = "test310DisableRoleEngineer";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -863,20 +807,17 @@ public void test310DisableRoleEngineer() throws Exception {
 
 		AssignmentType assignmentType = getAssignmentType(ASSIGNMENT_ROLE_ENGINEER_FILE);
 
-		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(userTypeJack.asPrismObject(), null, null);
-		userOdo.recompute();
+		ObjectDeltaObject<UserType> userOdo = createUserOdo(userTypeJack.asPrismObject());
 
-		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
-		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
-		assignmentIdi.recompute();
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = createAssignmentIdi(assignmentType);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userTypeJack, "testRoleEngineer", false, task, result);
 		evaluatedAssignment.evaluateConstructions(userOdo, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -908,7 +849,7 @@ public void test310DisableRoleEngineer() throws Exception {
 	@Test
 	public void test400UserFred() throws Exception {
 		final String TEST_NAME = "test400UserFred";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentEvaluator.class.getName() + "." + TEST_NAME);
@@ -933,13 +874,12 @@ public void test400UserFred() throws Exception {
 		addFocusDeltaToContext(lensContext, descriptionDelta);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		projector.project(lensContext, "test", task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
-		result.computeStatus();
-		TestUtil.assertSuccess(result);
+		displayThen(TEST_NAME);
+		assertSuccess(result);
 
 		DeltaSetTriple<EvaluatedAssignmentImpl<?>> triple = lensContext.getEvaluatedAssignmentTriple();
 		display("Evaluated assignment triple", triple.debugDump());
@@ -978,8 +918,7 @@ protected void assertConstruction(EvaluatedAssignmentImpl<UserType> evaluatedAss
 
 	protected AssignmentEvaluator<UserType> createAssignmentEvaluator() throws ObjectNotFoundException, SchemaException {
 		PrismObject<UserType> userJack = userTypeJack.asPrismObject();
-		ObjectDeltaObject<UserType> focusOdo = new ObjectDeltaObject<>(userJack, null, null);
-		focusOdo.recompute();
+		ObjectDeltaObject<UserType> focusOdo = createUserOdo(userJack);
 		return createAssignmentEvaluator(focusOdo);
 	}
 
@@ -1006,23 +945,21 @@ protected AssignmentEvaluator<UserType> createAssignmentEvaluator(ObjectDeltaObj
 				.build();
 	}
 
-//	protected AssignmentEvaluator<UserType> createLoginModeAssignmentEvaluator(PrismObject<UserType> focus) throws ObjectNotFoundException, SchemaException {
-//		return new AssignmentEvaluator.Builder<UserType>()
-//				.repository(repositoryService)
-//				.focusOdo(new ObjectDeltaObject<>(focus, null, focus))
-//				.channel(null)
-//				.objectResolver(objectResolver)
-//				.systemObjectCache(systemObjectCache)
-//				.prismContext(prismContext)
-//				.mappingFactory(mappingFactory)
-//				.mappingEvaluator(mappingEvaluator)
-//				.activationComputer(activationComputer)
-//				.now(clock.currentTimeXMLGregorianCalendar())
-//				.loginMode(true)
-//				// We do not have real lens context here. But the push methods in ModelExpressionThreadLocalHolder
-//				// will need something to push on the stack. So give them context placeholder.
-//				.lensContext(new LensContextPlaceholder<>(focus, prismContext))
-//				.build();
-//	}
+	private ObjectDeltaObject<UserType> createUserOdo(PrismObject<UserType> user) throws SchemaException {
+		return createUserOdo(user, null);
+	}
+	
+	private ObjectDeltaObject<UserType> createUserOdo(PrismObject<UserType> user, ObjectDelta<UserType> userDelta) throws SchemaException {
+		ObjectDeltaObject<UserType> userOdo = new ObjectDeltaObject<>(user, userDelta, null, user.getDefinition());
+		userOdo.recompute();
+		return userOdo;
+	}
 
+	private ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> createAssignmentIdi(AssignmentType assignmentType) throws SchemaException {
+		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
+		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
+		assignmentIdi.setDefinition(getAssignmentDefinition());
+		assignmentIdi.recompute();
+		return assignmentIdi;
+	}
 }
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java
index 81e2b06f1cc..e5c48f7e4d4 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestAssignmentProcessor2.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -271,7 +271,7 @@ public void test020AssignMR1ToR1() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test030AssignR1ToJackProjectorDisabled() throws Exception {
 		final String TEST_NAME = "test030AssignR1ToJackProjectorDisabled";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -303,7 +303,7 @@ public void test030AssignR1ToJackProjectorDisabled() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test040AssignR1ToJackAsApprover() throws Exception {
 		final String TEST_NAME = "test040AssignR1ToJackAsApprover";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -360,7 +360,7 @@ public void test040AssignR1ToJackAsApprover() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test050JackDeputyOfBarbossa() throws Exception {
 		final String TEST_NAME = "test050JackDeputyOfBarbossa";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -443,7 +443,7 @@ public void test050JackDeputyOfBarbossa() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test060JackDeputyOfGuybrushDeputyOfBarbossa() throws Exception {
 		final String TEST_NAME = "test060JackDeputyOfGuybrushDeputyOfBarbossa";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -511,7 +511,7 @@ public void test060JackDeputyOfGuybrushDeputyOfBarbossa() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test062JackDeputyOfGuybrushDeputyOfBarbossaInLoginMode() throws Exception {
 		final String TEST_NAME = "test062JackDeputyOfGuybrushDeputyOfBarbossaInLoginMode";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -526,7 +526,7 @@ public void test062JackDeputyOfGuybrushDeputyOfBarbossaInLoginMode() throws Exce
 
 		AssignmentEvaluator<UserType> assignmentEvaluator = new AssignmentEvaluator.Builder<UserType>()
 				.repository(repositoryService)
-				.focusOdo(new ObjectDeltaObject<>(jack, null, jack))
+				.focusOdo(new ObjectDeltaObject<>(jack, null, jack, jack.getDefinition()))
 				.lensContext(context)
 				.channel(context.getChannel())
 				.objectResolver(objectResolver)
@@ -543,17 +543,19 @@ public void test062JackDeputyOfGuybrushDeputyOfBarbossaInLoginMode() throws Exce
 
 		ItemDeltaItem<PrismContainerValue<AssignmentType>,PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
 		assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(jackGuybrushAssignment));
+		assignmentIdi.setDefinition(jackGuybrushAssignment.asPrismContainerValue().getDefinition());
 		assignmentIdi.recompute();
 
 		// WHEN
+		displayWhen(TEST_NAME);
 		EvaluatedAssignmentImpl<UserType> evaluatedAssignment = assignmentEvaluator
 				.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, jack.asObjectable(), jack.toString(), false, task, result);
 
 		// THEN
+		displayThen(TEST_NAME);
 		display("Output context", context);
 		display("Evaluated assignment", evaluatedAssignment);
 
-		result.computeStatus();
 		assertSuccess("Assignment evaluator failed (result)", result);
 
 		assertEquals("Wrong evaluatedAssignment.isValid", true, evaluatedAssignment.isValid());
@@ -599,7 +601,7 @@ public void test062JackDeputyOfGuybrushDeputyOfBarbossaInLoginMode() throws Exce
 	@Test(enabled = FIRST_PART)
 	public void test070JackDeputyOfBarbossaApproverOfR1() throws Exception {
 		final String TEST_NAME = "test070JackDeputyOfBarbossaApproverOfR1";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -679,7 +681,7 @@ public void test070JackDeputyOfBarbossaApproverOfR1() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test100DisableSomeRoles() throws Exception {
 		final String TEST_NAME = "test100DisableSomeRoles";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -696,7 +698,7 @@ public void test100DisableSomeRoles() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test110AssignR1ToJack() throws Exception {
 		final String TEST_NAME = "test010AssignR1ToJack";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -757,7 +759,7 @@ public void test110AssignR1ToJack() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test150DisableSomeAssignments() throws Exception {
 		final String TEST_NAME = "test150DisableSomeAssignments";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -772,7 +774,7 @@ public void test150DisableSomeAssignments() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test160AssignR1ToJack() throws Exception {
 		final String TEST_NAME = "test160AssignR1ToJack";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -833,7 +835,7 @@ public void test160AssignR1ToJack() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test200AddConditions() throws Exception {
 		final String TEST_NAME = "test200AddConditions";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -854,7 +856,7 @@ public void test200AddConditions() throws Exception {
 	@Test(enabled = FIRST_PART)
 	public void test210AssignR1ToJack() throws Exception {
 		final String TEST_NAME = "test210AssignR1ToJack";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -920,7 +922,7 @@ public void test210AssignR1ToJack() throws Exception {
 	@Test(enabled = SECOND_PART)
 	public void test300AssignR7ToJack() throws Exception {
 		final String TEST_NAME = "test300AssignR7ToJack";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1063,7 +1065,7 @@ public void test300AssignR7ToJack() throws Exception {
 	@Test(enabled = THIRD_PART)
 	public void test400AssignJackPirate() throws Exception {
 		final String TEST_NAME = "test400AssignJackPirate";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1461,38 +1463,38 @@ public static void startCallback(String desc) {
 	}
 
 	private static final List<String> RECORDED_VARIABLES = Arrays.asList(
-			ExpressionConstants.VAR_ASSIGNMENT.getLocalPart(),
-			ExpressionConstants.VAR_FOCUS_ASSIGNMENT.getLocalPart(),
-			ExpressionConstants.VAR_IMMEDIATE_ASSIGNMENT.getLocalPart(),
-			ExpressionConstants.VAR_THIS_ASSIGNMENT.getLocalPart(),
-			ExpressionConstants.VAR_FOCUS.getLocalPart(),
-			ExpressionConstants.VAR_ORDER_ONE_OBJECT.getLocalPart(),
-			ExpressionConstants.VAR_IMMEDIATE_ROLE.getLocalPart(),
-			ExpressionConstants.VAR_SOURCE.getLocalPart(),
-			ExpressionConstants.VAR_ASSIGNMENT_PATH.getLocalPart());
+			ExpressionConstants.VAR_ASSIGNMENT,
+			ExpressionConstants.VAR_FOCUS_ASSIGNMENT,
+			ExpressionConstants.VAR_IMMEDIATE_ASSIGNMENT,
+			ExpressionConstants.VAR_THIS_ASSIGNMENT,
+			ExpressionConstants.VAR_FOCUS,
+			ExpressionConstants.VAR_ORDER_ONE_OBJECT,
+			ExpressionConstants.VAR_IMMEDIATE_ROLE,
+			ExpressionConstants.VAR_SOURCE,
+			ExpressionConstants.VAR_ASSIGNMENT_PATH);
 
 	@SuppressWarnings("unchecked")
 	public static void variableCallback(String name, Object value, String desc) {
 		if (recording()) {
 			if (RECORDED_VARIABLES.contains(name)) {
 				System.out.println(desc + ": name = " + name + ", value = " + value);
-				if (ExpressionConstants.VAR_ASSIGNMENT.getLocalPart().equals(name)) {
+				if (ExpressionConstants.VAR_ASSIGNMENT.equals(name)) {
 					currentRun.assignment = (AssignmentType) value;
-				} else if (ExpressionConstants.VAR_FOCUS_ASSIGNMENT.getLocalPart().equals(name)) {
+				} else if (ExpressionConstants.VAR_FOCUS_ASSIGNMENT.equals(name)) {
 					currentRun.focusAssignment = (AssignmentType) value;
-				} else if (ExpressionConstants.VAR_IMMEDIATE_ASSIGNMENT.getLocalPart().equals(name))
+				} else if (ExpressionConstants.VAR_IMMEDIATE_ASSIGNMENT.equals(name))
 					currentRun.immediateAssignment = (AssignmentType) value;
-				else if (ExpressionConstants.VAR_THIS_ASSIGNMENT.getLocalPart().equals(name)) {
+				else if (ExpressionConstants.VAR_THIS_ASSIGNMENT.equals(name)) {
 					currentRun.thisAssignment = (AssignmentType) value;
-				} else if (ExpressionConstants.VAR_FOCUS.getLocalPart().equals(name)) {
+				} else if (ExpressionConstants.VAR_FOCUS.equals(name)) {
 					currentRun.focus = (FocusType) value;
-				} else if (ExpressionConstants.VAR_ORDER_ONE_OBJECT.getLocalPart().equals(name)) {
+				} else if (ExpressionConstants.VAR_ORDER_ONE_OBJECT.equals(name)) {
 					currentRun.thisObject = (FocusType) value;
-				} else if (ExpressionConstants.VAR_IMMEDIATE_ROLE.getLocalPart().equals(name)) {
+				} else if (ExpressionConstants.VAR_IMMEDIATE_ROLE.equals(name)) {
 					currentRun.immediateRole = (FocusType) value;
-				} else if (ExpressionConstants.VAR_SOURCE.getLocalPart().equals(name)) {
+				} else if (ExpressionConstants.VAR_SOURCE.equals(name)) {
 					currentRun.source = (FocusType) value;
-				} else if (ExpressionConstants.VAR_ASSIGNMENT_PATH.getLocalPart().equals(name)) {
+				} else if (ExpressionConstants.VAR_ASSIGNMENT_PATH.equals(name)) {
 					currentRun.assignmentPath = (AssignmentPathImpl) value;
 				}
 			}
@@ -1525,7 +1527,7 @@ public static void finishCallback(String desc) {
 	@Test(enabled = FOURTH_PART)
 	public void test500AssignJackOrg11() throws Exception {
 		final String TEST_NAME = "test500AssignJackOrg11";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1586,7 +1588,7 @@ public void test500AssignJackOrg11() throws Exception {
 	@Test(enabled = FOURTH_PART)
 	public void test505AssignJackOrg11AsManager() throws Exception {
 		final String TEST_NAME = "test505AssignJackOrg11AsManager";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1644,7 +1646,7 @@ public void test505AssignJackOrg11AsManager() throws Exception {
 	@Test(enabled = FOURTH_PART)
 	public void test507AssignJackOrg11AsApprover() throws Exception {
 		final String TEST_NAME = "test507AssignJackOrg11AsApprover";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1701,7 +1703,7 @@ public void test507AssignJackOrg11AsApprover() throws Exception {
 	@Test(enabled = FOURTH_PART)
 	public void test510AssignJackOrg21() throws Exception {
 		final String TEST_NAME = "test510AssignJackOrg21";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1757,7 +1759,7 @@ public void test510AssignJackOrg21() throws Exception {
 	@Test(enabled = FOURTH_PART)
 	public void test515AssignJackOrg21AsManager() throws Exception {
 		final String TEST_NAME = "test515AssignJackOrg21AsManager";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1827,7 +1829,7 @@ public void test515AssignJackOrg21AsManager() throws Exception {
 	@Test(enabled = FOURTH_PART)
 	public void test520AssignJackOrg41AsApprover() throws Exception {
 		final String TEST_NAME = "test520AssignJackOrg41AsApprover";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1894,7 +1896,7 @@ public void test520AssignJackOrg41AsApprover() throws Exception {
 	@Test(enabled = FIFTH_PART)
 	public void test600AssignA1ToJack() throws Exception {
 		final String TEST_NAME = "test600AssignA1ToJack";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestAssignmentProcessor.class.getName() + "." + TEST_NAME);
@@ -1912,7 +1914,6 @@ public void test600AssignA1ToJack() throws Exception {
 		display("Output context", context);
 		display("Evaluated assignment triple", context.getEvaluatedAssignmentTriple());
 
-		result.computeStatus();
 		assertSuccess("Assignment processor failed (result)", result);
 
 		Collection<EvaluatedAssignmentImpl<UserType>> evaluatedAssignments = assertAssignmentTripleSetSize(context, 0, 1, 0);
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules2.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules2.java
index cbf4d421858..a3d90a00053 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules2.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules2.java
@@ -140,7 +140,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 	@Test
 	public void test100JackAttemptAssignRoleStudent() throws Exception {
 		final String TEST_NAME = "test100JackAttemptAssignRoleStudent";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -155,13 +155,12 @@ public void test100JackAttemptAssignRoleStudent() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
-		result.computeStatus();
-		TestUtil.assertSuccess(result);
+		displayThen(TEST_NAME);
+		assertSuccess(result);
 
 		dumpPolicyRules(context);
 		//dumpPolicySituations(context);
@@ -184,7 +183,7 @@ public void test100JackAttemptAssignRoleStudent() throws Exception {
 	@Test
 	public void test110JoeAttemptAssignRoleStudent() throws Exception {
 		final String TEST_NAME = "test110JoeAttemptAssignRoleStudent";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -199,11 +198,11 @@ public void test110JoeAttemptAssignRoleStudent() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -231,7 +230,7 @@ public void test110JoeAttemptAssignRoleStudent() throws Exception {
 	@Test
 	public void test120JackAttemptToMoveTo1900AndAssignRoleStudent() throws Exception {
 		final String TEST_NAME = "test120JackAttemptToMoveTo1900AndAssignRoleStudent";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -250,11 +249,11 @@ public void test120JackAttemptToMoveTo1900AndAssignRoleStudent() throws Exceptio
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -284,7 +283,7 @@ public void test120JackAttemptToMoveTo1900AndAssignRoleStudent() throws Exceptio
 	@Test
 	public void test130JackMoveTo1900AndAssignRoleStudent() throws Exception {
 		final String TEST_NAME = "test130JackMoveTo1900AndAssignRoleStudent";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -303,12 +302,12 @@ public void test130JackMoveTo1900AndAssignRoleStudent() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 
 		clockwork.run(context, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -340,7 +339,7 @@ public void test130JackMoveTo1900AndAssignRoleStudent() throws Exception {
 	@Test
 	public void test135JackChangeValidTo() throws Exception {
 		final String TEST_NAME = "test135JackChangeValidTo";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -358,13 +357,13 @@ public void test135JackChangeValidTo() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 
 		// cannot run the clockwork as in the secondary state the deltas are no longer considered (!)
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -388,7 +387,7 @@ public void test135JackChangeValidTo() throws Exception {
 	@Test
 	public void test140JackNoChange() throws Exception {
 		final String TEST_NAME = "test140JackNoChange";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -401,12 +400,12 @@ public void test140JackNoChange() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -429,7 +428,7 @@ public void test140JackNoChange() throws Exception {
 	@Test
 	public void test142JackNoChangeButTaskExists() throws Exception {
 		final String TEST_NAME = "test142JackNoChangeButTaskExists";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -460,12 +459,12 @@ public void test142JackNoChangeButTaskExists() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -490,7 +489,7 @@ public void test142JackNoChangeButTaskExists() throws Exception {
 	@Test
 	public void test150FrankAttemptToAssignRoleStudentButDisabled() throws Exception {
 		final String TEST_NAME = "test150FrankAttemptToAssignRoleStudentButDisabled";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -510,11 +509,11 @@ public void test150FrankAttemptToAssignRoleStudentButDisabled() throws Exception
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -538,7 +537,7 @@ public void test150FrankAttemptToAssignRoleStudentButDisabled() throws Exception
 	@Test
 	public void test160AttemptToAddPeter() throws Exception {
 		final String TEST_NAME = "test160AttemptToAddPeter";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -551,11 +550,11 @@ public void test160AttemptToAddPeter() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -578,7 +577,7 @@ public void test160AttemptToAddPeter() throws Exception {
 	@Test
 	public void test170AddPeter() throws Exception {
 		final String TEST_NAME = "test170AddPeter";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -591,11 +590,11 @@ public void test170AddPeter() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		clockwork.run(context, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -636,7 +635,7 @@ public void test170AddPeter() throws Exception {
 	@Test
 	public void test180StudentRecompute() throws Exception {
 		final String TEST_NAME = "test180StudentRecompute";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -649,12 +648,12 @@ public void test180StudentRecompute() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 
 		projector.project(context, ACTIVITY_DESCRIPTION, task, result);
 
 		// THEN
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
 
@@ -672,7 +671,7 @@ public void test180StudentRecompute() throws Exception {
 	@Test
 	public void test200AddUnresolvable() throws Exception {
 		final String TEST_NAME = "test200AddUnresolvable";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -685,13 +684,13 @@ public void test200AddUnresolvable() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		try {
 			clockwork.run(context, task, result);
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			fail("unexpected success");
 		} catch (ObjectNotFoundException e) {
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			System.out.println("Expected exception: " + e);
 			e.printStackTrace(System.out);
 			if (!e.getMessage().contains("No policy constraint named 'unresolvable' could be found")) {
@@ -703,7 +702,7 @@ public void test200AddUnresolvable() throws Exception {
 	@Test
 	public void test210AddCyclic() throws Exception {
 		final String TEST_NAME = "test210AddCyclic";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -716,13 +715,13 @@ public void test210AddCyclic() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		try {
 			clockwork.run(context, task, result);
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			fail("unexpected success");
 		} catch (SchemaException e) {
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			System.out.println("Expected exception: " + e);
 			e.printStackTrace(System.out);
 			if (!e.getMessage().contains("Trying to resolve cyclic reference to constraint")) {
@@ -734,7 +733,7 @@ public void test210AddCyclic() throws Exception {
 	@Test
 	public void test220AddChained() throws Exception {
 		final String TEST_NAME = "test220AddChained";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -747,10 +746,10 @@ public void test220AddChained() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		clockwork.run(context, task, result);
 
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		display("Output context", context);
 
 		Map<String,EvaluatedPolicyRule> rules = new HashMap<>();
@@ -794,7 +793,7 @@ public void test220AddChained() throws Exception {
 	@Test
 	public void test230AddAmbiguous() throws Exception {
 		final String TEST_NAME = "test230AddAmbiguous";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -807,13 +806,13 @@ public void test230AddAmbiguous() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		try {
 			clockwork.run(context, task, result);
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			fail("unexpected success");
 		} catch (SchemaException e) {
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			System.out.println("Expected exception: " + e);
 			e.printStackTrace(System.out);
 			if (!e.getMessage().contains("Conflicting definitions of 'constraint-B'")) {
@@ -826,7 +825,7 @@ public void test230AddAmbiguous() throws Exception {
 	@Test
 	public void test300ModifyInducement() throws Exception {
 		final String TEST_NAME = "test300ModifyInducement";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -842,13 +841,13 @@ public void test300ModifyInducement() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		try {
 			clockwork.run(context, task, result);
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			fail("unexpected success");
 		} catch (PolicyViolationException e) {
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			System.out.println("Expected exception: " + e);
 			e.printStackTrace(System.out);
 			if (!getTranslatedMessage(e).contains("Role \"Immutable inducements\" is to be modified")) {
@@ -861,7 +860,7 @@ public void test300ModifyInducement() throws Exception {
 	@Test
 	public void test310ModifyInducementPass() throws Exception {
 		final String TEST_NAME = "test310ModifyInducementPass";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -877,9 +876,9 @@ public void test310ModifyInducementPass() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		clockwork.run(context, task, result);
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		assertSuccess("unexpected failure", result);
 	}
@@ -888,7 +887,7 @@ public void test310ModifyInducementPass() throws Exception {
 	@Test
 	public void test320ModifyInducementPass2() throws Exception {
 		final String TEST_NAME = "test320ModifyInducementPass2";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -904,9 +903,9 @@ public void test320ModifyInducementPass2() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		clockwork.run(context, task, result);
-		TestUtil.displayThen(TEST_NAME);
+		displayThen(TEST_NAME);
 		result.computeStatus();
 		assertSuccess("unexpected failure", result);
 	}
@@ -915,7 +914,7 @@ public void test320ModifyInducementPass2() throws Exception {
 	@Test
 	public void test330AddInducement() throws Exception {
 		final String TEST_NAME = "test330AddInducement";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -931,13 +930,13 @@ public void test330AddInducement() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		try {
 			clockwork.run(context, task, result);
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			fail("unexpected success");
 		} catch (PolicyViolationException e) {
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			System.out.println("Expected exception: " + e);
 			e.printStackTrace(System.out);
 			if (!getTranslatedMessage(e).contains("Role \"No inducements add or delete\" is to be modified")) {
@@ -950,7 +949,7 @@ public void test330AddInducement() throws Exception {
 	@Test
 	public void test340AddInducementViaExpression() throws Exception {
 		final String TEST_NAME = "test340AddInducementViaExpression";
-		TestUtil.displayTestTitle(this, TEST_NAME);
+		displayTestTitle(TEST_NAME);
 
 		// GIVEN
 		Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
@@ -966,13 +965,13 @@ public void test340AddInducementViaExpression() throws Exception {
 		assertFocusModificationSanity(context);
 
 		// WHEN
-		TestUtil.displayWhen(TEST_NAME);
+		displayWhen(TEST_NAME);
 		try {
 			clockwork.run(context, task, result);
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			fail("unexpected success");
 		} catch (PolicyViolationException e) {
-			TestUtil.displayThen(TEST_NAME);
+			displayThen(TEST_NAME);
 			System.out.println("Expected exception: " + e);
 			e.printStackTrace(System.out);
 			if (!getTranslatedMessage(e).contains("Role \"No inducements add or delete (expression)\" is to be modified")) {
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyStateRecording.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyStateRecording.java
index 0fe255a5455..7849fc0731e 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyStateRecording.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyStateRecording.java
@@ -118,8 +118,7 @@ public void test100JackAssignRoleJudge() throws Exception {
 		t.displayThen();
 		UserType jack = getUser(USER_JACK_OID).asObjectable();
 		display("jack", jack);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(jack.asPrismObject(), ROLE_JUDGE_OID);
 		assertEquals("Wrong # of assignments", 1, jack.getAssignment().size());
@@ -143,8 +142,7 @@ public void test110JackAssignRolePirate() throws Exception {
 		t.displayThen();
 		UserType jack = getUser(USER_JACK_OID).asObjectable();
 		display("jack", jack);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(jack.asPrismObject(), ROLE_PIRATE_OID);
 		assertEquals("Wrong # of assignments", 2, jack.getAssignment().size());
@@ -162,6 +160,7 @@ public void test120RecomputeJack() throws Exception {
 		TestCtx t = createContext(this, "test120RecomputeJack");
 
 		// GIVEN
+		dummyAuditService.clear();
 
 		// WHEN
 		t.displayWhen();
@@ -172,8 +171,7 @@ public void test120RecomputeJack() throws Exception {
 		t.displayThen();
 		UserType jack = getUser(USER_JACK_OID).asObjectable();
 		display("jack", jack);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		// TODO test that assignment IDs are filled in correctly (currently they are not)
 		assertEquals("Wrong # of assignments", 2, jack.getAssignment().size());
@@ -208,8 +206,7 @@ public void test130JackUnassignRolePirate() throws Exception {
 		t.displayThen();
 		jack = getUser(USER_JACK_OID).asObjectable();
 		display("jack", jack);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertNotAssignedRole(jack.asPrismObject(), ROLE_PIRATE_OID);
 		assertEquals("Wrong # of assignments", 1, jack.getAssignment().size());
@@ -240,8 +237,7 @@ public void test200BobAssign2a3a() throws Exception {
 		t.displayThen();
 		UserType bob = getUser(userBobOid).asObjectable();
 		display("bob", bob);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(bob.asPrismObject(), roleATest2aOid);
 		assertAssignedRole(bob.asPrismObject(), roleATest3aOid);
@@ -276,8 +272,7 @@ public void test210BobAssign2b3b() throws Exception {
 		t.displayThen();
 		UserType bob = getUser(userBobOid).asObjectable();
 		display("bob", bob);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(bob.asPrismObject(), roleATest2aOid);
 		assertAssignedRole(bob.asPrismObject(), roleATest2bOid);
@@ -322,8 +317,7 @@ public void test220AliceAssign2a2b() throws Exception {
 		t.displayThen();
 		alice = getUser(alice.getOid()).asObjectable();
 		display("alice", alice);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(alice.asPrismObject(), roleATest2aOid);
 		assertAssignedRole(alice.asPrismObject(), roleATest2bOid);
@@ -360,8 +354,7 @@ public void test230ChuckAssign2a2b() throws Exception {
 		t.displayThen();
 		chuck = getUser(chuck.getOid()).asObjectable();
 		display("chuck", chuck);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(chuck.asPrismObject(), roleATest2aOid);
 		assertAssignedRole(chuck.asPrismObject(), roleATest2bOid);
@@ -399,8 +392,7 @@ public void test240DanAssign2a2b() throws Exception {
 		t.displayThen();
 		dan = getUser(dan.getOid()).asObjectable();
 		display("dan", dan);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(dan.asPrismObject(), roleATest2aOid);
 		assertAssignedRole(dan.asPrismObject(), roleATest2bOid);
@@ -433,8 +425,7 @@ public void test250EveAssign2b() throws Exception {
 		t.displayThen();
 		UserType eve = getUser(userEveOid).asObjectable();
 		display("alice", eve);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertAssignedRole(eve.asPrismObject(), roleATest2aOid);
 		assertAssignedRole(eve.asPrismObject(), roleATest2bOid);
@@ -465,8 +456,7 @@ public void test300MakeRoleWrong() throws Exception {
 		t.displayThen();
 		RoleType wrong = getRole(roleATestWrongOid).asObjectable();
 		display("role 'wrong'", wrong);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertEquals("Wrong policy situations for role", Collections.singletonList(WRONG_URI), wrong.getPolicySituation());
 
@@ -492,8 +482,7 @@ public void test310CreateWrongRole() throws Exception {
 		t.displayThen();
 		wrong2 = getRole(wrong2.getOid()).asObjectable();
 		display("role 'wrong-2'", wrong2);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertEquals("Wrong policy situations for role", Collections.singletonList(WRONG_URI), wrong2.getPolicySituation());
 
@@ -522,8 +511,7 @@ public void test320CreateWrongRoleKnownOid() throws Exception {
 		t.displayThen();
 		wrong3 = getRole(wrong3.getOid()).asObjectable();
 		display("role 'wrong-3'", wrong3);
-		t.result.computeStatus();
-		TestUtil.assertSuccess(t.result);
+		assertSuccess(t.result);
 
 		assertEquals("Wrong policy situations for role", Collections.singletonList(WRONG_URI), wrong3.getPolicySituation());
 
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/sync/TestCorrelationConfiramtionEvaluator.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/sync/TestCorrelationConfiramtionEvaluator.java
index 1c9f7455859..c7c956e187f 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/sync/TestCorrelationConfiramtionEvaluator.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/sync/TestCorrelationConfiramtionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,7 +54,7 @@
 
 @ContextConfiguration(locations = {"classpath:ctx-model-test-main.xml"})
 @DirtiesContext(classMode = ClassMode.AFTER_CLASS)
-public class TestCorrelationConfiramtionEvaluator extends AbstractInternalModelIntegrationTest{
+public class TestCorrelationConfiramtionEvaluator extends AbstractInternalModelIntegrationTest {
 
 	private static final String TEST_DIR = "src/test/resources/sync";
 	private static final String CORRELATION_OR_FILTER = TEST_DIR + "/correlation-or-filter.xml";
@@ -243,7 +243,7 @@ private SynchronizationContext<UserType> createSynchronizationContext(File accou
 		PrismObject<SystemConfigurationType> systemConfiguration = systemObjectCache.getSystemConfiguration(result);
 		assertNotNull("Unexpected null system configuration", systemConfiguration);
 		
-		SynchronizationContext<UserType> syncCtx = new SynchronizationContext<>(shadow.asPrismObject(), shadow.asPrismObject(), resourceType.asPrismObject(), null, task, result);
+		SynchronizationContext<UserType> syncCtx = new SynchronizationContext<>(shadow.asPrismObject(), shadow.asPrismObject(), resourceType.asPrismObject(), null, prismContext, task, result);
 		syncCtx.setSystemConfiguration(systemConfiguration);
 		syncCtx.setObjectSynchronization(objectSynchronizationType);
 		syncCtx.setFocusClass(UserType.class);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestIterativeTasks.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestIterativeTasks.java
new file mode 100644
index 00000000000..1030469ab07
--- /dev/null
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestIterativeTasks.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.intest;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.RunningTask;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.AssertJUnit;
+import org.testng.annotations.Test;
+
+import java.io.File;
+import java.util.Collection;
+
+import static org.testng.AssertJUnit.assertNotNull;
+
+/**
+ * Tests AbstractSearchIterativeTaskHandler and related classes. See e.g. MID-5227.
+ */
+@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestIterativeTasks extends AbstractInitializedModelIntegrationTest {
+
+	public static final File TEST_DIR = new File("src/test/resources/iterative-tasks");
+
+	private static final File TASK_BUCKETS_MULTITHREADED_FILE = new File(TEST_DIR, "task-buckets-multithreaded.xml");
+	private static final String TASK_BUCKETS_MULTITHREADED_OID = "4ccd0cde-c506-49eb-9718-f85ba3438515";
+
+	private static final int BUCKETS = 10;              // must be <= 100   (if > 10, adapt buckets specification in task)
+	private static final int USERS_PER_BUCKET = 3;      // must be <= 10
+
+	private static final int EXPECTED_SUBTASKS = 4;
+
+	private static TestIterativeTasks instance;         // brutal hack
+
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+		createUsers(initResult);
+		instance = this;
+	}
+
+	private void createUsers(OperationResult result) throws ObjectAlreadyExistsException, SchemaException {
+		for (int i = 0; i < BUCKETS; i++) {
+			for (int j = 0; j < USERS_PER_BUCKET; j++) {
+				createUser(result, i*10 + j);
+			}
+		}
+	}
+
+	private void createUser(OperationResult result, int number) throws ObjectAlreadyExistsException, SchemaException {
+		UserType user = new UserType(prismContext)
+				.name(String.format("%03d", number))
+				.subtype("test");
+		repositoryService.addObject(user.asPrismObject(), null, result);
+	}
+
+	/**
+	 * MID-5227
+	 */
+	@Test
+    public void test100RunBucketsMultithreaded() throws Exception {
+		final String TEST_NAME = "test100RunBucketsMultithreaded";
+        displayTestTitle(TEST_NAME);
+
+        // GIVEN
+
+		// WHEN
+        displayWhen(TEST_NAME);
+		addTask(TASK_BUCKETS_MULTITHREADED_FILE);
+
+		// THEN
+		displayThen(TEST_NAME);
+		waitForTaskFinish(TASK_BUCKETS_MULTITHREADED_OID, false);
+	}
+
+	@SuppressWarnings("unused") // called from Groovy code
+	public static void checkLightweightSubtasks(TaskType subtask) {
+		RunningTask parent = instance.taskManager.getLocallyRunningTaskByIdentifier(subtask.getParent());
+		assertNotNull("no parent running task", parent);
+		Collection<? extends RunningTask> subtasks = parent.getLightweightAsynchronousSubtasks();
+		LOGGER.info("Subtask: {}, parent: {}, its subtasks: ({}): {}", subtask, parent, subtasks.size(), subtasks);
+		if (subtasks.size() > EXPECTED_SUBTASKS) {
+			AssertJUnit.fail("Exceeded the expected number of subtasks: have " + subtasks.size() + ", expected max: " + EXPECTED_SUBTASKS + ": " + subtasks);
+		}
+	}
+
+}
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java
index 7f4ad51f2d0..3ea66025c8c 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java
@@ -891,10 +891,11 @@ public void test120AddAccount() throws Exception {
      */
 	@Test
     public void test121ModifyUserAddAccountRef() throws Exception {
-        TestUtil.displayTestTitle(this, "test121ModifyUserAddAccountRef");
+		final String TEST_NAME = "test121ModifyUserAddAccountRef";
+        displayTestTitle(TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestModelServiceContract.class.getName() + ".test121ModifyUserAddAccountRef");
+        Task task = createTask(TEST_NAME);
         OperationResult result = task.getResult();
         preTestCleanup(AssignmentPolicyEnforcementType.POSITIVE);
 
@@ -902,10 +903,9 @@ public void test121ModifyUserAddAccountRef() throws Exception {
 		        .createEmptyModifyDelta(UserType.class, USER_JACK_OID);
         ReferenceDelta accountDelta = prismContext.deltaFactory().reference().createModificationAdd(UserType.F_LINK_REF, getUserDefinition(), accountJackOid);
 		userDelta.addModification(accountDelta);
-		Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(userDelta);
 
 		// WHEN
-		modelService.executeChanges(deltas, null, task, result);
+		executeChanges(userDelta, null, task, result);
 
 		// THEN
 		assertSuccess(result);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/scripting/TestScriptingBasic.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/scripting/TestScriptingBasic.java
index fa75b4f42a1..0100e00d980 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/scripting/TestScriptingBasic.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/scripting/TestScriptingBasic.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.prism.util.PrismAsserts;
 import com.evolveum.midpoint.schema.constants.RelationTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.internals.InternalMonitor;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
@@ -59,7 +60,6 @@
 
 import static com.evolveum.midpoint.prism.xml.XmlTypeConverter.createDuration;
 import static com.evolveum.midpoint.prism.xml.XmlTypeConverter.fromNow;
-import static java.util.Collections.emptyMap;
 import static java.util.Collections.singleton;
 import static org.apache.commons.collections4.CollectionUtils.emptyIfNull;
 import static org.testng.AssertJUnit.*;
@@ -183,7 +183,7 @@ public void test112Echo() throws Exception {
 		ExecuteScriptType executeScript = parseRealValue(ECHO_FILE);
 
 		// WHEN
-		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, emptyMap(), false, task, result);
+		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, VariablesMap.emptyMap(), false, task, result);
 
 		// THEN
 		dumpOutput(output, result);
@@ -259,9 +259,9 @@ public void test202SearchUserWithExpressions() throws Exception {
 		Task task = createTask(DOT_CLASS + TEST_NAME);
 		OperationResult result = task.getResult();
 	    ExecuteScriptType executeScript = prismContext.parserFor(SEARCH_FOR_USERS_WITH_EXPRESSIONS_FILE).parseRealValue();
-	    Map<String, Object> variables = new HashMap<>();
-	    variables.put("value1", "administrator");
-	    variables.put("value2", "jack");
+	    VariablesMap variables = new VariablesMap();
+	    variables.put("value1", "administrator", String.class);
+	    variables.put("value2", "jack", String.class);
 
         // WHEN
         ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, variables, false, task, result);
@@ -996,7 +996,7 @@ public void test520GeneratePasswordsFullInput() throws Exception {
 		ExecuteScriptType executeScript = parseRealValue(GENERATE_PASSWORDS_2_FILE);
 
 		// WHEN
-		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, emptyMap(), false, task, result);
+		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, VariablesMap.emptyMap(), false, task, result);
 
 		// THEN
         dumpOutput(output, result);
@@ -1022,7 +1022,7 @@ public void test530GeneratePasswordsReally() throws Exception {
 		ExecuteScriptType executeScript = parseRealValue(GENERATE_PASSWORDS_3_FILE);
 
 		// WHEN
-		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, emptyMap(), false, task, result);
+		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, VariablesMap.emptyMap(), false, task, result);
 
 		// THEN
         dumpOutput(output, result);
@@ -1124,7 +1124,7 @@ public void test550UseVariables() throws Exception {
 				.addRealValues("group1", "group2", "group3");
 
 		// WHEN
-		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, emptyMap(), false, task, result);
+		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(executeScript, VariablesMap.emptyMap(), false, task, result);
 
 		// THEN
 		dumpOutput(output, result);
@@ -1149,7 +1149,7 @@ public void test560StartTaskFromTemplate() throws Exception {
 		ExecuteScriptType exec = prismContext.parserFor(START_TASKS_FROM_TEMPLATE_FILE).parseRealValue();
 
 		// WHEN
-		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(exec, emptyMap(), false, task, result);
+		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(exec, VariablesMap.emptyMap(), false, task, result);
 
 		// THEN
 		dumpOutput(output, result);
@@ -1227,7 +1227,7 @@ public void test575ResumeTask() throws Exception {
 		ExecuteScriptType exec = prismContext.parserFor(RESUME_SUSPENDED_TASKS_FILE).parseRealValue();
 
 		// WHEN
-		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(exec, emptyMap(), false, task, result);
+		ExecutionContext output = scriptingExpressionEvaluator.evaluateExpression(exec, VariablesMap.emptyMap(), false, task, result);
 
 		// THEN
 		dumpOutput(output, result);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/sync/TestParallelDiscovery.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/sync/TestParallelDiscovery.java
new file mode 100644
index 00000000000..10ac997b8e9
--- /dev/null
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/sync/TestParallelDiscovery.java
@@ -0,0 +1,310 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.intest.sync;
+
+import com.evolveum.icf.dummy.resource.DummyGroup;
+import com.evolveum.icf.dummy.resource.DummyResource;
+import com.evolveum.midpoint.common.refinery.RefinedResourceSchema;
+import com.evolveum.midpoint.common.refinery.RefinedResourceSchemaImpl;
+import com.evolveum.midpoint.model.intest.AbstractInitializedModelIntegrationTest;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.query.ObjectQuery;
+import com.evolveum.midpoint.schema.SearchResultList;
+import com.evolveum.midpoint.schema.internals.InternalCounters;
+import com.evolveum.midpoint.schema.internals.InternalMonitor;
+import com.evolveum.midpoint.schema.internals.InternalOperationClasses;
+import com.evolveum.midpoint.schema.processor.ResourceSchema;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.test.DummyResourceContoller;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.annotations.Test;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import static org.testng.AssertJUnit.assertEquals;
+
+/**
+ * Tests the parallel discovery of accounts with entitlements.
+ *
+ * Do not use in regular tests (for now).
+ *
+ * See MID-5237.
+ *
+ * ------------------------------------------------------------------------------
+ *
+ * Setup:
+ *  - synchronizing accounts from SteelBlue to SteelGrey (using user template that assigns a role for SteelGrey)
+ *  - starting with N user accounts on SteelBlue and SteelGrey; M groups on SteelGrey
+ *  - during SteelGrey account creation, account+groups are discovered there
+ *  - because that occurs in multiple threads, we expect that duplicate group shadows are created
+ *
+ */
+@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestParallelDiscovery extends AbstractInitializedModelIntegrationTest {
+
+	// --- START of test configuration ---
+	private static final SyncKind KIND = SyncKind.IMPORT;
+	private static final Distribution DISTRIBUTION = Distribution.MULTITHREADED;
+	// --- END of test configuration ---
+	
+	private static final File TEST_DIR = new File("src/test/resources/sync");
+	
+	private static final File ROLE_STEELGREY_FILE = new File(TEST_DIR, "role-steelgrey.xml");
+	private static final File USER_TEMPLATE_STEELGREY_FILE = new File(TEST_DIR, "user-template-steelgrey.xml");
+	private static final String USER_TEMPLATE_STEELGREY_OID = "a7745154-c9c4-43d3-89c1-8de89e615baf";
+
+	private static final File RESOURCE_DUMMY_STEELBLUE_FILE = new File(TEST_DIR, "resource-dummy-steelblue.xml");
+	private static final String RESOURCE_DUMMY_STEELBLUE_OID = "8d97261a-ef5e-4199-9700-670577441c7f";
+	private static final String RESOURCE_DUMMY_STEELBLUE_NAME = "steelblue";
+
+	private static final File RESOURCE_DUMMY_STEELGREY_FILE = new File(TEST_DIR, "resource-dummy-steelgrey.xml");
+	private static final String RESOURCE_DUMMY_STEELGREY_OID = "ff5899c7-8b02-4a0e-8f7d-74c154721d5d";
+	private static final String RESOURCE_DUMMY_STEELGREY_NAME = "steelgrey";
+
+	private static final File TASK_IMPORT_DUMMY_STEELBLUE_MULTITHREADED_FILE = new File(TEST_DIR, "task-import-dummy-steelblue-multithreaded.xml");
+	private static final String TASK_IMPORT_DUMMY_STEELBLUE_MULTITHREADED_OID = "d553eec5-0e03-4efd-80ba-18e6715c26aa";
+
+	private static final File TASK_RECONCILE_DUMMY_STEELBLUE_MULTITHREADED_FILE = new File(TEST_DIR, "task-reconcile-dummy-steelblue-multithreaded.xml");
+	private static final String TASK_RECONCILE_DUMMY_STEELBLUE_MULTITHREADED_OID = "c1351099-eabf-4ca3-b157-9a7b6c16b960";
+
+	private static final File TASK_RECONCILE_DUMMY_STEELBLUE_PARTITIONED_FILE = new File(TEST_DIR, "task-reconcile-dummy-steelblue-partitioned.xml");
+	private static final String TASK_RECONCILE_DUMMY_STEELBLUE_PARTITIONED_OID = "0e1f67e2-45b3-4fd9-b193-e1a5fea1d315";
+
+	private DummyResource dummyResourceSteelBlue;
+	private DummyResourceContoller dummyResourceCtlSteelBlue;
+	private ResourceType resourceDummySteelBlueType;
+	private PrismObject<ResourceType> resourceDummySteelBlue;
+
+	private DummyResource dummyResourceSteelGrey;
+	private DummyResourceContoller dummyResourceCtlSteelGrey;
+	private ResourceType resourceDummySteelGreyType;
+	private PrismObject<ResourceType> resourceDummySteelGrey;
+
+	private static final int NUMBER_OF_GROUPS = 10;
+
+	private static final int NUMBER_OF_USERS = 20;
+	private final List<String> userNames = new ArrayList<>();
+
+	private static final double GROUP_ASSIGNMENT_PROBABILITY = 0.3;
+
+	enum SyncKind { IMPORT, RECONCILIATION }
+	enum Distribution { MULTITHREADED, PARTITIONED }
+
+	private String getSyncTaskOid() {
+		if (KIND == SyncKind.IMPORT) {
+			if (DISTRIBUTION == Distribution.MULTITHREADED) {
+				return TASK_IMPORT_DUMMY_STEELBLUE_MULTITHREADED_OID;
+			} else {
+				throw new AssertionError("unsupported");
+			}
+		} else {
+			if (DISTRIBUTION == Distribution.MULTITHREADED) {
+				return TASK_RECONCILE_DUMMY_STEELBLUE_MULTITHREADED_OID;
+			} else {
+				return TASK_RECONCILE_DUMMY_STEELBLUE_PARTITIONED_OID;
+			}
+		}
+	}
+
+	private File getSyncTaskFile() {
+		if (KIND == SyncKind.IMPORT) {
+			if (DISTRIBUTION == Distribution.MULTITHREADED) {
+				return TASK_IMPORT_DUMMY_STEELBLUE_MULTITHREADED_FILE;
+			} else {
+				throw new AssertionError("unsupported");
+			}
+		} else {
+			if (DISTRIBUTION == Distribution.MULTITHREADED) {
+				return TASK_RECONCILE_DUMMY_STEELBLUE_MULTITHREADED_FILE;
+			} else {
+				return TASK_RECONCILE_DUMMY_STEELBLUE_PARTITIONED_FILE;
+			}
+		}
+	}
+
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+
+		repoAddObjectFromFile(ROLE_STEELGREY_FILE, initResult);
+		repoAddObjectFromFile(USER_TEMPLATE_STEELGREY_FILE, initResult);
+		setDefaultUserTemplate(USER_TEMPLATE_STEELGREY_OID);
+
+		dummyResourceCtlSteelBlue = DummyResourceContoller.create(RESOURCE_DUMMY_STEELBLUE_NAME, resourceDummySteelBlue);
+		dummyResourceCtlSteelBlue.extendSchemaPirate();
+		dummyResourceSteelBlue = dummyResourceCtlSteelBlue.getDummyResource();
+		resourceDummySteelBlue = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_STEELBLUE_FILE, RESOURCE_DUMMY_STEELBLUE_OID, initTask, initResult);
+		resourceDummySteelBlueType = resourceDummySteelBlue.asObjectable();
+		dummyResourceCtlSteelBlue.setResource(resourceDummySteelBlue);
+
+		dummyResourceCtlSteelGrey = DummyResourceContoller.create(RESOURCE_DUMMY_STEELGREY_NAME, resourceDummySteelGrey);
+		dummyResourceCtlSteelGrey.extendSchemaPirate();
+		dummyResourceSteelGrey = dummyResourceCtlSteelGrey.getDummyResource();
+		resourceDummySteelGrey = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_STEELGREY_FILE, RESOURCE_DUMMY_STEELGREY_OID, initTask, initResult);
+		resourceDummySteelGreyType = resourceDummySteelGrey.asObjectable();
+		dummyResourceCtlSteelGrey.setResource(resourceDummySteelGrey);
+
+		for (int i = 0; i < NUMBER_OF_USERS; i++) {
+			String userName = String.format("user%06d", i);
+			dummyResourceCtlSteelBlue.addAccount(userName);
+			dummyResourceCtlSteelGrey.addAccount(userName);
+			userNames.add(userName);
+		}
+
+		for (int i = 0; i < NUMBER_OF_GROUPS; i++) {
+			String groupName = String.format("group%06d", i);
+			DummyGroup group = dummyResourceCtlSteelGrey.addGroup(groupName);
+			for (String name : userNames) {
+				if (Math.random() < GROUP_ASSIGNMENT_PROBABILITY) {
+					group.addMember(name);
+				}
+			}
+		}
+
+		InternalMonitor.reset();
+		InternalMonitor.setTrace(InternalOperationClasses.SHADOW_FETCH_OPERATIONS, true);
+	}
+	
+	@Override
+	protected int getNumberOfUsers() {
+		return super.getNumberOfUsers() + NUMBER_OF_USERS;
+	}
+
+	protected PrismObject<UserType> getDefaultActor() {
+		return userAdministrator;
+	}
+
+	@Test
+    public void test001Sanity() throws Exception {
+		final String TEST_NAME = "test001Sanity";
+        displayTestTitle(TEST_NAME);
+
+        display("Dummy resource azure", dummyResourceSteelBlue);
+
+        // WHEN
+        ResourceSchema resourceSchemaSteelBlue = RefinedResourceSchemaImpl.getResourceSchema(resourceDummySteelBlueType, prismContext);
+        ResourceSchema resourceSchemaSteelGrey = RefinedResourceSchemaImpl.getResourceSchema(resourceDummySteelGreyType, prismContext);
+
+        display("Dummy steel blue resource schema", resourceSchemaSteelBlue);
+        display("Dummy steel grey resource schema", resourceSchemaSteelGrey);
+
+        // THEN
+        dummyResourceCtlSteelBlue.assertDummyResourceSchemaSanityExtended(resourceSchemaSteelBlue);
+        dummyResourceCtlSteelGrey.assertDummyResourceSchemaSanityExtended(resourceSchemaSteelGrey);
+	}
+
+	@Test
+    public void test002SanityRefined() throws Exception {
+		final String TEST_NAME = "test002SanityRefined";
+        displayTestTitle(TEST_NAME);
+
+        // WHEN
+        RefinedResourceSchema refinedSchemaSteelBlue = RefinedResourceSchemaImpl.getRefinedSchema(resourceDummySteelBlueType, prismContext);
+        RefinedResourceSchema refinedSchemaSteelGrey = RefinedResourceSchemaImpl.getRefinedSchema(resourceDummySteelGreyType, prismContext);
+
+        display("Dummy steel blue refined schema", refinedSchemaSteelBlue);
+        display("Dummy steel grey refined schema", refinedSchemaSteelGrey);
+
+        // THEN
+        dummyResourceCtlSteelBlue.assertRefinedSchemaSanity(refinedSchemaSteelBlue);
+        dummyResourceCtlSteelGrey.assertRefinedSchemaSanity(refinedSchemaSteelGrey);
+	}
+
+	@Test
+    public void test100Synchronize() throws Exception {
+		final String TEST_NAME = "test100Synchronize";
+        displayTestTitle(TEST_NAME);
+
+        // GIVEN
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+
+        // Preconditions
+        List<PrismObject<UserType>> usersBefore = modelService.searchObjects(UserType.class, null, null, task, result);
+        display("Users before", usersBefore);
+		ObjectQuery onSteelBlueQuery = prismContext.queryFor(ShadowType.class)
+				.item(ShadowType.F_RESOURCE_REF).ref(RESOURCE_DUMMY_STEELBLUE_OID)
+				.build();
+		ObjectQuery onSteelGreyQuery = prismContext.queryFor(ShadowType.class)
+				.item(ShadowType.F_RESOURCE_REF).ref(RESOURCE_DUMMY_STEELGREY_OID)
+				.build();
+		SearchResultList<PrismObject<ShadowType>> shadowsBlueBefore = repositoryService.searchObjects(ShadowType.class, onSteelBlueQuery, null, result);
+		display("Shadows on blue before", shadowsBlueBefore);
+		SearchResultList<PrismObject<ShadowType>> shadowsGreyBefore = repositoryService.searchObjects(ShadowType.class, onSteelGreyQuery, null, result);
+		display("Shadows on grey before", shadowsGreyBefore);
+
+		loginAdministrator();
+
+        dummyAuditService.clear();
+        rememberCounter(InternalCounters.SHADOW_FETCH_OPERATION_COUNT);
+
+		// WHEN
+        displayWhen(TEST_NAME);
+        addObject(getSyncTaskFile(), task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+
+        if (DISTRIBUTION == Distribution.MULTITHREADED) {
+	        waitForTaskFinish(getSyncTaskOid(), true, 600000);
+        } else {
+	        waitForTaskTreeNextFinishedRun(getSyncTaskOid(), 600000);
+        }
+
+        // THEN
+        displayThen(TEST_NAME);
+        result.computeStatus();
+        TestUtil.assertSuccess(result);
+
+		List<PrismObject<UserType>> usersAfter = modelService.searchObjects(UserType.class, null, null, task, result);
+        display("Users after", usersAfter);
+		SearchResultList<PrismObject<ShadowType>> shadowsBlueAfter = repositoryService.searchObjects(ShadowType.class, onSteelBlueQuery, null, result);
+		display("Shadows on blue after", shadowsBlueAfter);
+		SearchResultList<PrismObject<ShadowType>> shadowsGreyAfter = repositoryService.searchObjects(ShadowType.class, onSteelGreyQuery, null, result);
+		display("Shadows on grey after", shadowsGreyAfter);
+
+		List<String> shadowNames = shadowsGreyAfter.stream().map(o -> o.getName().getOrig()).collect(Collectors.toList());
+		Set<String> uniqueNames = new HashSet<>();
+		List<String> duplicateNames = shadowNames.stream()
+				.filter(e -> !uniqueNames.add(e))
+				.collect(Collectors.toList());
+		System.out.println("Shadow (grey) names: " + shadowNames.size());
+		System.out.println("Unique (grey) shadow names: " + uniqueNames.size());
+		System.out.println("Duplicate (grey) names: " + duplicateNames);
+		assertEquals("Duplicate (grey) names: " + duplicateNames, 0, duplicateNames.size());
+
+		PrismObject<ShadowType> account0 = shadowsGreyAfter.stream()
+				.filter(o -> o.asObjectable().getName().getOrig().equals(userNames.get(0))).findFirst().orElseThrow(AssertionError::new);
+		PrismObject<ShadowType> shadow = modelService.getObject(ShadowType.class, account0.getOid(), null, task, result);
+		display("user0 shadow", shadow);
+	}
+
+}
diff --git a/model/model-intest/src/test/resources/common/role-pirate.xml b/model/model-intest/src/test/resources/common/role-pirate.xml
index 8fe1599fe0a..5ce03e9b45b 100644
--- a/model/model-intest/src/test/resources/common/role-pirate.xml
+++ b/model/model-intest/src/test/resources/common/role-pirate.xml
@@ -1,5 +1,5 @@
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -25,6 +25,12 @@
     	<extension>
     		<piracy:sea>The Seven Seas</piracy:sea>
     	</extension>
+    	<!-- This role is always assigned to users. Therefore this should not be needed.
+    	     But, there are some attempts in security tests to assign this role to another role.
+    	     This attempt fails on gossip attribute mapping not getting fullName. We do not want
+    	     that failure, we want to check whether security properly denies the operation.
+    	     Hence the focusType definition. -->
+    	<focusType>UserType</focusType>
     	<construction id="60004">
     		<resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
     		<kind>account</kind>
@@ -73,7 +79,7 @@
                 	</source>
                 	<expression>
 						<script>
-							<code>fullName + ' is the best pirate ' + ( locality == null ? 'the world' : locality ) + ' has ever seen'</code> 
+							<code>fullName + ' is the best pirate ' + ( locality == null ? 'the world' : locality ) + ' has ever seen'</code>
 						</script>
 					</expression>
 				</outbound>
diff --git a/model/model-intest/src/test/resources/iterative-tasks/task-buckets-multithreaded.xml b/model/model-intest/src/test/resources/iterative-tasks/task-buckets-multithreaded.xml
new file mode 100644
index 00000000000..a9606e2f797
--- /dev/null
+++ b/model/model-intest/src/test/resources/iterative-tasks/task-buckets-multithreaded.xml
@@ -0,0 +1,68 @@
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	  xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+	  xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	  xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	  oid="4ccd0cde-c506-49eb-9718-f85ba3438515">
+	<name>Buckets, multiple threads</name>
+	<extension xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
+			   xmlns:se="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3" xsi:type="c:ExtensionType">
+		<mext:workerThreads>4</mext:workerThreads>
+		<mext:objectType>UserType</mext:objectType>
+		<mext:objectQuery>
+			<q:filter>
+				<q:equal>
+					<q:path>subtype</q:path>
+					<q:value>test</q:value>
+				</q:equal>
+			</q:filter>
+		</mext:objectQuery>
+		<se:executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
+			<s:action>
+				<s:type>execute-script</s:type>
+				<s:parameter>
+					<s:name>script</s:name>
+					<c:value xsi:type="c:ScriptExpressionEvaluatorType">
+						<c:code>
+							log.info('Found user {}', input)
+							com.evolveum.midpoint.model.intest.TestIterativeTasks.checkLightweightSubtasks(task)
+						</c:code>
+					</c:value>
+				</s:parameter>
+			</s:action>
+		</se:executeScript>
+	</extension>
+	<taskIdentifier>4ccd0cde-c506-49eb-9718-f85ba3438515</taskIdentifier>
+	<ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"/>
+	<executionStatus>runnable</executionStatus>
+	<category>BulkActions</category>
+	<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/iterative-scripting/handler-3</handlerUri>
+	<workManagement>
+		<taskKind>standalone</taskKind>
+		<buckets>
+			<stringSegmentation>
+				<c:discriminator>name</c:discriminator>
+				<boundaryCharacters>0</boundaryCharacters>
+				<boundaryCharacters>0-9</boundaryCharacters>
+			</stringSegmentation>
+		</buckets>
+	</workManagement>
+	<recurrence>single</recurrence>
+	<binding>loose</binding>
+</task>
diff --git a/model/model-intest/src/test/resources/schema/piracy.xsd b/model/model-intest/src/test/resources/schema/piracy.xsd
index bf67bad924c..c2d7dad61bb 100644
--- a/model/model-intest/src/test/resources/schema/piracy.xsd
+++ b/model/model-intest/src/test/resources/schema/piracy.xsd
@@ -209,5 +209,18 @@
 			</xsd:element>
 		</xsd:sequence>
 	</xsd:complexType>
+	
+	<!-- org extension -->
+
+    <xsd:complexType name="OrgTypeExtensionType">
+        <xsd:annotation>
+            <xsd:appinfo>
+                <a:extension ref="c:OrgType"/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+			<xsd:element ref="tns:sea"/>
+        </xsd:sequence>
+    </xsd:complexType>
 
 </xsd:schema>
diff --git a/model/model-intest/src/test/resources/sync/resource-dummy-steelgrey.xml b/model/model-intest/src/test/resources/sync/resource-dummy-steelgrey.xml
new file mode 100644
index 00000000000..42bc7653705
--- /dev/null
+++ b/model/model-intest/src/test/resources/sync/resource-dummy-steelgrey.xml
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!-- Simplified resource for testing multithreaded discovery -->
+
+<resource oid="ff5899c7-8b02-4a0e-8f7d-74c154721d5d"
+		  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+	<name>Dummy Resource SteelGrey</name>
+	<connectorRef type="c:ConnectorType">
+		<filter>
+			<q:and>
+				<q:equal>
+					<q:path>connectorType</q:path>
+					<q:value>com.evolveum.icf.dummy.connector.DummyConnector</q:value>
+				</q:equal>
+				<q:equal>
+					<q:path>connectorVersion</q:path>
+					<q:value>2.0</q:value>
+				</q:equal>
+			</q:and>
+		</filter>
+	</connectorRef>
+	<connectorConfiguration xmlns:icfi="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.icf.dummy/com.evolveum.icf.dummy.connector.DummyConnector"
+	               xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+					   
+		<icfc:configurationProperties>
+			<icfi:instanceId>steelgrey</icfi:instanceId>
+		</icfc:configurationProperties>
+		<icfc:resultsHandlerConfiguration>
+			<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
+		</icfc:resultsHandlerConfiguration>
+
+	</connectorConfiguration>
+
+	<schemaHandling>
+	
+		<objectType>
+			<kind>account</kind>
+			<intent>default</intent>
+			<displayName>Default Account</displayName>
+			<default>true</default>
+			<objectClass>ri:AccountObjectClass</objectClass>
+			<attribute>
+				<ref>icfs:name</ref>
+				<outbound>
+					<source>
+						<path>name</path>
+					</source>
+				</outbound>
+			</attribute>
+			<attribute>
+				<ref>icfs:uid</ref>
+				<displayName>UID</displayName>
+			</attribute>
+			<association>
+            	<ref>ri:group</ref>
+            	<kind>entitlement</kind>
+            	<intent>group</intent>
+            	<direction>objectToSubject</direction>
+            	<associationAttribute>ri:members</associationAttribute>
+            	<valueAttribute>icfs:name</valueAttribute>
+            </association>
+		</objectType>
+		
+		<objectType>
+			<kind>entitlement</kind>
+        	<intent>group</intent>
+        	<default>true</default>
+        	<objectClass>ri:GroupObjectClass</objectClass>
+        	<attribute>
+				<ref>icfs:name</ref>
+				<outbound>
+				    <source>
+				    	<path>name</path>
+				    </source>
+				</outbound>
+			</attribute>
+            <attribute>
+				<ref>ri:members</ref>
+				<fetchStrategy>minimal</fetchStrategy>
+			</attribute>
+        </objectType>
+		
+	</schemaHandling>
+	
+	<synchronization>
+		<objectSynchronization>
+			<enabled>true</enabled>
+			<objectClass>ri:AccountObjectClass</objectClass>
+			<kind>account</kind>
+			<intent>default</intent>
+			<correlation>
+				<q:equal>
+					<q:path>c:name</q:path>
+					<expression>
+						<script>
+							<code>
+								basic.getAttributeValue(account,
+								'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3', 'name')
+							</code>
+						</script>
+					</expression>
+				</q:equal>
+			</correlation>
+			<reaction>
+				<situation>linked</situation>
+				<synchronize>true</synchronize>
+			</reaction>
+			<reaction>
+				<situation>deleted</situation>
+				<synchronize>true</synchronize>
+				<action>
+					<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
+				</action>
+			</reaction>
+			<reaction>
+				<situation>unlinked</situation>
+				<synchronize>true</synchronize>
+				<action>
+					<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
+				</action>
+			</reaction>
+			<reaction>
+				<situation>unmatched</situation>
+			</reaction>
+		</objectSynchronization>
+		<objectSynchronization>
+			<enabled>true</enabled>
+			<objectClass>ri:GroupObjectClass</objectClass>
+			<kind>entitlement</kind>
+			<intent>group</intent>
+			<focusType>RoleType</focusType>
+			<correlation>
+				<q:equal>
+					<q:path>c:name</q:path>
+					<expression>
+						<script>
+							<code>
+								basic.getAttributeValue(account, 
+									'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3', 'name')
+							</code>
+						</script>
+					</expression>
+				</q:equal>
+			</correlation>
+			<reaction>
+	            <situation>linked</situation>
+	            <synchronize>true</synchronize>
+	        </reaction>
+	        <reaction>
+	            <situation>deleted</situation>
+	            <synchronize>true</synchronize>
+	            <action>
+	            	<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
+	            </action>
+	        </reaction>
+	        <reaction>
+	            <situation>unlinked</situation>
+	            <synchronize>true</synchronize>
+	            <action>
+	            	<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
+	            </action>
+	        </reaction>
+	        <reaction>
+	            <situation>unmatched</situation>
+	        </reaction>
+        </objectSynchronization>
+	</synchronization>
+</resource>
diff --git a/model/model-intest/src/test/resources/sync/role-steelgrey.xml b/model/model-intest/src/test/resources/sync/role-steelgrey.xml
new file mode 100644
index 00000000000..c13fdfe680b
--- /dev/null
+++ b/model/model-intest/src/test/resources/sync/role-steelgrey.xml
@@ -0,0 +1,27 @@
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="3ada6d1a-13a3-495b-943f-5b541a764bf1"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>SteelGrey</name>
+    <inducement>
+    	<construction>
+    		<resourceRef oid="ff5899c7-8b02-4a0e-8f7d-74c154721d5d" type="c:ResourceType"/> <!--  Dummy Steel Grey -->
+    		<kind>account</kind>
+    		<intent>default</intent>
+    	</construction>
+    </inducement>
+</role>
diff --git a/model/model-intest/src/test/resources/sync/user-template-steelgrey.xml b/model/model-intest/src/test/resources/sync/user-template-steelgrey.xml
new file mode 100644
index 00000000000..2139e235348
--- /dev/null
+++ b/model/model-intest/src/test/resources/sync/user-template-steelgrey.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<objectTemplate oid="a7745154-c9c4-43d3-89c1-8de89e615baf"
+                xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+
+    <name>User template for SteelGrey</name>
+
+    <mapping>
+        <name>SteelGrey Role assignment</name>
+        <expression>
+            <assignmentTargetSearch>
+                <targetType>c:RoleType</targetType>
+                <oid>3ada6d1a-13a3-495b-943f-5b541a764bf1</oid>
+            </assignmentTargetSearch>
+        </expression>
+        <target>
+            <path>assignment</path>
+        </target>
+    </mapping>
+
+</objectTemplate>
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index e90f07b5ffc..b2c0bc26016 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -107,7 +107,6 @@
 import com.evolveum.midpoint.model.api.context.ModelProjectionContext;
 import com.evolveum.midpoint.model.api.expr.MidpointFunctions;
 import com.evolveum.midpoint.model.api.hooks.HookRegistry;
-import com.evolveum.midpoint.model.api.util.ModelUtils;
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.common.stringpolicy.UserValuePolicyOriginResolver;
 import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
@@ -130,6 +129,7 @@
 import com.evolveum.midpoint.provisioning.api.ProvisioningService;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
+import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
@@ -6325,5 +6325,9 @@ protected <O extends AbstractRoleType> AssignmentCandidatesSpecificationAsserter
 		asserter.display();
 		return asserter;
 	}
+	
+	protected ExpressionVariables createVariables(Object... params) {
+		return ExpressionVariables.create(prismContext, params);
+	}
 
 }
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/BaseEvent.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/BaseEvent.java
index 9b00fbac5e5..43ac74665ce 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/BaseEvent.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/BaseEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,7 +22,9 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.path.*;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifier;
 import com.evolveum.midpoint.task.api.LightweightIdentifierGenerator;
@@ -34,10 +36,8 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
-import javax.xml.namespace.QName;
 import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 
 /**
  * @author mederly
@@ -54,6 +54,7 @@ public abstract class BaseEvent implements Event, DebugDumpable, ShortDumpable {
 	protected final EventHandlerType adHocHandler;
 
 	private transient NotificationFunctions notificationFunctions;	// needs not be set when creating an event ... it is set in NotificationManager
+	private transient PrismContext prismContext;
 
     // about who is this operation (null if unknown);
     // - for model notifications, this is the focus, (usually a user but may be e.g. role or other kind of object)
@@ -240,13 +241,23 @@ boolean changeTypeMatchesOperationType(ChangeType changeType, EventOperationType
         }
     }
 
-    public void createExpressionVariables(Map<QName, Object> variables, OperationResult result) {
-        variables.put(SchemaConstants.C_EVENT, this);
-        variables.put(SchemaConstants.C_REQUESTER, requester != null ? requester.resolveObjectType(result, false) : null);
-        variables.put(SchemaConstants.C_REQUESTEE, requestee != null ? requestee.resolveObjectType(result, true) : null);
+    public void createExpressionVariables(VariablesMap variables, OperationResult result) {
+        variables.put(ExpressionConstants.VAR_EVENT, this, Event.class);
+        variables.put(ExpressionConstants.VAR_REQUESTER, resolveTypedObject(requester, false, result));
+        variables.put(ExpressionConstants.VAR_REQUESTEE, resolveTypedObject(requestee, true, result));
     }
 
-    // Finding items in deltas/objects
+    protected TypedValue<ObjectType> resolveTypedObject(SimpleObjectRef ref, boolean allowNotFound, OperationResult result) {
+		if (ref == null) {
+			PrismObjectDefinition<ObjectType> def = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+			return new TypedValue<>(null, def);
+		} else {
+			ObjectType resolveObjectType = ref.resolveObjectType(result, allowNotFound);
+			return new TypedValue<>(resolveObjectType, resolveObjectType.asPrismObject().getDefinition());
+		}
+	}
+
+	// Finding items in deltas/objects
     // this is similar to delta.hasItemDelta but much, much more relaxed (we completely ignore ID path segments and we take subpaths into account)
     //
     // Very experimental implementation. Needs a bit of time to clean up and test adequately.
@@ -374,6 +385,14 @@ public void setNotificationFunctions(NotificationFunctions notificationFunctions
 		this.notificationFunctions = notificationFunctions;
 	}
 
+	public PrismContext getPrismContext() {
+		return prismContext;
+	}
+
+	public void setPrismContext(PrismContext prismContext) {
+		this.prismContext = prismContext;
+	}
+
 	public String getStatusAsText() {
 		if (isSuccess()) {
 			return "SUCCESS";
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/CaseWorkItemEvent.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/CaseWorkItemEvent.java
index f299e9647a5..c9e00c8dfa3 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/CaseWorkItemEvent.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/CaseWorkItemEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,7 +18,9 @@
 
 import com.evolveum.midpoint.prism.delta.ChangeType;
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifierGenerator;
 import com.evolveum.midpoint.util.DebugUtil;
@@ -64,10 +66,10 @@ public SimpleObjectRef getAssignee() {
     }
 
 	@Override
-    public void createExpressionVariables(Map<QName, Object> variables, OperationResult result) {
+    public void createExpressionVariables(VariablesMap variables, OperationResult result) {
         super.createExpressionVariables(variables, result);
-        variables.put(SchemaConstants.C_ASSIGNEE, assignee.resolveObjectType(result, false));
-        variables.put(SchemaConstants.C_WORK_ITEM, workItem);
+        variables.put(ExpressionConstants.VAR_ASSIGNEE, resolveTypedObject(assignee, false, result));
+        variables.put(ExpressionConstants.VAR_WORK_ITEM, workItem, CaseWorkItemType.class);
     }
 
 	@Override
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/Event.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/Event.java
index 0a5c502577f..2c60f513f4c 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/Event.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/Event.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,16 +17,13 @@
 package com.evolveum.midpoint.notifications.api.events;
 
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifier;
 import com.evolveum.midpoint.util.DebugDumpable;
 import com.evolveum.midpoint.util.ShortDumpable;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 
-import javax.xml.namespace.QName;
-
-import java.util.Map;
-
 /**
  * @author mederly
  */
@@ -82,7 +79,7 @@ public interface Event extends DebugDumpable, ShortDumpable {
 
     void setRequestee(SimpleObjectRef requestee);
 
-    void createExpressionVariables(Map<QName, Object> variables, OperationResult result);
+    void createExpressionVariables(VariablesMap variables, OperationResult result);
 
     /**
      * Checks if the event is related to an item with a given path.
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemAllocationEvent.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemAllocationEvent.java
index 11a8fccfcfc..3eb5d057ee1 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemAllocationEvent.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemAllocationEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package com.evolveum.midpoint.notifications.api.events;
 
 import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifierGenerator;
 import com.evolveum.midpoint.wf.api.WorkItemOperationInfo;
@@ -26,8 +27,6 @@
 import org.jetbrains.annotations.Nullable;
 
 import javax.xml.datatype.Duration;
-import javax.xml.namespace.QName;
-import java.util.Map;
 
 /**
  * @author mederly
@@ -52,7 +51,7 @@ public boolean isCategoryType(EventCategoryType eventCategoryType) {
     }
 
 	@Override
-    public void createExpressionVariables(Map<QName, Object> variables, OperationResult result) {
+    public void createExpressionVariables(VariablesMap variables, OperationResult result) {
         super.createExpressionVariables(variables, result);
     }
 
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemCustomEvent.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemCustomEvent.java
index 10114624762..c1f0219b3e2 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemCustomEvent.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemCustomEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package com.evolveum.midpoint.notifications.api.events;
 
 import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifierGenerator;
 import com.evolveum.midpoint.wf.api.WorkItemOperationSourceInfo;
@@ -24,9 +25,6 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
-import javax.xml.namespace.QName;
-import java.util.Map;
-
 /**
  * @author mederly
  */
@@ -50,7 +48,7 @@ public boolean isCategoryType(EventCategoryType eventCategoryType) {
     }
 
 	@Override
-    public void createExpressionVariables(Map<QName, Object> variables, OperationResult result) {
+    public void createExpressionVariables(VariablesMap variables, OperationResult result) {
         super.createExpressionVariables(variables, result);
     }
 
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemEvent.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemEvent.java
index 9a78ce6b4c7..492af28fe1c 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemEvent.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,8 @@
 package com.evolveum.midpoint.notifications.api.events;
 
 import com.evolveum.midpoint.prism.delta.ChangeType;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifierGenerator;
 import com.evolveum.midpoint.util.DebugUtil;
@@ -29,9 +30,6 @@
 import org.jetbrains.annotations.Nullable;
 
 import javax.xml.datatype.Duration;
-import javax.xml.namespace.QName;
-
-import java.util.Map;
 
 /**
  * @author mederly
@@ -115,10 +113,10 @@ public WorkItemOperationSourceInfo getSourceInfo() {
 	}
 
 	@Override
-    public void createExpressionVariables(Map<QName, Object> variables, OperationResult result) {
+    public void createExpressionVariables(VariablesMap variables, OperationResult result) {
         super.createExpressionVariables(variables, result);
-        variables.put(SchemaConstants.C_ASSIGNEE, assignee != null ? assignee.resolveObjectType(result, false) : null);
-        variables.put(SchemaConstants.C_WORK_ITEM, workItem);
+        variables.put(ExpressionConstants.VAR_ASSIGNEE, resolveTypedObject(assignee, false, result));
+        variables.put(ExpressionConstants.VAR_WORK_ITEM, workItem, WorkItemType.class);
     }
 
     public AbstractWorkItemOutputType getOutput() {
diff --git a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemLifecycleEvent.java b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemLifecycleEvent.java
index 806006812b5..d7e6e819c7c 100644
--- a/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemLifecycleEvent.java
+++ b/model/notifications-api/src/main/java/com/evolveum/midpoint/notifications/api/events/WorkItemLifecycleEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package com.evolveum.midpoint.notifications.api.events;
 
 import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.LightweightIdentifierGenerator;
 import com.evolveum.midpoint.wf.api.WorkItemOperationInfo;
@@ -25,9 +26,6 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
-import javax.xml.namespace.QName;
-import java.util.Map;
-
 /**
  * @author mederly
  */
@@ -50,7 +48,7 @@ public boolean isCategoryType(EventCategoryType eventCategoryType) {
     }
 
 	@Override
-    public void createExpressionVariables(Map<QName, Object> variables, OperationResult result) {
+    public void createExpressionVariables(VariablesMap variables, OperationResult result) {
         super.createExpressionVariables(variables, result);
     }
 
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/NotificationManagerImpl.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/NotificationManagerImpl.java
index 2eee894fe28..012c51e06a3 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/NotificationManagerImpl.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/NotificationManagerImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import com.evolveum.midpoint.notifications.api.events.BaseEvent;
 import com.evolveum.midpoint.notifications.api.events.Event;
 import com.evolveum.midpoint.notifications.api.transports.Transport;
+import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -55,11 +56,9 @@ public class NotificationManagerImpl implements NotificationManager {
     @Qualifier("cacheRepositoryService")
     private transient RepositoryService cacheRepositoryService;
 
-	@Autowired
-	private NotificationFunctions notificationFunctions;
-
-	@Autowired
-	private TaskManager taskManager;
+	@Autowired private PrismContext prismContext;
+	@Autowired private NotificationFunctions notificationFunctions;
+	@Autowired private TaskManager taskManager;
 
     private boolean disabled = false;               // for testing purposes (in order for model-intest to run more quickly)
 
@@ -110,6 +109,7 @@ public void processEvent(@Nullable Event event, Task task, OperationResult resul
 
 		if (event instanceof BaseEvent) {
 			((BaseEvent) event).setNotificationFunctions(notificationFunctions);
+			((BaseEvent) event).setPrismContext(prismContext);
 		}
 
 		LOGGER.trace("NotificationManager processing event:\n{}", event.debugDumpLazily(1));
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/CustomTransport.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/CustomTransport.java
index 8645ab73c76..b3639530382 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/CustomTransport.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/CustomTransport.java
@@ -30,8 +30,10 @@
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
 import com.evolveum.midpoint.repo.api.RepositoryService;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -159,15 +161,15 @@ private void evaluateExpression(ExpressionType expressionType, ExpressionVariabl
         QName resultName = new QName(SchemaConstants.NS_C, "result");
         PrismPropertyDefinition<String> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, DOMUtil.XSD_STRING);
 
-        Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+        Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
         ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
         ModelExpressionThreadLocalHolder.evaluateExpressionInContext(expression, params, task, result);
     }
 
     protected ExpressionVariables getDefaultVariables(Message message, Event event) throws UnsupportedEncodingException {
     	ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(SchemaConstants.C_MESSAGE, message);
-        variables.addVariableDefinition(SchemaConstants.C_EVENT, event);
+        variables.put(ExpressionConstants.VAR_MESSAGE, message, Message.class);
+        variables.put(ExpressionConstants.VAR_EVENT, event, Event.class);
         return variables;
     }
 
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/MailTransport.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/MailTransport.java
index 28d79275e04..0468bdd38df 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/MailTransport.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/MailTransport.java
@@ -16,7 +16,8 @@
 
 package com.evolveum.midpoint.notifications.impl.api.transports;
 
-import java.io.File;
+import static com.evolveum.midpoint.notifications.impl.api.transports.TransportUtil.formatToFileOld;
+
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.Date;
@@ -25,10 +26,6 @@
 import javax.activation.DataHandler;
 import javax.activation.DataSource;
 import javax.activation.FileDataSource;
-import javax.activation.FileTypeMap;
-import javax.activation.MimeType;
-import javax.activation.MimeTypeParseException;
-import javax.activation.MimetypesFileTypeMap;
 import javax.annotation.PostConstruct;
 import javax.mail.BodyPart;
 import javax.mail.MessagingException;
@@ -38,18 +35,14 @@
 import javax.mail.internet.MimeBodyPart;
 import javax.mail.internet.MimeMessage;
 import javax.mail.internet.MimeMultipart;
-import javax.mail.internet.MimeUtility;
 
-import com.evolveum.midpoint.notifications.api.events.Event;
 import org.apache.commons.lang.StringUtils;
-import org.bouncycastle.asn1.dvcs.Data;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
-import org.springframework.util.MimeTypeUtils;
 
-import com.evolveum.midpoint.model.api.util.ModelUtils;
 import com.evolveum.midpoint.notifications.api.NotificationManager;
+import com.evolveum.midpoint.notifications.api.events.Event;
 import com.evolveum.midpoint.notifications.api.transports.Message;
 import com.evolveum.midpoint.notifications.api.transports.Transport;
 import com.evolveum.midpoint.notifications.impl.NotificationFunctionsImpl;
@@ -72,8 +65,6 @@
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
 
-import static com.evolveum.midpoint.notifications.impl.api.transports.TransportUtil.formatToFileOld;
-
 /**
  * @author mederly
  */
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/SimpleSmsTransport.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/SimpleSmsTransport.java
index d4feb13f7a8..b0e30845530 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/SimpleSmsTransport.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/api/transports/SimpleSmsTransport.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,8 +31,10 @@
 import com.evolveum.midpoint.notifications.impl.NotificationFunctionsImpl;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.repo.api.RepositoryService;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -320,7 +322,7 @@ private List<String> evaluateExpression(ExpressionType expressionType, Expressio
         }
 
         Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression =
-		        expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+		        expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
         ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
         PrismValueDeltaSetTriple<PrismPropertyValue<String>> exprResult = ModelExpressionThreadLocalHolder
 				.evaluateExpressionInContext(expression, params, task, result);
@@ -339,19 +341,19 @@ private List<String> evaluateExpression(ExpressionType expressionType, Expressio
 
     protected ExpressionVariables getDefaultVariables(String from, List<String> to, Message message) throws UnsupportedEncodingException {
     	ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(SchemaConstants.C_FROM, from);
-        variables.addVariableDefinition(SchemaConstants.C_ENCODED_FROM, URLEncoder.encode(from, "US-ASCII"));
-        variables.addVariableDefinition(SchemaConstants.C_TO, to.get(0));
-        variables.addVariableDefinition(SchemaConstants.C_TO_LIST, to);
+        variables.put(ExpressionConstants.VAR_FROM, from, String.class);
+        variables.put(ExpressionConstants.VAR_ENCODED_FROM, URLEncoder.encode(from, "US-ASCII"), String.class);
+        variables.put(ExpressionConstants.VAR_TO, to.get(0), String.class);
+        variables.put(ExpressionConstants.VAR_TO_LIST, to, List.class);
 	    List<String> encodedTo = new ArrayList<>();
 	    for (String s : to) {
 		    encodedTo.add(URLEncoder.encode(s, "US-ASCII"));
 	    }
-	    variables.addVariableDefinition(SchemaConstants.C_ENCODED_TO, encodedTo.get(0));
-	    variables.addVariableDefinition(SchemaConstants.C_ENCODED_TO_LIST, encodedTo);
-        variables.addVariableDefinition(SchemaConstants.C_MESSAGE_TEXT, message.getBody());
-        variables.addVariableDefinition(SchemaConstants.C_ENCODED_MESSAGE_TEXT, URLEncoder.encode(message.getBody(), "US-ASCII"));
-        variables.addVariableDefinition(SchemaConstants.C_MESSAGE, message);
+	    variables.put(ExpressionConstants.VAR_ENCODED_TO, encodedTo.get(0), String.class);
+	    variables.put(ExpressionConstants.VAR_ENCODED_TO_LIST, encodedTo, List.class);
+        variables.put(ExpressionConstants.VAR_MESSAGE_TEXT, message.getBody(), String.class);
+        variables.put(ExpressionConstants.VAR_ENCODED_MESSAGE_TEXT, URLEncoder.encode(message.getBody(), "US-ASCII"), String.class);
+        variables.put(ExpressionConstants.VAR_MESSAGE, message, Message.class);
         return variables;
     }
 
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/helpers/NotificationExpressionHelper.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/helpers/NotificationExpressionHelper.java
index 85a7549d484..44173fedfae 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/helpers/NotificationExpressionHelper.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/helpers/NotificationExpressionHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import com.evolveum.midpoint.model.common.SystemObjectCache;
 import com.evolveum.midpoint.model.impl.expr.ModelExpressionThreadLocalHolder;
+import com.evolveum.midpoint.notifications.api.NotificationFunctions;
 import com.evolveum.midpoint.notifications.api.events.Event;
 import com.evolveum.midpoint.notifications.impl.NotificationFunctionsImpl;
 import com.evolveum.midpoint.notifications.impl.formatters.TextFormatter;
@@ -29,7 +30,9 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.*;
@@ -81,7 +84,7 @@ public boolean evaluateBooleanExpression(ExpressionType expressionType, Expressi
 
 		QName resultName = new QName(SchemaConstants.NS_C, "result");
 		PrismPropertyDefinition<Boolean> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, DOMUtil.XSD_BOOLEAN);
-		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+		Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
 
 		PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> exprResultTriple = ModelExpressionThreadLocalHolder
@@ -119,7 +122,7 @@ private List<String> evaluateExpression(ExpressionType expressionType, Expressio
 		MutablePrismPropertyDefinition<String> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, DOMUtil.XSD_STRING);
 		resultDef.setMaxOccurs(-1);
 
-		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+		Expression<PrismPropertyValue<String>,PrismPropertyDefinition<String>> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<String>> exprResult = ModelExpressionThreadLocalHolder
 				.evaluateExpressionInContext(expression, params, task, result);
@@ -151,7 +154,7 @@ public List<NotificationMessageAttachmentType> evaluateNotificationMessageAttach
 
 		QName resultName = new QName(SchemaConstants.NS_C, "result");
 		PrismPropertyDefinition<NotificationMessageAttachmentType> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, NotificationMessageAttachmentType.COMPLEX_TYPE);
-		Expression<PrismPropertyValue<NotificationMessageAttachmentType>,PrismPropertyDefinition<NotificationMessageAttachmentType>> expression = expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+		Expression<PrismPropertyValue<NotificationMessageAttachmentType>,PrismPropertyDefinition<NotificationMessageAttachmentType>> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
 
 		PrismValueDeltaSetTriple<PrismPropertyValue<NotificationMessageAttachmentType>> exprResultTriple = ModelExpressionThreadLocalHolder
@@ -171,11 +174,12 @@ public List<NotificationMessageAttachmentType> evaluateNotificationMessageAttach
 
 	public ExpressionVariables getDefaultVariables(Event event, OperationResult result) {
 		ExpressionVariables expressionVariables = new ExpressionVariables();
-		Map<QName, Object> variables = new HashMap<>();
+		VariablesMap variables = new VariablesMap();
 		event.createExpressionVariables(variables, result);
-		variables.put(SchemaConstants.C_TEXT_FORMATTER, textFormatter);
-		variables.put(SchemaConstants.C_NOTIFICATION_FUNCTIONS, notificationsUtil);
-		variables.put(ExpressionConstants.VAR_CONFIGURATION, getSystemConfiguration(result));
+		variables.put(ExpressionConstants.VAR_TEXT_FORMATTER, textFormatter, TextFormatter.class);
+		variables.put(ExpressionConstants.VAR_NOTIFICATION_FUNCTIONS, notificationsUtil, NotificationFunctions.class);
+		PrismObject<SystemConfigurationType> systemConfiguration = getSystemConfiguration(result);
+		variables.put(ExpressionConstants.VAR_CONFIGURATION, systemConfiguration, systemConfiguration.getDefinition());
 		expressionVariables.addVariableDefinitions(variables);
 		return expressionVariables;
 	}
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/CustomNotifier.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/CustomNotifier.java
index 68fe25de639..6cf1f6164d7 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/CustomNotifier.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/CustomNotifier.java
@@ -34,8 +34,10 @@
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
@@ -115,7 +117,7 @@ public boolean processEvent(Event event, EventHandlerType eventHandlerType, Noti
 
 			try {
 				for (String transportName : config.getTransport()) {
-					variables.addVariableDefinition(SchemaConstants.C_TRANSPORT_NAME, transportName);
+					variables.put(ExpressionConstants.VAR_TRANSPORT_NAME, transportName, String.class);
 					Transport transport = notificationManager.getTransport(transportName);
 
 					Message message = getMessageFromExpression(config, variables, task, result);
@@ -171,7 +173,7 @@ private List<NotificationMessageType> evaluateExpression(ExpressionType expressi
 				prismContext.definitionFactory().createPropertyDefinition(resultName, NotificationMessageType.COMPLEX_TYPE);
 
 		Expression<PrismPropertyValue<NotificationMessageType>,PrismPropertyDefinition<NotificationMessageType>> expression =
-				expressionFactory.makeExpression(expressionType, resultDef, shortDesc, task, result);
+				expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 		ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, shortDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<NotificationMessageType>> exprResult = ModelExpressionThreadLocalHolder
 				.evaluateExpressionInContext(expression, params, task, result);
diff --git a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/GeneralNotifier.java b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/GeneralNotifier.java
index 917f56127a8..e631d55dcbc 100644
--- a/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/GeneralNotifier.java
+++ b/model/notifications-impl/src/main/java/com/evolveum/midpoint/notifications/impl/notifiers/GeneralNotifier.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.polystring.PolyString;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
@@ -112,7 +113,7 @@ public boolean processEvent(Event event, EventHandlerType eventHandlerType, Noti
                     try {
                         for (String transportName : generalNotifierType.getTransport()) {
 
-                            variables.replaceVariableDefinition(SchemaConstants.C_TRANSPORT_NAME, transportName);
+                            variables.put(ExpressionConstants.VAR_TRANSPORT_NAME, transportName, String.class);
                             Transport transport = notificationManager.getTransport(transportName);
 
                             List<String> recipientsAddresses = getRecipientsAddresses(event, generalNotifierType, variables,
diff --git a/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportManager.java b/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportManager.java
index 4b27eb35665..cdde8dcbc8a 100644
--- a/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportManager.java
+++ b/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportManager.java
@@ -35,10 +35,6 @@
 import java.io.InputStream;
 
 /**
- * todo comments [lazyman]
- *
- * WORK IN PROGRESS
- *
  * @author lazyman
  * @author katkav
  */
diff --git a/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportService.java b/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportService.java
index 7db3b4fc761..9976029c6d2 100644
--- a/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportService.java
+++ b/model/report-api/src/main/java/com/evolveum/midpoint/report/api/ReportService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,9 +16,6 @@
 package com.evolveum.midpoint.report.api;
 
 import java.util.Collection;
-import java.util.Map;
-
-import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.audit.api.AuditEventRecord;
 import com.evolveum.midpoint.prism.Containerable;
@@ -28,6 +25,9 @@
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -35,20 +35,29 @@
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 
 public interface ReportService {
 
 	String PARAMETER_REPORT_SERVICE = "reportService";
 
-	ObjectQuery parseQuery(String query, Map<QName, Object> parameters) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;
+	PrismObject<ReportType> getReportDefinition(String reportOid, Task task, OperationResult result)
+			throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
+	
+	ObjectQuery parseQuery(PrismObject<ReportType> report, String query, VariablesMap parameters, Task task, OperationResult result) 
+			throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;
 
-	Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery query,
-			Collection<SelectorOptions<GetOperationOptions>> options) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
+	Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery query, Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult result)
+			throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
 
-	Collection<PrismContainerValue<? extends Containerable>> evaluateScript(String script, Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
-	Object evaluate(String script, Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
+	Collection<PrismContainerValue<? extends Containerable>> evaluateScript(PrismObject<ReportType> report, String script, VariablesMap parameters, Task task, OperationResult result) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
+	
+	Object evaluate(PrismObject<ReportType> report, String script, VariablesMap parameters, Task task, OperationResult result)
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
 
-	Collection<AuditEventRecord> evaluateAuditScript(String script, Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
+	Collection<AuditEventRecord> evaluateAuditScript(PrismObject<ReportType> report, String script, VariablesMap parameters, Task task, OperationResult result) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
 
 	// hack todo fixme
 	PrismContext getPrismContext();
diff --git a/model/report-impl/pom.xml b/model/report-impl/pom.xml
index 808d1fdfc26..ab9557e3025 100644
--- a/model/report-impl/pom.xml
+++ b/model/report-impl/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -133,6 +133,10 @@
 			<groupId>commons-lang</groupId>
 			<artifactId>commons-lang</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-lang3</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointCompiler.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointCompiler.java
index 25055d2fc00..a4e24b8fe34 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointCompiler.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointCompiler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,12 @@
 import java.io.File;
 import java.io.Serializable;
 
+import com.evolveum.midpoint.schema.util.ReportTypeUtil;
+import com.evolveum.midpoint.util.DebugUtil;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+
+import net.sf.jasperreports.compilers.JRGroovyGenerator;
 import net.sf.jasperreports.crosstabs.JRCrosstab;
 import net.sf.jasperreports.engine.JRDataset;
 import net.sf.jasperreports.engine.JRException;
@@ -27,16 +33,21 @@
 import net.sf.jasperreports.engine.design.JRCompilationSourceCode;
 import net.sf.jasperreports.engine.design.JRCompilationUnit;
 import net.sf.jasperreports.engine.design.JRCompiler;
+import net.sf.jasperreports.engine.design.JRDefaultCompilationSourceCode;
 import net.sf.jasperreports.engine.design.JRSourceCompileTask;
 import net.sf.jasperreports.engine.design.JasperDesign;
 import net.sf.jasperreports.engine.fill.JREvaluator;
 
 /**
- * @author katka
- *
+ * Custom expression compiler for JasperReports. This class is used to direct all expression execution
+ * to our custom evaluator (JRMidpointEvaluator).
+ * This compiler is not really compiling anything. It just fakes everything.
+ * 
+ * @author katkav
  */
 public class JRMidpointCompiler extends JRAbstractCompiler {
 	
+	private static final transient Trace LOGGER = TraceManager.getTrace(JRMidpointCompiler.class);
 	
 	/**
 	 * @param jasperReportsContext
@@ -44,7 +55,6 @@ public class JRMidpointCompiler extends JRAbstractCompiler {
 	 */
 	public JRMidpointCompiler(JasperReportsContext jasperReportsContext) {
 		super(jasperReportsContext, false);
-		// TODO Auto-generated constructor stub
 	}
 
 	/* (non-Javadoc)
@@ -85,10 +95,9 @@ protected JREvaluator loadEvaluator(Serializable compileData, String unitName) t
 	 */
 	@Override
 	protected void checkLanguage(String language) throws JRException {
-		if (!"midPoint".equals(language)) {
-			throw new JRException("asdasd");
+		if (!ReportTypeUtil.REPORT_LANGUAGE.equals(language)) {
+			throw new JRException("Expression language '"+language+" is not supported");
 		}
-			
 	}
 
 	/* (non-Javadoc)
@@ -96,7 +105,7 @@ protected void checkLanguage(String language) throws JRException {
 	 */
 	@Override
 	protected JRCompilationSourceCode generateSourceCode(JRSourceCompileTask sourceTask) throws JRException {
-		// TODO Auto-generated method stub
+//		return new JRDefaultCompilationSourceCode("FAKE", null);
 		return null;
 	}
 
@@ -105,7 +114,7 @@ protected JRCompilationSourceCode generateSourceCode(JRSourceCompileTask sourceT
 	 */
 	@Override
 	protected String compileUnits(JRCompilationUnit[] units, String classpath, File tempDirFile) throws JRException {
-		// TODO Auto-generated method stub
+		// just pretend compilation, do nothing
 		return null;
 	}
 
@@ -114,7 +123,6 @@ protected String compileUnits(JRCompilationUnit[] units, String classpath, File
 	 */
 	@Override
 	protected String getSourceFileName(String unitName) {
-		// TODO Auto-generated method stub
 		return unitName;
 	}
 
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointEvaluator.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointEvaluator.java
index e8562f7a211..01c09d2f96c 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointEvaluator.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/JRMidpointEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,44 +16,24 @@
 package com.evolveum.midpoint.report.impl;
 
 import java.io.Serializable;
-import java.util.HashMap;
 import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Set;
 
-import javax.xml.namespace.QName;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.ApplicationContextAware;
-
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator;
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluatorFactory;
-import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionUtil;
-import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluatorFactory;
-import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
+import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.report.api.ReportService;
-import com.evolveum.midpoint.util.exception.CommunicationException;
-import com.evolveum.midpoint.util.exception.ConfigurationException;
-import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
-import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
-import com.evolveum.midpoint.util.exception.SchemaException;
-import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.ReportTypeUtil;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
-import com.ibm.icu.text.ChineseDateFormat.Field;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 
 import net.sf.jasperreports.engine.JRDataset;
 import net.sf.jasperreports.engine.JRException;
 import net.sf.jasperreports.engine.JRExpression;
 import net.sf.jasperreports.engine.JRExpressionChunk;
-import net.sf.jasperreports.engine.JRField;
 import net.sf.jasperreports.engine.JRRuntimeException;
 import net.sf.jasperreports.engine.JasperReport;
-import net.sf.jasperreports.engine.fill.ExpressionValues;
-import net.sf.jasperreports.engine.fill.FillExpressionDefaultValues;
-import net.sf.jasperreports.engine.fill.FillExpressionEstimatedValues;
-import net.sf.jasperreports.engine.fill.FillExpressionOldValues;
 import net.sf.jasperreports.engine.fill.JREvaluator;
 import net.sf.jasperreports.engine.fill.JRExpressionEvalException;
 import net.sf.jasperreports.engine.fill.JRFillField;
@@ -73,6 +53,8 @@ public class JRMidpointEvaluator extends JREvaluator {
 	
 	private ReportService reportService;
 	
+	private PrismObject<ReportType> report;
+	
 	private JasperReport jasperReport;
 	private JRDataset dataset;
 	
@@ -96,28 +78,79 @@ public JRMidpointEvaluator(JasperReport jasperReprot) {
 	}
 	
 	@Override
-	protected void customizedInit(Map<String, JRFillParameter> parametersMap, Map<String, JRFillField> fieldsMap,
+	public void customizedInit(Map<String, JRFillParameter> parametersMap, Map<String, JRFillField> fieldsMap,
 			Map<String, JRFillVariable> variablesMap) throws JRException {
-		LOGGER.info("cutomized init: ");
-		LOGGER.info("parametersMap : {}", parametersMap);
-		LOGGER.info("fieldsMap : {}", fieldsMap);
-		LOGGER.info("variablesMap : {}", variablesMap);
+		LOGGER.trace("customizedInit: ");
+		LOGGER.trace("  parametersMap : {}", parametersMap);
+		LOGGER.trace("  fieldsMap : {}", fieldsMap);
+		LOGGER.trace("  variablesMap : {}", variablesMap);
 		
 		this.parametersMap = parametersMap;
 		this.fieldsMap = fieldsMap;
 		this.variablesMap = variablesMap;
+		
+		PrismObject<ReportType> midPointReportObject = (PrismObject<ReportType>) parametersMap.get(ReportTypeUtil.PARAMETER_REPORT_OBJECT).getValue();
+		LOGGER.trace("midPointReportObject : {}", midPointReportObject);
 				
 		reportService = SpringApplicationContext.getBean(ReportService.class);
+		
+	}
+	
+	private Task getTask() {
+		JRFillParameter taskParam = parametersMap.get(ReportTypeUtil.PARAMETER_TASK);
+		if (taskParam == null) {
+			//TODO throw exception??
+			return null;
+		}
+		
+		return (Task) taskParam.getValue();
+	}
+	
+	private OperationResult getOperationResult() {
+		JRFillParameter resultParam = parametersMap.get(ReportTypeUtil.PARAMETER_OPERATION_RESULT);
+		if (resultParam == null) {
+			//TODO throw exception???
+			return null;
+		}
+		return (OperationResult) resultParam.getValue();
+	}
+	
+	private PrismObject<ReportType> getReport() {
+		JRFillParameter resultParam = parametersMap.get(ReportTypeUtil.PARAMETER_REPORT_OBJECT);
+		if (resultParam == null) {
+			//TODO throw exception???
+			return null;
+		}
+		return (PrismObject<ReportType>) resultParam.getValue();
 	}
 
 	@Override
 	public Object evaluate(JRExpression expression) throws JRExpressionEvalException {
+		return evaluateExpression(expression, Mode.DEFAULT);
+	}
+	
+	@Override
+	public Object evaluateOld(JRExpression expression) throws JRExpressionEvalException {
+		return evaluateExpression(expression, Mode.OLD);
+	}
+	
+	@Override
+	public Object evaluateEstimated(JRExpression expression) throws JRExpressionEvalException {
+		return evaluateExpression(expression, Mode.ESTIMATED);
+	}
+	
+	private void logEvaluate(Mode mode, JRExpression expression) {
+		LOGGER.trace("JasperReport expression: evaluate({}): {} (type:{})", mode, expression, expression==null?null:expression.getType());
+	}
+	
+	private Object evaluateExpression(JRExpression expression, Mode mode) {
+		logEvaluate(mode, expression);
 		if (expression == null) {
 			return null;
 		}
 		JRExpressionChunk[] ch = expression.getChunks();
 		
-		Map<QName, Object> parameters = new HashMap<>();
+		VariablesMap variables = new VariablesMap();
 		
 		String groovyCode = "";
 		
@@ -125,64 +158,141 @@ public Object evaluate(JRExpression expression) throws JRExpressionEvalException
 			if (chunk == null) {
 				break;
 			}
+//			LOGGER.trace("JR chunk: {}: {}", chunk.getType(), chunk.getText());
 			
-			switch (chunk.getType()){
+			groovyCode += chunk.getText();
+			switch (chunk.getType()) {
 				case JRExpressionChunk.TYPE_FIELD:
-					groovyCode += chunk.getText();
 					JRFillField field = fieldsMap.get(chunk.getText());
-					parameters.put(new QName(field.getName()), field.getValue());
+					variables.put(field.getName(), getFieldValue(chunk.getText(), mode), field.getValueClass());
 					break;
 				case JRExpressionChunk.TYPE_PARAMETER:
-					groovyCode += chunk.getText();
 					JRFillParameter param = parametersMap.get(chunk.getText());
-					parameters.put(new QName(param.getName()), param.getValue());
+					// Mode does not influence this one
+					variables.put(param.getName(), param.getValue(), param.getValueClass());
 					break;
 				case JRExpressionChunk.TYPE_VARIABLE:
-					groovyCode += chunk.getText();
 					JRFillVariable var = variablesMap.get(chunk.getText());
-					parameters.put(new QName(var.getName()), var.getValue());
+					variables.put(var.getName(), var.getValue(), var.getValueClass());
 					break;
 				case JRExpressionChunk.TYPE_TEXT:
-					groovyCode += chunk.getText();
 					break;
-				default :
-					groovyCode += chunk.getText();
+				default:
+					LOGGER.trace("nothing to do for chunk type {}", chunk.getType());
 						
 			}
 			
 		}
 		
-		
-		if (reportService != null) {
-			try {
-				return reportService.evaluate(groovyCode, parameters);
-			} catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException | CommunicationException
-					| ConfigurationException | SecurityViolationException e) {
-				throw new JRRuntimeException(e.getMessage(), e);
-			}
+		if (reportService == null) {
+			throw new JRRuntimeException("No report service");
 		}
 		
-		byte type = ch[0].getType();
-		return "tralalal";
+		try {
+			
+			Object evaluationResult = reportService.evaluate(getReport(), groovyCode, variables, getTask(), getOperationResult());
+			
+			traceEvaluationSuccess(mode, variables, groovyCode, evaluationResult);
+			return evaluationResult;
+			
+		} catch (Throwable e) {
+			traceEvaluationFailure(mode, variables, groovyCode, e);
+			throw new JRRuntimeException(e.getMessage(), e);
+		}
+
+	}
+	
+	private void traceEvaluationSuccess(Mode mode, VariablesMap variables, String code, Object result) {
+		if (!LOGGER.isTraceEnabled()) {
+			return;
+		}
+		StringBuilder sb = traceEvaluationHead(mode, variables, code);
+		sb.append("Result: ").append(result).append("\n");
+		traceEvaluationTail(sb);
+	}
+	
+	private void traceEvaluationFailure(Mode mode, VariablesMap variables, String code, Throwable e) {
+		if (!LOGGER.isTraceEnabled()) {
+			return;
+		}
+		StringBuilder sb = traceEvaluationHead(mode, variables, code);
+		sb.append("Error: ").append(e).append("\n");
+		traceEvaluationTail(sb);
+	}
+
+	
+	private StringBuilder traceEvaluationHead(Mode mode, VariablesMap variables, String code) {
+		StringBuilder sb = new StringBuilder();
+		sb.append("---[ JasperReport expression evaluation ]---\n");
+		sb.append("Report: ").append(getReport()).append("\n");
+		sb.append("Mode: ").append(mode).append("\n");
+		sb.append("Variables:\n");
+		sb.append(variables.debugDump(1)).append("\n");
+		sb.append("Code:\n");
+		sb.append(code).append("\n");
+		return sb;
+	}
+
+	
+	private void traceEvaluationTail(StringBuilder sb) {
+		sb.append("---------------------------------------------");
+		LOGGER.trace("\n{}", sb.toString());
 	}
 
+	private Object getFieldValue(String name, Mode mode) {
+		JRFillField field = fieldsMap.get(name);
+		if (field == null) {
+			return null;
+		}
+		switch (mode) {
+			case DEFAULT:
+			case ESTIMATED:
+				return field.getValue();
+			case OLD:
+				return field.getOldValue();
+			default:
+				throw new IllegalArgumentException("Wrong mode "+mode);
+		}
+	}
+	
+	private Object getVariableValue(String name, Mode mode) {
+		JRFillVariable var = variablesMap.get(name);
+		if (var == null) {
+			return null;
+		}
+		switch (mode) {
+			case DEFAULT:
+				return var.getValue();
+			case ESTIMATED:
+				return var.getEstimatedValue();
+			case OLD:
+				return var.getOldValue();
+			default:
+				throw new IllegalArgumentException("Wrong mode "+mode);
+		}
+	}
+	
+	enum Mode { DEFAULT, OLD, ESTIMATED };
+	
+	// NOT USED
+
 	@Override
 	protected Object evaluate(int id) throws Throwable {
-		LOGGER.info("evaluate: {}", id);
-		return null;
-		
+		// Not used. Not even invoked.
+		throw new UnsupportedOperationException("Boom! This code should not be reached");
 	}
 
 	@Override
 	protected Object evaluateOld(int id) throws Throwable {
-		LOGGER.info("evaluateOld: {}", id);
-		return null;
+		// Not used. Not even invoked.
+		throw new UnsupportedOperationException("Boom! This code should not be reached");
 	}
 
 	@Override
 	protected Object evaluateEstimated(int id) throws Throwable {
-		LOGGER.info("evaluateEstimated: {}", id);
-		return null;
+		// Not used. Not even invoked.
+		throw new UnsupportedOperationException("Boom! This code should not be reached");
 	}
 
+
 }
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointLocalQueryExecutor.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointLocalQueryExecutor.java
index a11f89aaff5..29064d82e17 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointLocalQueryExecutor.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointLocalQueryExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,6 +35,11 @@
 import com.evolveum.midpoint.report.api.ReportService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.ReportTypeUtil;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -44,6 +49,7 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 
 public class MidPointLocalQueryExecutor extends MidPointQueryExecutor {
 
@@ -52,6 +58,9 @@ public class MidPointLocalQueryExecutor extends MidPointQueryExecutor {
 	private String script;
 	private Class type;
 	private ReportService reportService;
+	private PrismObject<ReportType> report;
+	private Task task;
+	private OperationResult operationResult;
 
 
 	public MidPointLocalQueryExecutor(JasperReportsContext jasperReportsContext, JRDataset dataset,
@@ -62,41 +71,58 @@ public MidPointLocalQueryExecutor(JasperReportsContext jasperReportsContext, JRD
 	protected MidPointLocalQueryExecutor(JasperReportsContext jasperReportsContext, JRDataset dataset,
 			Map<String, ? extends JRValueParameter> parametersMap) {
 		super(jasperReportsContext, dataset, parametersMap);
+		
+		if (LOGGER.isDebugEnabled()) {
+			LOGGER.debug("Creating MidPointLocalQueryExecutor, params:\n{}", ReportUtils.dumpParams(parametersMap, 1));
+		}
 
 		//JRFillParameter fillparam = (JRFillParameter) parametersMap.get(JRParameter.REPORT_PARAMETERS_MAP);
 		//Map reportParams = (Map) fillparam.getValue();
-		reportService = (ReportService) parametersMap.get(ReportService.PARAMETER_REPORT_SERVICE).getValue();
+		reportService = getParameterValue(parametersMap, ReportService.PARAMETER_REPORT_SERVICE);
+		report = getParameterValue(parametersMap, ReportTypeUtil.PARAMETER_REPORT_OBJECT);
+		task = getParameterValue(parametersMap, ReportTypeUtil.PARAMETER_TASK);
+
+		// The PARAMETER_OPERATION_RESULT will not make it here. It is properly set in the task, but it won't arrive here.
+		// No idea why.
+//		operationResult = getParameterValue(parametersMap, ReportCreateTaskHandler.PARAMETER_OPERATION_RESULT);
+		operationResult = task.getResult(); // WORKAROUND
 
 		parseQuery();
 	}
+	
+	private <T> T getParameterValue(Map<String, ? extends JRValueParameter> parametersMap, String name) {
+		JRValueParameter jrValueParameter = parametersMap.get(name);
+		if (jrValueParameter == null) {
+			throw new IllegalArgumentException("No parameter '"+name+"' in JasperReport parameters");
+		}
+		return (T) jrValueParameter.getValue();
+	}
 
 	@Override
-	protected <T> PrismPropertyValue<T> createPropertyValue(T realValue) {
-		return reportService.getPrismContext().itemFactory().createPropertyValue(realValue);
+	protected <T> TypedValue<T> createTypedPropertyValue(T realValue, Class<T> valueClass) {
+		PrismPropertyValue<T> pval = reportService.getPrismContext().itemFactory().createPropertyValue(realValue);
+		return new TypedValue<>(pval, valueClass);
 	}
 
 	@Override
-	protected Object getParsedQuery(String query, Map<QName, Object> expressionParameters) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
-		return reportService.parseQuery(query, expressionParameters);
+	protected Object getParsedQuery(String query, VariablesMap expressionParameters) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
+		return reportService.parseQuery(report, query, expressionParameters, task, operationResult);
 	}
 
 	@Override
 	protected Collection<PrismObject<? extends ObjectType>> searchObjects(Object query, Collection<SelectorOptions<GetOperationOptions>> options) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException{
-		return reportService.searchObjects((ObjectQuery) query, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+		return reportService.searchObjects((ObjectQuery) query, SelectorOptions.createCollection(GetOperationOptions.createRaw()), task, operationResult);
 	}
 
 	@Override
-	protected Collection<PrismContainerValue<? extends Containerable>>
-	evaluateScript(String script,
-				   Map<QName, Object> parameters) throws SchemaException, ObjectNotFoundException,
-			SecurityViolationException, CommunicationException, ConfigurationException,
-			ExpressionEvaluationException {
-		return reportService.evaluateScript(script, getParameters());
+	protected Collection<PrismContainerValue<? extends Containerable>> evaluateScript(String script, VariablesMap parameters)
+			throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+		return reportService.evaluateScript(report, script, getParameters(), task, operationResult);
 	}
 
 	@Override
-	protected Collection<AuditEventRecord> searchAuditRecords(String script, Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
-		return reportService.evaluateAuditScript(script, parameters);
+	protected Collection<AuditEventRecord> searchAuditRecords(String script, VariablesMap parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+		return reportService.evaluateAuditScript(report, script, parameters, task, operationResult);
 	}
 
 	@Override
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutor.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutor.java
index 6ae7fcbb104..7280acdf6ca 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutor.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,11 +17,8 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.Map;
 
-import javax.xml.namespace.QName;
-
 import com.evolveum.midpoint.prism.*;
 import net.sf.jasperreports.engine.JRDataSource;
 import net.sf.jasperreports.engine.JRDataset;
@@ -38,6 +35,8 @@
 import com.evolveum.midpoint.report.api.ReportService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -49,14 +48,15 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.audit_3.AuditEventRecordType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 
 public abstract class MidPointQueryExecutor extends JRAbstractQueryExecuter {
 
 	private static final Trace LOGGER = TraceManager.getTrace(MidPointLocalQueryExecutor.class);
+	
 	private Object query;
 	private String script;
 	private Class type;
-	private ReportService reportService;
 
 	public String getScript() {
 		return script;
@@ -68,11 +68,11 @@ public Class getType() {
 		return type;
 	}
 
-	protected abstract <T> PrismPropertyValue<T> createPropertyValue(T realValue);
+	protected abstract <T> TypedValue<T> createTypedPropertyValue(T realValue, Class<T> valueClass);
 
-	protected Map<QName, Object> getParameters(){
+	protected VariablesMap getParameters(){
 		JRParameter[] params = dataset.getParameters();
-		Map<QName, Object> expressionParameters = new HashMap<>();
+		VariablesMap expressionParameters = new VariablesMap();
 		for (JRParameter param : params){
 			if (param.isSystemDefined()){
 				continue;
@@ -80,7 +80,7 @@ protected Map<QName, Object> getParameters(){
 			//LOGGER.trace(((JRBaseParameter)param).getName());
 			Object v = getParameterValue(param.getName());
 			try{
-			expressionParameters.put(new QName(param.getName()), createPropertyValue(v));
+			expressionParameters.put(param.getName(), createTypedPropertyValue(v, (Class)param.getValueClass()));
 			} catch (Exception e){
 				//just skip properties that are not important for midpoint
 			}
@@ -90,20 +90,20 @@ protected Map<QName, Object> getParameters(){
 		return expressionParameters;
 	}
 
-	protected Map<QName, Object> getPromptingParameters(){
+	protected VariablesMap getPromptingParameters() {
 		JRParameter[] params = dataset.getParameters();
-		Map<QName, Object> expressionParameters = new HashMap<>();
-		for (JRParameter param : params){
-			if (param.isSystemDefined()){
+		VariablesMap expressionParameters = new VariablesMap();
+		for (JRParameter param : params) {
+			if (param.isSystemDefined()) {
 				continue;
 			}
-			if (!param.isForPrompting()){
+			if (!param.isForPrompting()) {
 				continue;
 			}
 			//LOGGER.trace(((JRBaseParameter)param).getName());
 			Object v = getParameterValue(param.getName());
 			try{
-			expressionParameters.put(new QName(param.getName()), createPropertyValue(v));
+			expressionParameters.put(param.getName(), createTypedPropertyValue(v, (Class)param.getValueClass()));
 			} catch (Exception e){
 				//just skip properties that are not important for midpoint
 			}
@@ -113,7 +113,7 @@ protected Map<QName, Object> getPromptingParameters(){
 		return expressionParameters;
 	}
 
-	protected abstract Object getParsedQuery(String query, Map<QName, Object> expressionParameters) throws  SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;
+	protected abstract Object getParsedQuery(String query, VariablesMap expressionParameters) throws  SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;
 
 	protected String getParsedScript(String script){
 		String normalized = script.replace("<code>", "");
@@ -127,9 +127,9 @@ protected MidPointQueryExecutor(JasperReportsContext jasperReportsContext, JRDat
 
 	protected abstract Collection<PrismObject<? extends ObjectType>> searchObjects(Object query, Collection<SelectorOptions<GetOperationOptions>> options) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
 
-	protected abstract Collection<PrismContainerValue<? extends Containerable>> evaluateScript(String script, Map<QName, Object> parameters) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
+	protected abstract Collection<PrismContainerValue<? extends Containerable>> evaluateScript(String script, VariablesMap parameters) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
 
-	protected abstract Collection<AuditEventRecord> searchAuditRecords(String script, Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
+	protected abstract Collection<AuditEventRecord> searchAuditRecords(String script, VariablesMap parameters) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
 
 	protected abstract JRDataSource createDataSourceFromObjects(Collection<PrismObject<? extends ObjectType>> results);
 
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutorFactory.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutorFactory.java
index bfcf0c6a566..ef1e9d7aa26 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutorFactory.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/MidPointQueryExecutorFactory.java
@@ -1,8 +1,24 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.midpoint.report.impl;
 
 import java.util.Map;
 
 import com.evolveum.midpoint.report.api.ReportService;
+import com.evolveum.midpoint.schema.util.ReportTypeUtil;
 
 import net.sf.jasperreports.engine.JRDataset;
 import net.sf.jasperreports.engine.JRException;
@@ -12,7 +28,7 @@
 import net.sf.jasperreports.engine.query.JRQueryExecuter;
 
 
-public class MidPointQueryExecutorFactory extends AbstractQueryExecuterFactory{
+public class MidPointQueryExecutorFactory extends AbstractQueryExecuterFactory {
 
 
 //	public final static String PARAMETER_MIDPOINT_CONNECTION = "MIDPOINT_CONNECTION";
@@ -26,7 +42,10 @@ public class MidPointQueryExecutorFactory extends AbstractQueryExecuterFactory{
 
 
 	private final static Object[] MIDPOINT_BUILTIN_PARAMETERS = {
-		ReportService.PARAMETER_REPORT_SERVICE, "midpoint.connection"
+		ReportService.PARAMETER_REPORT_SERVICE, ReportTypeUtil.PARAMETER_OPERATION_RESULT,
+		ReportTypeUtil.PARAMETER_REPORT_OBJECT, ReportTypeUtil.PARAMETER_REPORT_OID,
+		ReportTypeUtil.PARAMETER_TASK,
+		"midpoint.connection"
 		};
 
 
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportCreateTaskHandler.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportCreateTaskHandler.java
index 1ef83132dd9..f3daf50ba0f 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportCreateTaskHandler.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportCreateTaskHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,10 +37,15 @@
 import com.evolveum.midpoint.task.api.*;
 import net.sf.jasperreports.engine.JRException;
 import net.sf.jasperreports.engine.JRTemplate;
+import net.sf.jasperreports.engine.JasperCompileManager;
 import net.sf.jasperreports.engine.JasperExportManager;
 import net.sf.jasperreports.engine.JasperFillManager;
 import net.sf.jasperreports.engine.JasperPrint;
 import net.sf.jasperreports.engine.JasperReport;
+import net.sf.jasperreports.engine.design.JRDesignExpression;
+import net.sf.jasperreports.engine.design.JRDesignParameter;
+import net.sf.jasperreports.engine.design.JRDesignReportTemplate;
+import net.sf.jasperreports.engine.design.JasperDesign;
 import net.sf.jasperreports.engine.export.JRCsvExporter;
 import net.sf.jasperreports.engine.export.JRRtfExporter;
 import net.sf.jasperreports.engine.export.JRXlsExporter;
@@ -81,6 +86,7 @@
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.schema.util.ReportTypeUtil;
 import com.evolveum.midpoint.task.api.TaskRunResult.TaskRunResultStatus;
+import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -116,15 +122,18 @@ public class ReportCreateTaskHandler implements TaskHandler {
     public static final String REPORT_CREATE_TASK_URI = "http://midpoint.evolveum.com/xml/ns/public/report/create/handler-3";
     private static final Trace LOGGER = TraceManager.getTrace(ReportCreateTaskHandler.class);
 
-    private static String PARAMETER_TEMPLATE_STYLES = "baseTemplateStyles";
-    private static String PARAMETER_REPORT_OID = "reportOid";
-    private static String PARAMETER_OPERATION_RESULT = "operationResult";
+    // TODO: is this a good place for those constants?
+//    public static final String PARAMETER_TEMPLATE_STYLES = "baseTemplateStyles";
+//    public static final String PARAMETER_REPORT_OID = "midpointReportOid";
+//    public static final String PARAMETER_REPORT_OBJECT = "midpointReportObject";
+//    public static final String PARAMETER_TASK = "midpointTask";
+//    public static final String PARAMETER_OPERATION_RESULT = "midpointOperationResult";
 
-    private static String MIDPOINT_HOME = System.getProperty("midpoint.home");
-    private static String EXPORT_DIR = MIDPOINT_HOME + "export/";
-    private static String TEMP_DIR = MIDPOINT_HOME + "tmp/";
+    private static final String MIDPOINT_HOME = System.getProperty("midpoint.home");
+    private static final String EXPORT_DIR = MIDPOINT_HOME + "export/";
+    private static final String TEMP_DIR = MIDPOINT_HOME + "tmp/";
 
-    private static String JASPER_VIRTUALIZER_PKG = "net.sf.jasperreports.engine.fill";
+    private static final String JASPER_VIRTUALIZER_PKG = "net.sf.jasperreports.engine.fill";
 
     @Autowired private TaskManager taskManager;
     @Autowired private ModelService modelService;
@@ -157,7 +166,7 @@ public TaskRunResult run(RunningTask task, TaskPartitionDefinitionType partition
             ReportType parentReport = objectResolver.resolve(task.getObjectRef(), ReportType.class, null, "resolving report", task, result);
             Map<String, Object> parameters = completeReport(parentReport, task, result);
 
-            JasperReport jasperReport = ReportTypeUtil.loadJasperReport(parentReport);
+            JasperReport jasperReport = loadJasperReport(parentReport);
             LOGGER.trace("compile jasper design, create jasper report : {}", jasperReport);
 
             PrismContainer<ReportParameterType> reportParams = (PrismContainer) task.getExtensionItem(ReportConstants.REPORT_PARAMS_PROPERTY_NAME);
@@ -224,8 +233,11 @@ public TaskRunResult run(RunningTask task, TaskPartitionDefinitionType partition
                     LOGGER.error("Cannot find Jasper virtualizer: " + e.getMessage());
                 }
             }
+            
+            if (LOGGER.isTraceEnabled()) {
+            	LOGGER.trace("All Report parameters:\n{}", DebugUtil.debugDump(parameters, 1));
+            }
 
-            LOGGER.trace("All Report parameters : {}", parameters);
             JasperPrint jasperPrint = JasperFillManager.fillReport(jasperReport, parameters);
             LOGGER.trace("fill report : {}", jasperPrint);
 
@@ -276,46 +288,19 @@ private Map<String, Object> completeReport(ReportType parentReport, JasperReport
             params.put(subReportName, subReport);
         }
 
-        Map<String, Object> parameters = prepareReportParameters(parentReport, result);
+        Map<String, Object> parameters = prepareReportParameters(parentReport, task, result);
         params.putAll(parameters);
-        LOGGER.trace("create report params : {}", parameters);
 
         Map<String, Object> subreportParameters = processSubreportParameters(parentReport, task, result);
         params.putAll(subreportParameters);
+        
+        if (LOGGER.isTraceEnabled()) {
+        	LOGGER.trace("create report params:\n{}", DebugUtil.debugDump(parameters, 1));
+        }
         return params;
     }
 
-//	private JasperReport loadJasperReport(ReportType reportType) throws SchemaException{
-//
-//			if (reportType.getTemplate() == null) {
-//				throw new IllegalStateException("Could not create report. No jasper template defined.");
-//			}
-//			try	 {
-//		    	 	byte[] reportTemplate = Base64.decodeBase64(reportType.getTemplate());
-//		    	
-//		    	 	InputStream inputStreamJRXML = new ByteArrayInputStream(reportTemplate);
-//		    	 	JasperDesign jasperDesign = JRXmlLoader.load(inputStreamJRXML);
-//		    	 	LOGGER.trace("load jasper design : {}", jasperDesign);
-//
-//				 if (reportType.getTemplateStyle() != null){
-//					JRDesignReportTemplate templateStyle = new JRDesignReportTemplate(new JRDesignExpression("$P{" + PARAMETER_TEMPLATE_STYLES + "}"));
-//					jasperDesign.addTemplate(templateStyle);
-//					JRDesignParameter parameter = new JRDesignParameter();
-//					parameter.setName(PARAMETER_TEMPLATE_STYLES);
-//					parameter.setValueClass(JRTemplate.class);
-//					parameter.setForPrompting(false);
-//					jasperDesign.addParameter(parameter);
-//				 }
-//				 JasperReport jasperReport = JasperCompileManager.compileReport(jasperDesign);
-//				 return jasperReport;
-//			 } catch (JRException ex){
-//				 LOGGER.error("Couldn't create jasper report design {}", ex.getMessage());
-//				 throw new SchemaException(ex.getMessage(), ex.getCause());
-//			 }
-//
-//
-//	}
-    private Map<String, Object> prepareReportParameters(ReportType reportType, OperationResult parentResult) {
+    private Map<String, Object> prepareReportParameters(ReportType reportType, Task task, OperationResult parentResult) {
         Map<String, Object> params = new HashMap<>();
         if (reportType.getTemplateStyle() != null) {
             byte[] reportTemplateStyleBase64 = reportType.getTemplateStyle();
@@ -324,7 +309,7 @@ private Map<String, Object> prepareReportParameters(ReportType reportType, Opera
                 LOGGER.trace("Style template string {}", new String(reportTemplateStyle));
                 InputStream inputStreamJRTX = new ByteArrayInputStream(reportTemplateStyle);
                 JRTemplate templateStyle = JRXmlTemplateLoader.load(inputStreamJRTX);
-                params.put(PARAMETER_TEMPLATE_STYLES, templateStyle);
+                params.put(ReportTypeUtil.PARAMETER_TEMPLATE_STYLES, templateStyle);
                 LOGGER.trace("Style template parameter {}", templateStyle);
 
             } catch (Exception ex) {
@@ -333,10 +318,16 @@ private Map<String, Object> prepareReportParameters(ReportType reportType, Opera
             }
 
         }
+        
+        if (parentResult == null) {
+        	throw new IllegalArgumentException("No result");
+        }
 
         // for our special datasource
-        params.put(PARAMETER_REPORT_OID, reportType.getOid());
-        params.put(PARAMETER_OPERATION_RESULT, parentResult);
+        params.put(ReportTypeUtil.PARAMETER_REPORT_OID, reportType.getOid());
+        params.put(ReportTypeUtil.PARAMETER_REPORT_OBJECT, reportType.asPrismObject());
+        params.put(ReportTypeUtil.PARAMETER_TASK, task);
+        params.put(ReportTypeUtil.PARAMETER_OPERATION_RESULT, parentResult);
         params.put(ReportService.PARAMETER_REPORT_SERVICE, reportService);
 
         return params;
@@ -359,10 +350,10 @@ private Map<String, Object> getSubreportParameters(SubreportType subreportType,
         ReportType reportType = objectResolver.resolve(subreportType.getReportRef(), ReportType.class, null,
                 "resolve subreport", task, subResult);
 
-        Map<String, Object> parameters = prepareReportParameters(reportType, subResult);
+        Map<String, Object> parameters = prepareReportParameters(reportType, task, subResult);
         reportParams.putAll(parameters);
 
-        JasperReport jasperReport = ReportTypeUtil.loadJasperReport(reportType);
+        JasperReport jasperReport = loadJasperReport(reportType);
         reportParams.put(subreportType.getName(), jasperReport);
 
         Map<String, Object> subReportParams = processSubreportParameters(reportType, task, subResult);
@@ -370,6 +361,57 @@ private Map<String, Object> getSubreportParameters(SubreportType subreportType,
 
         return reportParams;
     }
+    
+	private JasperReport loadJasperReport(ReportType reportType) throws SchemaException {
+
+		if (reportType.getTemplate() == null) {
+			throw new IllegalStateException("Could not create report. No jasper template defined.");
+		}
+		
+		LOGGER.trace("Loading Jasper report for {}", reportType);
+		try	 {
+	    	 	JasperDesign jasperDesign = ReportTypeUtil.loadJasperDesign(reportType.getTemplate());
+//	    	 	LOGGER.trace("load jasper design : {}", jasperDesign);
+	    	 	jasperDesign.setLanguage(ReportTypeUtil.REPORT_LANGUAGE);
+
+			 if (reportType.getTemplateStyle() != null){
+				JRDesignReportTemplate templateStyle = new JRDesignReportTemplate(new JRDesignExpression("$P{" + ReportTypeUtil.PARAMETER_TEMPLATE_STYLES + "}"));
+				jasperDesign.addTemplate(templateStyle);
+				
+				jasperDesign.addParameter(createParameter(ReportTypeUtil.PARAMETER_TEMPLATE_STYLES, JRTemplate.class));
+				
+			 }
+
+			 jasperDesign.addParameter(createParameter("finalQuery", Object.class));
+			 jasperDesign.addParameter(createParameter(ReportTypeUtil.PARAMETER_REPORT_OID, String.class));
+			 //TODO is this right place, we don't see e.g. task
+//			 jasperDesign.addParameter(createParameter(PARAMETER_TASK, Object.class));
+			 jasperDesign.addParameter(createParameter(ReportTypeUtil.PARAMETER_OPERATION_RESULT, OperationResult.class));
+			 
+			 //TODO maybe other paramteres? sunch as PARAMETER_REPORT_OBJECT PARAMETER_REPORT_SERVICE ???
+
+			 JasperReport jasperReport = JasperCompileManager.compileReport(jasperDesign);
+			 
+			 LOGGER.trace("Loaded Jasper report for {}: {}", reportType, jasperReport);
+			 
+			 return jasperReport;
+			 
+		 } catch (JRException ex) {
+			 LOGGER.error("Error loading Jasper report for {}: {}", reportType, ex.getMessage(), ex);
+			 throw new SchemaException(ex.getMessage(), ex.getCause());
+		 }
+	}
+	
+	private JRDesignParameter createParameter(String paramName, Class<?> valueClass) {
+		JRDesignParameter param = new JRDesignParameter();
+		param.setName(paramName);
+		param.setValueClass(valueClass);
+		param.setForPrompting(false);
+		param.setSystemDefined(true);
+		return param;
+		
+	}
+
 
     private void recordProgress(Task task, long progress, OperationResult opResult) {
         try {
@@ -542,9 +584,9 @@ private void processPostReportScript(ReportType parentReport, String reportOutpu
         }
         
         ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(ExpressionConstants.VAR_OBJECT, parentReport);
-        variables.addVariableDefinition(ExpressionConstants.VAR_TASK, task.getTaskPrismObject().asObjectable());
-        variables.addVariableDefinition(ExpressionConstants.VAR_FILE, commandLineScriptExecutor.getOsSpecificFilePath(reportOutputFilePath));
+        variables.put(ExpressionConstants.VAR_OBJECT, parentReport, parentReport.asPrismObject().getDefinition());
+        variables.put(ExpressionConstants.VAR_TASK, task.getTaskPrismObject().asObjectable(), task.getTaskPrismObject().getDefinition());
+        variables.put(ExpressionConstants.VAR_FILE, commandLineScriptExecutor.getOsSpecificFilePath(reportOutputFilePath), String.class);
 
         try {
         	
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java
index 444ca120267..f7cd87a4247 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,9 +17,7 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
 
@@ -45,21 +43,35 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.model.api.ModelService;
+import com.evolveum.midpoint.model.common.ArchetypeManager;
 import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
-import com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpression;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluationContext;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluatorFactory;
+import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionFactory;
+import com.evolveum.midpoint.model.common.expression.script.groovy.GroovyScriptEvaluator;
 import com.evolveum.midpoint.model.impl.expr.ExpressionEnvironment;
 import com.evolveum.midpoint.model.impl.expr.ModelExpressionThreadLocalHolder;
 import com.evolveum.midpoint.prism.Objectable;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.report.api.ReportService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.ScriptExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -71,6 +83,8 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptExpressionEvaluatorType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
 
@@ -91,39 +105,50 @@ public class ReportServiceImpl implements ReportService {
 	@Autowired private FunctionLibrary midpointFunctionLibrary;
 	@Autowired private LocalizationService localizationService;
 	@Autowired private SecurityEnforcer securityEnforcer;
-
+	@Autowired private ScriptExpressionFactory scriptExpressionFactory;
+	@Autowired private ArchetypeManager archetypeManager;
+	
 	@Override
-	public ObjectQuery parseQuery(String query, Map<QName, Object> parameters) throws SchemaException,
+	public ObjectQuery parseQuery(PrismObject<ReportType> report, String query, VariablesMap parameters, Task task, OperationResult result) throws SchemaException,
 			ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		if (StringUtils.isBlank(query)) {
 			return null;
 		}
-
+		
 		ObjectQuery parsedQuery;
 		try {
-			Task task = taskManager.createTaskInstance();
-			ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(task, task.getResult()));
-			SearchFilterType filter = prismContext.parserFor(query).parseRealValue(SearchFilterType.class);
-			LOGGER.trace("filter {}", filter);
-			ObjectFilter f = prismContext.getQueryConverter().parseFilter(filter, UserType.class);
-			LOGGER.trace("f {}", f.debugDump());
-			if (!(f instanceof TypeFilter)) {
+			
+			ExpressionProfile expressionProfile = determineExpressionProfile(report, result);
+			
+			ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(task, result));
+			SearchFilterType filterType = prismContext.parserFor(query).parseRealValue(SearchFilterType.class);
+			if (LOGGER.isTraceEnabled()) {
+				LOGGER.trace("filter(SearchFilterType)\n{}", filterType.debugDump(1));
+			}
+			ObjectFilter filter = prismContext.getQueryConverter().parseFilter(filterType, UserType.class);
+			if (LOGGER.isTraceEnabled()) {
+				LOGGER.trace("filter(ObjectFilter)\n{}", filter.debugDump(1));
+			}
+			if (!(filter instanceof TypeFilter)) {
 				throw new IllegalArgumentException(
 						"Defined query must contain type. Use 'type filter' in your report query.");
 			}
 
-			ObjectFilter subFilter = ((TypeFilter) f).getFilter();
+			ObjectFilter subFilter = ((TypeFilter) filter).getFilter();
 			ObjectQuery q = prismContext.queryFactory().createQuery(subFilter);
 
 			ExpressionVariables variables = new ExpressionVariables();
-			variables.addVariableDefinitions(parameters);
-
-			q = ExpressionUtil.evaluateQueryExpressions(q, variables, expressionFactory, prismContext,
-					"parsing expression values for report", task, task.getResult());
-			((TypeFilter) f).setFilter(q.getFilter());
-			parsedQuery = prismContext.queryFactory().createQuery(f);
-
-			LOGGER.trace("query dump {}", parsedQuery.debugDump());
+			variables.putAll(parameters);
+
+			q = ExpressionUtil.evaluateQueryExpressions(q, variables, expressionProfile, expressionFactory, prismContext,
+					"parsing expression values for report", task, result);
+			((TypeFilter) filter).setFilter(q.getFilter());
+			ObjectQueryUtil.simplify(filter, prismContext);
+			parsedQuery = prismContext.queryFactory().createQuery(filter);
+			
+			if (LOGGER.isTraceEnabled()) {
+				LOGGER.trace("report query (parsed):\n{}", parsedQuery.debugDump(1));
+			}
 		} catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException | SecurityViolationException e) {
 			// TODO Auto-generated catch block
 			throw e;
@@ -135,10 +160,8 @@ public ObjectQuery parseQuery(String query, Map<QName, Object> parameters) throw
 	}
 
 	@Override
-	public Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery query,
-			Collection<SelectorOptions<GetOperationOptions>> options) throws SchemaException,
-			ObjectNotFoundException, SecurityViolationException, CommunicationException,
-			ConfigurationException, ExpressionEvaluationException {
+	public Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery query, Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
+			throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
 		// List<PrismObject<? extends ObjectType>> results = new ArrayList<>();
 
 		// GetOperationOptions options = GetOperationOptions.createRaw();
@@ -156,9 +179,6 @@ public Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery q
 
 		ObjectQuery queryForSearch = prismContext.queryFactory().createQuery(typeFilter.getFilter());
 
-		Task task = taskManager.createTaskInstance(ReportService.class.getName() + ".searchObjects()");
-		OperationResult parentResult = task.getResult();
-
 		// options.add(new
 		// SelectorOptions(GetOperationOptions.createResolveNames()));
 		GetOperationOptions getOptions = GetOperationOptions.createResolveNames();
@@ -180,32 +200,26 @@ public Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery q
 
 	}
 
-	public Collection<PrismContainerValue<? extends Containerable>> evaluateScript(String script,
-			Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException,
-			ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+	@Override
+	public Collection<PrismContainerValue<? extends Containerable>> evaluateScript(PrismObject<ReportType> report, String script, VariablesMap parameters, Task task, OperationResult result) 
+					throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		List<PrismContainerValue<? extends Containerable>> results = new ArrayList<>();
 
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinitions(parameters);
+		variables.putAll(parameters);
 
 		// special variable for audit report
-		variables.addVariableDefinition(new QName("auditParams"), getConvertedParams(parameters));
+		variables.put("auditParams", getConvertedParams(parameters));
 
-		Task task = taskManager.createTaskInstance(ReportService.class.getName() + ".evaluateScript");
-		OperationResult parentResult = task.getResult();
+		ScriptExpressionEvaluationContext context = new ScriptExpressionEvaluationContext();
+		context.setVariables(variables);
+		context.setContextDescription("report script"); // TODO: improve
+		context.setTask(task);
+		context.setResult(result);
+		setupExpressionProfiles(context, report);
+		
+		Object o = evaluateReportScript(script, context);
 
-		Collection<FunctionLibrary> functions = createFunctionLibraries();
-
-		Jsr223ScriptEvaluator scripts = new Jsr223ScriptEvaluator("Groovy", prismContext,
-				prismContext.getDefaultProtector(), localizationService);
-		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(task, task.getResult()));
-		Object o;
-		try{
-			o = scripts.evaluateReportScript(script, variables, objectResolver, functions, "desc",
-				parentResult);
-		} finally{
-			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
-		}
 		if (o != null) {
 
 			if (Collection.class.isAssignableFrom(o.getClass())) {
@@ -224,32 +238,26 @@ public Collection<PrismContainerValue<? extends Containerable>> evaluateScript(S
 		return results;
 	}
 	
+
 	@Override
-	public Object evaluate(String script,
-			Map<QName, Object> parameters) throws SchemaException, ExpressionEvaluationException,
+	public Object evaluate(PrismObject<ReportType> report, String script, VariablesMap parameters, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException,
 			ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 
 		ExpressionVariables variables = new ExpressionVariables();
 		variables.addVariableDefinitions(parameters);
 
 		// special variable for audit report
-		variables.addVariableDefinition(new QName("auditParams"), getConvertedParams(parameters));
+		variables.put("auditParams", getConvertedParams(parameters));
 
-		Task task = taskManager.createTaskInstance(ReportService.class.getName() + ".evaluateScript");
-		OperationResult parentResult = task.getResult();
+		ScriptExpressionEvaluationContext context = new ScriptExpressionEvaluationContext();
+		context.setVariables(variables);
+		context.setContextDescription("report script"); // TODO: improve
+		context.setTask(task);
+		context.setResult(result);
+		setupExpressionProfiles(context, report);
 
-		Collection<FunctionLibrary> functions = createFunctionLibraries();
+		Object o = evaluateReportScript(script, context);
 
-		Jsr223ScriptEvaluator scripts = new Jsr223ScriptEvaluator("Groovy", prismContext,
-				prismContext.getDefaultProtector(), localizationService);
-		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(task, task.getResult()));
-		Object o;
-		try{
-			o = scripts.evaluateReportScript(script, variables, objectResolver, functions, "desc",
-				parentResult);
-		} finally{
-			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
-		}
 		return o;
 
 	}
@@ -268,28 +276,24 @@ protected PrismContainerValue convertResultingObject(Object obj) {
         }
 	}
 
-	public Collection<AuditEventRecord> evaluateAuditScript(String script, Map<QName, Object> parameters)
+	@Override
+	public Collection<AuditEventRecord> evaluateAuditScript(PrismObject<ReportType> report, String script, VariablesMap parameters, Task task, OperationResult result)
 			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		Collection<AuditEventRecord> results = new ArrayList<>();
 
 		ExpressionVariables variables = new ExpressionVariables();
-			variables.addVariableDefinition(new QName("auditParams"), getConvertedParams(parameters));
+			variables.put("auditParams", getConvertedParams(parameters));
 
-		Task task = taskManager.createTaskInstance(ReportService.class.getName() + ".searchObjects()");
-		OperationResult parentResult = task.getResult();
+		ScriptExpressionEvaluationContext context = new ScriptExpressionEvaluationContext();
+		context.setVariables(variables);
+		
+		context.setContextDescription("report script"); // TODO: improve
+		context.setTask(task);
+		context.setResult(result);
+		setupExpressionProfiles(context, report);
 
-		Collection<FunctionLibrary> functions = createFunctionLibraries();
+		Object o = evaluateReportScript(script, context);
 
-		Jsr223ScriptEvaluator scripts = new Jsr223ScriptEvaluator("Groovy", prismContext,
-				prismContext.getDefaultProtector(), localizationService);
-		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(task, task.getResult()));
-		Object o;
-		try{
-			o = scripts.evaluateReportScript(script, variables, objectResolver, functions, "desc",
-				parentResult);
-		} finally {
-			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
-		}
 		if (o != null) {
 
 			if (Collection.class.isAssignableFrom(o.getClass())) {
@@ -313,22 +317,23 @@ public Collection<AuditEventRecord> evaluateAuditScript(String script, Map<QName
 		return results;
 	}
 
-	private Map<String, Object> getConvertedParams(Map<QName, Object> parameters) {
+	private TypedValue<VariablesMap> getConvertedParams(VariablesMap parameters) {
 		if (parameters == null) {
-			return null;
+			return new TypedValue<>(null, VariablesMap.class);
 		}
 
-		Map<String, Object> resultParams = new HashMap<>();
-		Set<Entry<QName, Object>> paramEntries = parameters.entrySet();
-		for (Entry<QName, Object> e : paramEntries) {
-			if (e.getValue() instanceof PrismPropertyValue) {
-				resultParams.put(e.getKey().getLocalPart(), ((PrismPropertyValue) e.getValue()).getValue());
+		VariablesMap resultParamMap = new VariablesMap();
+		Set<Entry<String, TypedValue>> paramEntries = parameters.entrySet();
+		for (Entry<String, TypedValue> e : paramEntries) {
+			Object value = e.getValue().getValue();
+			if (value instanceof PrismPropertyValue) {
+				resultParamMap.put(e.getKey(), e.getValue().createTransformed(((PrismPropertyValue) value).getValue()));
 			} else {
-				resultParams.put(e.getKey().getLocalPart(), e.getValue());
+				resultParamMap.put(e.getKey(), e.getValue());
 			}
 		}
 
-		return resultParams;
+		return new TypedValue<>(resultParamMap, VariablesMap.class);
 	}
 
 	private Collection<FunctionLibrary> createFunctionLibraries() {
@@ -355,4 +360,73 @@ private Collection<FunctionLibrary> createFunctionLibraries() {
 	public PrismContext getPrismContext() {
 		return prismContext;
 	}
+	
+	public <T> Object evaluateReportScript(String codeString, ScriptExpressionEvaluationContext context) throws ExpressionEvaluationException,
+					ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, SchemaException {
+		
+		ScriptExpressionEvaluatorType expressionType = new ScriptExpressionEvaluatorType();
+		expressionType.setCode(codeString);
+		context.setExpressionType(expressionType);
+		// Be careful about output definition here. We really do NOT want to set it.
+		// Not setting the definition means that we want raw value without any conversion.
+		// This is what we really want, because there may be exotic things such as JRTemplate going through those expressions
+		// We do not have any reasonable prism definitions for those.
+		
+		context.setFunctions(createFunctionLibraries());
+		context.setObjectResolver(objectResolver);
+		
+		ScriptExpression scriptExpression = scriptExpressionFactory.createScriptExpression(
+				expressionType, context.getOutputDefinition(), context.getExpressionProfile(), expressionFactory, context.getContextDescription(), context.getTask(), context.getResult());
+		
+		ModelExpressionThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment<>(context.getTask(), context.getResult()));
+		List<PrismValue> expressionResult;
+		try {
+			expressionResult = scriptExpression.evaluate(context);
+		} finally {
+			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
+		}
+		
+		if (expressionResult == null || expressionResult.isEmpty()) {
+			return null;
+		}
+		if (expressionResult.size() > 1) {
+			throw new ExpressionEvaluationException("Too many results from expression "+context.getContextDescription());
+		}
+		return expressionResult.get(0).getRealValue();
+	}
+	
+	private ExpressionProfile determineExpressionProfile(PrismObject<ReportType> report, OperationResult result) throws SchemaException, ConfigurationException {
+		if (report == null) {
+			throw new IllegalArgumentException("No report defined, cannot determine profile");
+		}
+		return archetypeManager.determineExpressionProfile(report, result);
+	}
+	
+	private void setupExpressionProfiles(ScriptExpressionEvaluationContext context, PrismObject<ReportType> report) throws SchemaException, ConfigurationException {
+		ExpressionProfile expressionProfile = determineExpressionProfile(report, context.getResult());
+		LOGGER.trace("Using expression profile '"+(expressionProfile==null?null:expressionProfile.getIdentifier())+"' for report evaluation, determined from: {}", report);
+		context.setExpressionProfile(expressionProfile);
+		context.setScriptExpressionProfile(findScriptExpressionProfile(expressionProfile, report));
+	}
+
+	private ScriptExpressionProfile findScriptExpressionProfile(ExpressionProfile expressionProfile, PrismObject<ReportType> report) {
+		if (expressionProfile == null) {
+			return null;
+		}
+		ExpressionEvaluatorProfile scriptEvaluatorProfile = expressionProfile.getEvaluatorProfile(ScriptExpressionEvaluatorFactory.ELEMENT_NAME);
+		if (scriptEvaluatorProfile == null) {
+			return null;
+		}
+		return scriptEvaluatorProfile.getScriptExpressionProfile(getScriptLanguageName(report));
+	}
+
+	private String getScriptLanguageName(PrismObject<ReportType> report) {
+		// Hardcoded for now
+		return GroovyScriptEvaluator.LANGUAGE_NAME;
+	}
+
+	@Override
+	public PrismObject<ReportType> getReportDefinition(String reportOid, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+		return model.getObject(ReportType.class, reportOid, null, task, result);
+	}
 }
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportUtils.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportUtils.java
index d90a57f8ecb..a796075a858 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportUtils.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
 import java.util.Date;
 import java.util.List;
 import java.util.ResourceBundle;
+import java.util.Set;
 
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
@@ -41,6 +42,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.lang.StringUtils;
 
+import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.PrettyPrinter;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
@@ -55,11 +57,16 @@
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
+
+import net.sf.jasperreports.engine.JRValueParameter;
+
 import org.jetbrains.annotations.NotNull;
 
 import java.lang.reflect.Method;
 import java.util.Iterator;
 import java.util.Locale;
+import java.util.Map;
+import java.util.Map.Entry;
 import java.util.MissingResourceException;
 import java.util.stream.Collectors;
 import org.apache.commons.lang.WordUtils;
@@ -871,4 +878,12 @@ public static String printProperty(List<String> property, String defaultValue) {
 					String.join(",", property)
 					: defaultValue;
 	}
+
+	public static Object dumpParams(Map<String, ? extends JRValueParameter> parametersMap, int indent) {
+		StringBuilder sb = new StringBuilder();
+		for (Entry<String, ? extends JRValueParameter> entry : parametersMap.entrySet()) {
+			DebugUtil.debugDumpWithLabelToStringLn(sb, entry.getKey(), entry.getValue().getValue(), indent);
+		}
+		return sb.toString();
+	}
 }
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebService.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebService.java
index 4f0760714c3..2846ec71588 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebService.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,18 +23,24 @@
 import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SelectorQualifiedGetOptionsType;
+
+import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import com.evolveum.midpoint.audit.api.AuditEventRecord;
+import com.evolveum.midpoint.model.common.util.AbstractModelWebService;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.report.api.ReportPort;
 import com.evolveum.midpoint.report.api.ReportService;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
+import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -47,27 +53,36 @@
 import com.evolveum.midpoint.xml.ns._public.common.audit_3.AuditEventRecordListType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportParameterType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 import com.evolveum.midpoint.xml.ns._public.report.report_3.RemoteReportParameterType;
 import com.evolveum.midpoint.xml.ns._public.report.report_3.RemoteReportParametersType;
 import com.evolveum.midpoint.xml.ns._public.report.report_3.ReportPortType;
 
 @Service
-public class ReportWebService implements ReportPortType, ReportPort {
-
-	private static transient Trace LOGGER = TraceManager.getTrace(ReportWebService.class);
+public class ReportWebService extends AbstractModelWebService implements ReportPortType, ReportPort {
 
-	@Autowired(required = true)
-	private PrismContext prismContext;
+	private static final String OP_EVALUATE_SCRIPT = ReportWebService.class.getName() + ".evaluateScript";
+	private static final String OP_EVALUATE_AUDIT_SCRIPT = ReportWebService.class.getName() + ".evaluateAuditScript";
+	private static final String OP_PROCESS_REPORT = ReportWebService.class.getName() + ".processReport";
 
-	@Autowired(required = true)
-	private ReportService reportService;
+	private static transient Trace LOGGER = TraceManager.getTrace(ReportWebService.class);
 
+	@Autowired private PrismContext prismContext;
+	@Autowired private ReportService reportService;
 
 	@Override
-	public ObjectListType evaluateScript(String script, RemoteReportParametersType parameters) {
+	public ObjectListType evaluateScript(String reportOid, String script, RemoteReportParametersType parameters) {
+		
+		Task task = createTaskInstance(OP_EVALUATE_SCRIPT);
+		auditLogin(task);
+		OperationResult operationResult = task.getResult();
+		
 		try {
-			Map<QName, Object> params = getParamsMap(parameters);
-			Collection resultList = reportService.evaluateScript(script, params);
+			
+			PrismObject<ReportType> report = authorizeReportProcessing(reportOid, task, operationResult);
+			
+			VariablesMap params = getParamsMap(parameters);
+			Collection resultList = reportService.evaluateScript(report, script, params, task, operationResult);
 			return createObjectListType(resultList);
 		} catch (Throwable e) {
 			throw new Fault(e);
@@ -76,11 +91,17 @@ public ObjectListType evaluateScript(String script, RemoteReportParametersType p
 	}
 
 	@Override
-	public AuditEventRecordListType evaluateAuditScript(String script, RemoteReportParametersType parameters) {
+	public AuditEventRecordListType evaluateAuditScript(String reportOid, String script, RemoteReportParametersType parameters) {
+		
+		Task task = createTaskInstance(OP_EVALUATE_AUDIT_SCRIPT);
+		auditLogin(task);
+		OperationResult operationResult = task.getResult();
 
 		try {
-			Map<QName, Object> params = getParamsMap(parameters);
-			Collection<AuditEventRecord> resultList = reportService.evaluateAuditScript(script, params);
+			PrismObject<ReportType> report = authorizeReportProcessing(reportOid, task, operationResult);
+			
+			VariablesMap params = getParamsMap(parameters);
+			Collection<AuditEventRecord> resultList = reportService.evaluateAuditScript(report, script, params, task, operationResult);
 			return createAuditEventRecordListType(resultList);
 		} catch (Throwable e) {
 			// TODO Auto-generated catch block
@@ -89,26 +110,26 @@ public AuditEventRecordListType evaluateAuditScript(String script, RemoteReportP
 
 	}
 
-	private Map<QName, Object> getParamsMap(RemoteReportParametersType parametersType) throws SchemaException {
+	private VariablesMap getParamsMap(RemoteReportParametersType parametersType) throws SchemaException {
 
 		prismContext.adopt(parametersType);
-		Map<QName, Object> parametersMap = new HashMap<>();
+		VariablesMap parametersMap = new VariablesMap();
 		if (parametersType == null || parametersType.getRemoteParameter() == null
 				|| parametersType.getRemoteParameter().isEmpty()) {
 			return parametersMap;
 		}
 		List<RemoteReportParameterType> items = parametersType.getRemoteParameter();
 		for (RemoteReportParameterType item : items) {
-			QName paramName = new QName(SchemaConstants.NS_REPORT, item.getParameterName());
+			String paramName = item.getParameterName();
 			ReportParameterType param = item.getParameterValue();
 			if (param == null){
 				parametersMap.put(paramName, null);
 				continue;
 			}
 			if (param.getAny().size() == 1) {
-				parametersMap.put(paramName, param.getAny().get(0));
+				parametersMap.put(paramName, param.getAny().get(0), param.getAny().get(0).getClass());
 			} else {
-				parametersMap.put(paramName, param.getAny());
+				parametersMap.put(paramName, param.getAny(), List.class);
 			}
 
 		}
@@ -156,15 +177,20 @@ private AuditEventRecordListType createAuditEventRecordListType(Collection<Audit
 
 
 	@Override
-	public ObjectListType processReport(String query, RemoteReportParametersType parameters,
-			SelectorQualifiedGetOptionsType options) {
+	public ObjectListType processReport(String reportOid, String query, RemoteReportParametersType parameters, SelectorQualifiedGetOptionsType options) {
 
+		Task task = createTaskInstance(OP_PROCESS_REPORT);
+		auditLogin(task);
+		OperationResult operationResult = task.getResult();
+		
 		try {
 
-			Map<QName, Object> parametersMap = getParamsMap(parameters);
-			ObjectQuery q = reportService.parseQuery(query, parametersMap);
+			PrismObject<ReportType> report = authorizeReportProcessing(reportOid, task, operationResult);
+			
+			VariablesMap parametersMap = getParamsMap(parameters);
+			ObjectQuery q = reportService.parseQuery(report, query, parametersMap, task, operationResult);
 			Collection<PrismObject<? extends ObjectType>> resultList = reportService.searchObjects(q,
-					MiscSchemaUtil.optionsTypeToOptions(options, prismContext));
+					MiscSchemaUtil.optionsTypeToOptions(options, prismContext), task, operationResult);
 
 			return createObjectListType(resultList);
 		} catch (SchemaException | ObjectNotFoundException | SecurityViolationException
@@ -175,4 +201,13 @@ public ObjectListType processReport(String query, RemoteReportParametersType par
 
 	}
 
+	private PrismObject<ReportType> authorizeReportProcessing(String reportOid, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+		if (StringUtils.isBlank(reportOid)) {
+			throw new SchemaException("No report OID specified");
+		}
+		PrismObject<ReportType> report = reportService.getReportDefinition(reportOid, task, result);
+		// TODO TODO TODO: authorization
+		return report;
+	}
+
 }
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebServiceRaw.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebServiceRaw.java
index b436b693f52..5e4ae28e8b2 100644
--- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebServiceRaw.java
+++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportWebServiceRaw.java
@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.midpoint.report.impl;
 
 import java.io.PrintWriter;
@@ -109,19 +124,19 @@ public DOMSource invokeAllowingFaults(DOMSource request) throws FaultMessage {
 	        try {
 	        	if (requestObject instanceof EvaluateScriptType){
 	        		EvaluateScriptType s = (EvaluateScriptType) requestObject;
-	        		ObjectListType olt = reportService.evaluateScript(s.getScript(), s.getParameters());
+	        		ObjectListType olt = reportService.evaluateScript(s.getReportOid(), s.getScript(), s.getParameters());
 	        		EvaluateScriptResponseType sr = new EvaluateScriptResponseType();
 	        		sr.setObjectList(olt);
 	        		response = prismContext.domSerializer().context(ctx).serializeAnyData(sr, ReportPort.EVALUATE_SCRIPT_RESPONSE);
 	        	} else if (requestObject instanceof EvaluateAuditScriptType){
 	        		EvaluateAuditScriptType s = (EvaluateAuditScriptType) requestObject;
-	        		AuditEventRecordListType olt = reportService.evaluateAuditScript(s.getScript(), s.getParameters());
+	        		AuditEventRecordListType olt = reportService.evaluateAuditScript(s.getReportOid(), s.getScript(), s.getParameters());
 	        		EvaluateAuditScriptResponseType sr = new EvaluateAuditScriptResponseType();
 	        		sr.setObjectList(olt);
 	        		response = prismContext.domSerializer().context(ctx).serializeAnyData(sr, ReportPort.EVALUATE_AUDIT_SCRIPT_RESPONSE);
 	            } else if (requestObject instanceof ProcessReportType){
 	            	ProcessReportType p = (ProcessReportType) requestObject;
-	            	ObjectListType olt = reportService.processReport(p.getQuery(), p.getParameters(), p.getOptions());
+	            	ObjectListType olt = reportService.processReport(p.getReportOid(), p.getQuery(), p.getParameters(), p.getOptions());
 	            	ProcessReportResponseType pr = new ProcessReportResponseType();
 	            	pr.setObjectList(olt);
 	            	response = prismContext.domSerializer().context(ctx).serializeAnyData(pr, ReportPort.PROCESS_REPORT_RESPONSE);
diff --git a/model/report-impl/src/test/java/com/evolveum/midpoint/report/AbstractReportIntegrationTest.java b/model/report-impl/src/test/java/com/evolveum/midpoint/report/AbstractReportIntegrationTest.java
index 55bb928f512..fe58230b2fc 100644
--- a/model/report-impl/src/test/java/com/evolveum/midpoint/report/AbstractReportIntegrationTest.java
+++ b/model/report-impl/src/test/java/com/evolveum/midpoint/report/AbstractReportIntegrationTest.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,11 +37,32 @@
 public class AbstractReportIntegrationTest extends AbstractModelIntegrationTest {
 
 	protected final static File TEST_DIR_COMMON = new File("src/test/resources/common");
+	protected final static File EXPORT_DIR = new File("target/midpoint-home/export");
+
+	protected final static File TEST_REPOSTS_DIR = new File("src/test/resources/reports");
+		
+	protected final static File REPORT_USER_LIST_FILE = new File(TEST_REPOSTS_DIR, "report-user-list.xml"); 
+	protected final static String REPORT_USER_LIST_OID = "00000000-0000-0000-0000-000000000110";
+	
+	protected final static File REPORT_USER_LIST_EXPRESSIONS_CSV_FILE = new File(TEST_REPOSTS_DIR, "report-user-list-expressions-csv.xml"); 
+	protected final static String REPORT_USER_LIST_EXPRESSIONS_CSV_OID = "8fa48180-4f17-11e9-9eed-3fb4721a135e";
+	
+	protected final static File REPORT_USER_LIST_EXPRESSIONS_POISONOUS_QUERY_CSV_FILE = new File(TEST_REPOSTS_DIR, "report-user-list-expressions-poisonous-query-csv.xml"); 
+	protected final static String REPORT_USER_LIST_EXPRESSIONS_POISONOUS_QUERY_CSV_OID = "5c5af02a-4fe9-11e9-bb07-7b4e52fe05cd";
+	
+	protected final static File REPORT_USER_LIST_EXPRESSIONS_POISONOUS_FIELD_CSV_FILE = new File(TEST_REPOSTS_DIR, "report-user-list-expressions-poisonous-field-csv.xml"); 
+	protected final static String REPORT_USER_LIST_EXPRESSIONS_POISONOUS_FIELD_CSV_OID = "76c58132-4fe9-11e9-86fe-ff36d221f673";
+	
+	protected final static File REPORT_USER_LIST_SCRIPT_FILE = new File(TEST_REPOSTS_DIR, "report-user-list-script.xml"); 
+	protected final static String REPORT_USER_LIST_SCRIPT_OID = "222bf2b8-c89b-11e7-bf36-ebd4e4d45a80";
 
 	protected final static File USER_JACK_FILE = new File(TEST_DIR_COMMON, "user-jack.xml"); 
 	protected final static String USER_JACK_OID = "c0c010c0-d34d-b33f-f00d-111111111111";
 	
+	protected final static File USERS_MONKEY_ISLAND_FILE = new File(TEST_DIR_COMMON, "users-monkey-island.xml");
+	
 	protected final static File SYSTEM_CONFIGURATION_FILE = new File(TEST_DIR_COMMON, "system-configuration.xml");
+	protected final static File SYSTEM_CONFIGURATION_SAFE_FILE = new File(TEST_DIR_COMMON, "system-configuration-safe.xml");
 
 	protected final static File RESOURCE_OPENDJ_FILE = new File(TEST_DIR_COMMON, "resource-opendj.xml");
 	protected final static String RESOURCE_OPENDJ_OID = "ef2bc95b-76e0-59e2-86d6-3d4f02d3ffff";
@@ -67,7 +88,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		// System Configuration
 		modelService.postInit(initResult);
 		try {
-			repoAddObjectFromFile(SYSTEM_CONFIGURATION_FILE, initResult);
+			repoAddObjectFromFile(getSystemConfigurationFile(), initResult);
 		} catch (ObjectAlreadyExistsException e) {
 			throw new ObjectAlreadyExistsException("System configuration already exists in repository;" +
 					"looks like the previous test haven't cleaned it up", e);
@@ -81,6 +102,10 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
 	}
 
+	protected File getSystemConfigurationFile() {
+		return SYSTEM_CONFIGURATION_FILE;
+	}
+
 	@Override
 	protected PrismObject<UserType> getDefaultActor() {
 		return userAdministrator;
diff --git a/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReport.java b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReport.java
index 7b2fecdcb38..f1490f19c46 100644
--- a/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReport.java
+++ b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReport.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,9 +15,18 @@
  */
 package com.evolveum.midpoint.report;
 
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
 import static org.testng.AssertJUnit.assertTrue;
 
 import java.io.File;
+import java.io.FilenameFilter;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.List;
 
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.annotation.DirtiesContext.ClassMode;
@@ -25,13 +34,20 @@
 import org.testng.annotations.Test;
 
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.SearchResultList;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.test.util.MidPointTestConstants;
 import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
 /**
  * Basic report tests.
@@ -40,20 +56,18 @@
 @DirtiesContext(classMode = ClassMode.AFTER_CLASS)
 public class TestReport extends AbstractReportIntegrationTest {
 
-	protected final static File TEST_DIR = new File("src/test/resources/reports");
-	
-	protected final static File REPORT_USER_LIST_FILE = new File(TEST_DIR, "report-user-list.xml"); 
-	protected final static String REPORT_USER_LIST_OID = "00000000-0000-0000-0000-000000000110";
-	
-	protected final static File REPORT_USER_LIST_SCRIPT_FILE = new File(TEST_DIR, "report-user-list-script.xml"); 
-	protected final static String REPORT_USER_LIST_SCRIPT_OID = "222bf2b8-c89b-11e7-bf36-ebd4e4d45a80";
-
 	@Override
 	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
 		super.initSystem(initTask, initResult);
 		
-		repoAddObjectFromFile(REPORT_USER_LIST_FILE, RoleType.class, initResult);
-		repoAddObjectFromFile(REPORT_USER_LIST_SCRIPT_FILE, RoleType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_FILE, ReportType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_EXPRESSIONS_CSV_FILE, ReportType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_EXPRESSIONS_POISONOUS_QUERY_CSV_FILE, ReportType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_EXPRESSIONS_POISONOUS_FIELD_CSV_FILE, ReportType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_SCRIPT_FILE, ReportType.class, initResult);
+		
+		// Let's make this more interesting by adding a couple of users
+		importObjectsFromFileNotRaw(USERS_MONKEY_ISLAND_FILE, initTask, initResult);
 	}
 
 
@@ -82,9 +96,125 @@ public void test100ReportUserList() throws Exception {
       PrismObject<TaskType> finishedTask = getTask(task.getOid());
       display("Background task", finishedTask);
       
-      TestUtil.assertSuccess("Report task result", finishedTask.asObjectable().getResult());
+      assertSuccess("Report task result", finishedTask.asObjectable().getResult());
+  }
+  
+  /**
+   * Ordinary user list report. Should work well under all circumstances.
+   * Even with safe expression profile.
+   */
+  @Test
+  public void test110ReportUserListExpressionsCsv() throws Exception {
+	  final String TEST_NAME = "test110ReportUserListExpressionsCsv";
+	  testReportListUsersCsv(TEST_NAME, REPORT_USER_LIST_EXPRESSIONS_CSV_OID);
+  }
+  
+  /**
+   * Reports with poisonous operations in the query. This should work with null profile.
+   * But it should fail with safe profile.
+   * Field operations are safe in this report, just the query is poisonous.
+   */
+  @Test
+  public void test112ReportUserListExpressionsPoisonousQueryCsv() throws Exception {
+	  final String TEST_NAME = "test112ReportUserListExpressionsPoisonousQueryCsv";
+	  testReportListUsersCsv(TEST_NAME, REPORT_USER_LIST_EXPRESSIONS_POISONOUS_QUERY_CSV_OID);
+  }
+
+  /**
+   * Reports with poisonous operations in the field expression. This should work with null profile.
+   * But it should fail with safe profile.
+   * Query expression is safe in this report, just fields are poisonous.
+   */
+  @Test
+  public void test114ReportUserListExpressionsPoisonousFieldCsv() throws Exception {
+	  final String TEST_NAME = "test114ReportUserListExpressionsPoisonousFieldCsv";
+	  testReportListUsersCsv(TEST_NAME, REPORT_USER_LIST_EXPRESSIONS_POISONOUS_FIELD_CSV_OID);
   }
   
+  protected void testReportListUsersCsv(final String TEST_NAME, String reportOid) throws Exception {
+	  PrismObject<ReportType> report = getObject(ReportType.class, reportOid);
+	  
+      PrismObject<TaskType> finishedTask = runReportTaskListUsersCsv(TEST_NAME, report);
+      
+      assertSuccess("Finished report task result", finishedTask.asObjectable().getResult());
+      
+      checkCsvUserReport(report);
+  }
+  
+  protected void testReportListUsersCsvFailure(final String TEST_NAME, String reportOid) throws Exception {
+	  PrismObject<ReportType> report = getObject(ReportType.class, reportOid);
+	  
+      PrismObject<TaskType> finishedTask = runReportTaskListUsersCsv(TEST_NAME, report);
+      
+      assertFailure("Finished report task result", finishedTask.asObjectable().getResult());
+      
+      assertNoCsvReport(report);
+  }
+
+  protected PrismObject<TaskType> runReportTaskListUsersCsv(final String TEST_NAME, PrismObject<ReportType> report) throws Exception {
+	  displayTestTitle(TEST_NAME);
+	  
+      Task task = createTask(TEST_NAME);
+      OperationResult result = task.getResult();
+      
+      // WHEN
+      displayWhen(TEST_NAME);
+      reportManager.runReport(report, null, task, result);
+      
+      assertInProgress(result);
+      
+      display("Background task (running)", task);
+      
+      waitForTaskFinish(task.getOid(), true);
+
+      // THEN
+      displayThen(TEST_NAME);
+      PrismObject<TaskType> finishedTask = getTask(task.getOid());
+      display("Background task (finished)", finishedTask);
+      
+      return finishedTask;
+  }
+  
+  
+  protected void checkCsvUserReport(PrismObject<ReportType> report) throws IOException, SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+	  File outputFile = findOutputFile(report);
+	  display("Found report file", outputFile);
+	  assertNotNull("No output file for "+report, outputFile);
+	  List<String> lines = Files.readAllLines(Paths.get(outputFile.getPath()));
+	  display("Report content ("+lines.size()+" lines)", String.join("\n", lines));
+	  outputFile.renameTo(new File(outputFile.getParentFile(), "processed-"+outputFile.getName()));
+	  
+	  Task task = createTask("checkCsvUserReport");
+      OperationResult result = task.getResult();
+	  SearchResultList<PrismObject<UserType>> currentUsers = modelService.searchObjects(UserType.class, null, null, task, result);
+	  display("Current users in midPoint ("+currentUsers.size()+" users)", currentUsers.toString());
+	  
+	  assertEquals("Unexpected number of report lines", currentUsers.size() + 1, lines.size());
+  }
+  
+  protected void assertNoCsvReport(PrismObject<ReportType> report) throws IOException, SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+	  File outputFile = findOutputFile(report);
+	  display("Found report file (expected null)", outputFile);
+	  assertNull("Unexpected output file for "+report+": "+outputFile, outputFile);
+  }
+  
+  protected File findOutputFile(PrismObject<ReportType> report) {
+	  String filePrefix = report.getName().getOrig();
+	  File[] matchingFiles = EXPORT_DIR.listFiles(new FilenameFilter() {
+	      public boolean accept(File dir, String name) {
+	          return name.startsWith(filePrefix);
+	      }
+	  });
+	  if (matchingFiles.length == 0) {
+		  return null;
+	  }
+	  if (matchingFiles.length > 1) {
+		  throw new IllegalStateException("Found more than one output files for "+report+": "+Arrays.toString(matchingFiles));
+	  }
+	  return matchingFiles[0];
+  }
+  
+  
   @Test
   public void test200ReportUserListScript() throws Exception {
 	  final String TEST_NAME = "test200ReportUserListScript";
diff --git a/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportSafe.java b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportSafe.java
new file mode 100644
index 00000000000..2489e5855cb
--- /dev/null
+++ b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportSafe.java
@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.report;
+
+import java.io.File;
+
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.annotations.Test;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+
+/**
+ * Basic report test, using "safe" expression profile.
+ */
+@ContextConfiguration(locations = { "classpath:ctx-report-test-main.xml" })
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestReportSafe extends TestReport {
+
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+	}
+	
+	@Override
+	protected File getSystemConfigurationFile() {
+		return SYSTEM_CONFIGURATION_SAFE_FILE;
+	}
+	
+	/**
+     * Reports with poisonous operations in the query. This should work with null profile.
+     * But it should fail with safe profile.
+     * Field operations are safe in this report, just the query is poisonous.
+     */
+	@Test
+	@Override
+	public void test112ReportUserListExpressionsPoisonousQueryCsv() throws Exception {
+		final String TEST_NAME = "test110ReportUserListExpressionsCsv";
+		testReportListUsersCsvFailure(TEST_NAME, REPORT_USER_LIST_EXPRESSIONS_POISONOUS_QUERY_CSV_OID);
+	}
+	
+	/**
+	   * Reports with poisonous operations in the field expression. This should work with null profile.
+	   * But it should fail with safe profile.
+	   * Query expression is safe in this report, just fields are poisonous.
+	   */
+	  @Test
+	  public void test114ReportUserListExpressionsPoisonousFieldCsv() throws Exception {
+		  final String TEST_NAME = "test114ReportUserListExpressionsPoisonousFieldCsv";
+		  testReportListUsersCsvFailure(TEST_NAME, REPORT_USER_LIST_EXPRESSIONS_POISONOUS_FIELD_CSV_OID);
+	  }
+	
+}
diff --git a/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportWebService.java b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportWebService.java
new file mode 100644
index 00000000000..b44dca7c24d
--- /dev/null
+++ b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportWebService.java
@@ -0,0 +1,174 @@
+/**
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.report;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.io.File;
+import java.io.FilenameFilter;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.cxf.interceptor.Fault;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.annotations.Test;
+
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.report.impl.ReportWebService;
+import com.evolveum.midpoint.schema.SearchResultList;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.test.util.MidPointTestConstants;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectListType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.midpoint.xml.ns._public.report.report_3.RemoteReportParametersType;
+
+/**
+ * Basic report tests.
+ */
+@ContextConfiguration(locations = { "classpath:ctx-report-test-main.xml" })
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestReportWebService extends AbstractReportIntegrationTest {
+	
+	@Autowired protected ReportWebService reportWebService;
+
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+		
+		repoAddObjectFromFile(REPORT_USER_LIST_EXPRESSIONS_CSV_FILE, ReportType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_EXPRESSIONS_POISONOUS_QUERY_CSV_FILE, ReportType.class, initResult);
+		repoAddObjectFromFile(REPORT_USER_LIST_EXPRESSIONS_POISONOUS_FIELD_CSV_FILE, ReportType.class, initResult);
+		
+		// Let's make this more interesting by adding a couple of users
+		importObjectsFromFileNotRaw(USERS_MONKEY_ISLAND_FILE, initTask, initResult);
+	}
+
+	@Test
+	  public void test000Sanity() throws Exception {
+		  final String TEST_NAME = "test000Sanity";
+	      displayTestTitle(TEST_NAME);
+	      
+	      assertNotNull("No web service", reportWebService);
+	}
+	
+	@Test
+	public void test100ProcessReportUserList() throws Exception {
+		final String TEST_NAME = "test100ProcessReportUserList";
+		displayTestTitle(TEST_NAME);
+
+		String query = createAllQueryString(UserType.class);
+		RemoteReportParametersType parameters = createReportParameters();
+            
+		// WHEN
+		displayWhen(TEST_NAME);
+		ObjectListType userList = reportWebService.processReport(REPORT_USER_LIST_EXPRESSIONS_CSV_OID, query, parameters, null);
+		
+		// THEN
+		displayThen(TEST_NAME);
+		display("Returned user list ("+userList.getObject().size()+" objects)", userList);
+		
+		assertUserList(userList);
+	}
+	
+	@Test
+	public void test110ProcessReportUserListNoReportOid() throws Exception {
+		final String TEST_NAME = "test110ProcessReportUserListNoReportOid";
+		displayTestTitle(TEST_NAME);
+
+		String query = createAllQueryString(UserType.class);
+		RemoteReportParametersType parameters = createReportParameters();
+            
+		try {
+			
+			// WHEN
+			displayWhen(TEST_NAME);
+			reportWebService.processReport(null, query, parameters, null);
+			
+			assertNotReached();
+			
+		} catch (Fault f) {
+			// THEN
+			displayThen(TEST_NAME);
+			display("Expected fault", f);
+		}
+	}
+	
+	@Test
+	public void test112ProcessReportUserListInvalidReportOid() throws Exception {
+		final String TEST_NAME = "test112ProcessReportUserListInvalidReportOid";
+		displayTestTitle(TEST_NAME);
+
+		String query = createAllQueryString(UserType.class);
+		RemoteReportParametersType parameters = createReportParameters();
+            
+		try {
+			
+			// WHEN
+			displayWhen(TEST_NAME);
+			reportWebService.processReport("l00n3y", query, parameters, null);
+			
+			assertNotReached();
+			
+		} catch (Fault f) {
+			// THEN
+			displayThen(TEST_NAME);
+			display("Expected fault", f);
+		}
+	}
+	
+	// TODO: test that violates authorization to run report
+	// TODO: test that violates authorization to read report
+	// TODO: test that violates safe profile
+
+	private String createAllQueryString(Class<?> type) {
+		return "<filter><type><type>"+type.getSimpleName()+"</type></type></filter>";
+	}
+
+	private RemoteReportParametersType createReportParameters() {
+		RemoteReportParametersType parameters = new RemoteReportParametersType();
+		return parameters;
+	}
+
+	private void assertUserList(ObjectListType userList) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+		Task task = createTask("assertUserList");
+		OperationResult result = task.getResult();
+		SearchResultList<PrismObject<UserType>> currentUsers = modelService.searchObjects(UserType.class, null, null, task, result);
+		display("Current users in midPoint ("+currentUsers.size()+" users)", currentUsers.toString());
+		
+		assertEquals("Unexpected number of returned objects", currentUsers.size(), userList.getObject().size());
+	}
+
+	
+}
diff --git a/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportWebServiceSafe.java b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportWebServiceSafe.java
new file mode 100644
index 00000000000..838c4a69345
--- /dev/null
+++ b/model/report-impl/src/test/java/com/evolveum/midpoint/report/TestReportWebServiceSafe.java
@@ -0,0 +1,69 @@
+/**
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.report;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.io.File;
+import java.io.FilenameFilter;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.cxf.interceptor.Fault;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.annotations.Test;
+
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.report.impl.ReportWebService;
+import com.evolveum.midpoint.schema.SearchResultList;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.test.util.MidPointTestConstants;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectListType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.midpoint.xml.ns._public.report.report_3.RemoteReportParametersType;
+
+/**
+ * Basic report tests.
+ */
+@ContextConfiguration(locations = { "classpath:ctx-report-test-main.xml" })
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestReportWebServiceSafe extends TestReportWebService {
+	
+	@Override
+	protected File getSystemConfigurationFile() {
+		return SYSTEM_CONFIGURATION_SAFE_FILE;
+	}
+	
+}
diff --git a/model/report-impl/src/test/resources/common/system-configuration-safe.xml b/model/report-impl/src/test/resources/common/system-configuration-safe.xml
new file mode 100644
index 00000000000..93adfb8c0b1
--- /dev/null
+++ b/model/report-impl/src/test/resources/common/system-configuration-safe.xml
@@ -0,0 +1,168 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+  
+  <!-- Safe expression profile is enabled for all reports. -->
+  
+<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>SystemConfiguration</name>
+    <logging>
+    	<rootLoggerAppender>File Appender</rootLoggerAppender>
+    	<rootLoggerLevel>INFO</rootLoggerLevel>
+        <classLogger>
+	        <level>TRACE</level>
+	        <package>com.evolveum.midpoint.common.LoggingConfigurationManager</package>
+      	</classLogger>
+        <c:classLogger>
+            <c:level>TRACE</c:level>
+            <c:package>com.evolveum.midpoint.notifications</c:package>
+        </c:classLogger>
+        <appender xsi:type="c:FileAppenderConfigurationType" name="File Appender" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <pattern>%date [%thread] %-5level \(%logger{46}\): %message%n</pattern>
+            <fileName>target/test.log</fileName>
+            <append>true</append>
+        </appender>
+    </logging>
+    
+    <defaultObjectPolicyConfiguration>
+    	<type>ReportType</type>
+    	<expressionProfile>safe</expressionProfile>
+    </defaultObjectPolicyConfiguration>
+    
+    <expressions>
+    	<expressionProfile>
+    		<identifier>safe</identifier>
+    		<decision>deny</decision> <!-- default decision of those evaluators that are not explicitly enumerated. -->
+    		<evaluator>
+    			<type>asIs</type>
+    			<decision>allow</decision>
+    		</evaluator>
+    		<evaluator>
+    			<type>path</type>
+    			<decision>allow</decision>
+    		</evaluator>
+    		<evaluator>
+    			<type>value</type>
+    			<decision>allow</decision>
+    		</evaluator>
+<!--
+			Const is safe. But we need something to prohibit here.
+    		<evaluator>
+    			<type>const</type>
+    			<decision>allow</decision>
+    		</evaluator>  -->
+    		<evaluator>
+    			<type>script</type>
+    			<decision>deny</decision> <!-- default decision of those script languages that are not explicitly enumerated. -->
+    			<script>
+    				<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+    				<decision>allow</decision>
+    				<typeChecking>true</typeChecking>
+    				<permissionProfile>script-safe</permissionProfile>
+    			</script>
+    		</evaluator>
+    	</expressionProfile>
+	    <permissionProfile>
+	    	<identifier>script-safe</identifier>
+	    	<decision>deny</decision> <!-- Default decision for those classes that are not explicitly enumerated. -->
+	    	<package>
+	    		<name>com.evolveum.midpoint.xml.ns._public.common.common_3</name>
+	    		<description>MidPoint common schema - generated bean classes</description>
+	    		<decision>allow</decision>
+	    	</package>
+	    	<package>
+	    		<name>com.evolveum.prism.xml.ns._public.types_3</name>
+	    		<description>Prism schema - bean classes</description>
+	    		<decision>allow</decision>
+	    	</package>
+	    	<class>
+	    		<name>java.lang.Integer</name>
+    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.String</name>
+	    			<description>String operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+	    			<decision>allow</decision> <!-- Default decision for those methods that are not explicitly enumerated. -->
+	    			<method>
+	    				<name>execute</name>
+	    				<decision>deny</decision>
+	    			</method>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.CharSequence</name>
+	    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.util.List</name>
+	    			<description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+	    			<decision>allow</decision>
+	    			<method>
+	    				<name>execute</name>
+	    				<decision>deny</decision>
+	    			</method>
+	    	</class>
+	    	<class>
+	    		<name>java.util.Map</name>
+    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.util.HashMap</name>
+    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.util.Date</name>
+    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.System</name>
+	    			<description>Just a few methods of System are safe enough.</description>
+	    			<decision>deny</decision>
+	    			<method>
+	    				<name>currentTimeMillis</name>
+	    				<decision>allow</decision>
+	    			</method>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.IllegalStateException</name>
+	    			<description>Basic Java exception. Also used in test.</description>
+	    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>java.lang.IllegalArgumentException</name>
+	    			<description>Basic Java exception.</description>
+	    			<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions</name>
+	    		<description>MidPoint basic functions library</description>
+	    		<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions</name>
+	    		<description>MidPoint logging functions library</description>
+	    		<decision>allow</decision>
+	    	</class>
+	    	<class>
+	    		<name>com.evolveum.midpoint.report.impl.ReportFunctions</name>
+	    		<description>MidPoint report functions library</description>
+	    		<decision>allow</decision>
+	    	</class>
+	    </permissionProfile>
+    </expressions>
+   
+</systemConfiguration>
diff --git a/model/report-impl/src/test/resources/common/system-configuration.xml b/model/report-impl/src/test/resources/common/system-configuration.xml
index 9b7f1dba4e4..4bf97b8d569 100644
--- a/model/report-impl/src/test/resources/common/system-configuration.xml
+++ b/model/report-impl/src/test/resources/common/system-configuration.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
diff --git a/model/report-impl/src/test/resources/common/users-monkey-island.xml b/model/report-impl/src/test/resources/common/users-monkey-island.xml
new file mode 100644
index 00000000000..77fe4ba8444
--- /dev/null
+++ b/model/report-impl/src/test/resources/common/users-monkey-island.xml
@@ -0,0 +1,211 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+ 
+<objects xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+         xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
+         xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'>
+         
+	<org oid="00000000-8888-6666-0000-100000000001">
+		<name>F0001</name>
+		<description>The office of the most respectful Governor.</description>
+		<displayName>Governor Office</displayName>
+		<identifier>0001</identifier>
+		<subtype>functional</subtype>
+		<costCenter>CC0</costCenter>
+		<locality>The Governor's Mansion</locality>
+	</org>
+
+	<org oid="00000000-8888-6666-0000-100000000002">
+		<name>F0002</name>
+		<description>Defending the scum since the ancient times.</description>
+		<assignment id="1">
+			<targetRef oid="00000000-8888-6666-0000-100000000001" type="OrgType"/>
+		</assignment>
+		<delegable>true</delegable>
+		<displayName>Ministry of Defense</displayName>
+		<identifier>0002</identifier>
+		<subtype>functional</subtype>
+		<locality>The towers, bastions and bars</locality>
+	</org>
+
+	<org oid="00000000-8888-6666-0000-100000000003">
+		<name>F0003</name>
+		<description>Offending. Anyone. Anywhere.</description>
+		<assignment id="1">
+			<targetRef oid="00000000-8888-6666-0000-100000000001" type="OrgType"/>
+		</assignment>
+		<delegable>true</delegable>
+		<displayName>Ministry of Offense</displayName>
+		<identifier>0003</identifier>
+		<subtype>functional</subtype>
+		<costCenter>CC666</costCenter>
+	</org>
+
+	<org oid="00000000-8888-6666-0000-100000000004">
+		<name>F0004</name>
+		<description>Why is the rum always gone?</description>
+		<assignment id="1">
+			<targetRef oid="00000000-8888-6666-0000-100000000001" type="OrgType"/>
+		</assignment>
+		<delegable>true</delegable>
+		<displayName>Ministry of Rum</displayName>
+		<identifier>0004</identifier>
+		<subtype>functional</subtype>
+		<costCenter>CCRUM</costCenter>
+	</org>
+
+	<org oid="00000000-8888-6666-0000-100000000005">
+		<name>F0005</name>
+		<description>Swashing, buckling and insulting. Hard.</description>
+		<assignment id="1">
+			<targetRef oid="00000000-8888-6666-0000-100000000003" type="OrgType"/>
+		</assignment>
+		<delegable>true</delegable>
+		<displayName>Swashbuckler Section</displayName>
+		<identifier>0005</identifier>
+		<subtype>functional</subtype>
+	</org>
+
+	<org oid="00000000-8888-6666-0000-100000000006">
+		<name>F0006</name>
+		<description>Hosting the worst scumm of the Caribbean.</description>
+		<assignment id="1">
+			<targetRef oid="00000000-8888-6666-0000-100000000003" type="OrgType"/>
+		</assignment>
+		<assignment id="2">
+			<targetRef oid="00000000-8888-6666-0000-100000000004" type="OrgType"/>
+		</assignment>
+		<delegable>true</delegable>
+		<displayName>Scumm Bar</displayName>
+		<identifier>0006</identifier>
+		<subtype>functional</subtype>
+		<locality>Mêlée Island</locality>
+	</org>
+         
+
+	<user oid="c0c010c0-d34d-b33f-f00d-111111111116"> 
+	    <name>guybrush</name>
+	    <assignment>
+	    	<targetRef oid="00000000-8888-6666-0000-100000000003" type="OrgType"/>
+	    </assignment>
+	    <fullName>Guybrush Threepwood</fullName>
+	    <givenName>Guybrush</givenName>
+	    <familyName>Threepwood</familyName>
+	    <locality>Melee Island</locality>
+	     <credentials> 
+	         <password> 
+	        	<value> 
+	 	            <clearValue>xM4rksTh3Sp0t</clearValue>
+	             </value>
+	         </password>
+	     </credentials>
+	</user>
+	
+	<user oid="c0c010c0-d34d-b33f-f00d-11111111111e">
+	    <name>elaine</name>
+	    <assignment>
+	    	<targetRef oid="00000000-8888-6666-0000-100000000001" type="OrgType"/>
+	    </assignment>
+	    <fullName>Elaine Marley</fullName>
+	    <givenName>Elaine</givenName>
+	    <familyName>Marley</familyName>
+	    <locality>Melee Island</locality>
+	    <credentials> 
+	         <password>
+	        	<value> 
+	 	            <clearValue>P1ranhaD0GZ</clearValue>
+	             </value>
+	         </password>
+	     </credentials>
+	</user>
+	
+	<user oid="c0c010c0-d34d-b33f-f00d-111111111122">
+	    <name>herman</name>
+	    <assignment>
+	    	<targetRef oid="00000000-8888-6666-0000-100000000004" type="OrgType"/>
+	    </assignment>
+	    <activation>
+			<validFrom>1700-05-30T11:00:00Z</validFrom>
+			<validTo>2233-03-23T18:30:00Z</validTo>
+		</activation>
+	    <fullName>Herman Toothrot</fullName>
+	    <givenName>Herman</givenName>
+	    <familyName>Toothrot</familyName>
+	    <locality>Monkey Island</locality>
+	    <credentials>
+	        <password>
+	        	<value>
+		            <t:clearValue>m0nk3y</t:clearValue>
+	            </value>
+	        </password>
+	    </credentials>
+	</user>
+	
+	<user oid="c0c010c0-d34d-b33f-f00d-111111111118">
+	    <name>largo</name>
+	    <assignment>
+	    	<targetRef oid="00000000-8888-6666-0000-100000000005" type="OrgType"/>
+	    </assignment>
+		<fullName>Largo LaGrande</fullName>
+	    <givenName>Largo</givenName>
+	    <familyName>LaGrande</familyName>
+		<activation>
+			<validFrom>1777-05-30T14:15:00Z</validFrom>
+			<validTo>2222-02-22T08:30:42Z</validTo>
+		</activation>
+		 <credentials>
+	        <password>
+	        	<value>
+		            <clearValue>dead123</clearValue>
+	            </value>
+	        </password>
+	    </credentials>
+	</user>
+	
+	<user oid="c0c010c0-d34d-b33f-f00d-11111111c008">
+	    <name>rapp</name>
+	    <assignment>
+	    	<targetRef oid="00000000-8888-6666-0000-100000000006" type="OrgType"/>
+	    </assignment>
+		<fullName>Rapp Scallion</fullName>
+	    <givenName>Rapp</givenName>
+	    <familyName>Scallion</familyName>
+	    <employeeNumber>D3ADB33F</employeeNumber>
+	</user>
+	
+	<user oid="c0c010c0-d34d-b33f-f00d-11c1c1c1c11c">
+	    <name>capsize</name>
+	    <assignment>
+	    	<targetRef oid="00000000-8888-6666-0000-100000000004" type="OrgType"/>
+	    </assignment>
+	    <activation>
+	    	<administrativeStatus>disabled</administrativeStatus>
+	    </activation>
+	    <fullName>Kate Capsize</fullName>
+	    <givenName>Kate</givenName>
+	    <familyName>Capsize</familyName>
+	    <honorificPrefix>Captain</honorificPrefix>
+	    <credentials>
+	        <password>
+	        	<value>
+		            <clearValue>noTrespaSSing</clearValue>
+	            </value>
+	        </password>
+	    </credentials>
+	</user>
+	
+</objects>
diff --git a/model/report-impl/src/test/resources/logback-test.xml b/model/report-impl/src/test/resources/logback-test.xml
index 90996845962..51da356823a 100644
--- a/model/report-impl/src/test/resources/logback-test.xml
+++ b/model/report-impl/src/test/resources/logback-test.xml
@@ -26,6 +26,8 @@
     <logger name="org.hibernate.engine.jdbc.spi.SqlExceptionHelper" level="OFF"/>
     <logger name="java.sql.DatabaseMetaData" level="WARN"/>
     <logger name="com.evolveum.midpoint.report" level="TRACE"/>
+    <logger name="com.evolveum.midpoint.repo.common.expression" level="TRACE"/>
+    <logger name="com.evolveum.midpoint.model.common.expression" level="TRACE"/>
     <logger name="PROFILING" level="OFF" />
 
 	<root level="INFO">
diff --git a/model/report-impl/src/test/resources/reports/report-user-list-expressions-csv.xml b/model/report-impl/src/test/resources/reports/report-user-list-expressions-csv.xml
new file mode 100644
index 00000000000..208d8c11cd4
--- /dev/null
+++ b/model/report-impl/src/test/resources/reports/report-user-list-expressions-csv.xml
@@ -0,0 +1,34 @@
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<report oid="8fa48180-4f17-11e9-9eed-3fb4721a135e" 
+		xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+   <name>Users in MidPoint - report with expressions</name>
+   <description>Users listed in MidPoint.</description>
+   
+   <!-- No archetype here. Default expression profile. -->
+   
+   <parent>true</parent>
+   <template>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWlCbGJtTnZaR2x1WnowaVZWUkdMVGdpUHo0S1BHcGhjM0JsY2xKbGNHOXlkQ0I0Yld4dWN6MGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNaUlIaHRiRzV6T25oemFUMGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TVM5WVRVeFRZMmhsYldFdGFXNXpkR0Z1WTJVaUlIaHphVHB6WTJobGJXRk1iMk5oZEdsdmJqMGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNZ2FIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwzaHpaQzlxWVhOd1pYSnlaWEJ2Y25RdWVITmtJaUJ1WVcxbFBTSnlaWEJ2Y25SVmMyVnlUR2x6ZENJZ2NHRm5aVmRwWkhSb1BTSXhNVEl3SWlCd1lXZGxTR1ZwWjJoMFBTSTFPVFVpSUc5eWFXVnVkR0YwYVc5dVBTSk1ZVzVrYzJOaGNHVWlJSGRvWlc1T2IwUmhkR0ZVZVhCbFBTSkJiR3hUWldOMGFXOXVjMDV2UkdWMFlXbHNJaUJqYjJ4MWJXNVhhV1IwYUQwaU1UQTRNQ0lnYkdWbWRFMWhjbWRwYmowaU1qQWlJSEpwWjJoMFRXRnlaMmx1UFNJeU1DSWdkRzl3VFdGeVoybHVQU0l6TUNJZ1ltOTBkRzl0VFdGeVoybHVQU0l6TUNJZ2RYVnBaRDBpTmpkbE5EWTFZelV0TkRabFlTMDBNR1F5TFdKbFlUQXRORFk1WXpaalpqTTRPVE0zSWo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NXdjbWx1ZEM1clpXVndMbVoxYkd3dWRHVjRkQ0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnVaWFF1YzJZdWFtRnpjR1Z5Y21Wd2IzSjBjeTVsZUhCdmNuUXVlR3h6TG5KbGJXOTJaUzVsYlhCMGVTNXpjR0ZqWlM1aVpYUjNaV1Z1TG1OdmJIVnRibk1pSUhaaGJIVmxQU0owY25WbElpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlhod2IzSjBMbmhzY3k1eVpXMXZkbVV1Wlcxd2RIa3VjM0JoWTJVdVltVjBkMlZsYmk1eWIzZHpJaUIyWVd4MVpUMGlkSEoxWlNJdlBnb0pQSEJ5YjNCbGNuUjVJRzVoYldVOUltNWxkQzV6Wmk1cVlYTndaWEp5WlhCdmNuUnpMbVY0Y0c5eWRDNXdaR1l1Wm05eVkyVXViR2x1WldKeVpXRnJMbkJ2YkdsamVTSWdkbUZzZFdVOUluUnlkV1VpTHo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdVkzTjJMbVY0WTJ4MVpHVXViM0pwWjJsdUxtSmhibVF1TVNJZ2RtRnNkV1U5SW5ScGRHeGxJaTgrQ2drOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG1OemRpNWxlR05zZFdSbExtOXlhV2RwYmk1aVlXNWtMaklpSUhaaGJIVmxQU0p3WVdkbFJtOXZkR1Z5SWk4K0NnazhjSEp2Y0dWeWRIa2dibUZ0WlQwaWJtVjBMbk5tTG1waGMzQmxjbkpsY0c5eWRITXVaWGh3YjNKMExuaHNjeTVsZUdOc2RXUmxMbTl5YVdkcGJpNWlZVzVrTGpFaUlIWmhiSFZsUFNKd1lXZGxTR1ZoWkdWeUlpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlhod2IzSjBMbmhzY3k1bGVHTnNkV1JsTG05eWFXZHBiaTVpWVc1a0xqSWlJSFpoYkhWbFBTSndZV2RsUm05dmRHVnlJaTgrQ2drOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG5oc2N5NWxlR05zZFdSbExtOXlhV2RwYmk1clpXVndMbVpwY25OMExtSmhibVF1TWlJZ2RtRnNkV1U5SW1OdmJIVnRia2hsWVdSbGNpSXZQZ29KUEhCeWIzQmxjblI1SUc1aGJXVTlJbTVsZEM1elppNXFZWE53WlhKeVpYQnZjblJ6TG1WNGNHOXlkQzU0YkhNdVpHVjBaV04wTG1ObGJHd3VkSGx3WlNJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1ZUd4ekxuZHlZWEF1ZEdWNGRDSWdkbUZzZFdVOUluUnlkV1VpTHo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdWVHeHpMbUYxZEc4dVptbDBMbkp2ZHlJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1ZUd4ekxtRjFkRzh1Wm1sMExtTnZiSFZ0YmlJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1aGQzUXVhV2R1YjNKbExtMXBjM05wYm1jdVptOXVkQ0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnBjbVZ3YjNKMExucHZiMjBpSUhaaGJIVmxQU0l4TGpBaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnBjbVZ3YjNKMExuZ2lJSFpoYkhWbFBTSXhOaUl2UGdvSlBIQnliM0JsY25SNUlHNWhiV1U5SW1seVpYQnZjblF1ZVNJZ2RtRnNkV1U5SWpFMElpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlZMjl0TG1waGMzQmxjbk52Wm5RdWMzUjFaR2x2TG1SaGRHRXVaR1ZtWVhWc2RHUmhkR0ZoWkdGd2RHVnlJaUIyWVd4MVpUMGliWEZzSWk4K0NnazhhVzF3YjNKMElIWmhiSFZsUFNKamIyMHVaWFp2YkhabGRXMHViV2xrY0c5cGJuUXVjbVZ3YjNKMExtbHRjR3d1VW1Wd2IzSjBWWFJwYkhNaUx6NEtDVHh6ZFdKRVlYUmhjMlYwSUc1aGJXVTlJbkp2YkdWelJHRjBZWE5sZENJZ2RYVnBaRDBpTmpVNVpETm1ZbUV0WkRBelpDMDBNMkpqTFRoa1kyUXROVEF5WkRBek5EUXpaV0psSWo0S0NRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltRnpjMmxuYm0xbGJuUWlJR05zWVhOelBTSnFZWFpoTG5WMGFXd3VUR2x6ZENJdlBnb0pDVHh4ZFdWeWVWTjBjbWx1WnlCc1lXNW5kV0ZuWlQwaWJYRnNJajRLQ1FrSlBDRmJRMFJCVkVGYlBHTnZaR1UrYVdZZ0tHRnpjMmxuYm0xbGJuUWdJVDBnYm5Wc2JDbDdjbVZ3YjNKMExuSmxjMjlzZG1WU2IyeGxjeWhoYzNOcFoyNXRaVzUwS1gwOEwyTnZaR1UrWFYwK0Nna0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NRazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHd2YzNWaVJHRjBZWE5sZEQ0S0NUeHpkV0pFWVhSaGMyVjBJRzVoYldVOUltOXlaM05FWVhSaGMyVjBJaUIxZFdsa1BTSTJOR0UxWXprMFlTMWpZbU0yTFRReU5qZ3RZbU5pTXkwd1kyVm1Nek5oWVRWbE1ESWlQZ29KQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpWVhOemFXZHViV1Z1ZENJZ1kyeGhjM005SW1waGRtRXVkWFJwYkM1TWFYTjBJaTgrQ2drSlBIRjFaWEo1VTNSeWFXNW5JR3hoYm1kMVlXZGxQU0p0Y1d3aVBnb0pDUWs4SVZ0RFJFRlVRVnM4WTI5a1pUNEtDUWtKQ1FscFppQW9ZWE56YVdkdWJXVnVkQ0FoUFNCdWRXeHNLWHNLQ1FrSkNRbHlaWEJ2Y25RdWNtVnpiMngyWlU5eVozTW9ZWE56YVdkdWJXVnVkQ2tLQ1FrSkNRbDlDZ2tKQ1FrOEwyTnZaR1UrWFYwK0Nna0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NRazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHd2YzNWaVJHRjBZWE5sZEQ0S0NUeHpkV0pFWVhSaGMyVjBJRzVoYldVOUltRmpZMjkxYm5SelJHRjBZWE5sZENJZ2RYVnBaRDBpWXpSa09EUTBaVGN0TVRSak5DMDBPV0k0TFdKbU1URXRZemt5TVdRMU9HRXhaRFF3SWo0S0NRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOWlhbVZqZEZKbFppSWdZMnhoYzNNOUltcGhkbUV1ZFhScGJDNUJjbkpoZVV4cGMzUWlMejRLQ1FrOGNYVmxjbmxUZEhKcGJtY2diR0Z1WjNWaFoyVTlJbTF4YkNJK0Nna0pDVHdoVzBORVFWUkJXenhtYVd4MFpYSStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThkSGx3WlQ0S0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThkSGx3WlQ1VGFHRmtiM2RVZVhCbFBDOTBlWEJsUGdvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeG1hV3gwWlhJK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4cGJrOXBaRDRLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4bGVIQnlaWE56YVc5dVBpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHlaWFIxY201VWVYQmxQbXhwYzNROEwzSmxkSFZ5YmxSNWNHVStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHhqYjJSbFBnb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWW1GemFXTXVaMlYwVDJsa2N5aHZZbXBsWTNSU1pXWXBPd29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJOdlpHVStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOXpZM0pwY0hRK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThMMlY0Y0hKbGMzTnBiMjQrQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2YVc1UGFXUStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5bWFXeDBaWEkrQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNSNWNHVStDaUFnSUNBZ0lDQWdJQ0FnSUR3dlptbHNkR1Z5UGwxZFBnb0pDVHd2Y1hWbGNubFRkSEpwYm1jK0Nna0pQR1pwWld4a0lHNWhiV1U5SW01aGJXVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklpOCtDZ2tKUEdacFpXeGtJRzVoYldVOUluSmxjMjkxY21ObFVtVm1JaUJqYkdGemN6MGlZMjl0TG1WMmIyeDJaWFZ0TG0xcFpIQnZhVzUwTG5odGJDNXVjeTVmY0hWaWJHbGpMbU52YlcxdmJpNWpiMjF0YjI1Zk15NVBZbXBsWTNSU1pXWmxjbVZ1WTJWVWVYQmxJaTgrQ2drOEwzTjFZa1JoZEdGelpYUStDZ2s4Y0dGeVlXMWxkR1Z5SUc1aGJXVTlJbUZqZEdsMllYUnBiMjRpSUdOc1lYTnpQU0pqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMa0ZqZEdsMllYUnBiMjVUZEdGMGRYTlVlWEJsSWk4K0NnazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOXlaMkZ1YVhwaGRHbHZiaUlnWTJ4aGMzTTlJbXBoZG1FdWJHRnVaeTVUZEhKcGJtY2lMejRLQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpY205c1pTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHh3WVhKaGJXVjBaWElnYm1GdFpUMGljbVZ6YjNWeVkyVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklqNEtDUWs4Y0hKdmNHVnlkSGtnYm1GdFpUMGlhMlY1SWlCMllXeDFaVDBpYjJsa0lpOCtDZ2tKUEhCeWIzQmxjblI1SUc1aGJXVTlJbXhoWW1Wc0lpQjJZV3gxWlQwaWJtRnRaU0l2UGdvSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKMFlYSm5aWFJVZVhCbElpQjJZV3gxWlQwaVkyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbmh0YkM1dWN5NWZjSFZpYkdsakxtTnZiVzF2Ymk1amIyMXRiMjVmTXk1U1pYTnZkWEpqWlZSNWNHVWlMejRLQ1R3dmNHRnlZVzFsZEdWeVBnb0pQSEYxWlhKNVUzUnlhVzVuSUd4aGJtZDFZV2RsUFNKdGNXd2lQZ29KQ1R3aFcwTkVRVlJCV3p4bWFXeDBaWEkrRFFvZ0lDQWdQSFI1Y0dVK0RRb2dJQ0FnSUNBZ0lEeDBlWEJsUGxWelpYSlVlWEJsUEM5MGVYQmxQZzBLSUNBZ0lDQWdJQ0E4Wm1sc2RHVnlQZzBLSUNBZ0lDQWdJQ0FnSUNBZ1BHRnVaRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4WlhGMVlXdytEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4d1lYUm9QbUZqZEdsMllYUnBiMjR2WVdSdGFXNXBjM1J5WVhScGRtVlRkR0YwZFhNOEwzQmhkR2crRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeGxlSEJ5WlhOemFXOXVQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQSEYxWlhKNVNXNTBaWEp3Y21WMFlYUnBiMjVQWms1dlZtRnNkV1UrWm1sc2RHVnlRV3hzUEM5eGRXVnllVWx1ZEdWeWNISmxkR0YwYVc5dVQyWk9iMVpoYkhWbFBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BIQmhkR2crSkdGamRHbDJZWFJwYjI0OEwzQmhkR2crRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJWeGRXRnNQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh5WldZK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh3WVhSb1BtRnpjMmxuYm0xbGJuUXZkR0Z5WjJWMFVtVm1QQzl3WVhSb1BnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4Wlhod2NtVnpjMmx2Ymo0TkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4eGRXVnllVWx1ZEdWeWNISmxkR0YwYVc5dVQyWk9iMVpoYkhWbFBtWnBiSFJsY2tGc2JEd3ZjWFZsY25sSmJuUmxjbkJ5WlhSaGRHbHZiazltVG05V1lXeDFaVDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh6WTNKcGNIUStEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEdOdlpHVStEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbHRjRzl5ZENCamIyMHVaWFp2YkhabGRXMHViV2xrY0c5cGJuUXVlRzFzTG01ekxsOXdkV0pzYVdNdVkyOXRiVzl1TG1OdmJXMXZibDh6TGs5eVoxUjVjR1U3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2x0Y0c5eWRDQmpiMjB1WlhadmJIWmxkVzB1Yldsa2NHOXBiblF1ZUcxc0xtNXpMbDl3ZFdKc2FXTXVZMjl0Ylc5dUxtTnZiVzF2Ymw4ekxrOWlhbVZqZEZKbFptVnlaVzVqWlZSNWNHVTdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCcFppQW9JVzl5WjJGdWFYcGhkR2x2YmlrZ2V3MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjbVYwZFhKdUlHNTFiR3c3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lFOWlhbVZqZEZKbFptVnlaVzVqWlZSNWNHVWdiM0owSUQwZ2JtVjNJRTlpYW1WamRGSmxabVZ5Wlc1alpWUjVjR1VvS1RzZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUEwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J2Y25RdWMyVjBUMmxrS0c5eVoyRnVhWHBoZEdsdmJpazdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHOXlkQzV6WlhSVWVYQmxLRTl5WjFSNWNHVXVRMDlOVUV4RldGOVVXVkJGS1RzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnY21WMGRYSnVJRzl5ZERzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThMMk52WkdVK0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNOamNtbHdkRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOWxlSEJ5WlhOemFXOXVQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2Y21WbVBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHlaV1krRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHdZWFJvUG1GemMybG5ibTFsYm5RdmRHRnlaMlYwVW1WbVBDOXdZWFJvUGcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh4ZFdWeWVVbHVkR1Z5Y0hKbGRHRjBhVzl1VDJaT2IxWmhiSFZsUG1acGJIUmxja0ZzYkR3dmNYVmxjbmxKYm5SbGNuQnlaWFJoZEdsdmJrOW1UbTlXWVd4MVpUNE5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQR052WkdVK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdsdGNHOXlkQ0JqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMbEp2YkdWVWVYQmxPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBiWEJ2Y25RZ1kyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbmh0YkM1dWN5NWZjSFZpYkdsakxtTnZiVzF2Ymk1amIyMXRiMjVmTXk1UFltcGxZM1JTWldabGNtVnVZMlZVZVhCbE93MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tDRnliMnhsS1NCN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnlaWFIxY200Z2JuVnNiRHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUTBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1QySnFaV04wVW1WbVpYSmxibU5sVkhsd1pTQnZjblFnUFNCdVpYY2dUMkpxWldOMFVtVm1aWEpsYm1ObFZIbHdaU2dwT3lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRzl5ZEM1elpYUlBhV1FvY205c1pTazdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHOXlkQzV6WlhSVWVYQmxLRkp2YkdWVWVYQmxMa05QVFZCTVJWaGZWRmxRUlNrN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhKbGRIVnliaUJ2Y25RN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQQzlqYjJSbFBpQWdJQ0FnSUEwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5elkzSnBjSFErRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNKbFpqNGdJQTBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh5WldZK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh3WVhSb1BtRnpjMmxuYm0xbGJuUXZZMjl1YzNSeWRXTjBhVzl1TDNKbGMyOTFjbU5sVW1WbVBDOXdZWFJvUGcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh4ZFdWeWVVbHVkR1Z5Y0hKbGRHRjBhVzl1VDJaT2IxWmhiSFZsUG1acGJIUmxja0ZzYkR3dmNYVmxjbmxKYm5SbGNuQnlaWFJoZEdsdmJrOW1UbTlXWVd4MVpUNE5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQR052WkdVK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdsdGNHOXlkQ0JqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMbEpsYzI5MWNtTmxWSGx3WlRzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYVcxd2IzSjBJR052YlM1bGRtOXNkbVYxYlM1dGFXUndiMmx1ZEM1NGJXd3Vibk11WDNCMVlteHBZeTVqYjIxdGIyNHVZMjl0Ylc5dVh6TXVUMkpxWldOMFVtVm1aWEpsYm1ObFZIbHdaVHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbG1JQ2doY21WemIzVnlZMlVwSUhzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lISmxkSFZ5YmlCdWRXeHNPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQjlEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCUFltcGxZM1JTWldabGNtVnVZMlZVZVhCbElHOXlkQ0E5SUc1bGR5QlBZbXBsWTNSU1pXWmxjbVZ1WTJWVWVYQmxLQ2s3SUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdiM0owTG5ObGRFOXBaQ2h5WlhOdmRYSmpaU2s3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRzl5ZEM1elpYUlVlWEJsS0ZKbGMyOTFjbU5sVkhsd1pTNURUMDFRVEVWWVgxUlpVRVVwT3cwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J5WlhSMWNtNGdiM0owT3cwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZZMjlrWlQ0Z0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2YzJOeWFYQjBQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBOEwyVjRjSEpsYzNOcGIyNCtEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQQzl5WldZK0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUR3dllXNWtQaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0RRb2dJQ0FnSUNBZ0lEd3ZabWxzZEdWeVBnMEtJQ0FnSUR3dmRIbHdaVDROQ2p3dlptbHNkR1Z5UGwxZFBnb0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NUeG1hV1ZzWkNCdVlXMWxQU0p2YVdRaUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVUzUnlhVzVuSWk4K0NnazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHhtYVdWc1pDQnVZVzFsUFNKc2FXNXJVbVZtSWlCamJHRnpjejBpYW1GMllTNTFkR2xzTGtGeWNtRjVUR2x6ZENJdlBnb0pQR1pwWld4a0lHNWhiV1U5SW1GemMybG5ibTFsYm5RaUlHTnNZWE56UFNKcVlYWmhMblYwYVd3dVRHbHpkQ0l2UGdvSlBHWnBaV3hrSUc1aGJXVTlJbUZqZEdsMllYUnBiMjRpSUdOc1lYTnpQU0pqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMa0ZqZEdsMllYUnBiMjVVZVhCbElpOCtDZ2s4Wm1sbGJHUWdibUZ0WlQwaVpuVnNiRTVoYldVaUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVUzUnlhVzVuSWk4K0NnazhZbUZqYTJkeWIzVnVaRDRLQ1FrOFltRnVaQ0JvWldsbmFIUTlJak13SWlCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaUx6NEtDVHd2WW1GamEyZHliM1Z1WkQ0S0NUeDBhWFJzWlQ0S0NRazhZbUZ1WkNCb1pXbG5hSFE5SWpFME5TSWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JajRLQ1FrSlBHWnlZVzFsUGdvSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2MzUjViR1U5SWxScGRHeGxJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlIZzlJakFpSUhrOUlqQWlJSGRwWkhSb1BTSXhNRGd3SWlCb1pXbG5hSFE5SWpZM0lpQmlZV05yWTI5c2IzSTlJaU15TmpjNU9UUWlJSFYxYVdROUlqUTBZbVZrWVdOakxXWmhNak10TkdabE1TMWlOekZtTFdVMVlXWmhPVFF6WmpVMU15SXZQZ29KQ1FrSlBITjBZWFJwWTFSbGVIUStDZ2tKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJbFJwZEd4bElpQjRQU0l4TUNJZ2VUMGlNVE1pSUhkcFpIUm9QU0l5TmpZaUlHaGxhV2RvZEQwaU16Z2lJSFYxYVdROUltWXlaRGs1WTJGa0xUbGtPRFF0TkdZMU1DMWlORFUxTFRRMU0yTTROMlkyTW1NMFl5SXZQZ29KQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlZYTmxjaUJTWlhCdmNuUmRYVDQ4TDNSbGVIUStDZ2tKQ1FrOEwzTjBZWFJwWTFSbGVIUStDZ2tKQ1R3dlpuSmhiV1UrQ2drSkNUeHpkR0YwYVdOVVpYaDBQZ29KQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJbEJoWjJVZ2FHVmhaR1Z5SWlCNFBTSXlJaUI1UFNJNE5TSWdkMmxrZEdnOUlqRTFNQ0lnYUdWcFoyaDBQU0l5TUNJZ2RYVnBaRDBpWWpCaU9UY3hOR1l0T1RabU5TMDBaalU0TFRneU5HSXRZemd4Wm1RMFpETXlNV1kzSWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJVbVZ3YjNKMElHZGxibVZ5WVhSbFpDQnZianBkWFQ0OEwzUmxlSFErQ2drSkNUd3ZjM1JoZEdsalZHVjRkRDRLQ1FrSlBIUmxlSFJHYVdWc1pDQndZWFIwWlhKdVBTSmtaQzVOVFUxTkxubDVlWGtzSUVoSU9tMXRPbk56SWo0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKUVlXZGxJR2hsWVdSbGNpSWdlRDBpTVRZd0lpQjVQU0k0TlNJZ2QybGtkR2c5SWpJMU1DSWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlNRGxoTjJVeU56SXRNakEwWlMwME1EYzRMVGhoTldVdFpUUTNNamMxTnpReU5HTXhJaTgrQ2drSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlVbWxuYUhRaUlIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaVBnb0pDUWtKQ1R4bWIyNTBJR2x6UW05c1pEMGlabUZzYzJVaUx6NEtDUWtKQ1R3dmRHVjRkRVZzWlcxbGJuUStDZ2tKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWdHVaWGNnYW1GMllTNTFkR2xzTGtSaGRHVW9LVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNEtDUWtKUEM5MFpYaDBSbWxsYkdRK0Nna0pDVHh6ZEdGMGFXTlVaWGgwUGdvSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2MzUjViR1U5SWxCaFoyVWdhR1ZoWkdWeUlpQjRQU0l5SWlCNVBTSXhNVFVpSUhkcFpIUm9QU0l4TlRBaUlHaGxhV2RvZEQwaU1qQWlJSFYxYVdROUlqTm1aamM0Wm1KbUxUaG1ZMlV0TkRBM01pMWlOamt4TFRkaFpqQTBOMlZoT1RKaE55SXZQZ29KQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejRLQ1FrSkNUeDBaWGgwUGp3aFcwTkVRVlJCVzA1MWJXSmxjaUJ2WmlCeVpXTnZjbVJ6T2wxZFBqd3ZkR1Y0ZEQ0S0NRa0pQQzl6ZEdGMGFXTlVaWGgwUGdvSkNRazhkR1Y0ZEVacFpXeGtJR1YyWVd4MVlYUnBiMjVVYVcxbFBTSlNaWEJ2Y25RaUlHbHpRbXhoYm10WGFHVnVUblZzYkQwaWRISjFaU0krQ2drSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpVUdGblpTQm9aV0ZrWlhJaUlIZzlJakUyTUNJZ2VUMGlNVEUxSWlCM2FXUjBhRDBpTWpVd0lpQm9aV2xuYUhROUlqSXdJaUIxZFdsa1BTSTRPVEkxTVRJeE1TMHpaalE1TFRRM01XUXRZamc0WkMwMU5UWTBZekZpWkRBMFpERWlMejRLQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IwWlhoMFFXeHBaMjV0Wlc1MFBTSlNhV2RvZENJZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJK0Nna0pDUWtKUEdadmJuUWdhWE5DYjJ4a1BTSm1ZV3h6WlNJdlBnb0pDUWtKUEM5MFpYaDBSV3hsYldWdWRENEtDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UldlMUpGVUU5U1ZGOURUMVZPVkgxZFhUNDhMM1JsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrQ2drSkNUd3ZkR1Y0ZEVacFpXeGtQZ29KQ1R3dlltRnVaRDRLQ1R3dmRHbDBiR1UrQ2drOGNHRm5aVWhsWVdSbGNqNEtDUWs4WW1GdVpDQnpjR3hwZEZSNWNHVTlJbE4wY21WMFkyZ2lMejRLQ1R3dmNHRm5aVWhsWVdSbGNqNEtDVHhqYjJ4MWJXNUlaV0ZrWlhJK0Nna0pQR0poYm1RZ2FHVnBaMmgwUFNJeE9TSWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JajRLQ1FrSlBITjBZWFJwWTFSbGVIUStDZ2tKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlRMjlzZFcxdUlHaGxZV1JsY2lJZ2VEMGlNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqSTBNQ0lnYUdWcFoyaDBQU0l4T0NJZ2RYVnBaRDBpTURRNU9Ea3dPV0l0WkROak5TMDBaV1V6TFdJNFl6a3RaakF3WVRnd09HVm1ZVGRoSWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJUbUZ0WlYxZFBqd3ZkR1Y0ZEQ0S0NRa0pQQzl6ZEdGMGFXTlVaWGgwUGdvSkNRazhjM1JoZEdsalZHVjRkRDRLQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhOMGVXeGxQU0pEYjJ4MWJXNGdhR1ZoWkdWeUlpQjRQU0l5TkRBaUlIazlJakFpSUhkcFpIUm9QU0l5TWpBaUlHaGxhV2RvZEQwaU1UZ2lJSFYxYVdROUlqZzJZemMwWW1WaUxXSmtaR1F0TkRoall5MDVORFZoTFRFMk4ySXlOakZpTVdVd1lpSXZQZ29KQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejRLQ1FrSkNUeDBaWGgwUGp3aFcwTkVRVlJCVzBaMWJHd2dibUZ0WlYxZFBqd3ZkR1Y0ZEQ0S0NRa0pQQzl6ZEdGMGFXTlVaWGgwUGdvSkNRazhjM1JoZEdsalZHVjRkRDRLQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhOMGVXeGxQU0pEYjJ4MWJXNGdhR1ZoWkdWeUlpQjRQU0kwTmpBaUlIazlJakFpSUhkcFpIUm9QU0l4TURBaUlHaGxhV2RvZEQwaU1UZ2lJSFYxYVdROUlqZzJZemMwWW1WaUxXSmtaR1F0TkRoall5MDVORFZoTFRFMk4ySXlOakZpTVdVd1lpSXZQZ29KQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejRLQ1FrSkNUeDBaWGgwUGp3aFcwTkVRVlJCVzBGamRHbDJZWFJwYjI1ZFhUNDhMM1JsZUhRK0Nna0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pQSE4wWVhScFkxUmxlSFErQ2drSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpUTI5c2RXMXVJR2hsWVdSbGNpSWdlRDBpTlRZd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRRd0lpQm9aV2xuYUhROUlqRTRJaUIxZFdsa1BTSXlabVprTWpJNFlpMDRZamczTFRSaVl6WXRZVGxrTWkwek1XVTRZVEprTldSaVlqY2lMejRLQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRazhkR1Y0ZEQ0OElWdERSRUZVUVZ0U2IyeGxYVjArUEM5MFpYaDBQZ29KQ1FrOEwzTjBZWFJwWTFSbGVIUStDZ2tKQ1R4emRHRjBhV05VWlhoMFBnb0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdjM1I1YkdVOUlrTnZiSFZ0YmlCb1pXRmtaWElpSUhnOUlqY3dNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqRTBNQ0lnYUdWcFoyaDBQU0l4T0NJZ2RYVnBaRDBpTW1NMFptRmxZak10WkRFNVl5MDBZekZsTFdKbVltWXRNV0l4TUdObFkyVTRZV1U0SWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJUM0puWVc1cGVtRjBhVzl1WFYwK1BDOTBaWGgwUGdvSkNRazhMM04wWVhScFkxUmxlSFErQ2drSkNUeHpkR0YwYVdOVVpYaDBQZ29KQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJa052YkhWdGJpQm9aV0ZrWlhJaUlIZzlJamcwTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakkwTUNJZ2FHVnBaMmgwUFNJeE9DSWdkWFZwWkQwaU0yVTBaVEl6TVRrdE1qVXdNaTAwWVRVekxXRTJZalF0WXpjNU5qZzFNakZtTm1JNElpOCtDZ2tKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZ29KQ1FrSlBIUmxlSFErUENGYlEwUkJWRUZiUVdOamIzVnVkRjFkUGp3dmRHVjRkRDRLQ1FrSlBDOXpkR0YwYVdOVVpYaDBQZ29KQ1R3dlltRnVaRDRLQ1R3dlkyOXNkVzF1U0dWaFpHVnlQZ29KUEdSbGRHRnBiRDRLQ1FrOFltRnVaQ0JvWldsbmFIUTlJakkxSWlCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaVBnb0pDUWs4Wm5KaGJXVStDZ2tKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlSR1YwWVdsc0lpQnpkSEpsZEdOb1ZIbHdaVDBpVW1Wc1lYUnBkbVZVYjFSaGJHeGxjM1JQWW1wbFkzUWlJRzF2WkdVOUlrOXdZWEYxWlNJZ2VEMGlNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqRXdPREFpSUdobGFXZG9kRDBpTWpRaUlIVjFhV1E5SWpnMlpHSTJOVE0zTFRneFpqQXROREppTVMxaU56UmhMV1F5WW1VM01Ea3lOekZqWkNJdlBnb0pDUWtKUEhSbGVIUkdhV1ZzWkNCcGMxTjBjbVYwWTJoWGFYUm9UM1psY21ac2IzYzlJblJ5ZFdVaUlHbHpRbXhoYm10WGFHVnVUblZzYkQwaWRISjFaU0krQ2drSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2VEMGlNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqSTRNQ0lnYUdWcFoyaDBQU0l5TUNJZ2RYVnBaRDBpTTJNMk5qaGxaV1V0WTJRelpTMDBOamszTFdGbVpUTXRaV1JpTnpnNU5EVXlOV05qSWk4K0Nna0pDUWtKUEhSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpFWjdibUZ0WlgxZFhUNDhMM1JsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrQ2drSkNRazhMM1JsZUhSR2FXVnNaRDRLQ1FrSkNUeDBaWGgwUm1sbGJHUWdhWE5UZEhKbGRHTm9WMmwwYUU5MlpYSm1iRzkzUFNKMGNuVmxJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnb0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSGc5SWpJNE1DSWdlVDBpTUNJZ2QybGtkR2c5SWpFNE1DSWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlZemc1TkRoak9EVXRaV016TVMwMFlqTTVMVGc0T1dFdE5ETmpZbU5sTnpCbU4yWTRJaTgrQ2drSkNRa0pQSFJsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSkVaN1puVnNiRTVoYldWOVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGdvSkNRa0pQQzkwWlhoMFJtbGxiR1ErQ2drSkNRazhkR1Y0ZEVacFpXeGtJR2x6VTNSeVpYUmphRmRwZEdoUGRtVnlabXh2ZHowaWRISjFaU0lnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNEtDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0I0UFNJME5qQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE1EQWlJR2hsYVdkb2REMGlNakFpSUhWMWFXUTlJamc1T1dJd05qWmtMV1E0WTJZdE5EVTVOQzA0TTJJMExURmhNelZoT1RVME1UWTBPQ0l2UGdvSkNRa0pDVHgwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCV3lSR2UyRmpkR2wyWVhScGIyNTlMbWRsZEVGa2JXbHVhWE4wY21GMGFYWmxVM1JoZEhWektDbGRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0Nna0pDUWs4TDNSbGVIUkdhV1ZzWkQ0S0NRa0pDVHhqYjIxd2IyNWxiblJGYkdWdFpXNTBQZ29KQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhnOUlqVTJNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqRTBNQ0lnYUdWcFoyaDBQU0l4T1NJZ2RYVnBaRDBpTkRKaE4yWXdNV1l0TXpVNFlTMDBZVEJrTFdFMllXRXROR001WXpBNU0ySmxNMk0ySWk4K0Nna0pDUWtKUEdweU9teHBjM1FnZUcxc2JuTTZhbkk5SW1oMGRIQTZMeTlxWVhOd1pYSnlaWEJ2Y25SekxuTnZkWEpqWldadmNtZGxMbTVsZEM5cVlYTndaWEp5WlhCdmNuUnpMMk52YlhCdmJtVnVkSE1pSUhoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE12WTI5dGNHOXVaVzUwY3lCb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmVITmtMMk52YlhCdmJtVnVkSE11ZUhOa0lpQndjbWx1ZEU5eVpHVnlQU0pJYjNKcGVtOXVkR0ZzSWo0S0NRa0pDUWtKUEdSaGRHRnpaWFJTZFc0Z2MzVmlSR0YwWVhObGREMGljbTlzWlhORVlYUmhjMlYwSWlCMWRXbGtQU0l6TURBMU9EWmtOaTB3WmpNeUxUUmhaamt0WWpJM1ppMWhZams1TVRZM05UQXhaRFVpUGdvSkNRa0pDUWtKUEhCaGNtRnRaWFJsY25OTllYQkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXMjVsZHlCSVlYTm9UV0Z3S0NSUWUxSkZVRTlTVkY5UVFWSkJUVVZVUlZKVFgwMUJVSDBwWFYwK1BDOXdZWEpoYldWMFpYSnpUV0Z3Ulhod2NtVnpjMmx2Ymo0S0NRa0pDUWtKQ1R4a1lYUmhjMlYwVUdGeVlXMWxkR1Z5SUc1aGJXVTlJbUZ6YzJsbmJtMWxiblFpUGdvSkNRa0pDUWtKQ1R4a1lYUmhjMlYwVUdGeVlXMWxkR1Z5Ulhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZza1JudGhjM05wWjI1dFpXNTBmVjFkUGp3dlpHRjBZWE5sZEZCaGNtRnRaWFJsY2tWNGNISmxjM05wYjI0K0Nna0pDUWtKQ1FrOEwyUmhkR0Z6WlhSUVlYSmhiV1YwWlhJK0Nna0pDUWtKQ1FrOFkyOXVibVZqZEdsdmJrVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRkI3VWtWUVQxSlVYME5QVGs1RlExUkpUMDU5WFYwK1BDOWpiMjV1WldOMGFXOXVSWGh3Y21WemMybHZiajRLQ1FrSkNRa0pQQzlrWVhSaGMyVjBVblZ1UGdvSkNRa0pDUWs4YW5JNmJHbHpkRU52Ym5SbGJuUnpJR2hsYVdkb2REMGlNVGdpSUhkcFpIUm9QU0l4TkRBaVBnb0pDUWtKQ1FrSlBIUmxlSFJHYVdWc1pDQnBjMU4wY21WMFkyaFhhWFJvVDNabGNtWnNiM2M5SW5SeWRXVWlJR2x6UW14aGJtdFhhR1Z1VG5Wc2JEMGlkSEoxWlNJK0Nna0pDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZUQwaU1DSWdlVDBpTUNJZ2QybGtkR2c5SWpFME1DSWdhR1ZwWjJoMFBTSXhPQ0lnZFhWcFpEMGlOakZrWXprME1HVXRNV1JtTkMwME56TmtMV0V4WmpVdFl6SXhaR1kyTmpabE9HRXhJaTgrQ2drSkNRa0pDUWtKUEhSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpFWjdibUZ0WlgxZFhUNDhMM1JsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrQ2drSkNRa0pDUWs4TDNSbGVIUkdhV1ZzWkQ0S0NRa0pDUWtKUEM5cWNqcHNhWE4wUTI5dWRHVnVkSE0rQ2drSkNRa0pQQzlxY2pwc2FYTjBQZ29KQ1FrSlBDOWpiMjF3YjI1bGJuUkZiR1Z0Wlc1MFBnb0pDUWtKUEdOdmJYQnZibVZ1ZEVWc1pXMWxiblErQ2drSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2VEMGlOekF3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVFF3SWlCb1pXbG5hSFE5SWpFNUlpQjFkV2xrUFNKbE4yWTJOamhtTXkwNU5qWTBMVFEyTmpBdE9HSXhOaTB3WkRJMVpHWTNaRE5sTW1RaUx6NEtDUWtKQ1FrOGFuSTZiR2x6ZENCNGJXeHVjenBxY2owaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE12WTI5dGNHOXVaVzUwY3lJZ2VITnBPbk5qYUdWdFlVeHZZMkYwYVc5dVBTSm9kSFJ3T2k4dmFtRnpjR1Z5Y21Wd2IzSjBjeTV6YjNWeVkyVm1iM0puWlM1dVpYUXZhbUZ6Y0dWeWNtVndiM0owY3k5amIyMXdiMjVsYm5SeklHaDBkSEE2THk5cVlYTndaWEp5WlhCdmNuUnpMbk52ZFhKalpXWnZjbWRsTG01bGRDOTRjMlF2WTI5dGNHOXVaVzUwY3k1NGMyUWlJSEJ5YVc1MFQzSmtaWEk5SWtodmNtbDZiMjUwWVd3aVBnb0pDUWtKQ1FrOFpHRjBZWE5sZEZKMWJpQnpkV0pFWVhSaGMyVjBQU0p2Y21kelJHRjBZWE5sZENJZ2RYVnBaRDBpWVdZMk5HTXhOMk10TURKbFpTMDBNRFEwTFdFNVkyVXRPVEZoT1RCaE4yRTBaVEE0SWo0S0NRa0pDUWtKQ1R4d1lYSmhiV1YwWlhKelRXRndSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnR1WlhjZ1NHRnphRTFoY0Nna1VIdFNSVkJQVWxSZlVFRlNRVTFGVkVWU1UxOU5RVkI5S1YxZFBqd3ZjR0Z5WVcxbGRHVnljMDFoY0VWNGNISmxjM05wYjI0K0Nna0pDUWtKQ1FrOFpHRjBZWE5sZEZCaGNtRnRaWFJsY2lCdVlXMWxQU0poYzNOcFoyNXRaVzUwSWo0S0NRa0pDUWtKQ1FrOFpHRjBZWE5sZEZCaGNtRnRaWFJsY2tWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpFWjdZWE56YVdkdWJXVnVkSDFkWFQ0OEwyUmhkR0Z6WlhSUVlYSmhiV1YwWlhKRmVIQnlaWE56YVc5dVBnb0pDUWtKQ1FrSlBDOWtZWFJoYzJWMFVHRnlZVzFsZEdWeVBnb0pDUWtKQ1FrSlBHTnZibTVsWTNScGIyNUZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJRZTFKRlVFOVNWRjlEVDA1T1JVTlVTVTlPZlYxZFBqd3ZZMjl1Ym1WamRHbHZia1Y0Y0hKbGMzTnBiMjQrQ2drSkNRa0pDVHd2WkdGMFlYTmxkRkoxYmo0S0NRa0pDUWtKUEdweU9teHBjM1JEYjI1MFpXNTBjeUJvWldsbmFIUTlJakU1SWlCM2FXUjBhRDBpTVRRd0lqNEtDUWtKQ1FrSkNUeDBaWGgwUm1sbGJHUWdhWE5UZEhKbGRHTm9WMmwwYUU5MlpYSm1iRzkzUFNKMGNuVmxJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnb0pDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhnOUlqQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE5EQWlJR2hsYVdkb2REMGlNVGtpSUhWMWFXUTlJamxtTkRnNU5HWXpMVFJrWVdNdE5EZ3hNeTA0TUdObUxXRmtPVGN3T0RNMll6QmxZU0l2UGdvSkNRa0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UkdlMjVoYldWOVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGdvSkNRa0pDUWtKUEM5MFpYaDBSbWxsYkdRK0Nna0pDUWtKQ1R3dmFuSTZiR2x6ZEVOdmJuUmxiblJ6UGdvSkNRa0pDVHd2YW5JNmJHbHpkRDRLQ1FrSkNUd3ZZMjl0Y0c5dVpXNTBSV3hsYldWdWRENEtDUWtKQ1R4amIyMXdiMjVsYm5SRmJHVnRaVzUwUGdvSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIZzlJamcwTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakkwTUNJZ2FHVnBaMmgwUFNJeE9TSWdkWFZwWkQwaVlUaGpaVEkxTURBdFpEYzVPUzAwT0dOakxXRXpNekV0TkdNeE0yRXlZV1kyTnpRMElpOCtDZ2tKQ1FrSlBHcHlPbXhwYzNRZ2VHMXNibk02YW5JOUltaDBkSEE2THk5cVlYTndaWEp5WlhCdmNuUnpMbk52ZFhKalpXWnZjbWRsTG01bGRDOXFZWE53WlhKeVpYQnZjblJ6TDJOdmJYQnZibVZ1ZEhNaUlIaHphVHB6WTJobGJXRk1iMk5oZEdsdmJqMGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNdlkyOXRjRzl1Wlc1MGN5Qm9kSFJ3T2k4dmFtRnpjR1Z5Y21Wd2IzSjBjeTV6YjNWeVkyVm1iM0puWlM1dVpYUXZlSE5rTDJOdmJYQnZibVZ1ZEhNdWVITmtJaUJ3Y21sdWRFOXlaR1Z5UFNKSWIzSnBlbTl1ZEdGc0lqNEtDUWtKQ1FrSlBHUmhkR0Z6WlhSU2RXNGdjM1ZpUkdGMFlYTmxkRDBpWVdOamIzVnVkSE5FWVhSaGMyVjBJaUIxZFdsa1BTSTJaakU0TldZME9DMWtZbU13TFRRM01ETXRPR05tTWkwMVpqbGpNbU0zTkRCa09UY2lQZ29KQ1FrSkNRa0pQSEJoY21GdFpYUmxjbk5OWVhCRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQlcyNWxkeUJJWVhOb1RXRndLQ1JRZTFKRlVFOVNWRjlRUVZKQlRVVlVSVkpUWDAxQlVIMHBYVjArUEM5d1lYSmhiV1YwWlhKelRXRndSWGh3Y21WemMybHZiajRLQ1FrSkNRa0pDVHhrWVhSaGMyVjBVR0Z5WVcxbGRHVnlJRzVoYldVOUltOWlhbVZqZEZKbFppSStDZ2tKQ1FrSkNRa0pQR1JoZEdGelpYUlFZWEpoYldWMFpYSkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJHZTJ4cGJtdFNaV1o5WFYwK1BDOWtZWFJoYzJWMFVHRnlZVzFsZEdWeVJYaHdjbVZ6YzJsdmJqNEtDUWtKQ1FrSkNUd3ZaR0YwWVhObGRGQmhjbUZ0WlhSbGNqNEtDUWtKQ1FrSkNUeGpiMjV1WldOMGFXOXVSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrVUh0U1JWQlBVbFJmUTA5T1RrVkRWRWxQVG4xZFhUNDhMMk52Ym01bFkzUnBiMjVGZUhCeVpYTnphVzl1UGdvSkNRa0pDUWs4TDJSaGRHRnpaWFJTZFc0K0Nna0pDUWtKQ1R4cWNqcHNhWE4wUTI5dWRHVnVkSE1nYUdWcFoyaDBQU0l4T1NJZ2QybGtkR2c5SWpJME1DSStDZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtJR2x6VTNSeVpYUmphRmRwZEdoUGRtVnlabXh2ZHowaWRISjFaU0lnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNEtDUWtKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCNFBTSXdJaUI1UFNJd0lpQjNhV1IwYUQwaU1qUXdJaUJvWldsbmFIUTlJakU1SWlCMWRXbGtQU0kwWlRVNU9EbGtaaTAzTXpSakxUUXhZV1F0T0RRM01pMWlObUUyWmpnNU16bGlNamdpTHo0S0NRa0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnR1WVcxbGZTc2lJQ2hTWlhOdmRYSmpaVG9nSWlza1JudHlaWE52ZFhKalpWSmxabjB1WjJWMFZHRnlaMlYwVG1GdFpTZ3BLeUlwSWwxZFBqd3ZkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajRLQ1FrSkNRa0pDVHd2ZEdWNGRFWnBaV3hrUGdvSkNRa0pDUWs4TDJweU9teHBjM1JEYjI1MFpXNTBjejRLQ1FrSkNRazhMMnB5T214cGMzUStDZ2tKQ1FrOEwyTnZiWEJ2Ym1WdWRFVnNaVzFsYm5RK0Nna0pDUWs4YkdsdVpUNEtDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J3YjNOcGRHbHZibFI1Y0dVOUlrWnBlRkpsYkdGMGFYWmxWRzlDYjNSMGIyMGlJRzF2WkdVOUlrOXdZWEYxWlNJZ2VEMGlNQ0lnZVQwaU1Ua2lJSGRwWkhSb1BTSXhNRGd3SWlCb1pXbG5hSFE5SWpFaUlHWnZjbVZqYjJ4dmNqMGlJek16TXpNek15SWdkWFZwWkQwaU5EZG1PVEU0TURFdFkyWTFaaTAwWW1Wa0xXSXhPV010WTJFek9UTXhZMkptT1Roa0lpOCtDZ2tKQ1FrOEwyeHBibVUrQ2drSkNUd3ZabkpoYldVK0Nna0pQQzlpWVc1a1Bnb0pQQzlrWlhSaGFXdytDZ2s4WTI5c2RXMXVSbTl2ZEdWeVBnb0pDVHhpWVc1a0lHaGxhV2RvZEQwaU55SWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JajRLQ1FrSlBHeHBibVUrQ2drSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCd2IzTnBkR2x2YmxSNWNHVTlJa1pwZUZKbGJHRjBhWFpsVkc5Q2IzUjBiMjBpSUhnOUlqQWlJSGs5SWpNaUlIZHBaSFJvUFNJeE1EZ3dJaUJvWldsbmFIUTlJakVpSUhWMWFXUTlJbUUxT1RGa05HTXhMVEZqWVdRdE5HUmhNaTA1Wmpsa0xUQTRNV1kxTXpsbE9UQTBNeUl2UGdvSkNRa0pQR2R5WVhCb2FXTkZiR1Z0Wlc1MFBnb0pDUWtKQ1R4d1pXNGdiR2x1WlZkcFpIUm9QU0l3TGpVaUlHeHBibVZEYjJ4dmNqMGlJems1T1RrNU9TSXZQZ29KQ1FrSlBDOW5jbUZ3YUdsalJXeGxiV1Z1ZEQ0S0NRa0pQQzlzYVc1bFBnb0pDVHd2WW1GdVpENEtDVHd2WTI5c2RXMXVSbTl2ZEdWeVBnb0pQSEJoWjJWR2IyOTBaWEkrQ2drSlBHSmhibVFnYUdWcFoyaDBQU0l6TWlJZ2MzQnNhWFJVZVhCbFBTSlRkSEpsZEdOb0lqNEtDUWtKUEdaeVlXMWxQZ29KQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJbEJoWjJVZ1ptOXZkR1Z5SWlCdGIyUmxQU0pVY21GdWMzQmhjbVZ1ZENJZ2VEMGlNQ0lnZVQwaU1TSWdkMmxrZEdnOUlqRXdPREFpSUdobGFXZG9kRDBpTWpRaUlIVjFhV1E5SW1aaVpUaGhZV1UwTFRZMU1EQXRORFk0WVMxaU1XVTRMVGN3TUdJMU5qa3hNemxoTVNJdlBnb0pDUWtKUEhSbGVIUkdhV1ZzWkNCd1lYUjBaWEp1UFNKa1pDNU5UVTFOVFM1NWVYbDVJajRLQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpVUdGblpTQm1iMjkwWlhJaUlIZzlJaklpSUhrOUlqRWlJSGRwWkhSb1BTSXhPVGNpSUdobGFXZG9kRDBpTWpBaUlIVjFhV1E5SWpJNFltSTVZalEzTFdFMk9XTXRORGhsTVMwNU1EY3pMV1ExTkdRNU1qWXlOREpsT0NJdlBnb0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtDZ2tKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJibVYzSUdwaGRtRXVkWFJwYkM1RVlYUmxLQ2xkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrOEwzUmxlSFJHYVdWc1pENEtDUWtKQ1R4MFpYaDBSbWxsYkdRK0Nna0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdjM1I1YkdVOUlsQmhaMlVnWm05dmRHVnlJaUI0UFNJNU5qQWlJSGs5SWpFaUlIZHBaSFJvUFNJNE1DSWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlOV013TmpKak5qWXRZbUUwTlMwME1qZzRMVGxrWTJRdE1qUTJaVEk0WXpWaFpqYzFJaTgrQ2drSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhSbGVIUkJiR2xuYm0xbGJuUTlJbEpwWjJoMElpQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtDZ2tKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJJbEJoWjJVZ0lpc2tWbnRRUVVkRlgwNVZUVUpGVW4wcklpQnZaaUpkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrOEwzUmxlSFJHYVdWc1pENEtDUWtKQ1R4MFpYaDBSbWxsYkdRZ1pYWmhiSFZoZEdsdmJsUnBiV1U5SWxKbGNHOXlkQ0krQ2drSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2MzUjViR1U5SWxCaFoyVWdabTl2ZEdWeUlpQjRQU0l4TURRd0lpQjVQU0l4SWlCM2FXUjBhRDBpTkRBaUlHaGxhV2RvZEQwaU1qQWlJSFYxYVdROUlqa3pOR0l4Tm1VNExXTXpaV0l0TkRBeE55MDROalpoTFRCaU56Y3pOV0ptTWpreE55SXZQZ29KQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRa0pQSFJsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSWlBaUlDc2dKRlo3VUVGSFJWOU9WVTFDUlZKOVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGdvSkNRa0pQQzkwWlhoMFJtbGxiR1ErQ2drSkNUd3ZabkpoYldVK0Nna0pQQzlpWVc1a1Bnb0pQQzl3WVdkbFJtOXZkR1Z5UGdvOEwycGhjM0JsY2xKbGNHOXlkRDRL</template>
+   <templateStyle>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWo4K0RRbzhJVVJQUTFSWlVFVWdhbUZ6Y0dWeVZHVnRjR3hoZEdVTkNpQWdVRlZDVEVsRElDSXRMeTlLWVhOd1pYSlNaWEJ2Y25Sekx5OUVWRVFnVkdWdGNHeGhkR1V2TDBWT0lnMEtJQ0FpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJSMFpITXZhbUZ6Y0dWeWRHVnRjR3hoZEdVdVpIUmtJajROQ2p4cVlYTndaWEpVWlcxd2JHRjBaVDROQ2lBZ0lDQWdJQ0FnQ1R4emRIbHNaU0JtYjI1MFRtRnRaVDBpUkdWcVlWWjFJRk5oYm5NaUlHWnZiblJUYVhwbFBTSXhNQ0lnYUVGc2FXZHVQU0pNWldaMElpQnBjMFJsWm1GMWJIUTlJblJ5ZFdVaUlHbHpVR1JtUlcxaVpXUmtaV1E5SW5SeWRXVWlJQTBLQ1FrSkNTQWdJRzVoYldVOUlrSmhjMlVpSUhCa1prVnVZMjlrYVc1blBTSkpaR1Z1ZEdsMGVTMUlJaUJ3WkdaR2IyNTBUbUZ0WlQwaVJHVnFZVloxVTJGdWN5NTBkR1lpSUhaQmJHbG5iajBpVFdsa1pHeGxJajROQ2drSkNUd3ZjM1I1YkdVK0RRb0pDUWs4YzNSNWJHVWdZbUZqYTJOdmJHOXlQU0lqTWpZM09UazBJaUJtYjI1MFUybDZaVDBpTWpZaUlHWnZjbVZqYjJ4dmNqMGlJMFpHUmtaR1JpSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J0YjJSbFBTSlBjR0Z4ZFdVaUlHNWhiV1U5SWxScGRHeGxJaUJ6ZEhsc1pUMGlRbUZ6WlNJdlBpQU5DZ2tKQ1R4emRIbHNaU0JtYjI1MFUybDZaVDBpTVRJaUlHWnZjbVZqYjJ4dmNqMGlJekF3TURBd01DSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSWdibUZ0WlQwaVVHRm5aU0JvWldGa1pYSWlEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYzNSNWJHVTlJa0poYzJVaUx6NE5DZ2tKQ1R4emRIbHNaU0JpWVdOclkyOXNiM0k5SWlNek16TXpNek1pSUdadmJuUlRhWHBsUFNJeE1pSWdabTl5WldOdmJHOXlQU0lqUmtaR1JrWkdJaUJvUVd4cFoyNDlJa05sYm5SbGNpSU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwYzBSbFptRjFiSFE5SW1aaGJITmxJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlHNWhiV1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSE4wZVd4bFBTSkNZWE5sSWk4K0RRb0pDUWs4YzNSNWJHVWdhWE5DYjJ4a1BTSm1ZV3h6WlNJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJZ2JtRnRaVDBpUkdWMFlXbHNJaUJ6ZEhsc1pUMGlRbUZ6WlNJdlBnMEtJQ0FnSUNBZ0lDQWdJQ0FnUEhOMGVXeGxJR2x6UW05c1pEMGlabUZzYzJVaUlHbHpSR1ZtWVhWc2REMGlabUZzYzJVaUlHNWhiV1U5SWtOdlpHVWlJSE4wZVd4bFBTSkNZWE5sSWlCbWIyNTBVMmw2WlQwaU9TSXZQZzBLQ1FrSlBITjBlV3hsSUdadmJuUlRhWHBsUFNJNUlpQm1iM0psWTI5c2IzSTlJaU13TURBd01EQWlJR2x6UkdWbVlYVnNkRDBpWm1Gc2MyVWlJRzVoYldVOUlsQmhaMlVnWm05dmRHVnlJZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhOMGVXeGxQU0pDWVhObElpOCtEUW9KQ1R3dmFtRnpjR1Z5VkdWdGNHeGhkR1Ur</templateStyle>
+   <export>csv</export>
+   <virtualizer>JRSwapFileVirtualizer</virtualizer>
+   <virtualizerKickOn>300</virtualizerKickOn>
+   <maxPages>10000</maxPages>
+   <timeout>300000</timeout>
+</report>
diff --git a/model/report-impl/src/test/resources/reports/report-user-list-expressions-poisonous-field-csv.xml b/model/report-impl/src/test/resources/reports/report-user-list-expressions-poisonous-field-csv.xml
new file mode 100644
index 00000000000..07704c11892
--- /dev/null
+++ b/model/report-impl/src/test/resources/reports/report-user-list-expressions-poisonous-field-csv.xml
@@ -0,0 +1,34 @@
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<report oid="76c58132-4fe9-11e9-86fe-ff36d221f673" 
+		xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+   <name>Users in MidPoint - report with poisonous field expressions</name>
+   <description>Users listed in MidPoint.</description>
+   
+   <!-- No archetype here. Default expression profile. -->
+   
+   <parent>true</parent>
+   <template>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWlCbGJtTnZaR2x1WnowaVZWUkdMVGdpUHo0S1BHcGhjM0JsY2xKbGNHOXlkQ0I0Yld4dWN6MGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNaUlIaHRiRzV6T25oemFUMGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TVM5WVRVeFRZMmhsYldFdGFXNXpkR0Z1WTJVaUlIaHphVHB6WTJobGJXRk1iMk5oZEdsdmJqMGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNZ2FIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwzaHpaQzlxWVhOd1pYSnlaWEJ2Y25RdWVITmtJaUJ1WVcxbFBTSnlaWEJ2Y25SVmMyVnlUR2x6ZENJZ2NHRm5aVmRwWkhSb1BTSXhNVEl3SWlCd1lXZGxTR1ZwWjJoMFBTSTFPVFVpSUc5eWFXVnVkR0YwYVc5dVBTSk1ZVzVrYzJOaGNHVWlJSGRvWlc1T2IwUmhkR0ZVZVhCbFBTSkJiR3hUWldOMGFXOXVjMDV2UkdWMFlXbHNJaUJqYjJ4MWJXNVhhV1IwYUQwaU1UQTRNQ0lnYkdWbWRFMWhjbWRwYmowaU1qQWlJSEpwWjJoMFRXRnlaMmx1UFNJeU1DSWdkRzl3VFdGeVoybHVQU0l6TUNJZ1ltOTBkRzl0VFdGeVoybHVQU0l6TUNJZ2RYVnBaRDBpTmpkbE5EWTFZelV0TkRabFlTMDBNR1F5TFdKbFlUQXRORFk1WXpaalpqTTRPVE0zSWo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NXdjbWx1ZEM1clpXVndMbVoxYkd3dWRHVjRkQ0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnVaWFF1YzJZdWFtRnpjR1Z5Y21Wd2IzSjBjeTVsZUhCdmNuUXVlR3h6TG5KbGJXOTJaUzVsYlhCMGVTNXpjR0ZqWlM1aVpYUjNaV1Z1TG1OdmJIVnRibk1pSUhaaGJIVmxQU0owY25WbElpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlhod2IzSjBMbmhzY3k1eVpXMXZkbVV1Wlcxd2RIa3VjM0JoWTJVdVltVjBkMlZsYmk1eWIzZHpJaUIyWVd4MVpUMGlkSEoxWlNJdlBnb0pQSEJ5YjNCbGNuUjVJRzVoYldVOUltNWxkQzV6Wmk1cVlYTndaWEp5WlhCdmNuUnpMbVY0Y0c5eWRDNXdaR1l1Wm05eVkyVXViR2x1WldKeVpXRnJMbkJ2YkdsamVTSWdkbUZzZFdVOUluUnlkV1VpTHo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdVkzTjJMbVY0WTJ4MVpHVXViM0pwWjJsdUxtSmhibVF1TVNJZ2RtRnNkV1U5SW5ScGRHeGxJaTgrQ2drOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG1OemRpNWxlR05zZFdSbExtOXlhV2RwYmk1aVlXNWtMaklpSUhaaGJIVmxQU0p3WVdkbFJtOXZkR1Z5SWk4K0NnazhjSEp2Y0dWeWRIa2dibUZ0WlQwaWJtVjBMbk5tTG1waGMzQmxjbkpsY0c5eWRITXVaWGh3YjNKMExuaHNjeTVsZUdOc2RXUmxMbTl5YVdkcGJpNWlZVzVrTGpFaUlIWmhiSFZsUFNKd1lXZGxTR1ZoWkdWeUlpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlhod2IzSjBMbmhzY3k1bGVHTnNkV1JsTG05eWFXZHBiaTVpWVc1a0xqSWlJSFpoYkhWbFBTSndZV2RsUm05dmRHVnlJaTgrQ2drOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG5oc2N5NWxlR05zZFdSbExtOXlhV2RwYmk1clpXVndMbVpwY25OMExtSmhibVF1TWlJZ2RtRnNkV1U5SW1OdmJIVnRia2hsWVdSbGNpSXZQZ29KUEhCeWIzQmxjblI1SUc1aGJXVTlJbTVsZEM1elppNXFZWE53WlhKeVpYQnZjblJ6TG1WNGNHOXlkQzU0YkhNdVpHVjBaV04wTG1ObGJHd3VkSGx3WlNJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1ZUd4ekxuZHlZWEF1ZEdWNGRDSWdkbUZzZFdVOUluUnlkV1VpTHo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdWVHeHpMbUYxZEc4dVptbDBMbkp2ZHlJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1ZUd4ekxtRjFkRzh1Wm1sMExtTnZiSFZ0YmlJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1aGQzUXVhV2R1YjNKbExtMXBjM05wYm1jdVptOXVkQ0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnBjbVZ3YjNKMExucHZiMjBpSUhaaGJIVmxQU0l4TGpBaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnBjbVZ3YjNKMExuZ2lJSFpoYkhWbFBTSXhOaUl2UGdvSlBIQnliM0JsY25SNUlHNWhiV1U5SW1seVpYQnZjblF1ZVNJZ2RtRnNkV1U5SWpFMElpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlZMjl0TG1waGMzQmxjbk52Wm5RdWMzUjFaR2x2TG1SaGRHRXVaR1ZtWVhWc2RHUmhkR0ZoWkdGd2RHVnlJaUIyWVd4MVpUMGliWEZzSWk4K0NnazhhVzF3YjNKMElIWmhiSFZsUFNKamIyMHVaWFp2YkhabGRXMHViV2xrY0c5cGJuUXVjbVZ3YjNKMExtbHRjR3d1VW1Wd2IzSjBWWFJwYkhNaUx6NEtDVHh6ZFdKRVlYUmhjMlYwSUc1aGJXVTlJbkp2YkdWelJHRjBZWE5sZENJZ2RYVnBaRDBpTmpVNVpETm1ZbUV0WkRBelpDMDBNMkpqTFRoa1kyUXROVEF5WkRBek5EUXpaV0psSWo0S0NRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltRnpjMmxuYm0xbGJuUWlJR05zWVhOelBTSnFZWFpoTG5WMGFXd3VUR2x6ZENJdlBnb0pDVHh4ZFdWeWVWTjBjbWx1WnlCc1lXNW5kV0ZuWlQwaWJYRnNJajRLQ1FrSlBDRmJRMFJCVkVGYlBHTnZaR1UrYVdZZ0tHRnpjMmxuYm0xbGJuUWdJVDBnYm5Wc2JDbDdjbVZ3YjNKMExuSmxjMjlzZG1WU2IyeGxjeWhoYzNOcFoyNXRaVzUwS1gwOEwyTnZaR1UrWFYwK0Nna0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NRazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHd2YzNWaVJHRjBZWE5sZEQ0S0NUeHpkV0pFWVhSaGMyVjBJRzVoYldVOUltOXlaM05FWVhSaGMyVjBJaUIxZFdsa1BTSTJOR0UxWXprMFlTMWpZbU0yTFRReU5qZ3RZbU5pTXkwd1kyVm1Nek5oWVRWbE1ESWlQZ29KQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpWVhOemFXZHViV1Z1ZENJZ1kyeGhjM005SW1waGRtRXVkWFJwYkM1TWFYTjBJaTgrQ2drSlBIRjFaWEo1VTNSeWFXNW5JR3hoYm1kMVlXZGxQU0p0Y1d3aVBnb0pDUWs4SVZ0RFJFRlVRVnM4WTI5a1pUNEtDUWtKQ1FscFppQW9ZWE56YVdkdWJXVnVkQ0FoUFNCdWRXeHNLWHNLQ1FrSkNRbHlaWEJ2Y25RdWNtVnpiMngyWlU5eVozTW9ZWE56YVdkdWJXVnVkQ2tLQ1FrSkNRbDlDZ2tKQ1FrOEwyTnZaR1UrWFYwK0Nna0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NRazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHd2YzNWaVJHRjBZWE5sZEQ0S0NUeHpkV0pFWVhSaGMyVjBJRzVoYldVOUltRmpZMjkxYm5SelJHRjBZWE5sZENJZ2RYVnBaRDBpWXpSa09EUTBaVGN0TVRSak5DMDBPV0k0TFdKbU1URXRZemt5TVdRMU9HRXhaRFF3SWo0S0NRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOWlhbVZqZEZKbFppSWdZMnhoYzNNOUltcGhkbUV1ZFhScGJDNUJjbkpoZVV4cGMzUWlMejRLQ1FrOGNYVmxjbmxUZEhKcGJtY2diR0Z1WjNWaFoyVTlJbTF4YkNJK0Nna0pDVHdoVzBORVFWUkJXenhtYVd4MFpYSStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThkSGx3WlQ0S0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThkSGx3WlQ1VGFHRmtiM2RVZVhCbFBDOTBlWEJsUGdvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeG1hV3gwWlhJK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4cGJrOXBaRDRLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4bGVIQnlaWE56YVc5dVBpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHlaWFIxY201VWVYQmxQbXhwYzNROEwzSmxkSFZ5YmxSNWNHVStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHhqYjJSbFBnb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWW1GemFXTXVaMlYwVDJsa2N5aHZZbXBsWTNSU1pXWXBPd29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJOdlpHVStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOXpZM0pwY0hRK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThMMlY0Y0hKbGMzTnBiMjQrQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2YVc1UGFXUStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5bWFXeDBaWEkrQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNSNWNHVStDaUFnSUNBZ0lDQWdJQ0FnSUR3dlptbHNkR1Z5UGwxZFBnb0pDVHd2Y1hWbGNubFRkSEpwYm1jK0Nna0pQR1pwWld4a0lHNWhiV1U5SW01aGJXVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklpOCtDZ2tKUEdacFpXeGtJRzVoYldVOUluSmxjMjkxY21ObFVtVm1JaUJqYkdGemN6MGlZMjl0TG1WMmIyeDJaWFZ0TG0xcFpIQnZhVzUwTG5odGJDNXVjeTVmY0hWaWJHbGpMbU52YlcxdmJpNWpiMjF0YjI1Zk15NVBZbXBsWTNSU1pXWmxjbVZ1WTJWVWVYQmxJaTgrQ2drOEwzTjFZa1JoZEdGelpYUStDZ2s4Y0dGeVlXMWxkR1Z5SUc1aGJXVTlJbUZqZEdsMllYUnBiMjRpSUdOc1lYTnpQU0pqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMa0ZqZEdsMllYUnBiMjVUZEdGMGRYTlVlWEJsSWk4K0NnazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOXlaMkZ1YVhwaGRHbHZiaUlnWTJ4aGMzTTlJbXBoZG1FdWJHRnVaeTVUZEhKcGJtY2lMejRLQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpY205c1pTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHh3WVhKaGJXVjBaWElnYm1GdFpUMGljbVZ6YjNWeVkyVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklqNEtDUWs4Y0hKdmNHVnlkSGtnYm1GdFpUMGlhMlY1SWlCMllXeDFaVDBpYjJsa0lpOCtDZ2tKUEhCeWIzQmxjblI1SUc1aGJXVTlJbXhoWW1Wc0lpQjJZV3gxWlQwaWJtRnRaU0l2UGdvSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKMFlYSm5aWFJVZVhCbElpQjJZV3gxWlQwaVkyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbmh0YkM1dWN5NWZjSFZpYkdsakxtTnZiVzF2Ymk1amIyMXRiMjVmTXk1U1pYTnZkWEpqWlZSNWNHVWlMejRLQ1R3dmNHRnlZVzFsZEdWeVBnb0pQSEYxWlhKNVUzUnlhVzVuSUd4aGJtZDFZV2RsUFNKdGNXd2lQZ29KQ1R3aFcwTkVRVlJCV3p4bWFXeDBaWEkrRFFvZ0lDQWdQSFI1Y0dVK0RRb2dJQ0FnSUNBZ0lEeDBlWEJsUGxWelpYSlVlWEJsUEM5MGVYQmxQZzBLSUNBZ0lDQWdJQ0E4Wm1sc2RHVnlQZzBLSUNBZ0lDQWdJQ0FnSUNBZ1BHRnVaRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4WlhGMVlXdytEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4d1lYUm9QbUZqZEdsMllYUnBiMjR2WVdSdGFXNXBjM1J5WVhScGRtVlRkR0YwZFhNOEwzQmhkR2crRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeGxlSEJ5WlhOemFXOXVQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQSEYxWlhKNVNXNTBaWEp3Y21WMFlYUnBiMjVQWms1dlZtRnNkV1UrWm1sc2RHVnlRV3hzUEM5eGRXVnllVWx1ZEdWeWNISmxkR0YwYVc5dVQyWk9iMVpoYkhWbFBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BIQmhkR2crSkdGamRHbDJZWFJwYjI0OEwzQmhkR2crRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJWeGRXRnNQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh5WldZK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh3WVhSb1BtRnpjMmxuYm0xbGJuUXZkR0Z5WjJWMFVtVm1QQzl3WVhSb1BnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4Wlhod2NtVnpjMmx2Ymo0TkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4eGRXVnllVWx1ZEdWeWNISmxkR0YwYVc5dVQyWk9iMVpoYkhWbFBtWnBiSFJsY2tGc2JEd3ZjWFZsY25sSmJuUmxjbkJ5WlhSaGRHbHZiazltVG05V1lXeDFaVDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh6WTNKcGNIUStEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEdOdlpHVStEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbHRjRzl5ZENCamIyMHVaWFp2YkhabGRXMHViV2xrY0c5cGJuUXVlRzFzTG01ekxsOXdkV0pzYVdNdVkyOXRiVzl1TG1OdmJXMXZibDh6TGs5eVoxUjVjR1U3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2x0Y0c5eWRDQmpiMjB1WlhadmJIWmxkVzB1Yldsa2NHOXBiblF1ZUcxc0xtNXpMbDl3ZFdKc2FXTXVZMjl0Ylc5dUxtTnZiVzF2Ymw4ekxrOWlhbVZqZEZKbFptVnlaVzVqWlZSNWNHVTdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCcFppQW9JVzl5WjJGdWFYcGhkR2x2YmlrZ2V3MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjbVYwZFhKdUlHNTFiR3c3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lFOWlhbVZqZEZKbFptVnlaVzVqWlZSNWNHVWdiM0owSUQwZ2JtVjNJRTlpYW1WamRGSmxabVZ5Wlc1alpWUjVjR1VvS1RzZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUEwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J2Y25RdWMyVjBUMmxrS0c5eVoyRnVhWHBoZEdsdmJpazdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHOXlkQzV6WlhSVWVYQmxLRTl5WjFSNWNHVXVRMDlOVUV4RldGOVVXVkJGS1RzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnY21WMGRYSnVJRzl5ZERzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThMMk52WkdVK0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNOamNtbHdkRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOWxlSEJ5WlhOemFXOXVQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2Y21WbVBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHlaV1krRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHdZWFJvUG1GemMybG5ibTFsYm5RdmRHRnlaMlYwVW1WbVBDOXdZWFJvUGcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh4ZFdWeWVVbHVkR1Z5Y0hKbGRHRjBhVzl1VDJaT2IxWmhiSFZsUG1acGJIUmxja0ZzYkR3dmNYVmxjbmxKYm5SbGNuQnlaWFJoZEdsdmJrOW1UbTlXWVd4MVpUNE5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQR052WkdVK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdsdGNHOXlkQ0JqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMbEp2YkdWVWVYQmxPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBiWEJ2Y25RZ1kyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbmh0YkM1dWN5NWZjSFZpYkdsakxtTnZiVzF2Ymk1amIyMXRiMjVmTXk1UFltcGxZM1JTWldabGNtVnVZMlZVZVhCbE93MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tDRnliMnhsS1NCN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnlaWFIxY200Z2JuVnNiRHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUTBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1QySnFaV04wVW1WbVpYSmxibU5sVkhsd1pTQnZjblFnUFNCdVpYY2dUMkpxWldOMFVtVm1aWEpsYm1ObFZIbHdaU2dwT3lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRzl5ZEM1elpYUlBhV1FvY205c1pTazdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHOXlkQzV6WlhSVWVYQmxLRkp2YkdWVWVYQmxMa05QVFZCTVJWaGZWRmxRUlNrN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhKbGRIVnliaUJ2Y25RN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQQzlqYjJSbFBpQWdJQ0FnSUEwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5elkzSnBjSFErRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNKbFpqNGdJQTBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh5WldZK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh3WVhSb1BtRnpjMmxuYm0xbGJuUXZZMjl1YzNSeWRXTjBhVzl1TDNKbGMyOTFjbU5sVW1WbVBDOXdZWFJvUGcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh4ZFdWeWVVbHVkR1Z5Y0hKbGRHRjBhVzl1VDJaT2IxWmhiSFZsUG1acGJIUmxja0ZzYkR3dmNYVmxjbmxKYm5SbGNuQnlaWFJoZEdsdmJrOW1UbTlXWVd4MVpUNE5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQR052WkdVK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdsdGNHOXlkQ0JqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMbEpsYzI5MWNtTmxWSGx3WlRzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYVcxd2IzSjBJR052YlM1bGRtOXNkbVYxYlM1dGFXUndiMmx1ZEM1NGJXd3Vibk11WDNCMVlteHBZeTVqYjIxdGIyNHVZMjl0Ylc5dVh6TXVUMkpxWldOMFVtVm1aWEpsYm1ObFZIbHdaVHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbG1JQ2doY21WemIzVnlZMlVwSUhzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lISmxkSFZ5YmlCdWRXeHNPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQjlEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCUFltcGxZM1JTWldabGNtVnVZMlZVZVhCbElHOXlkQ0E5SUc1bGR5QlBZbXBsWTNSU1pXWmxjbVZ1WTJWVWVYQmxLQ2s3SUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdiM0owTG5ObGRFOXBaQ2h5WlhOdmRYSmpaU2s3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRzl5ZEM1elpYUlVlWEJsS0ZKbGMyOTFjbU5sVkhsd1pTNURUMDFRVEVWWVgxUlpVRVVwT3cwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J5WlhSMWNtNGdiM0owT3cwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZZMjlrWlQ0Z0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2YzJOeWFYQjBQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBOEwyVjRjSEpsYzNOcGIyNCtEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQQzl5WldZK0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUR3dllXNWtQaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0RRb2dJQ0FnSUNBZ0lEd3ZabWxzZEdWeVBnMEtJQ0FnSUR3dmRIbHdaVDROQ2p3dlptbHNkR1Z5UGwxZFBnb0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NUeG1hV1ZzWkNCdVlXMWxQU0p2YVdRaUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVUzUnlhVzVuSWk4K0NnazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHhtYVdWc1pDQnVZVzFsUFNKc2FXNXJVbVZtSWlCamJHRnpjejBpYW1GMllTNTFkR2xzTGtGeWNtRjVUR2x6ZENJdlBnb0pQR1pwWld4a0lHNWhiV1U5SW1GemMybG5ibTFsYm5RaUlHTnNZWE56UFNKcVlYWmhMblYwYVd3dVRHbHpkQ0l2UGdvSlBHWnBaV3hrSUc1aGJXVTlJbUZqZEdsMllYUnBiMjRpSUdOc1lYTnpQU0pqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMa0ZqZEdsMllYUnBiMjVVZVhCbElpOCtDZ2s4Wm1sbGJHUWdibUZ0WlQwaVpuVnNiRTVoYldVaUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVUzUnlhVzVuSWk4K0NnazhZbUZqYTJkeWIzVnVaRDRLQ1FrOFltRnVaQ0JvWldsbmFIUTlJak13SWlCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaUx6NEtDVHd2WW1GamEyZHliM1Z1WkQ0S0NUeDBhWFJzWlQ0S0NRazhZbUZ1WkNCb1pXbG5hSFE5SWpFME5TSWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JajRLQ1FrSlBHWnlZVzFsUGdvSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2MzUjViR1U5SWxScGRHeGxJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlIZzlJakFpSUhrOUlqQWlJSGRwWkhSb1BTSXhNRGd3SWlCb1pXbG5hSFE5SWpZM0lpQmlZV05yWTI5c2IzSTlJaU15TmpjNU9UUWlJSFYxYVdROUlqUTBZbVZrWVdOakxXWmhNak10TkdabE1TMWlOekZtTFdVMVlXWmhPVFF6WmpVMU15SXZQZ29KQ1FrSlBITjBZWFJwWTFSbGVIUStDZ2tKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJbFJwZEd4bElpQjRQU0l4TUNJZ2VUMGlNVE1pSUhkcFpIUm9QU0l5TmpZaUlHaGxhV2RvZEQwaU16Z2lJSFYxYVdROUltWXlaRGs1WTJGa0xUbGtPRFF0TkdZMU1DMWlORFUxTFRRMU0yTTROMlkyTW1NMFl5SXZQZ29KQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlZYTmxjaUJTWlhCdmNuUmRYVDQ4TDNSbGVIUStDZ2tKQ1FrOEwzTjBZWFJwWTFSbGVIUStDZ2tKQ1R3dlpuSmhiV1UrQ2drSkNUeHpkR0YwYVdOVVpYaDBQZ29KQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJbEJoWjJVZ2FHVmhaR1Z5SWlCNFBTSXlJaUI1UFNJNE5TSWdkMmxrZEdnOUlqRTFNQ0lnYUdWcFoyaDBQU0l5TUNJZ2RYVnBaRDBpWWpCaU9UY3hOR1l0T1RabU5TMDBaalU0TFRneU5HSXRZemd4Wm1RMFpETXlNV1kzSWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJVbVZ3YjNKMElHZGxibVZ5WVhSbFpDQnZianBkWFQ0OEwzUmxlSFErQ2drSkNUd3ZjM1JoZEdsalZHVjRkRDRLQ1FrSlBIUmxlSFJHYVdWc1pDQndZWFIwWlhKdVBTSmtaQzVOVFUxTkxubDVlWGtzSUVoSU9tMXRPbk56SWo0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKUVlXZGxJR2hsWVdSbGNpSWdlRDBpTVRZd0lpQjVQU0k0TlNJZ2QybGtkR2c5SWpJMU1DSWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlNRGxoTjJVeU56SXRNakEwWlMwME1EYzRMVGhoTldVdFpUUTNNamMxTnpReU5HTXhJaTgrQ2drSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlVbWxuYUhRaUlIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaVBnb0pDUWtKQ1R4bWIyNTBJR2x6UW05c1pEMGlabUZzYzJVaUx6NEtDUWtKQ1R3dmRHVjRkRVZzWlcxbGJuUStDZ2tKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc3ZLaUJ3YjJsemIyNGdLaThnYW1GMllTNXNZVzVuTGxONWMzUmxiUzVuWlhSUWNtOXdaWEowYVdWektDazdJRzVsZHlCcVlYWmhMblYwYVd3dVJHRjBaU2dwWFYwK1BDOTBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQZ29KQ1FrOEwzUmxlSFJHYVdWc1pENEtDUWtKUEhOMFlYUnBZMVJsZUhRK0Nna0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQnpkSGxzWlQwaVVHRm5aU0JvWldGa1pYSWlJSGc5SWpJaUlIazlJakV4TlNJZ2QybGtkR2c5SWpFMU1DSWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlNMlptTnpobVltWXRPR1pqWlMwME1EY3lMV0kyT1RFdE4yRm1NRFEzWldFNU1tRTNJaTgrQ2drSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGdvSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlRuVnRZbVZ5SUc5bUlISmxZMjl5WkhNNlhWMCtQQzkwWlhoMFBnb0pDUWs4TDNOMFlYUnBZMVJsZUhRK0Nna0pDVHgwWlhoMFJtbGxiR1FnWlhaaGJIVmhkR2x2YmxScGJXVTlJbEpsY0c5eWRDSWdhWE5DYkdGdWExZG9aVzVPZFd4c1BTSjBjblZsSWo0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKUVlXZGxJR2hsWVdSbGNpSWdlRDBpTVRZd0lpQjVQU0l4TVRVaUlIZHBaSFJvUFNJeU5UQWlJR2hsYVdkb2REMGlNakFpSUhWMWFXUTlJamc1TWpVeE1qRXhMVE5tTkRrdE5EY3haQzFpT0Roa0xUVTFOalJqTVdKa01EUmtNU0l2UGdvSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhSbGVIUkJiR2xuYm0xbGJuUTlJbEpwWjJoMElpQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElqNEtDUWtKQ1FrOFptOXVkQ0JwYzBKdmJHUTlJbVpoYkhObElpOCtDZ2tKQ1FrOEwzUmxlSFJGYkdWdFpXNTBQZ29KQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRlo3VWtWUVQxSlVYME5QVlU1VWZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0S0NRa0pQQzkwWlhoMFJtbGxiR1ErQ2drSlBDOWlZVzVrUGdvSlBDOTBhWFJzWlQ0S0NUeHdZV2RsU0dWaFpHVnlQZ29KQ1R4aVlXNWtJSE53YkdsMFZIbHdaVDBpVTNSeVpYUmphQ0l2UGdvSlBDOXdZV2RsU0dWaFpHVnlQZ29KUEdOdmJIVnRia2hsWVdSbGNqNEtDUWs4WW1GdVpDQm9aV2xuYUhROUlqRTVJaUJ6Y0d4cGRGUjVjR1U5SWxOMGNtVjBZMmdpUGdvSkNRazhjM1JoZEdsalZHVjRkRDRLQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhOMGVXeGxQU0pEYjJ4MWJXNGdhR1ZoWkdWeUlpQjRQU0l3SWlCNVBTSXdJaUIzYVdSMGFEMGlNalF3SWlCb1pXbG5hSFE5SWpFNElpQjFkV2xrUFNJd05EazRPVEE1WWkxa00yTTFMVFJsWlRNdFlqaGpPUzFtTURCaE9EQTRaV1poTjJFaUx6NEtDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtDZ2tKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRPWVcxbFhWMCtQQzkwWlhoMFBnb0pDUWs4TDNOMFlYUnBZMVJsZUhRK0Nna0pDVHh6ZEdGMGFXTlVaWGgwUGdvSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2MzUjViR1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSGc5SWpJME1DSWdlVDBpTUNJZ2QybGtkR2c5SWpJeU1DSWdhR1ZwWjJoMFBTSXhPQ0lnZFhWcFpEMGlPRFpqTnpSaVpXSXRZbVJrWkMwME9HTmpMVGswTldFdE1UWTNZakkyTVdJeFpUQmlJaTgrQ2drSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGdvSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlJuVnNiQ0J1WVcxbFhWMCtQQzkwWlhoMFBnb0pDUWs4TDNOMFlYUnBZMVJsZUhRK0Nna0pDVHh6ZEdGMGFXTlVaWGgwUGdvSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2MzUjViR1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSGc5SWpRMk1DSWdlVDBpTUNJZ2QybGtkR2c5SWpFd01DSWdhR1ZwWjJoMFBTSXhPQ0lnZFhWcFpEMGlPRFpqTnpSaVpXSXRZbVJrWkMwME9HTmpMVGswTldFdE1UWTNZakkyTVdJeFpUQmlJaTgrQ2drSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGdvSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlFXTjBhWFpoZEdsdmJsMWRQand2ZEdWNGRENEtDUWtKUEM5emRHRjBhV05VWlhoMFBnb0pDUWs4YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKRGIyeDFiVzRnYUdWaFpHVnlJaUI0UFNJMU5qQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE5EQWlJR2hsYVdkb2REMGlNVGdpSUhWMWFXUTlJakptWm1ReU1qaGlMVGhpT0RjdE5HSmpOaTFoT1dReUxUTXhaVGhoTW1RMVpHSmlOeUl2UGdvSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0S0NRa0pDVHgwWlhoMFBqd2hXME5FUVZSQlcxSnZiR1ZkWFQ0OEwzUmxlSFErQ2drSkNUd3ZjM1JoZEdsalZHVjRkRDRLQ1FrSlBITjBZWFJwWTFSbGVIUStDZ2tKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlRMjlzZFcxdUlHaGxZV1JsY2lJZ2VEMGlOekF3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVFF3SWlCb1pXbG5hSFE5SWpFNElpQjFkV2xrUFNJeVl6Um1ZV1ZpTXkxa01UbGpMVFJqTVdVdFltWmlaaTB4WWpFd1kyVmpaVGhoWlRnaUx6NEtDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtDZ2tKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRQY21kaGJtbDZZWFJwYjI1ZFhUNDhMM1JsZUhRK0Nna0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pQSE4wWVhScFkxUmxlSFErQ2drSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpUTI5c2RXMXVJR2hsWVdSbGNpSWdlRDBpT0RRd0lpQjVQU0l3SWlCM2FXUjBhRDBpTWpRd0lpQm9aV2xuYUhROUlqRTRJaUIxZFdsa1BTSXpaVFJsTWpNeE9TMHlOVEF5TFRSaE5UTXRZVFppTkMxak56azJPRFV5TVdZMllqZ2lMejRLQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRazhkR1Y0ZEQ0OElWdERSRUZVUVZ0QlkyTnZkVzUwWFYwK1BDOTBaWGgwUGdvSkNRazhMM04wWVhScFkxUmxlSFErQ2drSlBDOWlZVzVrUGdvSlBDOWpiMngxYlc1SVpXRmtaWEkrQ2drOFpHVjBZV2xzUGdvSkNUeGlZVzVrSUdobGFXZG9kRDBpTWpVaUlITndiR2wwVkhsd1pUMGlVM1J5WlhSamFDSStDZ2tKQ1R4bWNtRnRaVDRLQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhOMGVXeGxQU0pFWlhSaGFXd2lJSE4wY21WMFkyaFVlWEJsUFNKU1pXeGhkR2wyWlZSdlZHRnNiR1Z6ZEU5aWFtVmpkQ0lnYlc5a1pUMGlUM0JoY1hWbElpQjRQU0l3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVEE0TUNJZ2FHVnBaMmgwUFNJeU5DSWdkWFZwWkQwaU9EWmtZalkxTXpjdE9ERm1NQzAwTW1JeExXSTNOR0V0WkRKaVpUY3dPVEkzTVdOa0lpOCtDZ2tKQ1FrOGRHVjRkRVpwWld4a0lHbHpVM1J5WlhSamFGZHBkR2hQZG1WeVpteHZkejBpZEhKMVpTSWdhWE5DYkdGdWExZG9aVzVPZFd4c1BTSjBjblZsSWo0S0NRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQjRQU0l3SWlCNVBTSXdJaUIzYVdSMGFEMGlNamd3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNJell6WTJPR1ZsWlMxalpETmxMVFEyT1RjdFlXWmxNeTFsWkdJM09EazBOVEkxWTJNaUx6NEtDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnR1WVcxbGZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0S0NRa0pDVHd2ZEdWNGRFWnBaV3hrUGdvSkNRa0pQSFJsZUhSR2FXVnNaQ0JwYzFOMGNtVjBZMmhYYVhSb1QzWmxjbVpzYjNjOUluUnlkV1VpSUdselFteGhibXRYYUdWdVRuVnNiRDBpZEhKMVpTSStDZ2tKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZUQwaU1qZ3dJaUI1UFNJd0lpQjNhV1IwYUQwaU1UZ3dJaUJvWldsbmFIUTlJakl3SWlCMWRXbGtQU0pqT0RrME9HTTROUzFsWXpNeExUUmlNemt0T0RnNVlTMDBNMk5pWTJVM01HWTNaamdpTHo0S0NRa0pDUWs4ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZza1JudG1kV3hzVG1GdFpYMWRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0Nna0pDUWs4TDNSbGVIUkdhV1ZzWkQ0S0NRa0pDVHgwWlhoMFJtbGxiR1FnYVhOVGRISmxkR05vVjJsMGFFOTJaWEptYkc5M1BTSjBjblZsSWlCcGMwSnNZVzVyVjJobGJrNTFiR3c5SW5SeWRXVWlQZ29KQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhnOUlqUTJNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqRXdNQ0lnYUdWcFoyaDBQU0l5TUNJZ2RYVnBaRDBpT0RrNVlqQTJObVF0WkRoalppMDBOVGswTFRnellqUXRNV0V6TldFNU5UUXhOalE0SWk4K0Nna0pDUWtKUEhSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpFWjdZV04wYVhaaGRHbHZibjB1WjJWMFFXUnRhVzVwYzNSeVlYUnBkbVZUZEdGMGRYTW9LVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNEtDUWtKQ1R3dmRHVjRkRVpwWld4a1Bnb0pDUWtKUEdOdmJYQnZibVZ1ZEVWc1pXMWxiblErQ2drSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2VEMGlOVFl3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVFF3SWlCb1pXbG5hSFE5SWpFNUlpQjFkV2xrUFNJME1tRTNaakF4Wmkwek5UaGhMVFJoTUdRdFlUWmhZUzAwWXpsak1Ea3pZbVV6WXpZaUx6NEtDUWtKQ1FrOGFuSTZiR2x6ZENCNGJXeHVjenBxY2owaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE12WTI5dGNHOXVaVzUwY3lJZ2VITnBPbk5qYUdWdFlVeHZZMkYwYVc5dVBTSm9kSFJ3T2k4dmFtRnpjR1Z5Y21Wd2IzSjBjeTV6YjNWeVkyVm1iM0puWlM1dVpYUXZhbUZ6Y0dWeWNtVndiM0owY3k5amIyMXdiMjVsYm5SeklHaDBkSEE2THk5cVlYTndaWEp5WlhCdmNuUnpMbk52ZFhKalpXWnZjbWRsTG01bGRDOTRjMlF2WTI5dGNHOXVaVzUwY3k1NGMyUWlJSEJ5YVc1MFQzSmtaWEk5SWtodmNtbDZiMjUwWVd3aVBnb0pDUWtKQ1FrOFpHRjBZWE5sZEZKMWJpQnpkV0pFWVhSaGMyVjBQU0p5YjJ4bGMwUmhkR0Z6WlhRaUlIVjFhV1E5SWpNd01EVTRObVEyTFRCbU16SXROR0ZtT1MxaU1qZG1MV0ZpT1RreE5qYzFNREZrTlNJK0Nna0pDUWtKQ1FrOGNHRnlZVzFsZEdWeWMwMWhjRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiYm1WM0lFaGhjMmhOWVhBb0pGQjdVa1ZRVDFKVVgxQkJVa0ZOUlZSRlVsTmZUVUZRZlNsZFhUNDhMM0JoY21GdFpYUmxjbk5OWVhCRmVIQnlaWE56YVc5dVBnb0pDUWtKQ1FrSlBHUmhkR0Z6WlhSUVlYSmhiV1YwWlhJZ2JtRnRaVDBpWVhOemFXZHViV1Z1ZENJK0Nna0pDUWtKQ1FrSlBHUmhkR0Z6WlhSUVlYSmhiV1YwWlhKRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UkdlMkZ6YzJsbmJtMWxiblI5WFYwK1BDOWtZWFJoYzJWMFVHRnlZVzFsZEdWeVJYaHdjbVZ6YzJsdmJqNEtDUWtKQ1FrSkNUd3ZaR0YwWVhObGRGQmhjbUZ0WlhSbGNqNEtDUWtKQ1FrSkNUeGpiMjV1WldOMGFXOXVSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrVUh0U1JWQlBVbFJmUTA5T1RrVkRWRWxQVG4xZFhUNDhMMk52Ym01bFkzUnBiMjVGZUhCeVpYTnphVzl1UGdvSkNRa0pDUWs4TDJSaGRHRnpaWFJTZFc0K0Nna0pDUWtKQ1R4cWNqcHNhWE4wUTI5dWRHVnVkSE1nYUdWcFoyaDBQU0l4T0NJZ2QybGtkR2c5SWpFME1DSStDZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtJR2x6VTNSeVpYUmphRmRwZEdoUGRtVnlabXh2ZHowaWRISjFaU0lnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNEtDUWtKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCNFBTSXdJaUI1UFNJd0lpQjNhV1IwYUQwaU1UUXdJaUJvWldsbmFIUTlJakU0SWlCMWRXbGtQU0kyTVdSak9UUXdaUzB4WkdZMExUUTNNMlF0WVRGbU5TMWpNakZrWmpZMk5tVTRZVEVpTHo0S0NRa0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnR1WVcxbGZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0S0NRa0pDUWtKQ1R3dmRHVjRkRVpwWld4a1Bnb0pDUWtKQ1FrOEwycHlPbXhwYzNSRGIyNTBaVzUwY3o0S0NRa0pDUWs4TDJweU9teHBjM1ErQ2drSkNRazhMMk52YlhCdmJtVnVkRVZzWlcxbGJuUStDZ2tKQ1FrOFkyOXRjRzl1Wlc1MFJXeGxiV1Z1ZEQ0S0NRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQjRQU0kzTURBaUlIazlJakFpSUhkcFpIUm9QU0l4TkRBaUlHaGxhV2RvZEQwaU1Ua2lJSFYxYVdROUltVTNaalkyT0dZekxUazJOalF0TkRZMk1DMDRZakUyTFRCa01qVmtaamRrTTJVeVpDSXZQZ29KQ1FrSkNUeHFjanBzYVhOMElIaHRiRzV6T21weVBTSm9kSFJ3T2k4dmFtRnpjR1Z5Y21Wd2IzSjBjeTV6YjNWeVkyVm1iM0puWlM1dVpYUXZhbUZ6Y0dWeWNtVndiM0owY3k5amIyMXdiMjVsYm5SeklpQjRjMms2YzJOb1pXMWhURzlqWVhScGIyNDlJbWgwZEhBNkx5OXFZWE53WlhKeVpYQnZjblJ6TG5OdmRYSmpaV1p2Y21kbExtNWxkQzlxWVhOd1pYSnlaWEJ2Y25SekwyTnZiWEJ2Ym1WdWRITWdhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMM2h6WkM5amIyMXdiMjVsYm5SekxuaHpaQ0lnY0hKcGJuUlBjbVJsY2owaVNHOXlhWHB2Ym5SaGJDSStDZ2tKQ1FrSkNUeGtZWFJoYzJWMFVuVnVJSE4xWWtSaGRHRnpaWFE5SW05eVozTkVZWFJoYzJWMElpQjFkV2xrUFNKaFpqWTBZekUzWXkwd01tVmxMVFF3TkRRdFlUbGpaUzA1TVdFNU1HRTNZVFJsTURnaVBnb0pDUWtKQ1FrSlBIQmhjbUZ0WlhSbGNuTk5ZWEJGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCVzI1bGR5QklZWE5vVFdGd0tDUlFlMUpGVUU5U1ZGOVFRVkpCVFVWVVJWSlRYMDFCVUgwcFhWMCtQQzl3WVhKaGJXVjBaWEp6VFdGd1JYaHdjbVZ6YzJsdmJqNEtDUWtKQ1FrSkNUeGtZWFJoYzJWMFVHRnlZVzFsZEdWeUlHNWhiV1U5SW1GemMybG5ibTFsYm5RaVBnb0pDUWtKQ1FrSkNUeGtZWFJoYzJWMFVHRnlZVzFsZEdWeVJYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnRoYzNOcFoyNXRaVzUwZlYxZFBqd3ZaR0YwWVhObGRGQmhjbUZ0WlhSbGNrVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrSkNRazhMMlJoZEdGelpYUlFZWEpoYldWMFpYSStDZ2tKQ1FrSkNRazhZMjl1Ym1WamRHbHZia1Y0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSkZCN1VrVlFUMUpVWDBOUFRrNUZRMVJKVDA1OVhWMCtQQzlqYjI1dVpXTjBhVzl1Ulhod2NtVnpjMmx2Ymo0S0NRa0pDUWtKUEM5a1lYUmhjMlYwVW5WdVBnb0pDUWtKQ1FrOGFuSTZiR2x6ZEVOdmJuUmxiblJ6SUdobGFXZG9kRDBpTVRraUlIZHBaSFJvUFNJeE5EQWlQZ29KQ1FrSkNRa0pQSFJsZUhSR2FXVnNaQ0JwYzFOMGNtVjBZMmhYYVhSb1QzWmxjbVpzYjNjOUluUnlkV1VpSUdselFteGhibXRYYUdWdVRuVnNiRDBpZEhKMVpTSStDZ2tKQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2VEMGlNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqRTBNQ0lnYUdWcFoyaDBQU0l4T1NJZ2RYVnBaRDBpT1dZME9EazBaak10TkdSaFl5MDBPREV6TFRnd1kyWXRZV1E1TnpBNE16WmpNR1ZoSWk4K0Nna0pDUWtKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRVo3Ym1GdFpYMWRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0Nna0pDUWtKQ1FrOEwzUmxlSFJHYVdWc1pENEtDUWtKQ1FrSlBDOXFjanBzYVhOMFEyOXVkR1Z1ZEhNK0Nna0pDUWtKUEM5cWNqcHNhWE4wUGdvSkNRa0pQQzlqYjIxd2IyNWxiblJGYkdWdFpXNTBQZ29KQ1FrSlBHTnZiWEJ2Ym1WdWRFVnNaVzFsYm5RK0Nna0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdlRDBpT0RRd0lpQjVQU0l3SWlCM2FXUjBhRDBpTWpRd0lpQm9aV2xuYUhROUlqRTVJaUIxZFdsa1BTSmhPR05sTWpVd01DMWtOems1TFRRNFkyTXRZVE16TVMwMFl6RXpZVEpoWmpZM05EUWlMejRLQ1FrSkNRazhhbkk2YkdsemRDQjRiV3h1Y3pwcWNqMGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNdlkyOXRjRzl1Wlc1MGN5SWdlSE5wT25OamFHVnRZVXh2WTJGMGFXOXVQU0pvZEhSd09pOHZhbUZ6Y0dWeWNtVndiM0owY3k1emIzVnlZMlZtYjNKblpTNXVaWFF2YW1GemNHVnljbVZ3YjNKMGN5OWpiMjF3YjI1bGJuUnpJR2gwZEhBNkx5OXFZWE53WlhKeVpYQnZjblJ6TG5OdmRYSmpaV1p2Y21kbExtNWxkQzk0YzJRdlkyOXRjRzl1Wlc1MGN5NTRjMlFpSUhCeWFXNTBUM0prWlhJOUlraHZjbWw2YjI1MFlXd2lQZ29KQ1FrSkNRazhaR0YwWVhObGRGSjFiaUJ6ZFdKRVlYUmhjMlYwUFNKaFkyTnZkVzUwYzBSaGRHRnpaWFFpSUhWMWFXUTlJalptTVRnMVpqUTRMV1JpWXpBdE5EY3dNeTA0WTJZeUxUVm1PV015WXpjME1HUTVOeUkrQ2drSkNRa0pDUWs4Y0dGeVlXMWxkR1Z5YzAxaGNFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJibVYzSUVoaGMyaE5ZWEFvSkZCN1VrVlFUMUpVWDFCQlVrRk5SVlJGVWxOZlRVRlFmU2xkWFQ0OEwzQmhjbUZ0WlhSbGNuTk5ZWEJGZUhCeVpYTnphVzl1UGdvSkNRa0pDUWtKUEdSaGRHRnpaWFJRWVhKaGJXVjBaWElnYm1GdFpUMGliMkpxWldOMFVtVm1JajRLQ1FrSkNRa0pDUWs4WkdGMFlYTmxkRkJoY21GdFpYUmxja1Y0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSkVaN2JHbHVhMUpsWm4xZFhUNDhMMlJoZEdGelpYUlFZWEpoYldWMFpYSkZlSEJ5WlhOemFXOXVQZ29KQ1FrSkNRa0pQQzlrWVhSaGMyVjBVR0Z5WVcxbGRHVnlQZ29KQ1FrSkNRa0pQR052Ym01bFkzUnBiMjVGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCV3lSUWUxSkZVRTlTVkY5RFQwNU9SVU5VU1U5T2ZWMWRQand2WTI5dWJtVmpkR2x2YmtWNGNISmxjM05wYjI0K0Nna0pDUWtKQ1R3dlpHRjBZWE5sZEZKMWJqNEtDUWtKQ1FrSlBHcHlPbXhwYzNSRGIyNTBaVzUwY3lCb1pXbG5hSFE5SWpFNUlpQjNhV1IwYUQwaU1qUXdJajRLQ1FrSkNRa0pDVHgwWlhoMFJtbGxiR1FnYVhOVGRISmxkR05vVjJsMGFFOTJaWEptYkc5M1BTSjBjblZsSWlCcGMwSnNZVzVyVjJobGJrNTFiR3c5SW5SeWRXVWlQZ29KQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIZzlJakFpSUhrOUlqQWlJSGRwWkhSb1BTSXlOREFpSUdobGFXZG9kRDBpTVRraUlIVjFhV1E5SWpSbE5UazRPV1JtTFRjek5HTXROREZoWkMwNE5EY3lMV0kyWVRabU9Ea3pPV0l5T0NJdlBnb0pDUWtKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJHZTI1aGJXVjlLeUlnS0ZKbGMyOTFjbU5sT2lBaUt5UkdlM0psYzI5MWNtTmxVbVZtZlM1blpYUlVZWEpuWlhST1lXMWxLQ2tySWlraVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGdvSkNRa0pDUWtKUEM5MFpYaDBSbWxsYkdRK0Nna0pDUWtKQ1R3dmFuSTZiR2x6ZEVOdmJuUmxiblJ6UGdvSkNRa0pDVHd2YW5JNmJHbHpkRDRLQ1FrSkNUd3ZZMjl0Y0c5dVpXNTBSV3hsYldWdWRENEtDUWtKQ1R4c2FXNWxQZ29KQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhCdmMybDBhVzl1Vkhsd1pUMGlSbWw0VW1Wc1lYUnBkbVZVYjBKdmRIUnZiU0lnYlc5a1pUMGlUM0JoY1hWbElpQjRQU0l3SWlCNVBTSXhPU0lnZDJsa2RHZzlJakV3T0RBaUlHaGxhV2RvZEQwaU1TSWdabTl5WldOdmJHOXlQU0lqTXpNek16TXpJaUIxZFdsa1BTSTBOMlk1TVRnd01TMWpaalZtTFRSaVpXUXRZakU1WXkxallUTTVNekZqWW1ZNU9HUWlMejRLQ1FrSkNUd3ZiR2x1WlQ0S0NRa0pQQzltY21GdFpUNEtDUWs4TDJKaGJtUStDZ2s4TDJSbGRHRnBiRDRLQ1R4amIyeDFiVzVHYjI5MFpYSStDZ2tKUEdKaGJtUWdhR1ZwWjJoMFBTSTNJaUJ6Y0d4cGRGUjVjR1U5SWxOMGNtVjBZMmdpUGdvSkNRazhiR2x1WlQ0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIQnZjMmwwYVc5dVZIbHdaVDBpUm1sNFVtVnNZWFJwZG1WVWIwSnZkSFJ2YlNJZ2VEMGlNQ0lnZVQwaU15SWdkMmxrZEdnOUlqRXdPREFpSUdobGFXZG9kRDBpTVNJZ2RYVnBaRDBpWVRVNU1XUTBZekV0TVdOaFpDMDBaR0V5TFRsbU9XUXRNRGd4WmpVek9XVTVNRFF6SWk4K0Nna0pDUWs4WjNKaGNHaHBZMFZzWlcxbGJuUStDZ2tKQ1FrSlBIQmxiaUJzYVc1bFYybGtkR2c5SWpBdU5TSWdiR2x1WlVOdmJHOXlQU0lqT1RrNU9UazVJaTgrQ2drSkNRazhMMmR5WVhCb2FXTkZiR1Z0Wlc1MFBnb0pDUWs4TDJ4cGJtVStDZ2tKUEM5aVlXNWtQZ29KUEM5amIyeDFiVzVHYjI5MFpYSStDZ2s4Y0dGblpVWnZiM1JsY2o0S0NRazhZbUZ1WkNCb1pXbG5hSFE5SWpNeUlpQnpjR3hwZEZSNWNHVTlJbE4wY21WMFkyZ2lQZ29KQ1FrOFpuSmhiV1UrQ2drSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpVUdGblpTQm1iMjkwWlhJaUlHMXZaR1U5SWxSeVlXNXpjR0Z5Wlc1MElpQjRQU0l3SWlCNVBTSXhJaUIzYVdSMGFEMGlNVEE0TUNJZ2FHVnBaMmgwUFNJeU5DSWdkWFZwWkQwaVptSmxPR0ZoWlRRdE5qVXdNQzAwTmpoaExXSXhaVGd0TnpBd1lqVTJPVEV6T1dFeElpOCtDZ2tKQ1FrOGRHVjRkRVpwWld4a0lIQmhkSFJsY200OUltUmtMazFOVFUxTkxubDVlWGtpUGdvSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKUVlXZGxJR1p2YjNSbGNpSWdlRDBpTWlJZ2VUMGlNU0lnZDJsa2RHZzlJakU1TnlJZ2FHVnBaMmgwUFNJeU1DSWdkWFZwWkQwaU1qaGlZamxpTkRjdFlUWTVZeTAwT0dVeExUa3dOek10WkRVMFpEa3lOakkwTW1VNElpOCtDZ2tKQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejRLQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnR1WlhjZ2FtRjJZUzUxZEdsc0xrUmhkR1VvS1YxZFBqd3ZkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajRLQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZ29KQ1FrSlBIUmxlSFJHYVdWc1pENEtDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlVR0ZuWlNCbWIyOTBaWElpSUhnOUlqazJNQ0lnZVQwaU1TSWdkMmxrZEdnOUlqZ3dJaUJvWldsbmFIUTlJakl3SWlCMWRXbGtQU0kxWXpBMk1tTTJOaTFpWVRRMUxUUXlPRGd0T1dSalpDMHlORFpsTWpoak5XRm1OelVpTHo0S0NRa0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RHVjRkRUZzYVdkdWJXVnVkRDBpVW1sbmFIUWlJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejRLQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNpVUdGblpTQWlLeVJXZTFCQlIwVmZUbFZOUWtWU2ZTc2lJRzltSWwxZFBqd3ZkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajRLQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZ29KQ1FrSlBIUmxlSFJHYVdWc1pDQmxkbUZzZFdGMGFXOXVWR2x0WlQwaVVtVndiM0owSWo0S0NRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQnpkSGxzWlQwaVVHRm5aU0JtYjI5MFpYSWlJSGc5SWpFd05EQWlJSGs5SWpFaUlIZHBaSFJvUFNJME1DSWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlPVE0wWWpFMlpUZ3RZek5sWWkwME1ERTNMVGcyTm1FdE1HSTNOek0xWW1ZeU9URTNJaTgrQ2drSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0S0NRa0pDUWs4ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZzaUlDSWdLeUFrVm50UVFVZEZYMDVWVFVKRlVuMWRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0Nna0pDUWs4TDNSbGVIUkdhV1ZzWkQ0S0NRa0pQQzltY21GdFpUNEtDUWs4TDJKaGJtUStDZ2s4TDNCaFoyVkdiMjkwWlhJK0Nqd3ZhbUZ6Y0dWeVVtVndiM0owUGdvPQ==</template>
+   <templateStyle>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWo4K0RRbzhJVVJQUTFSWlVFVWdhbUZ6Y0dWeVZHVnRjR3hoZEdVTkNpQWdVRlZDVEVsRElDSXRMeTlLWVhOd1pYSlNaWEJ2Y25Sekx5OUVWRVFnVkdWdGNHeGhkR1V2TDBWT0lnMEtJQ0FpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJSMFpITXZhbUZ6Y0dWeWRHVnRjR3hoZEdVdVpIUmtJajROQ2p4cVlYTndaWEpVWlcxd2JHRjBaVDROQ2lBZ0lDQWdJQ0FnQ1R4emRIbHNaU0JtYjI1MFRtRnRaVDBpUkdWcVlWWjFJRk5oYm5NaUlHWnZiblJUYVhwbFBTSXhNQ0lnYUVGc2FXZHVQU0pNWldaMElpQnBjMFJsWm1GMWJIUTlJblJ5ZFdVaUlHbHpVR1JtUlcxaVpXUmtaV1E5SW5SeWRXVWlJQTBLQ1FrSkNTQWdJRzVoYldVOUlrSmhjMlVpSUhCa1prVnVZMjlrYVc1blBTSkpaR1Z1ZEdsMGVTMUlJaUJ3WkdaR2IyNTBUbUZ0WlQwaVJHVnFZVloxVTJGdWN5NTBkR1lpSUhaQmJHbG5iajBpVFdsa1pHeGxJajROQ2drSkNUd3ZjM1I1YkdVK0RRb0pDUWs4YzNSNWJHVWdZbUZqYTJOdmJHOXlQU0lqTWpZM09UazBJaUJtYjI1MFUybDZaVDBpTWpZaUlHWnZjbVZqYjJ4dmNqMGlJMFpHUmtaR1JpSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J0YjJSbFBTSlBjR0Z4ZFdVaUlHNWhiV1U5SWxScGRHeGxJaUJ6ZEhsc1pUMGlRbUZ6WlNJdlBpQU5DZ2tKQ1R4emRIbHNaU0JtYjI1MFUybDZaVDBpTVRJaUlHWnZjbVZqYjJ4dmNqMGlJekF3TURBd01DSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSWdibUZ0WlQwaVVHRm5aU0JvWldGa1pYSWlEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYzNSNWJHVTlJa0poYzJVaUx6NE5DZ2tKQ1R4emRIbHNaU0JpWVdOclkyOXNiM0k5SWlNek16TXpNek1pSUdadmJuUlRhWHBsUFNJeE1pSWdabTl5WldOdmJHOXlQU0lqUmtaR1JrWkdJaUJvUVd4cFoyNDlJa05sYm5SbGNpSU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwYzBSbFptRjFiSFE5SW1aaGJITmxJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlHNWhiV1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSE4wZVd4bFBTSkNZWE5sSWk4K0RRb0pDUWs4YzNSNWJHVWdhWE5DYjJ4a1BTSm1ZV3h6WlNJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJZ2JtRnRaVDBpUkdWMFlXbHNJaUJ6ZEhsc1pUMGlRbUZ6WlNJdlBnMEtJQ0FnSUNBZ0lDQWdJQ0FnUEhOMGVXeGxJR2x6UW05c1pEMGlabUZzYzJVaUlHbHpSR1ZtWVhWc2REMGlabUZzYzJVaUlHNWhiV1U5SWtOdlpHVWlJSE4wZVd4bFBTSkNZWE5sSWlCbWIyNTBVMmw2WlQwaU9TSXZQZzBLQ1FrSlBITjBlV3hsSUdadmJuUlRhWHBsUFNJNUlpQm1iM0psWTI5c2IzSTlJaU13TURBd01EQWlJR2x6UkdWbVlYVnNkRDBpWm1Gc2MyVWlJRzVoYldVOUlsQmhaMlVnWm05dmRHVnlJZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhOMGVXeGxQU0pDWVhObElpOCtEUW9KQ1R3dmFtRnpjR1Z5VkdWdGNHeGhkR1Ur</templateStyle>
+   <export>csv</export>
+   <virtualizer>JRSwapFileVirtualizer</virtualizer>
+   <virtualizerKickOn>300</virtualizerKickOn>
+   <maxPages>10000</maxPages>
+   <timeout>300000</timeout>
+</report>
diff --git a/model/report-impl/src/test/resources/reports/report-user-list-expressions-poisonous-query-csv.xml b/model/report-impl/src/test/resources/reports/report-user-list-expressions-poisonous-query-csv.xml
new file mode 100644
index 00000000000..65e174146b5
--- /dev/null
+++ b/model/report-impl/src/test/resources/reports/report-user-list-expressions-poisonous-query-csv.xml
@@ -0,0 +1,35 @@
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<report oid="5c5af02a-4fe9-11e9-bb07-7b4e52fe05cd" 
+		xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+   <name>Users in MidPoint - report with poisonous query expressions</name>
+   <description>Users listed in MidPoint.</description>
+   
+   <!-- No archetype here. Default expression profile. -->
+   
+   <parent>true</parent>
+   <!-- Expression query is trying to access java.lang.System.getProperties() -->
+   <template>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWlCbGJtTnZaR2x1WnowaVZWUkdMVGdpUHo0S1BHcGhjM0JsY2xKbGNHOXlkQ0I0Yld4dWN6MGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNaUlIaHRiRzV6T25oemFUMGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TVM5WVRVeFRZMmhsYldFdGFXNXpkR0Z1WTJVaUlIaHphVHB6WTJobGJXRk1iMk5oZEdsdmJqMGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNZ2FIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwzaHpaQzlxWVhOd1pYSnlaWEJ2Y25RdWVITmtJaUJ1WVcxbFBTSnlaWEJ2Y25SVmMyVnlUR2x6ZENJZ2NHRm5aVmRwWkhSb1BTSXhNVEl3SWlCd1lXZGxTR1ZwWjJoMFBTSTFPVFVpSUc5eWFXVnVkR0YwYVc5dVBTSk1ZVzVrYzJOaGNHVWlJSGRvWlc1T2IwUmhkR0ZVZVhCbFBTSkJiR3hUWldOMGFXOXVjMDV2UkdWMFlXbHNJaUJqYjJ4MWJXNVhhV1IwYUQwaU1UQTRNQ0lnYkdWbWRFMWhjbWRwYmowaU1qQWlJSEpwWjJoMFRXRnlaMmx1UFNJeU1DSWdkRzl3VFdGeVoybHVQU0l6TUNJZ1ltOTBkRzl0VFdGeVoybHVQU0l6TUNJZ2RYVnBaRDBpTmpkbE5EWTFZelV0TkRabFlTMDBNR1F5TFdKbFlUQXRORFk1WXpaalpqTTRPVE0zSWo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NXdjbWx1ZEM1clpXVndMbVoxYkd3dWRHVjRkQ0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnVaWFF1YzJZdWFtRnpjR1Z5Y21Wd2IzSjBjeTVsZUhCdmNuUXVlR3h6TG5KbGJXOTJaUzVsYlhCMGVTNXpjR0ZqWlM1aVpYUjNaV1Z1TG1OdmJIVnRibk1pSUhaaGJIVmxQU0owY25WbElpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlhod2IzSjBMbmhzY3k1eVpXMXZkbVV1Wlcxd2RIa3VjM0JoWTJVdVltVjBkMlZsYmk1eWIzZHpJaUIyWVd4MVpUMGlkSEoxWlNJdlBnb0pQSEJ5YjNCbGNuUjVJRzVoYldVOUltNWxkQzV6Wmk1cVlYTndaWEp5WlhCdmNuUnpMbVY0Y0c5eWRDNXdaR1l1Wm05eVkyVXViR2x1WldKeVpXRnJMbkJ2YkdsamVTSWdkbUZzZFdVOUluUnlkV1VpTHo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdVkzTjJMbVY0WTJ4MVpHVXViM0pwWjJsdUxtSmhibVF1TVNJZ2RtRnNkV1U5SW5ScGRHeGxJaTgrQ2drOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG1OemRpNWxlR05zZFdSbExtOXlhV2RwYmk1aVlXNWtMaklpSUhaaGJIVmxQU0p3WVdkbFJtOXZkR1Z5SWk4K0NnazhjSEp2Y0dWeWRIa2dibUZ0WlQwaWJtVjBMbk5tTG1waGMzQmxjbkpsY0c5eWRITXVaWGh3YjNKMExuaHNjeTVsZUdOc2RXUmxMbTl5YVdkcGJpNWlZVzVrTGpFaUlIWmhiSFZsUFNKd1lXZGxTR1ZoWkdWeUlpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlhod2IzSjBMbmhzY3k1bGVHTnNkV1JsTG05eWFXZHBiaTVpWVc1a0xqSWlJSFpoYkhWbFBTSndZV2RsUm05dmRHVnlJaTgrQ2drOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG5oc2N5NWxlR05zZFdSbExtOXlhV2RwYmk1clpXVndMbVpwY25OMExtSmhibVF1TWlJZ2RtRnNkV1U5SW1OdmJIVnRia2hsWVdSbGNpSXZQZ29KUEhCeWIzQmxjblI1SUc1aGJXVTlJbTVsZEM1elppNXFZWE53WlhKeVpYQnZjblJ6TG1WNGNHOXlkQzU0YkhNdVpHVjBaV04wTG1ObGJHd3VkSGx3WlNJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1ZUd4ekxuZHlZWEF1ZEdWNGRDSWdkbUZzZFdVOUluUnlkV1VpTHo0S0NUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdWVHeHpMbUYxZEc4dVptbDBMbkp2ZHlJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1ZUd4ekxtRjFkRzh1Wm1sMExtTnZiSFZ0YmlJZ2RtRnNkV1U5SW5SeWRXVWlMejRLQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1aGQzUXVhV2R1YjNKbExtMXBjM05wYm1jdVptOXVkQ0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnBjbVZ3YjNKMExucHZiMjBpSUhaaGJIVmxQU0l4TGpBaUx6NEtDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnBjbVZ3YjNKMExuZ2lJSFpoYkhWbFBTSXhOaUl2UGdvSlBIQnliM0JsY25SNUlHNWhiV1U5SW1seVpYQnZjblF1ZVNJZ2RtRnNkV1U5SWpFMElpOCtDZ2s4Y0hKdmNHVnlkSGtnYm1GdFpUMGlZMjl0TG1waGMzQmxjbk52Wm5RdWMzUjFaR2x2TG1SaGRHRXVaR1ZtWVhWc2RHUmhkR0ZoWkdGd2RHVnlJaUIyWVd4MVpUMGliWEZzSWk4K0NnazhhVzF3YjNKMElIWmhiSFZsUFNKamIyMHVaWFp2YkhabGRXMHViV2xrY0c5cGJuUXVjbVZ3YjNKMExtbHRjR3d1VW1Wd2IzSjBWWFJwYkhNaUx6NEtDVHh6ZFdKRVlYUmhjMlYwSUc1aGJXVTlJbkp2YkdWelJHRjBZWE5sZENJZ2RYVnBaRDBpTmpVNVpETm1ZbUV0WkRBelpDMDBNMkpqTFRoa1kyUXROVEF5WkRBek5EUXpaV0psSWo0S0NRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltRnpjMmxuYm0xbGJuUWlJR05zWVhOelBTSnFZWFpoTG5WMGFXd3VUR2x6ZENJdlBnb0pDVHh4ZFdWeWVWTjBjbWx1WnlCc1lXNW5kV0ZuWlQwaWJYRnNJajRLQ1FrSlBDRmJRMFJCVkVGYlBHTnZaR1UrYVdZZ0tHRnpjMmxuYm0xbGJuUWdJVDBnYm5Wc2JDbDdjbVZ3YjNKMExuSmxjMjlzZG1WU2IyeGxjeWhoYzNOcFoyNXRaVzUwS1gwOEwyTnZaR1UrWFYwK0Nna0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NRazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHd2YzNWaVJHRjBZWE5sZEQ0S0NUeHpkV0pFWVhSaGMyVjBJRzVoYldVOUltOXlaM05FWVhSaGMyVjBJaUIxZFdsa1BTSTJOR0UxWXprMFlTMWpZbU0yTFRReU5qZ3RZbU5pTXkwd1kyVm1Nek5oWVRWbE1ESWlQZ29KQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpWVhOemFXZHViV1Z1ZENJZ1kyeGhjM005SW1waGRtRXVkWFJwYkM1TWFYTjBJaTgrQ2drSlBIRjFaWEo1VTNSeWFXNW5JR3hoYm1kMVlXZGxQU0p0Y1d3aVBnb0pDUWs4SVZ0RFJFRlVRVnM4WTI5a1pUNEtDUWtKQ1FscFppQW9ZWE56YVdkdWJXVnVkQ0FoUFNCdWRXeHNLWHNLQ1FrSkNRbHlaWEJ2Y25RdWNtVnpiMngyWlU5eVozTW9ZWE56YVdkdWJXVnVkQ2tLQ1FrSkNRbDlDZ2tKQ1FrOEwyTnZaR1UrWFYwK0Nna0pQQzl4ZFdWeWVWTjBjbWx1Wno0S0NRazhabWxsYkdRZ2JtRnRaVDBpYm1GdFpTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHd2YzNWaVJHRjBZWE5sZEQ0S0NUeHpkV0pFWVhSaGMyVjBJRzVoYldVOUltRmpZMjkxYm5SelJHRjBZWE5sZENJZ2RYVnBaRDBpWXpSa09EUTBaVGN0TVRSak5DMDBPV0k0TFdKbU1URXRZemt5TVdRMU9HRXhaRFF3SWo0S0NRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOWlhbVZqZEZKbFppSWdZMnhoYzNNOUltcGhkbUV1ZFhScGJDNUJjbkpoZVV4cGMzUWlMejRLQ1FrOGNYVmxjbmxUZEhKcGJtY2diR0Z1WjNWaFoyVTlJbTF4YkNJK0Nna0pDVHdoVzBORVFWUkJXenhtYVd4MFpYSStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThkSGx3WlQ0S0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThkSGx3WlQ1VGFHRmtiM2RVZVhCbFBDOTBlWEJsUGdvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeG1hV3gwWlhJK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4cGJrOXBaRDRLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4bGVIQnlaWE56YVc5dVBpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHpZM0pwY0hRK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeHlaWFIxY201VWVYQmxQbXhwYzNROEwzSmxkSFZ5YmxSNWNHVStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHhqYjJSbFBnb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWW1GemFXTXVaMlYwVDJsa2N5aHZZbXBsWTNSU1pXWXBPd29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJOdlpHVStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOXpZM0pwY0hRK0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThMMlY0Y0hKbGMzTnBiMjQrQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2YVc1UGFXUStDaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5bWFXeDBaWEkrQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDNSNWNHVStDaUFnSUNBZ0lDQWdJQ0FnSUR3dlptbHNkR1Z5UGwxZFBnb0pDVHd2Y1hWbGNubFRkSEpwYm1jK0Nna0pQR1pwWld4a0lHNWhiV1U5SW01aGJXVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklpOCtDZ2tKUEdacFpXeGtJRzVoYldVOUluSmxjMjkxY21ObFVtVm1JaUJqYkdGemN6MGlZMjl0TG1WMmIyeDJaWFZ0TG0xcFpIQnZhVzUwTG5odGJDNXVjeTVmY0hWaWJHbGpMbU52YlcxdmJpNWpiMjF0YjI1Zk15NVBZbXBsWTNSU1pXWmxjbVZ1WTJWVWVYQmxJaTgrQ2drOEwzTjFZa1JoZEdGelpYUStDZ2s4Y0dGeVlXMWxkR1Z5SUc1aGJXVTlJbUZqZEdsMllYUnBiMjRpSUdOc1lYTnpQU0pqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMa0ZqZEdsMllYUnBiMjVUZEdGMGRYTlVlWEJsSWk4K0NnazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOXlaMkZ1YVhwaGRHbHZiaUlnWTJ4aGMzTTlJbXBoZG1FdWJHRnVaeTVUZEhKcGJtY2lMejRLQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpY205c1pTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NEtDVHh3WVhKaGJXVjBaWElnYm1GdFpUMGljbVZ6YjNWeVkyVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklqNEtDUWs4Y0hKdmNHVnlkSGtnYm1GdFpUMGlhMlY1SWlCMllXeDFaVDBpYjJsa0lpOCtDZ2tKUEhCeWIzQmxjblI1SUc1aGJXVTlJbXhoWW1Wc0lpQjJZV3gxWlQwaWJtRnRaU0l2UGdvSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKMFlYSm5aWFJVZVhCbElpQjJZV3gxWlQwaVkyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbmh0YkM1dWN5NWZjSFZpYkdsakxtTnZiVzF2Ymk1amIyMXRiMjVmTXk1U1pYTnZkWEpqWlZSNWNHVWlMejRLQ1R3dmNHRnlZVzFsZEdWeVBnb0pQSEYxWlhKNVUzUnlhVzVuSUd4aGJtZDFZV2RsUFNKdGNXd2lQZ29KQ1R3aFcwTkVRVlJCV3p4bWFXeDBaWEkrRFFvZ0lDQWdQSFI1Y0dVK0RRb2dJQ0FnSUNBZ0lEeDBlWEJsUGxWelpYSlVlWEJsUEM5MGVYQmxQZzBLSUNBZ0lDQWdJQ0E4Wm1sc2RHVnlQZzBLSUNBZ0lDQWdJQ0FnSUNBZ1BHRnVaRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4WlhGMVlXdytEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4d1lYUm9QbUZqZEdsMllYUnBiMjR2WVdSdGFXNXBjM1J5WVhScGRtVlRkR0YwZFhNOEwzQmhkR2crRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEeGxlSEJ5WlhOemFXOXVQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdQSEYxWlhKNVNXNTBaWEp3Y21WMFlYUnBiMjVQWms1dlZtRnNkV1UrWm1sc2RHVnlRV3hzUEM5eGRXVnllVWx1ZEdWeWNISmxkR0YwYVc5dVQyWk9iMVpoYkhWbFBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BIQmhkR2crSkdGamRHbDJZWFJwYjI0OEwzQmhkR2crRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZaWGh3Y21WemMybHZiajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJWeGRXRnNQZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh5WldZK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh3WVhSb1BtRnpjMmxuYm0xbGJuUXZkR0Z5WjJWMFVtVm1QQzl3WVhSb1BnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4Wlhod2NtVnpjMmx2Ymo0TkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4eGRXVnllVWx1ZEdWeWNISmxkR0YwYVc5dVQyWk9iMVpoYkhWbFBtWnBiSFJsY2tGc2JEd3ZjWFZsY25sSmJuUmxjbkJ5WlhSaGRHbHZiazltVG05V1lXeDFaVDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh6WTNKcGNIUStEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEdOdlpHVStEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbHRjRzl5ZENCamIyMHVaWFp2YkhabGRXMHViV2xrY0c5cGJuUXVlRzFzTG01ekxsOXdkV0pzYVdNdVkyOXRiVzl1TG1OdmJXMXZibDh6TGs5eVoxUjVjR1U3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2x0Y0c5eWRDQmpiMjB1WlhadmJIWmxkVzB1Yldsa2NHOXBiblF1ZUcxc0xtNXpMbDl3ZFdKc2FXTXVZMjl0Ylc5dUxtTnZiVzF2Ymw4ekxrOWlhbVZqZEZKbFptVnlaVzVqWlZSNWNHVTdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBdkx5QlFUMGxUVDA0NklFeGxkQ2R6SUhSdmRXTm9JSGRvWVhRZ2QyVWdZWEpsSUc1dmRDQnpkWEJ3YjNObFpDQjBieUIwYjNWamFBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCa1pXWWdjSEp2Y0hNZ1BTQnFZWFpoTG14aGJtY3VVM2x6ZEdWdExtZGxkRkJ5YjNCbGNuUnBaWE1vS1EwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JzYjJjdWRISmhZMlVvSWtwaGRtRWdjSEp2Y0dWeWRHbGxjeUJtY205dElIRjFaWEo1SUhOamNtbHdkRG9nZTMwaUxDQndjbTl3Y3lrTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2xtSUNnaGIzSm5ZVzVwZW1GMGFXOXVLU0I3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCeVpYUjFjbTRnYm5Wc2JEc05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnVDJKcVpXTjBVbVZtWlhKbGJtTmxWSGx3WlNCdmNuUWdQU0J1WlhjZ1QySnFaV04wVW1WbVpYSmxibU5sVkhsd1pTZ3BPeUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHOXlkQzV6WlhSUGFXUW9iM0puWVc1cGVtRjBhVzl1S1RzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYjNKMExuTmxkRlI1Y0dVb1QzSm5WSGx3WlM1RFQwMVFURVZZWDFSWlVFVXBPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnlaWFIxY200Z2IzSjBPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR3dlkyOWtaVDRnSUNBZ0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZjMk55YVhCMFBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0E4TDJWNGNISmxjM05wYjI0K0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOXlaV1krRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEhKbFpqNE5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEhCaGRHZytZWE56YVdkdWJXVnVkQzkwWVhKblpYUlNaV1k4TDNCaGRHZytEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4bGVIQnlaWE56YVc5dVBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BIRjFaWEo1U1c1MFpYSndjbVYwWVhScGIyNVBaazV2Vm1Gc2RXVStabWxzZEdWeVFXeHNQQzl4ZFdWeWVVbHVkR1Z5Y0hKbGRHRjBhVzl1VDJaT2IxWmhiSFZsUGcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEhOamNtbHdkRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBOFkyOWtaVDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhVzF3YjNKMElHTnZiUzVsZG05c2RtVjFiUzV0YVdSd2IybHVkQzU0Yld3dWJuTXVYM0IxWW14cFl5NWpiMjF0YjI0dVkyOXRiVzl1WHpNdVVtOXNaVlI1Y0dVN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdsdGNHOXlkQ0JqYjIwdVpYWnZiSFpsZFcwdWJXbGtjRzlwYm5RdWVHMXNMbTV6TGw5d2RXSnNhV011WTI5dGJXOXVMbU52YlcxdmJsOHpMazlpYW1WamRGSmxabVZ5Wlc1alpWUjVjR1U3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQTBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBaaUFvSVhKdmJHVXBJSHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhKbGRIVnliaUJ1ZFd4c093MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCOURRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUEwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JQWW1wbFkzUlNaV1psY21WdVkyVlVlWEJsSUc5eWRDQTlJRzVsZHlCUFltcGxZM1JTWldabGNtVnVZMlZVZVhCbEtDazdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2IzSjBMbk5sZEU5cFpDaHliMnhsS1RzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYjNKMExuTmxkRlI1Y0dVb1VtOXNaVlI1Y0dVdVEwOU5VRXhGV0Y5VVdWQkZLVHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjbVYwZFhKdUlHOXlkRHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBOEwyTnZaR1UrSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQThMM05qY21sd2RENE5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5bGVIQnlaWE56YVc5dVBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lEd3ZjbVZtUGlBZ0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BISmxaajROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BIQmhkR2crWVhOemFXZHViV1Z1ZEM5amIyNXpkSEoxWTNScGIyNHZjbVZ6YjNWeVkyVlNaV1k4TDNCaGRHZytEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUR4bGVIQnlaWE56YVc5dVBnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BIRjFaWEo1U1c1MFpYSndjbVYwWVhScGIyNVBaazV2Vm1Gc2RXVStabWxzZEdWeVFXeHNQQzl4ZFdWeWVVbHVkR1Z5Y0hKbGRHRjBhVzl1VDJaT2IxWmhiSFZsUGcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEhOamNtbHdkRDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBOFkyOWtaVDROQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhVzF3YjNKMElHTnZiUzVsZG05c2RtVjFiUzV0YVdSd2IybHVkQzU0Yld3dWJuTXVYM0IxWW14cFl5NWpiMjF0YjI0dVkyOXRiVzl1WHpNdVVtVnpiM1Z5WTJWVWVYQmxPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBiWEJ2Y25RZ1kyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbmh0YkM1dWN5NWZjSFZpYkdsakxtTnZiVzF2Ymk1amIyMXRiMjVmTXk1UFltcGxZM1JTWldabGNtVnVZMlZVZVhCbE93MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tDRnlaWE52ZFhKalpTa2dldzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnY21WMGRYSnVJRzUxYkd3N0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUgwTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRTlpYW1WamRGSmxabVZ5Wlc1alpWUjVjR1VnYjNKMElEMGdibVYzSUU5aWFtVmpkRkpsWm1WeVpXNWpaVlI1Y0dVb0tUc2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCdmNuUXVjMlYwVDJsa0tISmxjMjkxY21ObEtUc05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2IzSjBMbk5sZEZSNWNHVW9VbVZ6YjNWeVkyVlVlWEJsTGtOUFRWQk1SVmhmVkZsUVJTazdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lISmxkSFZ5YmlCdmNuUTdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnUEM5amIyUmxQaUFnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1BDOXpZM0pwY0hRK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHd2Wlhod2NtVnpjMmx2Ymo0TkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBOEwzSmxaajRnSUEwS0lDQWdJQ0FnSUNBZ0lDQWdQQzloYm1RK0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnUEM5bWFXeDBaWEkrRFFvZ0lDQWdQQzkwZVhCbFBnMEtQQzltYVd4MFpYSStYVjArQ2drOEwzRjFaWEo1VTNSeWFXNW5QZ29KUEdacFpXeGtJRzVoYldVOUltOXBaQ0lnWTJ4aGMzTTlJbXBoZG1FdWJHRnVaeTVUZEhKcGJtY2lMejRLQ1R4bWFXVnNaQ0J1WVcxbFBTSnVZVzFsSWlCamJHRnpjejBpYW1GMllTNXNZVzVuTGxOMGNtbHVaeUl2UGdvSlBHWnBaV3hrSUc1aGJXVTlJbXhwYm10U1pXWWlJR05zWVhOelBTSnFZWFpoTG5WMGFXd3VRWEp5WVhsTWFYTjBJaTgrQ2drOFptbGxiR1FnYm1GdFpUMGlZWE56YVdkdWJXVnVkQ0lnWTJ4aGMzTTlJbXBoZG1FdWRYUnBiQzVNYVhOMElpOCtDZ2s4Wm1sbGJHUWdibUZ0WlQwaVlXTjBhWFpoZEdsdmJpSWdZMnhoYzNNOUltTnZiUzVsZG05c2RtVjFiUzV0YVdSd2IybHVkQzU0Yld3dWJuTXVYM0IxWW14cFl5NWpiMjF0YjI0dVkyOXRiVzl1WHpNdVFXTjBhWFpoZEdsdmJsUjVjR1VpTHo0S0NUeG1hV1ZzWkNCdVlXMWxQU0ptZFd4c1RtRnRaU0lnWTJ4aGMzTTlJbXBoZG1FdWJHRnVaeTVUZEhKcGJtY2lMejRLQ1R4aVlXTnJaM0p2ZFc1a1Bnb0pDVHhpWVc1a0lHaGxhV2RvZEQwaU16QWlJSE53YkdsMFZIbHdaVDBpVTNSeVpYUmphQ0l2UGdvSlBDOWlZV05yWjNKdmRXNWtQZ29KUEhScGRHeGxQZ29KQ1R4aVlXNWtJR2hsYVdkb2REMGlNVFExSWlCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaVBnb0pDUWs4Wm5KaGJXVStDZ2tKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlWR2wwYkdVaUlHMXZaR1U5SWs5d1lYRjFaU0lnZUQwaU1DSWdlVDBpTUNJZ2QybGtkR2c5SWpFd09EQWlJR2hsYVdkb2REMGlOamNpSUdKaFkydGpiMnh2Y2owaUl6STJOems1TkNJZ2RYVnBaRDBpTkRSaVpXUmhZMk10Wm1FeU15MDBabVV4TFdJM01XWXRaVFZoWm1FNU5ETm1OVFV6SWk4K0Nna0pDUWs4YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQnpkSGxzWlQwaVZHbDBiR1VpSUhnOUlqRXdJaUI1UFNJeE15SWdkMmxrZEdnOUlqSTJOaUlnYUdWcFoyaDBQU0l6T0NJZ2RYVnBaRDBpWmpKa09UbGpZV1F0T1dRNE5DMDBaalV3TFdJME5UVXRORFV6WXpnM1pqWXlZelJqSWk4K0Nna0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NEtDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRWYzJWeUlGSmxjRzl5ZEYxZFBqd3ZkR1Y0ZEQ0S0NRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pQQzltY21GdFpUNEtDUWtKUEhOMFlYUnBZMVJsZUhRK0Nna0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQnpkSGxzWlQwaVVHRm5aU0JvWldGa1pYSWlJSGc5SWpJaUlIazlJamcxSWlCM2FXUjBhRDBpTVRVd0lpQm9aV2xuYUhROUlqSXdJaUIxZFdsa1BTSmlNR0k1TnpFMFppMDVObVkxTFRSbU5UZ3RPREkwWWkxak9ERm1aRFJrTXpJeFpqY2lMejRLQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRazhkR1Y0ZEQ0OElWdERSRUZVUVZ0U1pYQnZjblFnWjJWdVpYSmhkR1ZrSUc5dU9sMWRQand2ZEdWNGRENEtDUWtKUEM5emRHRjBhV05VWlhoMFBnb0pDUWs4ZEdWNGRFWnBaV3hrSUhCaGRIUmxjbTQ5SW1Sa0xrMU5UVTB1ZVhsNWVTd2dTRWc2YlcwNmMzTWlQZ29KQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnYzNSNWJHVTlJbEJoWjJVZ2FHVmhaR1Z5SWlCNFBTSXhOakFpSUhrOUlqZzFJaUIzYVdSMGFEMGlNalV3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNJd09XRTNaVEkzTWkweU1EUmxMVFF3TnpndE9HRTFaUzFsTkRjeU56VTNOREkwWXpFaUx6NEtDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjBaWGgwUVd4cFoyNXRaVzUwUFNKU2FXZG9kQ0lnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0krQ2drSkNRa0pQR1p2Ym5RZ2FYTkNiMnhrUFNKbVlXeHpaU0l2UGdvSkNRa0pQQzkwWlhoMFJXeGxiV1Z1ZEQ0S0NRa0pDVHgwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCVzI1bGR5QnFZWFpoTG5WMGFXd3VSR0YwWlNncFhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGdvSkNRazhMM1JsZUhSR2FXVnNaRDRLQ1FrSlBITjBZWFJwWTFSbGVIUStDZ2tKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlVR0ZuWlNCb1pXRmtaWElpSUhnOUlqSWlJSGs5SWpFeE5TSWdkMmxrZEdnOUlqRTFNQ0lnYUdWcFoyaDBQU0l5TUNJZ2RYVnBaRDBpTTJabU56aG1ZbVl0T0daalpTMDBNRGN5TFdJMk9URXROMkZtTURRM1pXRTVNbUUzSWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJUblZ0WW1WeUlHOW1JSEpsWTI5eVpITTZYVjArUEM5MFpYaDBQZ29KQ1FrOEwzTjBZWFJwWTFSbGVIUStDZ2tKQ1R4MFpYaDBSbWxsYkdRZ1pYWmhiSFZoZEdsdmJsUnBiV1U5SWxKbGNHOXlkQ0lnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNEtDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSE4wZVd4bFBTSlFZV2RsSUdobFlXUmxjaUlnZUQwaU1UWXdJaUI1UFNJeE1UVWlJSGRwWkhSb1BTSXlOVEFpSUdobGFXZG9kRDBpTWpBaUlIVjFhV1E5SWpnNU1qVXhNakV4TFRObU5Ea3RORGN4WkMxaU9EaGtMVFUxTmpSak1XSmtNRFJrTVNJdlBnb0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIUmxlSFJCYkdsbmJtMWxiblE5SWxKcFoyaDBJaUIyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJajRLQ1FrSkNRazhabTl1ZENCcGMwSnZiR1E5SW1aaGJITmxJaTgrQ2drSkNRazhMM1JsZUhSRmJHVnRaVzUwUGdvSkNRa0pQSFJsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSkZaN1VrVlFUMUpVWDBOUFZVNVVmVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNEtDUWtKUEM5MFpYaDBSbWxsYkdRK0Nna0pQQzlpWVc1a1Bnb0pQQzkwYVhSc1pUNEtDVHh3WVdkbFNHVmhaR1Z5UGdvSkNUeGlZVzVrSUhOd2JHbDBWSGx3WlQwaVUzUnlaWFJqYUNJdlBnb0pQQzl3WVdkbFNHVmhaR1Z5UGdvSlBHTnZiSFZ0YmtobFlXUmxjajRLQ1FrOFltRnVaQ0JvWldsbmFIUTlJakU1SWlCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaVBnb0pDUWs4YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKRGIyeDFiVzRnYUdWaFpHVnlJaUI0UFNJd0lpQjVQU0l3SWlCM2FXUjBhRDBpTWpRd0lpQm9aV2xuYUhROUlqRTRJaUIxZFdsa1BTSXdORGs0T1RBNVlpMWtNMk0xTFRSbFpUTXRZamhqT1MxbU1EQmhPREE0WldaaE4yRWlMejRLQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRazhkR1Y0ZEQ0OElWdERSRUZVUVZ0T1lXMWxYVjArUEM5MFpYaDBQZ29KQ1FrOEwzTjBZWFJwWTFSbGVIUStDZ2tKQ1R4emRHRjBhV05VWlhoMFBnb0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdjM1I1YkdVOUlrTnZiSFZ0YmlCb1pXRmtaWElpSUhnOUlqSTBNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqSXlNQ0lnYUdWcFoyaDBQU0l4T0NJZ2RYVnBaRDBpT0Raak56UmlaV0l0WW1Sa1pDMDBPR05qTFRrME5XRXRNVFkzWWpJMk1XSXhaVEJpSWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJSblZzYkNCdVlXMWxYVjArUEM5MFpYaDBQZ29KQ1FrOEwzTjBZWFJwWTFSbGVIUStDZ2tKQ1R4emRHRjBhV05VWlhoMFBnb0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdjM1I1YkdVOUlrTnZiSFZ0YmlCb1pXRmtaWElpSUhnOUlqUTJNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqRXdNQ0lnYUdWcFoyaDBQU0l4T0NJZ2RYVnBaRDBpT0Raak56UmlaV0l0WW1Sa1pDMDBPR05qTFRrME5XRXRNVFkzWWpJMk1XSXhaVEJpSWk4K0Nna0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnb0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJRV04wYVhaaGRHbHZibDFkUGp3dmRHVjRkRDRLQ1FrSlBDOXpkR0YwYVdOVVpYaDBQZ29KQ1FrOGMzUmhkR2xqVkdWNGRENEtDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSE4wZVd4bFBTSkRiMngxYlc0Z2FHVmhaR1Z5SWlCNFBTSTFOakFpSUhrOUlqQWlJSGRwWkhSb1BTSXhOREFpSUdobGFXZG9kRDBpTVRnaUlIVjFhV1E5SWpKbVptUXlNamhpTFRoaU9EY3ROR0pqTmkxaE9XUXlMVE14WlRoaE1tUTFaR0ppTnlJdlBnb0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NEtDUWtKQ1R4MFpYaDBQandoVzBORVFWUkJXMUp2YkdWZFhUNDhMM1JsZUhRK0Nna0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0S0NRa0pQSE4wWVhScFkxUmxlSFErQ2drSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpUTI5c2RXMXVJR2hsWVdSbGNpSWdlRDBpTnpBd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRRd0lpQm9aV2xuYUhROUlqRTRJaUIxZFdsa1BTSXlZelJtWVdWaU15MWtNVGxqTFRSak1XVXRZbVppWmkweFlqRXdZMlZqWlRoaFpUZ2lMejRLQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrQ2drSkNRazhkR1Y0ZEQ0OElWdERSRUZVUVZ0UGNtZGhibWw2WVhScGIyNWRYVDQ4TDNSbGVIUStDZ2tKQ1R3dmMzUmhkR2xqVkdWNGRENEtDUWtKUEhOMFlYUnBZMVJsZUhRK0Nna0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQnpkSGxzWlQwaVEyOXNkVzF1SUdobFlXUmxjaUlnZUQwaU9EUXdJaUI1UFNJd0lpQjNhV1IwYUQwaU1qUXdJaUJvWldsbmFIUTlJakU0SWlCMWRXbGtQU0l6WlRSbE1qTXhPUzB5TlRBeUxUUmhOVE10WVRaaU5DMWpOemsyT0RVeU1XWTJZamdpTHo0S0NRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0Nna0pDUWs4ZEdWNGRENDhJVnREUkVGVVFWdEJZMk52ZFc1MFhWMCtQQzkwWlhoMFBnb0pDUWs4TDNOMFlYUnBZMVJsZUhRK0Nna0pQQzlpWVc1a1Bnb0pQQzlqYjJ4MWJXNUlaV0ZrWlhJK0NnazhaR1YwWVdsc1Bnb0pDVHhpWVc1a0lHaGxhV2RvZEQwaU1qVWlJSE53YkdsMFZIbHdaVDBpVTNSeVpYUmphQ0krQ2drSkNUeG1jbUZ0WlQ0S0NRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElITjBlV3hsUFNKRVpYUmhhV3dpSUhOMGNtVjBZMmhVZVhCbFBTSlNaV3hoZEdsMlpWUnZWR0ZzYkdWemRFOWlhbVZqZENJZ2JXOWtaVDBpVDNCaGNYVmxJaUI0UFNJd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRBNE1DSWdhR1ZwWjJoMFBTSXlOQ0lnZFhWcFpEMGlPRFprWWpZMU16Y3RPREZtTUMwME1tSXhMV0kzTkdFdFpESmlaVGN3T1RJM01XTmtJaTgrQ2drSkNRazhkR1Y0ZEVacFpXeGtJR2x6VTNSeVpYUmphRmRwZEdoUGRtVnlabXh2ZHowaWRISjFaU0lnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNEtDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0I0UFNJd0lpQjVQU0l3SWlCM2FXUjBhRDBpTWpnd0lpQm9aV2xuYUhROUlqSXdJaUIxZFdsa1BTSXpZelkyT0dWbFpTMWpaRE5sTFRRMk9UY3RZV1psTXkxbFpHSTNPRGswTlRJMVkyTWlMejRLQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50dVlXMWxmVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNEtDUWtKQ1R3dmRHVjRkRVpwWld4a1Bnb0pDUWtKUEhSbGVIUkdhV1ZzWkNCcGMxTjBjbVYwWTJoWGFYUm9UM1psY21ac2IzYzlJblJ5ZFdVaUlHbHpRbXhoYm10WGFHVnVUblZzYkQwaWRISjFaU0krQ2drSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2VEMGlNamd3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVGd3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNKak9EazBPR000TlMxbFl6TXhMVFJpTXprdE9EZzVZUzAwTTJOaVkyVTNNR1kzWmpnaUx6NEtDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnRtZFd4c1RtRnRaWDFkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrOEwzUmxlSFJHYVdWc1pENEtDUWtKQ1R4MFpYaDBSbWxsYkdRZ2FYTlRkSEpsZEdOb1YybDBhRTkyWlhKbWJHOTNQU0owY25WbElpQnBjMEpzWVc1clYyaGxiazUxYkd3OUluUnlkV1VpUGdvSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIZzlJalEyTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeU1DSWdkWFZwWkQwaU9EazVZakEyTm1RdFpEaGpaaTAwTlRrMExUZ3pZalF0TVdFek5XRTVOVFF4TmpRNElpOCtDZ2tKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRVo3WVdOMGFYWmhkR2x2Ym4wdVoyVjBRV1J0YVc1cGMzUnlZWFJwZG1WVGRHRjBkWE1vS1YxZFBqd3ZkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajRLQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZ29KQ1FrSlBHTnZiWEJ2Ym1WdWRFVnNaVzFsYm5RK0Nna0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdlRDBpTlRZd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRRd0lpQm9aV2xuYUhROUlqRTVJaUIxZFdsa1BTSTBNbUUzWmpBeFppMHpOVGhoTFRSaE1HUXRZVFpoWVMwMFl6bGpNRGt6WW1Vell6WWlMejRLQ1FrSkNRazhhbkk2YkdsemRDQjRiV3h1Y3pwcWNqMGlhSFIwY0RvdkwycGhjM0JsY25KbGNHOXlkSE11YzI5MWNtTmxabTl5WjJVdWJtVjBMMnBoYzNCbGNuSmxjRzl5ZEhNdlkyOXRjRzl1Wlc1MGN5SWdlSE5wT25OamFHVnRZVXh2WTJGMGFXOXVQU0pvZEhSd09pOHZhbUZ6Y0dWeWNtVndiM0owY3k1emIzVnlZMlZtYjNKblpTNXVaWFF2YW1GemNHVnljbVZ3YjNKMGN5OWpiMjF3YjI1bGJuUnpJR2gwZEhBNkx5OXFZWE53WlhKeVpYQnZjblJ6TG5OdmRYSmpaV1p2Y21kbExtNWxkQzk0YzJRdlkyOXRjRzl1Wlc1MGN5NTRjMlFpSUhCeWFXNTBUM0prWlhJOUlraHZjbWw2YjI1MFlXd2lQZ29KQ1FrSkNRazhaR0YwWVhObGRGSjFiaUJ6ZFdKRVlYUmhjMlYwUFNKeWIyeGxjMFJoZEdGelpYUWlJSFYxYVdROUlqTXdNRFU0Tm1RMkxUQm1Nekl0TkdGbU9TMWlNamRtTFdGaU9Ua3hOamMxTURGa05TSStDZ2tKQ1FrSkNRazhjR0Z5WVcxbGRHVnljMDFoY0VWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYmJtVjNJRWhoYzJoTllYQW9KRkI3VWtWUVQxSlVYMUJCVWtGTlJWUkZVbE5mVFVGUWZTbGRYVDQ4TDNCaGNtRnRaWFJsY25OTllYQkZlSEJ5WlhOemFXOXVQZ29KQ1FrSkNRa0pQR1JoZEdGelpYUlFZWEpoYldWMFpYSWdibUZ0WlQwaVlYTnphV2R1YldWdWRDSStDZ2tKQ1FrSkNRa0pQR1JoZEdGelpYUlFZWEpoYldWMFpYSkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJHZTJGemMybG5ibTFsYm5SOVhWMCtQQzlrWVhSaGMyVjBVR0Z5WVcxbGRHVnlSWGh3Y21WemMybHZiajRLQ1FrSkNRa0pDVHd2WkdGMFlYTmxkRkJoY21GdFpYUmxjajRLQ1FrSkNRa0pDVHhqYjI1dVpXTjBhVzl1Ulhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZza1VIdFNSVkJQVWxSZlEwOU9Ua1ZEVkVsUFRuMWRYVDQ4TDJOdmJtNWxZM1JwYjI1RmVIQnlaWE56YVc5dVBnb0pDUWtKQ1FrOEwyUmhkR0Z6WlhSU2RXNCtDZ2tKQ1FrSkNUeHFjanBzYVhOMFEyOXVkR1Z1ZEhNZ2FHVnBaMmgwUFNJeE9DSWdkMmxrZEdnOUlqRTBNQ0krQ2drSkNRa0pDUWs4ZEdWNGRFWnBaV3hrSUdselUzUnlaWFJqYUZkcGRHaFBkbVZ5Wm14dmR6MGlkSEoxWlNJZ2FYTkNiR0Z1YTFkb1pXNU9kV3hzUFNKMGNuVmxJajRLQ1FrSkNRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQjRQU0l3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVFF3SWlCb1pXbG5hSFE5SWpFNElpQjFkV2xrUFNJMk1XUmpPVFF3WlMweFpHWTBMVFEzTTJRdFlURm1OUzFqTWpGa1pqWTJObVU0WVRFaUx6NEtDUWtKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50dVlXMWxmVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNEtDUWtKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZ29KQ1FrSkNRazhMMnB5T214cGMzUkRiMjUwWlc1MGN6NEtDUWtKQ1FrOEwycHlPbXhwYzNRK0Nna0pDUWs4TDJOdmJYQnZibVZ1ZEVWc1pXMWxiblErQ2drSkNRazhZMjl0Y0c5dVpXNTBSV3hsYldWdWRENEtDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0I0UFNJM01EQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE5EQWlJR2hsYVdkb2REMGlNVGtpSUhWMWFXUTlJbVUzWmpZMk9HWXpMVGsyTmpRdE5EWTJNQzA0WWpFMkxUQmtNalZrWmpka00yVXlaQ0l2UGdvSkNRa0pDVHhxY2pwc2FYTjBJSGh0Ykc1ek9tcHlQU0pvZEhSd09pOHZhbUZ6Y0dWeWNtVndiM0owY3k1emIzVnlZMlZtYjNKblpTNXVaWFF2YW1GemNHVnljbVZ3YjNKMGN5OWpiMjF3YjI1bGJuUnpJaUI0YzJrNmMyTm9aVzFoVEc5allYUnBiMjQ5SW1oMGRIQTZMeTlxWVhOd1pYSnlaWEJ2Y25SekxuTnZkWEpqWldadmNtZGxMbTVsZEM5cVlYTndaWEp5WlhCdmNuUnpMMk52YlhCdmJtVnVkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOWpiMjF3YjI1bGJuUnpMbmh6WkNJZ2NISnBiblJQY21SbGNqMGlTRzl5YVhwdmJuUmhiQ0krQ2drSkNRa0pDVHhrWVhSaGMyVjBVblZ1SUhOMVlrUmhkR0Z6WlhROUltOXlaM05FWVhSaGMyVjBJaUIxZFdsa1BTSmhaalkwWXpFM1l5MHdNbVZsTFRRd05EUXRZVGxqWlMwNU1XRTVNR0UzWVRSbE1EZ2lQZ29KQ1FrSkNRa0pQSEJoY21GdFpYUmxjbk5OWVhCRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQlcyNWxkeUJJWVhOb1RXRndLQ1JRZTFKRlVFOVNWRjlRUVZKQlRVVlVSVkpUWDAxQlVIMHBYVjArUEM5d1lYSmhiV1YwWlhKelRXRndSWGh3Y21WemMybHZiajRLQ1FrSkNRa0pDVHhrWVhSaGMyVjBVR0Z5WVcxbGRHVnlJRzVoYldVOUltRnpjMmxuYm0xbGJuUWlQZ29KQ1FrSkNRa0pDVHhrWVhSaGMyVjBVR0Z5WVcxbGRHVnlSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50aGMzTnBaMjV0Wlc1MGZWMWRQand2WkdGMFlYTmxkRkJoY21GdFpYUmxja1Y0Y0hKbGMzTnBiMjQrQ2drSkNRa0pDUWs4TDJSaGRHRnpaWFJRWVhKaGJXVjBaWEkrQ2drSkNRa0pDUWs4WTI5dWJtVmpkR2x2YmtWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpGQjdVa1ZRVDFKVVgwTlBUazVGUTFSSlQwNTlYVjArUEM5amIyNXVaV04wYVc5dVJYaHdjbVZ6YzJsdmJqNEtDUWtKQ1FrSlBDOWtZWFJoYzJWMFVuVnVQZ29KQ1FrSkNRazhhbkk2YkdsemRFTnZiblJsYm5SeklHaGxhV2RvZEQwaU1Ua2lJSGRwWkhSb1BTSXhOREFpUGdvSkNRa0pDUWtKUEhSbGVIUkdhV1ZzWkNCcGMxTjBjbVYwWTJoWGFYUm9UM1psY21ac2IzYzlJblJ5ZFdVaUlHbHpRbXhoYm10WGFHVnVUblZzYkQwaWRISjFaU0krQ2drSkNRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdlRDBpTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakUwTUNJZ2FHVnBaMmgwUFNJeE9TSWdkWFZwWkQwaU9XWTBPRGswWmpNdE5HUmhZeTAwT0RFekxUZ3dZMll0WVdRNU56QTRNelpqTUdWaElpOCtDZ2tKQ1FrSkNRa0pQSFJsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSkVaN2JtRnRaWDFkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrSkNRazhMM1JsZUhSR2FXVnNaRDRLQ1FrSkNRa0pQQzlxY2pwc2FYTjBRMjl1ZEdWdWRITStDZ2tKQ1FrSlBDOXFjanBzYVhOMFBnb0pDUWtKUEM5amIyMXdiMjVsYm5SRmJHVnRaVzUwUGdvSkNRa0pQR052YlhCdmJtVnVkRVZzWlcxbGJuUStDZ2tKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZUQwaU9EUXdJaUI1UFNJd0lpQjNhV1IwYUQwaU1qUXdJaUJvWldsbmFIUTlJakU1SWlCMWRXbGtQU0poT0dObE1qVXdNQzFrTnprNUxUUTRZMk10WVRNek1TMDBZekV6WVRKaFpqWTNORFFpTHo0S0NRa0pDUWs4YW5JNmJHbHpkQ0I0Yld4dWN6cHFjajBpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJwaGMzQmxjbkpsY0c5eWRITXZZMjl0Y0c5dVpXNTBjeUlnZUhOcE9uTmphR1Z0WVV4dlkyRjBhVzl1UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeTlqYjIxd2IyNWxiblJ6SUdoMGRIQTZMeTlxWVhOd1pYSnlaWEJ2Y25SekxuTnZkWEpqWldadmNtZGxMbTVsZEM5NGMyUXZZMjl0Y0c5dVpXNTBjeTU0YzJRaUlIQnlhVzUwVDNKa1pYSTlJa2h2Y21sNmIyNTBZV3dpUGdvSkNRa0pDUWs4WkdGMFlYTmxkRkoxYmlCemRXSkVZWFJoYzJWMFBTSmhZMk52ZFc1MGMwUmhkR0Z6WlhRaUlIVjFhV1E5SWpabU1UZzFaalE0TFdSaVl6QXRORGN3TXkwNFkyWXlMVFZtT1dNeVl6YzBNR1E1TnlJK0Nna0pDUWtKQ1FrOGNHRnlZVzFsZEdWeWMwMWhjRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiYm1WM0lFaGhjMmhOWVhBb0pGQjdVa1ZRVDFKVVgxQkJVa0ZOUlZSRlVsTmZUVUZRZlNsZFhUNDhMM0JoY21GdFpYUmxjbk5OWVhCRmVIQnlaWE56YVc5dVBnb0pDUWtKQ1FrSlBHUmhkR0Z6WlhSUVlYSmhiV1YwWlhJZ2JtRnRaVDBpYjJKcVpXTjBVbVZtSWo0S0NRa0pDUWtKQ1FrOFpHRjBZWE5sZEZCaGNtRnRaWFJsY2tWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpFWjdiR2x1YTFKbFpuMWRYVDQ4TDJSaGRHRnpaWFJRWVhKaGJXVjBaWEpGZUhCeVpYTnphVzl1UGdvSkNRa0pDUWtKUEM5a1lYUmhjMlYwVUdGeVlXMWxkR1Z5UGdvSkNRa0pDUWtKUEdOdmJtNWxZM1JwYjI1RmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UlFlMUpGVUU5U1ZGOURUMDVPUlVOVVNVOU9mVjFkUGp3dlkyOXVibVZqZEdsdmJrVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrSkNUd3ZaR0YwWVhObGRGSjFiajRLQ1FrSkNRa0pQR3B5T214cGMzUkRiMjUwWlc1MGN5Qm9aV2xuYUhROUlqRTVJaUIzYVdSMGFEMGlNalF3SWo0S0NRa0pDUWtKQ1R4MFpYaDBSbWxsYkdRZ2FYTlRkSEpsZEdOb1YybDBhRTkyWlhKbWJHOTNQU0owY25WbElpQnBjMEpzWVc1clYyaGxiazUxYkd3OUluUnlkV1VpUGdvSkNRa0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSGc5SWpBaUlIazlJakFpSUhkcFpIUm9QU0l5TkRBaUlHaGxhV2RvZEQwaU1Ua2lJSFYxYVdROUlqUmxOVGs0T1dSbUxUY3pOR010TkRGaFpDMDRORGN5TFdJMllUWm1PRGt6T1dJeU9DSXZQZ29KQ1FrSkNRa0pDVHgwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCV3lSR2UyNWhiV1Y5S3lJZ0tGSmxjMjkxY21ObE9pQWlLeVJHZTNKbGMyOTFjbU5sVW1WbWZTNW5aWFJVWVhKblpYUk9ZVzFsS0Nrcklpa2lYVjArUEM5MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBnb0pDUWtKQ1FrSlBDOTBaWGgwUm1sbGJHUStDZ2tKQ1FrSkNUd3Zhbkk2YkdsemRFTnZiblJsYm5SelBnb0pDUWtKQ1R3dmFuSTZiR2x6ZEQ0S0NRa0pDVHd2WTI5dGNHOXVaVzUwUld4bGJXVnVkRDRLQ1FrSkNUeHNhVzVsUGdvSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIQnZjMmwwYVc5dVZIbHdaVDBpUm1sNFVtVnNZWFJwZG1WVWIwSnZkSFJ2YlNJZ2JXOWtaVDBpVDNCaGNYVmxJaUI0UFNJd0lpQjVQU0l4T1NJZ2QybGtkR2c5SWpFd09EQWlJR2hsYVdkb2REMGlNU0lnWm05eVpXTnZiRzl5UFNJak16TXpNek16SWlCMWRXbGtQU0kwTjJZNU1UZ3dNUzFqWmpWbUxUUmlaV1F0WWpFNVl5MWpZVE01TXpGalltWTVPR1FpTHo0S0NRa0pDVHd2YkdsdVpUNEtDUWtKUEM5bWNtRnRaVDRLQ1FrOEwySmhibVErQ2drOEwyUmxkR0ZwYkQ0S0NUeGpiMngxYlc1R2IyOTBaWEkrQ2drSlBHSmhibVFnYUdWcFoyaDBQU0kzSWlCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaVBnb0pDUWs4YkdsdVpUNEtDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSEJ2YzJsMGFXOXVWSGx3WlQwaVJtbDRVbVZzWVhScGRtVlViMEp2ZEhSdmJTSWdlRDBpTUNJZ2VUMGlNeUlnZDJsa2RHZzlJakV3T0RBaUlHaGxhV2RvZEQwaU1TSWdkWFZwWkQwaVlUVTVNV1EwWXpFdE1XTmhaQzAwWkdFeUxUbG1PV1F0TURneFpqVXpPV1U1TURReklpOCtDZ2tKQ1FrOFozSmhjR2hwWTBWc1pXMWxiblErQ2drSkNRa0pQSEJsYmlCc2FXNWxWMmxrZEdnOUlqQXVOU0lnYkdsdVpVTnZiRzl5UFNJak9UazVPVGs1SWk4K0Nna0pDUWs4TDJkeVlYQm9hV05GYkdWdFpXNTBQZ29KQ1FrOEwyeHBibVUrQ2drSlBDOWlZVzVrUGdvSlBDOWpiMngxYlc1R2IyOTBaWEkrQ2drOGNHRm5aVVp2YjNSbGNqNEtDUWs4WW1GdVpDQm9aV2xuYUhROUlqTXlJaUJ6Y0d4cGRGUjVjR1U5SWxOMGNtVjBZMmdpUGdvSkNRazhabkpoYldVK0Nna0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQnpkSGxzWlQwaVVHRm5aU0JtYjI5MFpYSWlJRzF2WkdVOUlsUnlZVzV6Y0dGeVpXNTBJaUI0UFNJd0lpQjVQU0l4SWlCM2FXUjBhRDBpTVRBNE1DSWdhR1ZwWjJoMFBTSXlOQ0lnZFhWcFpEMGlabUpsT0dGaFpUUXROalV3TUMwME5qaGhMV0l4WlRndE56QXdZalUyT1RFek9XRXhJaTgrQ2drSkNRazhkR1Y0ZEVacFpXeGtJSEJoZEhSbGNtNDlJbVJrTGsxTlRVMU5Mbmw1ZVhraVBnb0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSE4wZVd4bFBTSlFZV2RsSUdadmIzUmxjaUlnZUQwaU1pSWdlVDBpTVNJZ2QybGtkR2c5SWpFNU55SWdhR1ZwWjJoMFBTSXlNQ0lnZFhWcFpEMGlNamhpWWpsaU5EY3RZVFk1WXkwME9HVXhMVGt3TnpNdFpEVTBaRGt5TmpJME1tVTRJaTgrQ2drSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0S0NRa0pDUWs4ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZ0dVpYY2dhbUYyWVM1MWRHbHNMa1JoZEdVb0tWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0S0NRa0pDVHd2ZEdWNGRFWnBaV3hrUGdvSkNRa0pQSFJsZUhSR2FXVnNaRDRLQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCemRIbHNaVDBpVUdGblpTQm1iMjkwWlhJaUlIZzlJamsyTUNJZ2VUMGlNU0lnZDJsa2RHZzlJamd3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNJMVl6QTJNbU0yTmkxaVlUUTFMVFF5T0RndE9XUmpaQzB5TkRabE1qaGpOV0ZtTnpVaUx6NEtDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkR1Y0ZEVGc2FXZHViV1Z1ZEQwaVVtbG5hSFFpSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0S0NRa0pDUWs4ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZzaVVHRm5aU0FpS3lSV2UxQkJSMFZmVGxWTlFrVlNmU3NpSUc5bUlsMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0S0NRa0pDVHd2ZEdWNGRFWnBaV3hrUGdvSkNRa0pQSFJsZUhSR2FXVnNaQ0JsZG1Gc2RXRjBhVzl1VkdsdFpUMGlVbVZ3YjNKMElqNEtDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0J6ZEhsc1pUMGlVR0ZuWlNCbWIyOTBaWElpSUhnOUlqRXdOREFpSUhrOUlqRWlJSGRwWkhSb1BTSTBNQ0lnYUdWcFoyaDBQU0l5TUNJZ2RYVnBaRDBpT1RNMFlqRTJaVGd0WXpObFlpMDBNREUzTFRnMk5tRXRNR0kzTnpNMVltWXlPVEUzSWk4K0Nna0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NEtDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2lJQ0lnS3lBa1ZudFFRVWRGWDA1VlRVSkZVbjFkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtDZ2tKQ1FrOEwzUmxlSFJHYVdWc1pENEtDUWtKUEM5bWNtRnRaVDRLQ1FrOEwySmhibVErQ2drOEwzQmhaMlZHYjI5MFpYSStDand2YW1GemNHVnlVbVZ3YjNKMFBnbz0=</template>
+   <templateStyle>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWo4K0RRbzhJVVJQUTFSWlVFVWdhbUZ6Y0dWeVZHVnRjR3hoZEdVTkNpQWdVRlZDVEVsRElDSXRMeTlLWVhOd1pYSlNaWEJ2Y25Sekx5OUVWRVFnVkdWdGNHeGhkR1V2TDBWT0lnMEtJQ0FpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJSMFpITXZhbUZ6Y0dWeWRHVnRjR3hoZEdVdVpIUmtJajROQ2p4cVlYTndaWEpVWlcxd2JHRjBaVDROQ2lBZ0lDQWdJQ0FnQ1R4emRIbHNaU0JtYjI1MFRtRnRaVDBpUkdWcVlWWjFJRk5oYm5NaUlHWnZiblJUYVhwbFBTSXhNQ0lnYUVGc2FXZHVQU0pNWldaMElpQnBjMFJsWm1GMWJIUTlJblJ5ZFdVaUlHbHpVR1JtUlcxaVpXUmtaV1E5SW5SeWRXVWlJQTBLQ1FrSkNTQWdJRzVoYldVOUlrSmhjMlVpSUhCa1prVnVZMjlrYVc1blBTSkpaR1Z1ZEdsMGVTMUlJaUJ3WkdaR2IyNTBUbUZ0WlQwaVJHVnFZVloxVTJGdWN5NTBkR1lpSUhaQmJHbG5iajBpVFdsa1pHeGxJajROQ2drSkNUd3ZjM1I1YkdVK0RRb0pDUWs4YzNSNWJHVWdZbUZqYTJOdmJHOXlQU0lqTWpZM09UazBJaUJtYjI1MFUybDZaVDBpTWpZaUlHWnZjbVZqYjJ4dmNqMGlJMFpHUmtaR1JpSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J0YjJSbFBTSlBjR0Z4ZFdVaUlHNWhiV1U5SWxScGRHeGxJaUJ6ZEhsc1pUMGlRbUZ6WlNJdlBpQU5DZ2tKQ1R4emRIbHNaU0JtYjI1MFUybDZaVDBpTVRJaUlHWnZjbVZqYjJ4dmNqMGlJekF3TURBd01DSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSWdibUZ0WlQwaVVHRm5aU0JvWldGa1pYSWlEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYzNSNWJHVTlJa0poYzJVaUx6NE5DZ2tKQ1R4emRIbHNaU0JpWVdOclkyOXNiM0k5SWlNek16TXpNek1pSUdadmJuUlRhWHBsUFNJeE1pSWdabTl5WldOdmJHOXlQU0lqUmtaR1JrWkdJaUJvUVd4cFoyNDlJa05sYm5SbGNpSU5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwYzBSbFptRjFiSFE5SW1aaGJITmxJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlHNWhiV1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSE4wZVd4bFBTSkNZWE5sSWk4K0RRb0pDUWs4YzNSNWJHVWdhWE5DYjJ4a1BTSm1ZV3h6WlNJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJZ2JtRnRaVDBpUkdWMFlXbHNJaUJ6ZEhsc1pUMGlRbUZ6WlNJdlBnMEtJQ0FnSUNBZ0lDQWdJQ0FnUEhOMGVXeGxJR2x6UW05c1pEMGlabUZzYzJVaUlHbHpSR1ZtWVhWc2REMGlabUZzYzJVaUlHNWhiV1U5SWtOdlpHVWlJSE4wZVd4bFBTSkNZWE5sSWlCbWIyNTBVMmw2WlQwaU9TSXZQZzBLQ1FrSlBITjBlV3hsSUdadmJuUlRhWHBsUFNJNUlpQm1iM0psWTI5c2IzSTlJaU13TURBd01EQWlJR2x6UkdWbVlYVnNkRDBpWm1Gc2MyVWlJRzVoYldVOUlsQmhaMlVnWm05dmRHVnlJZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhOMGVXeGxQU0pDWVhObElpOCtEUW9KQ1R3dmFtRnpjR1Z5VkdWdGNHeGhkR1Ur</templateStyle>
+   <export>csv</export>
+   <virtualizer>JRSwapFileVirtualizer</virtualizer>
+   <virtualizerKickOn>300</virtualizerKickOn>
+   <maxPages>10000</maxPages>
+   <timeout>300000</timeout>
+</report>
diff --git a/model/report-impl/src/test/resources/reports/reportAuditLogs-with-datasource.xml b/model/report-impl/src/test/resources/reports/reportAuditLogs-with-datasource.xml
deleted file mode 100644
index 1e634828192..00000000000
--- a/model/report-impl/src/test/resources/reports/reportAuditLogs-with-datasource.xml
+++ /dev/null
@@ -1,114 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		oid="AUDITLOG-3333-3333-TEST-1DATASOURCE"
-        version="0">
-	<name>
-		<orig xmlns="http://prism.evolveum.com/xml/ns/public/types-3">Audit logs report with datasource</orig>
-		<norm xmlns="http://prism.evolveum.com/xml/ns/public/types-3">Audit logs report with datasource</norm>
-	</name>
-	<description>Report made from audit records. With special datasource</description>
-	<reportOrientation>landscape</reportOrientation>
-	
-	<reportField>
-		<nameReportField>timestamp</nameReportField>
-		<nameHeaderField>Timestamp</nameHeaderField>
-		<itemPathField>c:timestamp</itemPathField>
-		<sortOrderNumber>1</sortOrderNumber>
-		<sortOrder>ascending</sortOrder>
-		<widthField>12</widthField>
-		<classTypeField>xsd:dateTime</classTypeField>
-   </reportField>
-   <reportField>
-		<nameReportField>initiatorName</nameReportField>
-		<nameHeaderField>Initiator</nameHeaderField>
-		<itemPathField>c:initiatorName</itemPathField>
-		<widthField>10</widthField>
-		<classTypeField>xsd:string</classTypeField>
-	</reportField>
-	<reportField>
-		<nameReportField>eventType</nameReportField>
-		<nameHeaderField>Event Type</nameHeaderField>
-		<itemPathField>c:eventType</itemPathField>
-		<widthField>12</widthField>
-		<classTypeField>c:AuditEventType</classTypeField>
-	</reportField>
-	<reportField>
-		<nameReportField>eventStage</nameReportField>
-		<nameHeaderField>Event Stage</nameHeaderField>
-		<itemPathField>c:eventStage</itemPathField>
-		<widthField>12</widthField>
-		<classTypeField>c:AuditEventStage</classTypeField>
-	</reportField>
-	<reportField>
-		<nameReportField>targetName</nameReportField>
-		<nameHeaderField>Target</nameHeaderField>
-		<itemPathField>c:targetName</itemPathField>
-		<widthField>10</widthField>
-		<classTypeField>xsd:string</classTypeField>
-	</reportField>
-	<reportField>
-		<nameReportField>outcome</nameReportField>
-		<nameHeaderField>Outcome</nameHeaderField>
-		<itemPathField>c:outcome</itemPathField>
-		<widthField>12</widthField>
-		<classTypeField>c:OperationResultStatusType</classTypeField>
-	</reportField>
-	<reportField>
-		<nameReportField>message</nameReportField>
-		<nameHeaderField>Message</nameHeaderField>
-		<itemPathField>c:message</itemPathField>
-		<widthField>20</widthField>
-		<classTypeField>xsd:string</classTypeField>
-	</reportField>
-	<reportField>
-		<nameReportField>delta</nameReportField>
-		<nameHeaderField>Delta</nameHeaderField>
-		<itemPathField>c:delta</itemPathField>
-		<widthField>12</widthField>
-		<classTypeField>xsd:string</classTypeField>
-	</reportField>
-	<reportParameter>
-        <nameParameter>LOGO_PATH</nameParameter>
-        <valueParameter>src/test/resources/reports/logo.jpg</valueParameter>
-        <classTypeParameter>xsd:string</classTypeParameter>
-    </reportParameter>
-    <reportParameter>
-        <nameParameter>BaseTemplateStyles</nameParameter>
-        <valueParameter>src/test/resources/styles/midpoint_base_styles.jrtx</valueParameter>
-        <classTypeParameter>xsd:string</classTypeParameter>
-    </reportParameter>
-	<reportParameter>
-        <nameParameter>DATA_FROM</nameParameter>
-        <valueParameter>2000-01-01</valueParameter>
-        <classTypeParameter>xsd:dateTime</classTypeParameter>
-    </reportParameter>
-    <reportParameter>
-        <nameParameter>DATA_TO</nameParameter>
-        <valueParameter>2020-12-31</valueParameter>
-        <classTypeParameter>xsd:dateTime</classTypeParameter>
-    </reportParameter>
-	<reportParameter>
-        <nameParameter>EVENT_TYPE</nameParameter>
-        <valueParameter>"ALL"</valueParameter>
-        <classTypeParameter>xsd:string</classTypeParameter>
-    </reportParameter>
-	
-	
-</report>
diff --git a/model/report-impl/src/test/resources/reports/reportAuditLogs.jrxml b/model/report-impl/src/test/resources/reports/reportAuditLogs.jrxml
deleted file mode 100644
index b56afb45639..00000000000
--- a/model/report-impl/src/test/resources/reports/reportAuditLogs.jrxml
+++ /dev/null
@@ -1,228 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jasperReport xmlns="http://jasperreports.sourceforge.net/jasperreports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://jasperreports.sourceforge.net/jasperreports http://jasperreports.sourceforge.net/xsd/jasperreport.xsd" name="report2" pageWidth="842" pageHeight="595" orientation="Landscape" whenNoDataType="AllSectionsNoDetail" columnWidth="802" leftMargin="20" rightMargin="20" topMargin="20" bottomMargin="20" uuid="67e465c5-46ea-40d2-bea0-469c6cf38937">
-	<property name="ireport.zoom" value="1.6105100000000019"/>
-	<property name="ireport.x" value="0"/>
-	<property name="ireport.y" value="0"/>
-	<property name="net.sf.jasperreports.awt.ignore.missing.font" value="true"/>
-    <property name="net.sf.jasperreports.export.pdf.force.linebreak.policy" value="true"/>
-	<import value="com.evolveum.midpoint.report.impl.ReportUtils"/>
-	<template><![CDATA[$P{BaseTemplateStyles}]]></template>
-	<parameter name="BaseTemplateStyles" class="java.lang.String"/>
-	<parameter name="LOGO_PATH" class="java.lang.String"/>
-	<parameter name="DATE_FROM" class="java.sql.Timestamp"/>
-	<parameter name="DATE_TO" class="java.sql.Timestamp"/>
-	<parameter name="EVENT_TYPE" class="java.lang.Integer"/>
-	<parameter name="EVENT_TYPE_DESC" class="java.lang.String"/>
-	<parameter name="QUERY_STRING" class="java.lang.String"/>
-	<queryString language="hql"><![CDATA[$P!{QUERY_STRING}]]></queryString>
-	<field name="timestamp" class="java.sql.Timestamp"/>
-	<field name="initiator" class="java.lang.String"/>
-	<field name="eventType" class="com.evolveum.midpoint.repo.sql.data.audit.RAuditEventType">
-		<fieldDescription><![CDATA[eventType]]></fieldDescription>
-	</field>
-	<field name="eventStage" class="com.evolveum.midpoint.repo.sql.data.audit.RAuditEventStage">
-		<fieldDescription><![CDATA[eventStage]]></fieldDescription>
-	</field>
-	<field name="targetName" class="java.lang.String"/>
-	<field name="targetType" class="com.evolveum.midpoint.repo.sql.data.common.other.RObjectType">
-		<fieldDescription><![CDATA[targetType]]></fieldDescription>
-	</field>
-	<field name="targetOwnerName" class="java.lang.String"/>
-	<field name="outcome" class="com.evolveum.midpoint.repo.sql.data.common.enums.ROperationResultStatus">
-		<fieldDescription><![CDATA[outcome]]></fieldDescription>
-	</field>
-	<field name="message" class="java.lang.String"/>
-	<field name="delta" class="java.lang.String"/>
-	<background>
-		<band splitType="Stretch"/>
-	</background>
-	<title>
-		<band height="168" splitType="Stretch">
-			<frame>
-				<reportElement uuid="44bedacc-fa23-4fe1-b71f-e5afa943f553" style="Title" mode="Opaque" x="0" y="0" width="800" height="67" backcolor="#267994"/>
-				<staticText>
-					<reportElement uuid="f2d99cad-9d84-4f50-b455-453c87f62c4c" style="Title" x="10" y="13" width="266" height="38"/>
-					<textElement verticalAlignment="Middle"/>
-					<text><![CDATA[Audit Log Report]]></text>
-				</staticText>
-				<image>
-					<reportElement uuid="b0a76e6a-8f61-4d60-8dcd-3e51adb4cd4c" style="Title" x="589" y="13" width="203" height="45"/>
-					<imageExpression><![CDATA[$P{LOGO_PATH}]]></imageExpression>
-				</image>
-			</frame>
-			<staticText>
-				<reportElement uuid="e035dbd5-dc2f-45cb-936c-a08e9c011e43" style="Page header" x="2" y="85" width="100" height="20"/>
-				<textElement verticalAlignment="Middle"/>
-				<text><![CDATA[From:]]></text>
-			</staticText>
-			<textField pattern="EEEEE dd MMMMM yyyy, HH:mm:ss">
-				<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Page header" isPrintRepeatedValues="false" x="110" y="85" width="644" height="20"/>
-				<textElement verticalAlignment="Middle">
-					<font isBold="false"/>
-				</textElement>
-				<textFieldExpression><![CDATA[$P{DATE_FROM}]]></textFieldExpression>
-			</textField>
-			<staticText>
-				<reportElement uuid="e035dbd5-dc2f-45cb-936c-a08e9c011e43" style="Page header" x="2" y="115" width="100" height="20"/>
-				<textElement verticalAlignment="Middle"/>
-				<text><![CDATA[To:]]></text>
-			</staticText>
-			<textField pattern="EEEEE dd MMMMM yyyy, HH:mm:ss">
-				<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Page header" isPrintRepeatedValues="false" x="110" y="115" width="644" height="20"/>
-				<textElement verticalAlignment="Middle">
-					<font isBold="false"/>
-				</textElement>
-				<textFieldExpression><![CDATA[$P{DATE_TO}]]></textFieldExpression>
-			</textField>
-			<staticText>
-				<reportElement uuid="e035dbd5-dc2f-45cb-936c-a08e9c011e43" style="Page header" x="2" y="145" width="100" height="20"/>
-				<textElement verticalAlignment="Middle"/>
-				<text><![CDATA[Event Type:]]></text>
-			</staticText>
-			<textField>
-				<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Page header" isPrintRepeatedValues="false" x="110" y="145" width="644" height="20"/>
-				<textElement verticalAlignment="Middle">
-					<font isBold="false"/>
-				</textElement>
-				<textFieldExpression><![CDATA[$P{EVENT_TYPE_DESC}]]></textFieldExpression>
-			</textField>
-		</band>
-	</title>
-	<pageHeader>
-		<band splitType="Stretch"/>
-	</pageHeader>
-	<columnHeader>
-		<band height="24" splitType="Stretch">
-			<frame>
-				<reportElement uuid="3e8fdd6d-a6ff-4407-9a1e-5d6b4706300a" style="Column header" mode="Transparent" x="0" y="1" width="800" height="19" isRemoveLineWhenBlank="true"/>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="0" y="0" width="80" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Timestamp]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="80" y="0" width="80" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Initiator]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="160" y="0" width="90" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Event Type]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="250" y="0" width="90" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Event Stage]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="340" y="0" width="100" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Target]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="440" y="0" width="80" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Outcome]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="520" y="0" width="180" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Message]]></text>
-				</staticText>
-				<staticText>
-					<reportElement uuid="86c74beb-bddd-48cc-945a-167b261b1e0b" style="Column header" x="700" y="0" width="100" height="18"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<text><![CDATA[Delta]]></text>
-				</staticText>
-			</frame>
-		</band>
-	</columnHeader>
-	<detail>
-		<band height="15" splitType="Stretch">
-			<frame>
-				<reportElement uuid="3e8fdd6d-a6ff-4407-9a1e-5d6b4706300a" style="Detail" mode="Opaque" x="0" y="0" width="800" height="14"/>
-				<textField isStretchWithOverflow="true" pattern="dd.MM.yy, HH:mm:ss">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="0" y="0" width="80" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{timestamp}]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="80" y="0" width="80" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{initiator}]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="160" y="0" width="90" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{eventType}.getType()]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="250" y="0" width="90" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{eventStage}.getStage()]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="340" y="0" width="100" height="13" isPrintWhenDetailOverflows="true">
-						<printWhenExpression><![CDATA[!$F{targetType}.equals(null)]]></printWhenExpression>
-					</reportElement>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{targetName} + " (" + $F{targetType} + ") "]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="440" y="0" width="80" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement textAlignment="Center" verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{outcome}.getSchemaValue()]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="520" y="0" width="180" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{message}]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Detail" x="700" y="0" width="100" height="13" isPrintWhenDetailOverflows="true"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression class="java.lang.String"><![CDATA[ReportUtils.getDeltaAudit($F{delta})]]></textFieldExpression>
-				</textField>
-				<line>
-					<reportElement uuid="47f91801-cf5f-4bed-b19c-ca3931cbf98d" positionType="FixRelativeToBottom" mode="Opaque" x="0" y="13" width="800" height="1" forecolor="#333333"/>
-				</line>
-			</frame>
-		</band>
-	</detail>
-	<columnFooter>
-		<band height="7" splitType="Stretch">
-			<line>
-				<reportElement uuid="a591d4c1-1cad-4da2-9f9d-081f539e9043" positionType="FixRelativeToBottom" x="0" y="3" width="800" height="1"/>
-				<graphicElement>
-					<pen lineWidth="0.5" lineColor="#999999"/>
-				</graphicElement>
-			</line>
-		</band>
-	</columnFooter>
-	<pageFooter>
-		<band height="32" splitType="Stretch">
-			<frame>
-				<reportElement uuid="fbe8aae4-6500-468a-b1e8-700b569139a1" style="Page footer" mode="Transparent" x="0" y="1" width="800" height="24" forecolor="#000000" backcolor="#267994"/>
-				<textField pattern="EEEEE dd MMMMM yyyy">
-					<reportElement uuid="28bb9b47-a69c-48e1-9073-d54d926242e8" style="Page footer" x="2" y="1" width="197" height="20"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[new java.util.Date()]]></textFieldExpression>
-				</textField>
-				<textField>
-					<reportElement uuid="5c062c66-ba45-4288-9dcd-246e28c5af75" style="Page footer" x="680" y="1" width="80" height="20"/>
-					<textElement textAlignment="Right" verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA["Page "+$V{PAGE_NUMBER}+" of"]]></textFieldExpression>
-				</textField>
-				<textField evaluationTime="Report">
-					<reportElement uuid="934b16e8-c3eb-4017-866a-0b7735bf2917" style="Page footer" x="760" y="1" width="40" height="20"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[" " + $V{PAGE_NUMBER}]]></textFieldExpression>
-				</textField>
-			</frame>
-		</band>
-	</pageFooter>
-	<summary>
-		<band splitType="Stretch"/>
-	</summary>
-</jasperReport>
diff --git a/model/report-impl/src/test/resources/reports/reportAuditLogs.xml b/model/report-impl/src/test/resources/reports/reportAuditLogs.xml
deleted file mode 100644
index ca2279332c0..00000000000
--- a/model/report-impl/src/test/resources/reports/reportAuditLogs.xml
+++ /dev/null
@@ -1,233 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		oid="AUDITLOG-3333-3333-TEST-10000000000"
-        version="0">
-	<name>Audit logs report</name>
-	<description>Report made from audit records.</description>
-	<!-- flag if this report is "parent" report, used for gui -->
-	<parent>true</parent>
-	<template>UEdwaGMzQmxjbEpsY0c5eWRDQU5DaUFnSUNBSkNYaHRiRzV6UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeUlnRFFvSkNRbDRiV3h1Y3pwNGMyazlJbWgwZEhBNkx5OTNkM2N1ZHpNdWIzSm5Mekl3TURFdldFMU1VMk5vWlcxaExXbHVjM1JoYm1ObElpQU5DZ2tKQ1hoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOXFZWE53WlhKeVpYQnZjblF1ZUhOa0lpQU5DZ2tKQ1c1aGJXVTlJbkpsY0c5eWRFRjFaR2wwVEc5bmN5SWdEUW9KQ1Fsd1lXZGxWMmxrZEdnOUlqZzBNaUlnRFFvSkNRbHdZV2RsU0dWcFoyaDBQU0kxT1RVaUlBMEtDUWtKYjNKcFpXNTBZWFJwYjI0OUlreGhibVJ6WTJGd1pTSWdEUW9KQ1FsM2FHVnVUbTlFWVhSaFZIbHdaVDBpUVd4c1UyVmpkR2x2Ym5OT2IwUmxkR0ZwYkNJZ0RRb0pDUWxqYjJ4MWJXNVhhV1IwYUQwaU9EQXlJaUFOQ2drSkNXeGxablJOWVhKbmFXNDlJakl3SWlBTkNna0pDWEpwWjJoMFRXRnlaMmx1UFNJeU1DSWdEUW9KQ1FsMGIzQk5ZWEpuYVc0OUlqSXdJaUFOQ2drSkNXSnZkSFJ2YlUxaGNtZHBiajBpTWpBaUlBMEtDUWtKZFhWcFpEMGlOamRsTkRZMVl6VXRORFpsWVMwME1HUXlMV0psWVRBdE5EWTVZelpqWmpNNE9UTTNJajROQ2drSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWhkM1F1YVdkdWIzSmxMbTFwYzNOcGJtY3VabTl1ZENJZ2RtRnNkV1U5SW5SeWRXVWlMejROQ2drSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdWNHUm1MbVp2Y21ObExteHBibVZpY21WaGF5NXdiMnhwWTNraUlIWmhiSFZsUFNKMGNuVmxJaTgrRFFvSkNRazhjSEp2Y0dWeWRIa2dibUZ0WlQwaWJtVjBMbk5tTG1waGMzQmxjbkpsY0c5eWRITXVaWGh3YjNKMExtTnpkaTVsZUdOc2RXUmxMbTl5YVdkcGJpNWlZVzVrTGpFaUlIWmhiSFZsUFNKMGFYUnNaU0l2UGcwS0NRa0pQSEJ5YjNCbGNuUjVJRzVoYldVOUltNWxkQzV6Wmk1cVlYTndaWEp5WlhCdmNuUnpMbVY0Y0c5eWRDNWpjM1l1WlhoamJIVmtaUzV2Y21sbmFXNHVZbUZ1WkM0eUlpQjJZV3gxWlQwaWNHRm5aVVp2YjNSbGNpSXZQZzBLQ1FrSlBHbHRjRzl5ZENCMllXeDFaVDBpWTI5dExtVjJiMngyWlhWdExtMXBaSEJ2YVc1MExuSmxjRzl5ZEM1cGJYQnNMbEpsY0c5eWRGVjBhV3h6SWk4K0RRb0pDUWs4Y0dGeVlXMWxkR1Z5SUc1aGJXVTlJbVp5YjIwaUlHTnNZWE56UFNKcVlYWmhMbk54YkM1VWFXMWxjM1JoYlhBaUx6NE5DZ2tKQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpZEc4aUlHTnNZWE56UFNKcVlYWmhMbk54YkM1VWFXMWxjM1JoYlhBaUx6NE5DZ2tKQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpYUhGc1VYVmxjbmtpSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaTgrRFFvSkNRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltVjJaVzUwVkhsd1pTSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NUpiblJsWjJWeUlpOCtEUW9KQ1FrOGNHRnlZVzFsZEdWeUlHNWhiV1U5SW1WMlpXNTBSR1Z6WTNKcGNIUnBiMjRpSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaTgrRFFvSkNRazhjWFZsY25sVGRISnBibWNnYkdGdVozVmhaMlU5SW1oeGJDSStQQ0ZiUTBSQlZFRmJKRkFoZTJoeGJGRjFaWEo1ZlYxZFBqd3ZjWFZsY25sVGRISnBibWMrRFFvSkNRazhabWxsYkdRZ2JtRnRaVDBpZEdsdFpYTjBZVzF3SWlCamJHRnpjejBpYW1GMllTNXpjV3d1VkdsdFpYTjBZVzF3SWk4K0RRb0pDUWs4Wm1sbGJHUWdibUZ0WlQwaWFXNXBkR2xoZEc5eUlpQmpiR0Z6Y3owaWFtRjJZUzVzWVc1bkxsTjBjbWx1WnlJdlBnMEtDUWtKUEdacFpXeGtJRzVoYldVOUltVjJaVzUwVkhsd1pTSWdZMnhoYzNNOUltTnZiUzVsZG05c2RtVjFiUzV0YVdSd2IybHVkQzV5WlhCdkxuTnhiQzVrWVhSaExtRjFaR2wwTGxKQmRXUnBkRVYyWlc1MFZIbHdaU0krRFFvSkNRa0pQR1pwWld4a1JHVnpZM0pwY0hScGIyNCtQQ0ZiUTBSQlZFRmJaWFpsYm5SVWVYQmxYVjArUEM5bWFXVnNaRVJsYzJOeWFYQjBhVzl1UGcwS0NRa0pQQzltYVdWc1pENE5DZ2tKQ1R4bWFXVnNaQ0J1WVcxbFBTSmxkbVZ1ZEZOMFlXZGxJaUJqYkdGemN6MGlZMjl0TG1WMmIyeDJaWFZ0TG0xcFpIQnZhVzUwTG5KbGNHOHVjM0ZzTG1SaGRHRXVZWFZrYVhRdVVrRjFaR2wwUlhabGJuUlRkR0ZuWlNJK0RRb0pDUWtKUEdacFpXeGtSR1Z6WTNKcGNIUnBiMjQrUENGYlEwUkJWRUZiWlhabGJuUlRkR0ZuWlYxZFBqd3ZabWxsYkdSRVpYTmpjbWx3ZEdsdmJqNE5DZ2tKQ1R3dlptbGxiR1ErRFFvSkNRazhabWxsYkdRZ2JtRnRaVDBpZEdGeVoyVjBUbUZ0WlNJZ1kyeGhjM005SW1waGRtRXViR0Z1Wnk1VGRISnBibWNpTHo0TkNna0pDVHhtYVdWc1pDQnVZVzFsUFNKMFlYSm5aWFJVZVhCbElpQmpiR0Z6Y3owaVkyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbkpsY0c4dWMzRnNMbVJoZEdFdVkyOXRiVzl1TG05MGFHVnlMbEpQWW1wbFkzUlVlWEJsSWo0TkNna0pDUWs4Wm1sbGJHUkVaWE5qY21sd2RHbHZiajQ4SVZ0RFJFRlVRVnQwWVhKblpYUlVlWEJsWFYwK1BDOW1hV1ZzWkVSbGMyTnlhWEIwYVc5dVBnMEtDUWtKUEM5bWFXVnNaRDROQ2drSkNUeG1hV1ZzWkNCdVlXMWxQU0owWVhKblpYUlBkMjVsY2s1aGJXVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklpOCtEUW9KQ1FrOFptbGxiR1FnYm1GdFpUMGliM1YwWTI5dFpTSWdZMnhoYzNNOUltTnZiUzVsZG05c2RtVjFiUzV0YVdSd2IybHVkQzV5WlhCdkxuTnhiQzVrWVhSaExtTnZiVzF2Ymk1bGJuVnRjeTVTVDNCbGNtRjBhVzl1VW1WemRXeDBVM1JoZEhWeklqNE5DZ2tKQ1FrOFptbGxiR1JFWlhOamNtbHdkR2x2Ymo0OElWdERSRUZVUVZ0dmRYUmpiMjFsWFYwK1BDOW1hV1ZzWkVSbGMyTnlhWEIwYVc5dVBnMEtDUWtKUEM5bWFXVnNaRDROQ2drSkNUeG1hV1ZzWkNCdVlXMWxQU0p0WlhOellXZGxJaUJqYkdGemN6MGlhbUYyWVM1c1lXNW5MbE4wY21sdVp5SXZQZzBLQ1FrSlBHWnBaV3hrSUc1aGJXVTlJbVJsYkhSaElpQmpiR0Z6Y3owaWFtRjJZUzVzWVc1bkxsTjBjbWx1WnlJdlBnMEtDUWtKUEdKaFkydG5jbTkxYm1RK0RRb0pDUWtKUEdKaGJtUWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JaTgrRFFvSkNRazhMMkpoWTJ0bmNtOTFibVErRFFvSkNRazhkR2wwYkdVK0RRb0pDUWtKUEdKaGJtUWdhR1ZwWjJoMFBTSXhOamdpSUhOd2JHbDBWSGx3WlQwaVUzUnlaWFJqYUNJK0RRb0pDUWtKQ1R4bWNtRnRaVDROQ2drSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpRMFltVmtZV05qTFdaaE1qTXROR1psTVMxaU56Rm1MV1UxWVdaaE9UUXpaalUxTXlJZ2MzUjViR1U5SWxScGRHeGxJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlIZzlJakFpSUhrOUlqQWlJSGRwWkhSb1BTSTRNREFpSUdobGFXZG9kRDBpTmpjaUlHSmhZMnRqYjJ4dmNqMGlJekkyTnprNU5DSXZQZzBLQ1FrSkNRa0pQSE4wWVhScFkxUmxlSFErRFFvSkNRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaVpqSmtPVGxqWVdRdE9XUTROQzAwWmpVd0xXSTBOVFV0TkRVell6ZzNaall5WXpSaklpQnpkSGxzWlQwaVZHbDBiR1VpSUhnOUlqRXdJaUI1UFNJeE15SWdkMmxrZEdnOUlqSTJOaUlnYUdWcFoyaDBQU0l6T0NJdlBnMEtDUWtKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJRWFZrYVhRZ1RHOW5JRkpsY0c5eWRGMWRQand2ZEdWNGRENE5DZ2tKQ1FrSkNUd3ZjM1JoZEdsalZHVjRkRDROQ2drSkNRa0pQQzltY21GdFpUNE5DZ2tKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0psTURNMVpHSmtOUzFrWXpKbUxUUTFZMkl0T1RNMll5MWhNRGhsT1dNd01URmxORE1pSUhOMGVXeGxQU0pRWVdkbElHaGxZV1JsY2lJZ2VEMGlNaUlnZVQwaU9EVWlJSGRwWkhSb1BTSXhNREFpSUdobGFXZG9kRDBpTWpBaUx6NE5DZ2tKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrRFFvSkNRa0pDUWs4ZEdWNGRENDhJVnREUkVGVVFWdEdjbTl0T2wxZFBqd3ZkR1Y0ZEQ0TkNna0pDUWtKUEM5emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrOGRHVjRkRVpwWld4a0lIQmhkSFJsY200OUlrVkZSVVZGSUdSa0lFMU5UVTFOSUhsNWVYa3NJRWhJT20xdE9uTnpJajROQ2drSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpJNFltSTVZalEzTFdFMk9XTXRORGhsTVMwNU1EY3pMV1ExTkdRNU1qWXlOREpsT0NJZ2MzUjViR1U5SWxCaFoyVWdhR1ZoWkdWeUlpQnBjMUJ5YVc1MFVtVndaV0YwWldSV1lXeDFaWE05SW1aaGJITmxJaUI0UFNJeE1UQWlJSGs5SWpnMUlpQjNhV1IwYUQwaU5qUTBJaUJvWldsbmFIUTlJakl3SWk4K0RRb0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSStEUW9KQ1FrSkNRa0pQR1p2Ym5RZ2FYTkNiMnhrUFNKbVlXeHpaU0l2UGcwS0NRa0pDUWtKUEM5MFpYaDBSV3hsYldWdWRENE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJRZTJaeWIyMTlYVjArUEM5MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBnMEtDUWtKQ1FrOEwzUmxlSFJHYVdWc1pENE5DZ2tKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0psTURNMVpHSmtOUzFrWXpKbUxUUTFZMkl0T1RNMll5MWhNRGhsT1dNd01URmxORE1pSUhOMGVXeGxQU0pRWVdkbElHaGxZV1JsY2lJZ2VEMGlNaUlnZVQwaU1URTFJaUIzYVdSMGFEMGlNVEF3SWlCb1pXbG5hSFE5SWpJd0lpOCtEUW9KQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJWRzg2WFYwK1BDOTBaWGgwUGcwS0NRa0pDUWs4TDNOMFlYUnBZMVJsZUhRK0RRb0pDUWtKQ1R4MFpYaDBSbWxsYkdRZ2NHRjBkR1Z5YmowaVJVVkZSVVVnWkdRZ1RVMU5UVTBnZVhsNWVTd2dTRWc2YlcwNmMzTWlQZzBLQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpTWpoaVlqbGlORGN0WVRZNVl5MDBPR1V4TFRrd056TXRaRFUwWkRreU5qSTBNbVU0SWlCemRIbHNaVDBpVUdGblpTQm9aV0ZrWlhJaUlHbHpVSEpwYm5SU1pYQmxZWFJsWkZaaGJIVmxjejBpWm1Gc2MyVWlJSGc5SWpFeE1DSWdlVDBpTVRFMUlpQjNhV1IwYUQwaU5qUTBJaUJvWldsbmFIUTlJakl3SWk4K0RRb0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSStEUW9KQ1FrSkNRa0pQR1p2Ym5RZ2FYTkNiMnhrUFNKbVlXeHpaU0l2UGcwS0NRa0pDUWtKUEM5MFpYaDBSV3hsYldWdWRENE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJRZTNSdmZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0TkNna0pDUWtKUEM5MFpYaDBSbWxsYkdRK0RRb0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlaVEF6TldSaVpEVXRaR015WmkwME5XTmlMVGt6Tm1NdFlUQTRaVGxqTURFeFpUUXpJaUJ6ZEhsc1pUMGlVR0ZuWlNCb1pXRmtaWElpSUhnOUlqSWlJSGs5SWpFME5TSWdkMmxrZEdnOUlqRXdNQ0lnYUdWcFoyaDBQU0l5TUNJdlBnMEtDUWtKQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejROQ2drSkNRa0pDVHgwWlhoMFBqd2hXME5FUVZSQlcwVjJaVzUwSUZSNWNHVTZYVjArUEM5MFpYaDBQZzBLQ1FrSkNRazhMM04wWVhScFkxUmxlSFErRFFvSkNRa0pDVHgwWlhoMFJtbGxiR1ErRFFvSkNRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQjFkV2xrUFNJeU9HSmlPV0kwTnkxaE5qbGpMVFE0WlRFdE9UQTNNeTFrTlRSa09USTJNalF5WlRnaUlITjBlV3hsUFNKUVlXZGxJR2hsWVdSbGNpSWdhWE5RY21sdWRGSmxjR1ZoZEdWa1ZtRnNkV1Z6UFNKbVlXeHpaU0lnZUQwaU1URXdJaUI1UFNJeE5EVWlJSGRwWkhSb1BTSTJORFFpSUdobGFXZG9kRDBpTWpBaUx6NE5DZzBLQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpUGcwS0NRa0pDUWtKQ1R4bWIyNTBJR2x6UW05c1pEMGlabUZzYzJVaUx6NE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVWc1pXMWxiblErRFFvSkNRa0pDUWs4ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZza1VIdGxkbVZ1ZEZSNWNHVjlJQ0U5SUc1MWJHd2dQeUFrVUh0bGRtVnVkRVJsYzJOeWFYQjBhVzl1ZlNBNklDSkJiR3dpWFYwK1BDOTBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQZzBLQ1FrSkNRazhMM1JsZUhSR2FXVnNaRDROQ2drSkNRazhMMkpoYm1RK0RRb0pDUWs4TDNScGRHeGxQZzBLQ1FrSlBIQmhaMlZJWldGa1pYSStEUW9KQ1FrSlBHSmhibVFnYzNCc2FYUlVlWEJsUFNKVGRISmxkR05vSWk4K0RRb0pDUWs4TDNCaFoyVklaV0ZrWlhJK0RRb0pDUWs4WTI5c2RXMXVTR1ZoWkdWeVBnMEtDUWtKQ1R4aVlXNWtJR2hsYVdkb2REMGlNalFpSUhOd2JHbDBWSGx3WlQwaVUzUnlaWFJqYUNJK0RRb0pDUWtKQ1R4bWNtRnRaVDROQ2drSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpObE9HWmtaRFprTFdFMlptWXRORFF3TnkwNVlURmxMVFZrTm1JME56QTJNekF3WVNJZ2MzUjViR1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJRzF2WkdVOUlsUnlZVzV6Y0dGeVpXNTBJaUI0UFNJd0lpQjVQU0l4SWlCM2FXUjBhRDBpT0RBd0lpQm9aV2xuYUhROUlqRTVJaUJwYzFKbGJXOTJaVXhwYm1WWGFHVnVRbXhoYm1zOUluUnlkV1VpTHo0TkNna0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJamcyWXpjMFltVmlMV0prWkdRdE5EaGpZeTA1TkRWaExURTJOMkl5TmpGaU1XVXdZaUlnYzNSNWJHVTlJa052YkhWdGJpQm9aV0ZrWlhJaUlIZzlJakFpSUhrOUlqQWlJSGRwWkhSb1BTSXhNREFpSUdobGFXZG9kRDBpTVRnaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlRMlZ1ZEdWeUlpQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlZHbHRaWE4wWVcxd1hWMCtQQzkwWlhoMFBnMEtDUWtKQ1FrSlBDOXpkR0YwYVdOVVpYaDBQZzBLQ1FrSkNRa0pQSE4wWVhScFkxUmxlSFErRFFvSkNRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaU9EWmpOelJpWldJdFltUmtaQzAwT0dOakxUazBOV0V0TVRZM1lqSTJNV0l4WlRCaUlpQnpkSGxzWlQwaVEyOXNkVzF1SUdobFlXUmxjaUlnZUQwaU1UQXdJaUI1UFNJd0lpQjNhV1IwYUQwaU9EQWlJR2hsYVdkb2REMGlNVGdpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkR1Y0ZEVGc2FXZHViV1Z1ZEQwaVEyVnVkR1Z5SWlCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFErUENGYlEwUkJWRUZiU1c1cGRHbGhkRzl5WFYwK1BDOTBaWGgwUGcwS0NRa0pDUWtKUEM5emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpT0Raak56UmlaV0l0WW1Sa1pDMDBPR05qTFRrME5XRXRNVFkzWWpJMk1XSXhaVEJpSWlCemRIbHNaVDBpUTI5c2RXMXVJR2hsWVdSbGNpSWdlRDBpTVRnd0lpQjVQU0l3SWlCM2FXUjBhRDBpT1RBaUlHaGxhV2RvZEQwaU1UZ2lMejROQ2drSkNRa0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RHVjRkRUZzYVdkdWJXVnVkRDBpUTJWdWRHVnlJaUIyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJSWFpsYm5RZ1ZIbHdaVjFkUGp3dmRHVjRkRDROQ2drSkNRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJamcyWXpjMFltVmlMV0prWkdRdE5EaGpZeTA1TkRWaExURTJOMkl5TmpGaU1XVXdZaUlnYzNSNWJHVTlJa052YkhWdGJpQm9aV0ZrWlhJaUlIZzlJakkzTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJamt3SWlCb1pXbG5hSFE5SWpFNElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhSbGVIUkJiR2xuYm0xbGJuUTlJa05sYm5SbGNpSWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFBqd2hXME5FUVZSQlcwVjJaVzUwSUZOMFlXZGxYVjArUEM5MFpYaDBQZzBLQ1FrSkNRa0pQQzl6ZEdGMGFXTlVaWGgwUGcwS0NRa0pDUWtKUEhOMFlYUnBZMVJsZUhRK0RRb0pDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlPRFpqTnpSaVpXSXRZbVJrWkMwME9HTmpMVGswTldFdE1UWTNZakkyTVdJeFpUQmlJaUJ6ZEhsc1pUMGlRMjlzZFcxdUlHaGxZV1JsY2lJZ2VEMGlNell3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVEF3SWlCb1pXbG5hSFE5SWpFNElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhSbGVIUkJiR2xuYm0xbGJuUTlJa05sYm5SbGNpSWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFBqd2hXME5FUVZSQlcxUmhjbWRsZEYxZFBqd3ZkR1Y0ZEQ0TkNna0pDUWtKQ1R3dmMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNUeHpkR0YwYVdOVVpYaDBQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpnMll6YzBZbVZpTFdKa1pHUXRORGhqWXkwNU5EVmhMVEUyTjJJeU5qRmlNV1V3WWlJZ2MzUjViR1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSGc5SWpRMk1DSWdlVDBpTUNJZ2QybGtkR2c5SWpnd0lpQm9aV2xuYUhROUlqRTRJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIUmxlSFJCYkdsbmJtMWxiblE5SWtObGJuUmxjaUlnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBQandoVzBORVFWUkJXMDkxZEdOdmJXVmRYVDQ4TDNSbGVIUStEUW9KQ1FrSkNRazhMM04wWVhScFkxUmxlSFErRFFvSkNRa0pDUWs4YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0IxZFdsa1BTSTRObU0zTkdKbFlpMWlaR1JrTFRRNFkyTXRPVFExWVMweE5qZGlNall4WWpGbE1HSWlJSE4wZVd4bFBTSkRiMngxYlc0Z2FHVmhaR1Z5SWlCNFBTSTFOREFpSUhrOUlqQWlJSGRwWkhSb1BTSXhOakFpSUdobGFXZG9kRDBpTVRnaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlRMlZ1ZEdWeUlpQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlRXVnpjMkZuWlYxZFBqd3ZkR1Y0ZEQ0TkNna0pDUWtKQ1R3dmMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNUeHpkR0YwYVdOVVpYaDBQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpnMll6YzBZbVZpTFdKa1pHUXRORGhqWXkwNU5EVmhMVEUyTjJJeU5qRmlNV1V3WWlJZ2MzUjViR1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSGc5SWpjd01DSWdlVDBpTUNJZ2QybGtkR2c5SWpFd01DSWdhR1ZwWjJoMFBTSXhPQ0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjBaWGgwUVd4cFoyNXRaVzUwUFNKRFpXNTBaWElpSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRFWld4MFlWMWRQand2ZEdWNGRENE5DZ2tKQ1FrSkNUd3ZjM1JoZEdsalZHVjRkRDROQ2drSkNRa0pQQzltY21GdFpUNE5DZ2tKQ1FrOEwySmhibVErRFFvSkNRazhMMk52YkhWdGJraGxZV1JsY2o0TkNna0pDVHhrWlhSaGFXdytEUW9KQ1FrSlBHSmhibVFnYUdWcFoyaDBQU0l4TlNJZ2MzQnNhWFJVZVhCbFBTSlRkSEpsZEdOb0lqNE5DZ2tKQ1FrSlBHWnlZVzFsUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaU0yVTRabVJrTm1RdFlUWm1aaTAwTkRBM0xUbGhNV1V0TldRMllqUTNNRFl6TURCaElpQnpkSGxzWlQwaVJHVjBZV2xzSWlCdGIyUmxQU0pQY0dGeGRXVWlJSGc5SWpBaUlIazlJakFpSUhkcFpIUm9QU0k0TURBaUlHaGxhV2RvZEQwaU1UUWlMejROQ2drSkNRa0pDVHgwWlhoMFJtbGxiR1FnYVhOVGRISmxkR05vVjJsMGFFOTJaWEptYkc5M1BTSjBjblZsSWlCd1lYUjBaWEp1UFNKa1pDNU5UUzU1ZVN3Z1NFZzZiVzA2YzNNaVBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJakk0WW1JNVlqUTNMV0UyT1dNdE5EaGxNUzA1TURjekxXUTFOR1E1TWpZeU5ESmxPQ0lnYzNSNWJHVTlJa1JsZEdGcGJDSWdlRDBpTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeE15SWdhWE5RY21sdWRGZG9aVzVFWlhSaGFXeFBkbVZ5Wm14dmQzTTlJblJ5ZFdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UkdlM1JwYldWemRHRnRjSDFkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtEUW9KQ1FrSkNRazhMM1JsZUhSR2FXVnNaRDROQ2drSkNRa0pDVHgwWlhoMFJtbGxiR1FnYVhOVGRISmxkR05vVjJsMGFFOTJaWEptYkc5M1BTSjBjblZsSWlCcGMwSnNZVzVyVjJobGJrNTFiR3c5SW5SeWRXVWlQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpJNFltSTVZalEzTFdFMk9XTXRORGhsTVMwNU1EY3pMV1ExTkdRNU1qWXlOREpsT0NJZ2MzUjViR1U5SWtSbGRHRnBiQ0lnZUQwaU1UQXdJaUI1UFNJd0lpQjNhV1IwYUQwaU9EQWlJR2hsYVdkb2REMGlNVE1pSUdselVISnBiblJYYUdWdVJHVjBZV2xzVDNabGNtWnNiM2R6UFNKMGNuVmxJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50cGJtbDBhV0YwYjNKOVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGcwS0NRa0pDUWtKUEM5MFpYaDBSbWxsYkdRK0RRb0pDUWtKQ1FrOGRHVjRkRVpwWld4a0lHbHpVM1J5WlhSamFGZHBkR2hQZG1WeVpteHZkejBpZEhKMVpTSWdhWE5DYkdGdWExZG9aVzVPZFd4c1BTSjBjblZsSWo0TkNna0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0IxZFdsa1BTSXlPR0ppT1dJME55MWhOamxqTFRRNFpURXRPVEEzTXkxa05UUmtPVEkyTWpReVpUZ2lJSE4wZVd4bFBTSkVaWFJoYVd3aUlIZzlJakU0TUNJZ2VUMGlNQ0lnZDJsa2RHZzlJamt3SWlCb1pXbG5hSFE5SWpFeklpQnBjMUJ5YVc1MFYyaGxia1JsZEdGcGJFOTJaWEptYkc5M2N6MGlkSEoxWlNJdlBnMEtDUWtKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IwWlhoMFFXeHBaMjV0Wlc1MFBTSkRaVzUwWlhJaUlIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50bGRtVnVkRlI1Y0dWOUxtZGxkRlI1Y0dVb0tWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0TkNna0pDUWtKQ1R3dmRHVjRkRVpwWld4a1BnMEtDUWtKQ1FrSlBIUmxlSFJHYVdWc1pDQnBjMU4wY21WMFkyaFhhWFJvVDNabGNtWnNiM2M5SW5SeWRXVWlJR2x6UW14aGJtdFhhR1Z1VG5Wc2JEMGlkSEoxWlNJK0RRb0pDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlNamhpWWpsaU5EY3RZVFk1WXkwME9HVXhMVGt3TnpNdFpEVTBaRGt5TmpJME1tVTRJaUJ6ZEhsc1pUMGlSR1YwWVdsc0lpQjRQU0l5TnpBaUlIazlJakFpSUhkcFpIUm9QU0k1TUNJZ2FHVnBaMmgwUFNJeE15SWdhWE5RY21sdWRGZG9aVzVFWlhSaGFXeFBkbVZ5Wm14dmQzTTlJblJ5ZFdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlRMlZ1ZEdWeUlpQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrUENGYlEwUkJWRUZiSkVaN1pYWmxiblJUZEdGblpYMHVaMlYwVTNSaFoyVW9LVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRa0pQSFJsZUhSR2FXVnNaQ0JwYzFOMGNtVjBZMmhYYVhSb1QzWmxjbVpzYjNjOUluUnlkV1VpSUdselFteGhibXRYYUdWdVRuVnNiRDBpZEhKMVpTSStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpTWpoaVlqbGlORGN0WVRZNVl5MDBPR1V4TFRrd056TXRaRFUwWkRreU5qSTBNbVU0SWlCemRIbHNaVDBpUkdWMFlXbHNJaUI0UFNJek5qQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE1EQWlJR2hsYVdkb2REMGlNVE1pSUdselVISnBiblJYYUdWdVJHVjBZV2xzVDNabGNtWnNiM2R6UFNKMGNuVmxJajROQ2drSkNRa0pDUWtKUEhCeWFXNTBWMmhsYmtWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYklTUkdlM1JoY21kbGRGUjVjR1Y5TG1WeGRXRnNjeWh1ZFd4c0tWMWRQand2Y0hKcGJuUlhhR1Z1Ulhod2NtVnpjMmx2Ymo0TkNna0pDUWtKQ1FrOEwzSmxjRzl5ZEVWc1pXMWxiblErRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50MFlYSm5aWFJPWVcxbGZTQXJJQ0lnS0NJZ0t5QWtSbnQwWVhKblpYUlVlWEJsZlNBcklDSXBJQ0pkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtEUW9KQ1FrSkNRazhMM1JsZUhSR2FXVnNaRDROQ2drSkNRa0pDVHgwWlhoMFJtbGxiR1FnYVhOVGRISmxkR05vVjJsMGFFOTJaWEptYkc5M1BTSjBjblZsSWlCcGMwSnNZVzVyVjJobGJrNTFiR3c5SW5SeWRXVWlQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpJNFltSTVZalEzTFdFMk9XTXRORGhsTVMwNU1EY3pMV1ExTkdRNU1qWXlOREpsT0NJZ2MzUjViR1U5SWtSbGRHRnBiQ0lnZUQwaU5EWXdJaUI1UFNJd0lpQjNhV1IwYUQwaU9EQWlJR2hsYVdkb2REMGlNVE1pSUdselVISnBiblJYYUdWdVJHVjBZV2xzVDNabGNtWnNiM2R6UFNKMGNuVmxJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIUmxlSFJCYkdsbmJtMWxiblE5SWtObGJuUmxjaUlnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UkdlMjkxZEdOdmJXVjlMbWRsZEZOamFHVnRZVlpoYkhWbEtDbGRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1FrOEwzUmxlSFJHYVdWc1pENE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUWdhWE5UZEhKbGRHTm9WMmwwYUU5MlpYSm1iRzkzUFNKMGNuVmxJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJakk0WW1JNVlqUTNMV0UyT1dNdE5EaGxNUzA1TURjekxXUTFOR1E1TWpZeU5ESmxPQ0lnYzNSNWJHVTlJa1JsZEdGcGJDSWdlRDBpTlRRd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRZd0lpQm9aV2xuYUhROUlqRXpJaUJwYzFCeWFXNTBWMmhsYmtSbGRHRnBiRTkyWlhKbWJHOTNjejBpZEhKMVpTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRVo3YldWemMyRm5aWDFkWFQ0OEwzUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtEUW9KQ1FrSkNRazhMM1JsZUhSR2FXVnNaRDROQ2drSkNRa0pDVHgwWlhoMFJtbGxiR1FnYVhOVGRISmxkR05vVjJsMGFFOTJaWEptYkc5M1BTSjBjblZsSWlCcGMwSnNZVzVyVjJobGJrNTFiR3c5SW5SeWRXVWlQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpJNFltSTVZalEzTFdFMk9XTXRORGhsTVMwNU1EY3pMV1ExTkdRNU1qWXlOREpsT0NJZ2MzUjViR1U5SWtSbGRHRnBiQ0lnZUQwaU56QXdJaUI1UFNJd0lpQjNhV1IwYUQwaU1UQXdJaUJvWldsbmFIUTlJakV6SWlCcGMxQnlhVzUwVjJobGJrUmxkR0ZwYkU5MlpYSm1iRzkzY3owaWRISjFaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjRnWTJ4aGMzTTlJbXBoZG1FdWJHRnVaeTVUZEhKcGJtY2lQandoVzBORVFWUkJXMUpsY0c5eWRGVjBhV3h6TG1kbGRFUmxiSFJoUVhWa2FYUW9KRVo3WkdWc2RHRjlLVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRa0pQR3hwYm1VK0RRb0pDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlORGRtT1RFNE1ERXRZMlkxWmkwMFltVmtMV0l4T1dNdFkyRXpPVE14WTJKbU9UaGtJaUJ3YjNOcGRHbHZibFI1Y0dVOUlrWnBlRkpsYkdGMGFYWmxWRzlDYjNSMGIyMGlJRzF2WkdVOUlrOXdZWEYxWlNJZ2VEMGlNQ0lnZVQwaU1UTWlJSGRwWkhSb1BTSTRNREFpSUdobGFXZG9kRDBpTVNJZ1ptOXlaV052Ykc5eVBTSWpNek16TXpNeklpOCtEUW9KQ1FrSkNRazhMMnhwYm1VK0RRb0pDUWtKQ1R3dlpuSmhiV1UrRFFvSkNRa0pQQzlpWVc1a1BnMEtDUWtKUEM5a1pYUmhhV3crRFFvSkNRazhZMjlzZFcxdVJtOXZkR1Z5UGcwS0NRa0pDVHhpWVc1a0lHaGxhV2RvZEQwaU55SWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JajROQ2drSkNRa0pQR3hwYm1VK0RRb0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0IxZFdsa1BTSmhOVGt4WkRSak1TMHhZMkZrTFRSa1lUSXRPV1k1WkMwd09ERm1OVE01WlRrd05ETWlJSEJ2YzJsMGFXOXVWSGx3WlQwaVJtbDRVbVZzWVhScGRtVlViMEp2ZEhSdmJTSWdlRDBpTUNJZ2VUMGlNeUlnZDJsa2RHZzlJamd3TUNJZ2FHVnBaMmgwUFNJeElpOCtEUW9KQ1FrSkNRazhaM0poY0docFkwVnNaVzFsYm5RK0RRb0pDUWtKQ1FrSlBIQmxiaUJzYVc1bFYybGtkR2c5SWpBdU5TSWdiR2x1WlVOdmJHOXlQU0lqT1RrNU9UazVJaTgrRFFvSkNRa0pDUWs4TDJkeVlYQm9hV05GYkdWdFpXNTBQZzBLQ1FrSkNRazhMMnhwYm1VK0RRb0pDUWtKUEM5aVlXNWtQZzBLQ1FrSlBDOWpiMngxYlc1R2IyOTBaWEkrRFFvSkNRazhjR0ZuWlVadmIzUmxjajROQ2drSkNRazhZbUZ1WkNCb1pXbG5hSFE5SWpNeUlpQnpjR3hwZEZSNWNHVTlJbE4wY21WMFkyZ2lQZzBLQ1FrSkNRazhabkpoYldVK0RRb0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0IxZFdsa1BTSm1ZbVU0WVdGbE5DMDJOVEF3TFRRMk9HRXRZakZsT0MwM01EQmlOVFk1TVRNNVlURWlJSE4wZVd4bFBTSlFZV2RsSUdadmIzUmxjaUlnYlc5a1pUMGlWSEpoYm5Od1lYSmxiblFpSUhnOUlqQWlJSGs5SWpFaUlIZHBaSFJvUFNJNE1EQWlJR2hsYVdkb2REMGlNalFpSUdadmNtVmpiMnh2Y2owaUl6QXdNREF3TUNJZ1ltRmphMk52Ykc5eVBTSWpNalkzT1RrMElpOCtEUW9KQ1FrSkNRazhkR1Y0ZEVacFpXeGtJSEJoZEhSbGNtNDlJa1ZGUlVWRklHUmtJRTFOVFUxTklIbDVlWGtpUGcwS0NRa0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSFYxYVdROUlqSTRZbUk1WWpRM0xXRTJPV010TkRobE1TMDVNRGN6TFdRMU5HUTVNall5TkRKbE9DSWdjM1I1YkdVOUlsQmhaMlVnWm05dmRHVnlJaUI0UFNJeUlpQjVQU0l4SWlCM2FXUjBhRDBpTVRrM0lpQm9aV2xuYUhROUlqSXdJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnR1WlhjZ2FtRjJZUzUxZEdsc0xrUmhkR1VvS1YxZFBqd3ZkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajROQ2drSkNRa0pDVHd2ZEdWNGRFWnBaV3hrUGcwS0NRa0pDUWtKUEhSbGVIUkdhV1ZzWkQ0TkNna0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0IxZFdsa1BTSTFZekEyTW1NMk5pMWlZVFExTFRReU9EZ3RPV1JqWkMweU5EWmxNamhqTldGbU56VWlJSE4wZVd4bFBTSlFZV2RsSUdadmIzUmxjaUlnZUQwaU5qZ3dJaUI1UFNJeElpQjNhV1IwYUQwaU9EQWlJR2hsYVdkb2REMGlNakFpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkR1Y0ZEVGc2FXZHViV1Z1ZEQwaVVtbG5hSFFpSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2lVR0ZuWlNBaUt5UldlMUJCUjBWZlRsVk5Ra1ZTZlNzaUlHOW1JbDFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRa0pQSFJsZUhSR2FXVnNaQ0JsZG1Gc2RXRjBhVzl1VkdsdFpUMGlVbVZ3YjNKMElqNE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0k1TXpSaU1UWmxPQzFqTTJWaUxUUXdNVGN0T0RZMllTMHdZamMzTXpWaVpqSTVNVGNpSUhOMGVXeGxQU0pRWVdkbElHWnZiM1JsY2lJZ2VEMGlOell3SWlCNVBTSXhJaUIzYVdSMGFEMGlOREFpSUdobGFXZG9kRDBpTWpBaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5SWdJaUFySUNSV2UxQkJSMFZmVGxWTlFrVlNmVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRazhMMlp5WVcxbFBnMEtDUWtKQ1R3dlltRnVaRDROQ2drSkNUd3ZjR0ZuWlVadmIzUmxjajROQ2drSkNUeHpkVzF0WVhKNVBnMEtDUWtKQ1R4aVlXNWtJSE53YkdsMFZIbHdaVDBpVTNSeVpYUmphQ0l2UGcwS0NRa0pQQzl6ZFcxdFlYSjVQZzBLQ1FrOEwycGhjM0JsY2xKbGNHOXlkRDQ9</template>
-   <templateStyle>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWo4K0RRbzhJVVJQUTFSWlVFVWdhbUZ6Y0dWeVZHVnRjR3hoZEdVTkNpQWdVRlZDVEVsRElDSXRMeTlLWVhOd1pYSlNaWEJ2Y25Sekx5OUVWRVFnVkdWdGNHeGhkR1V2TDBWT0lnMEtJQ0FpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJSMFpITXZhbUZ6Y0dWeWRHVnRjR3hoZEdVdVpIUmtJajROQ2p4cVlYTndaWEpVWlcxd2JHRjBaVDROQ2lBZ0lDQUpDVHh6ZEhsc1pTQm1iMjUwVG1GdFpUMGlSR1ZxWVZaMUlGTmhibk1pSUdadmJuUlRhWHBsUFNJeE1DSWdhRUZzYVdkdVBTSk1aV1owSWlCcGMwUmxabUYxYkhROUluUnlkV1VpSUdselVHUm1SVzFpWldSa1pXUTlJblJ5ZFdVaUlBMEtDUWtKQ1NBZ0lHNWhiV1U5SWtKaGMyVWlJSEJrWmtWdVkyOWthVzVuUFNKSlpHVnVkR2wwZVMxSUlpQndaR1pHYjI1MFRtRnRaVDBpUkdWcVlWWjFVMkZ1Y3k1MGRHWWlJSFpCYkdsbmJqMGlUV2xrWkd4bElqNE5DZ2tKQ1R3dmMzUjViR1UrRFFvSkNRazhjM1I1YkdVZ1ltRmphMk52Ykc5eVBTSWpNalkzT1RrMElpQm1iMjUwVTJsNlpUMGlNallpSUdadmNtVmpiMnh2Y2owaUkwWkdSa1pHUmlJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnRiMlJsUFNKUGNHRnhkV1VpSUc1aGJXVTlJbFJwZEd4bElpQnpkSGxzWlQwaVFtRnpaU0l2UGlBTkNna0pDVHh6ZEhsc1pTQm1iMjUwVTJsNlpUMGlNVElpSUdadmNtVmpiMnh2Y2owaUl6QXdNREF3TUNJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJZ2JtRnRaVDBpVUdGblpTQm9aV0ZrWlhJaURRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjM1I1YkdVOUlrSmhjMlVpTHo0TkNna0pDVHh6ZEhsc1pTQmlZV05yWTI5c2IzSTlJaU16TXpNek16TWlJR1p2Ym5SVGFYcGxQU0l4TWlJZ1ptOXlaV052Ykc5eVBTSWpSa1pHUmtaR0lpQm9RV3hwWjI0OUlrTmxiblJsY2lJTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBjMFJsWm1GMWJIUTlJbVpoYkhObElpQnRiMlJsUFNKUGNHRnhkV1VpSUc1aGJXVTlJa052YkhWdGJpQm9aV0ZrWlhJaUlITjBlV3hsUFNKQ1lYTmxJaTgrRFFvSkNRazhjM1I1YkdVZ2FYTkNiMnhrUFNKbVlXeHpaU0lnYVhORVpXWmhkV3gwUFNKbVlXeHpaU0lnYm1GdFpUMGlSR1YwWVdsc0lpQnpkSGxzWlQwaVFtRnpaU0l2UGcwS0NRa0pQSE4wZVd4bElHWnZiblJUYVhwbFBTSTVJaUJtYjNKbFkyOXNiM0k5SWlNd01EQXdNREFpSUdselJHVm1ZWFZzZEQwaVptRnNjMlVpSUc1aGJXVTlJbEJoWjJVZ1ptOXZkR1Z5SWcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lITjBlV3hsUFNKQ1lYTmxJaTgrRFFvSkNUd3ZhbUZ6Y0dWeVZHVnRjR3hoZEdVKw==</templateStyle>
-	<orientation>landscape</orientation>
-	<export>pdf</export>
-	<!-- set to true if report needs hibernate session (e.g. hql query is used) -->
-	<useHibernateSession>true</useHibernateSession>
-	<field>
-		<nameReport>timestamp</nameReport>
-		<nameHeader>Timestamp</nameHeader>
-		<itemPath>c:timestamp</itemPath>
-		<sortOrderNumber>1</sortOrderNumber>
-		<sortOrder>ascending</sortOrder>
-		<width>12</width>
-		<classType>xsd:dateTime</classType>
-	</field>
-	<field>
-		<nameReport>initiatorName</nameReport>
-		<nameHeader>Initiator</nameHeader>
-		<itemPath>c:initiatorName</itemPath>
-		<width>10</width>
-		<classType>xsd:string</classType>
-	</field>
-	<field>
-		<nameReport>eventType</nameReport>
-		<nameHeader>Event Type</nameHeader>
-		<itemPath>c:eventType</itemPath>
-		<width>12</width>
-		<classType>c:AuditEventType</classType>
-	</field>
-	<field>
-		<nameReport>eventStage</nameReport>
-		<nameHeader>Event Stage</nameHeader>
-		<itemPath>c:eventStage</itemPath>
-		<width>12</width>
-		<classType>c:AuditEventStage</classType>
-	</field>
-	<field>
-		<nameReport>targetName</nameReport>
-		<nameHeader>Target</nameHeader>
-		<itemPath>c:targetName</itemPath>
-		<width>10</width>
-		<classType>xsd:string</classType>
-	</field>
-	<field>
-		<nameReport>outcome</nameReport>
-		<nameHeader>Outcome</nameHeader>
-		<itemPath>c:outcome</itemPath>
-		<width>12</width>
-		<classType>c:OperationResultStatusType</classType>
-	</field>
-	<field>
-		<nameReport>message</nameReport>
-		<nameHeader>Message</nameHeader>
-		<itemPath>c:message</itemPath>
-		<width>20</width>
-		<classType>xsd:string</classType>
-	</field>
-	<field>
-		<nameReport>delta</nameReport>
-		<nameHeader>Delta</nameHeader>
-		<itemPath>c:delta</itemPath>
-		<width>12</width>
-		<classType>xsd:string</classType>
-	</field>
-	<!-- configuration properties -->
-	<configuration xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report">
-		<r:hqlQuery>select aer.timestamp as timestamp, 
-					aer.initiatorName as initiator, 
-					aer.eventType as eventType, 
-					aer.eventStage as eventStage, 
-					aer.targetName as targetName, 
-					aer.targetType as targetType, 
-					aer.targetOwnerName as targetOwnerName,
-					aer.outcome as outcome, 
-					aer.message as message, 
-					odo.delta as delta 
-					from RObjectDeltaOperation as odo 
-					join odo.record as aer 
-					where ($P{eventType} = null or aer.eventType = $P{eventType}) and aer.timestamp &gt;= $P{from} and aer.timestamp &lt;= $P{to} 
-					order by aer.timestamp
-		</r:hqlQuery>
-		<r:from>2000-01-01T00:00:00</r:from>
-		<r:to>2020-12-31T00:00:00</r:to>
-	</configuration>
-	<!-- report parameters configuration schema sample with different options -->
-	<configurationSchema>
-		<definition>
-			<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-                    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
-                    xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report"
-                    elementFormDefault="qualified"
-                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/report">
-
-				<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/query-3"/>
-
-				<xsd:complexType name="ConfigurationType">
-					<xsd:annotation>
-						<xsd:appinfo>
-							<a:container/>
-						</xsd:appinfo>
-					</xsd:annotation>
-					<xsd:sequence>
-
-						<!-- HQL query for jasper design (queryString element) -->
-						<xsd:element name="hqlQuery" type="xsd:string"/>
-
-						<!-- special audit configuration -->
-						<xsd:element name="from" type="xsd:dateTime">
-							<xsd:annotation>
-								<xsd:appinfo>
-									<a:displayName>From:</a:displayName>
-								</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:element>
-
-						<xsd:element name="to" type="xsd:dateTime">
-							<xsd:annotation>
-								<xsd:appinfo>
-									<a:displayName>To:</a:displayName>
-								</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:element>
-						<xsd:element name="eventType" type="r:EventType"/>
-						
-						<xsd:element name="eventDescription" type="xsd:string">
-							<xsd:annotation>
-								<xsd:appinfo>
-									<a:displayName>Event Type:</a:displayName>
-								</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:element>
-					</xsd:sequence>
-				</xsd:complexType>
-
-				<xsd:simpleType name="EventType">
-					<xsd:restriction base="xsd:int">
-						<xsd:enumeration value="null">
-							<xsd:annotation>
-								<xsd:appinfo>All</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="0">
-							<xsd:annotation>
-								<xsd:appinfo>Get object</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="1">
-							<xsd:annotation>
-								<xsd:appinfo>Add object</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="2">
-							<xsd:annotation>
-								<xsd:appinfo>Modify object</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="3">
-							<xsd:annotation>
-								<xsd:appinfo>Delete object</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="4">
-							<xsd:annotation>
-								<xsd:appinfo>Execute changes raw</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="5">
-							<xsd:annotation>
-								<xsd:appinfo>Synchronization</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="6">
-							<xsd:annotation>
-								<xsd:appinfo>Create session</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="7">
-							<xsd:annotation>
-								<xsd:appinfo>Terminate session</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="8">
-							<xsd:annotation>
-								<xsd:appinfo>Work item</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="9">
-							<xsd:annotation>
-								<xsd:appinfo>Workflow process instance</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-						<xsd:enumeration value="10">
-							<xsd:annotation>
-								<xsd:appinfo>Reconciliation</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:enumeration>
-					</xsd:restriction>
-				</xsd:simpleType>
-
-				<xsd:element name="configuration" type="r:ConfigurationType"/>
-			</xsd:schema>
-		</definition>
-	</configurationSchema>
-</report>
diff --git a/model/report-impl/src/test/resources/reports/reportDataSourceTest.jrxml b/model/report-impl/src/test/resources/reports/reportDataSourceTest.jrxml
deleted file mode 100644
index d5ba757e1be..00000000000
--- a/model/report-impl/src/test/resources/reports/reportDataSourceTest.jrxml
+++ /dev/null
@@ -1,162 +0,0 @@
-<jasperReport 
-	xmlns="http://jasperreports.sourceforge.net/jasperreports" 
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-	xsi:schemaLocation="http://jasperreports.sourceforge.net/jasperreports http://jasperreports.sourceforge.net/xsd/jasperreport.xsd" 
-	name="reportDataSourceTest" 
-	pageWidth="842" 
-	pageHeight="595" 
-	orientation="Landscape" 
-	whenNoDataType="AllSectionsNoDetail" 
-	columnWidth="802" 
-	leftMargin="20" 
-	rightMargin="20" 
-	topMargin="20" 
-	bottomMargin="20" 
-	uuid="67e465c5-46ea-40d2-bea0-469c6cf38937">
-	<template><![CDATA[$P{baseTemplateStyles}]]></template>
-	<parameter name="baseTemplateStyles" class="java.lang.String"/>
-	<parameter name="logoPath" class="java.lang.String"/>
-	<field name="Name" class="java.lang.String"/>
-	<field name="FirstName" class="java.lang.String"/>
-	<field name="LastName" class="java.lang.String"/>
-	<field name="Activation" class="java.lang.String"/>
-	<sortField name="Name"/>
-	<background>
-		<band height="30" splitType="Stretch"/>
-	</background>
-	<title>
-		<band height="110" splitType="Stretch">
-			<frame>
-				<reportElement style="Title" mode="Opaque" x="1" y="0" width="799" height="67" backcolor="#267994" uuid="44bedacc-fa23-4fe1-b71f-e5afa943f553"/>
-				<staticText>
-					<reportElement style="Title" x="10" y="13" width="266" height="38" uuid="f2d99cad-9d84-4f50-b455-453c87f62c4c"/>
-					<textElement verticalAlignment="Middle"/>
-					<text><![CDATA[User Report]]></text>
-				</staticText>
-				<image>
-					<reportElement style="Title" x="589" y="13" width="203" height="45" uuid="b0a76e6a-8f61-4d60-8dcd-3e51adb4cd4c"/>
-					<imageExpression><![CDATA[$P{logoPath}]]></imageExpression>
-				</image>
-			</frame>
-			<staticText>
-				<reportElement style="Page header" x="400" y="87" width="150" height="20" uuid="3ff78fbf-8fce-4072-b691-7af047ea92a7"/>
-				<textElement verticalAlignment="Middle"/>
-				<text><![CDATA[Number of records:]]></text>
-			</staticText>
-			<textField pattern="EEEEE dd MMMMM yyyy, HH:mm:ss">
-				<reportElement style="Page header" x="550" y="67" width="250" height="20" uuid="09a7e272-204e-4078-8a5e-e472757424c1"/>
-				<textElement textAlignment="Right" verticalAlignment="Middle">
-					<font isBold="false"/>
-				</textElement>
-				<textFieldExpression><![CDATA[new java.util.Date()]]></textFieldExpression>
-			</textField>
-			<staticText>
-				<reportElement style="Page header" x="400" y="67" width="150" height="20" uuid="b0b9714f-96f5-4f58-824b-c81fd4d321f7"/>
-				<textElement verticalAlignment="Middle"/>
-				<text><![CDATA[Report generated on:]]></text>
-			</staticText>
-			<textField evaluationTime="Report" isBlankWhenNull="true">
-				<reportElement style="Page header" x="550" y="87" width="250" height="20" uuid="89251211-3f49-471d-b88d-5564c1bd04d1"/>
-				<textElement textAlignment="Right" verticalAlignment="Middle">
-					<font isBold="false"/>
-				</textElement>
-				<textFieldExpression><![CDATA[$V{REPORT_COUNT}]]></textFieldExpression>
-			</textField>
-		</band>
-	</title>
-	<pageHeader>
-		<band splitType="Stretch"/>
-	</pageHeader>
-	<columnHeader>
-		<band height="24" splitType="Stretch">
-			<frame>
-				<reportElement style="Column header" mode="Transparent" x="1" y="5" width="800" height="19" isRemoveLineWhenBlank="true" uuid="3e8fdd6d-a6ff-4407-9a1e-5d6b4706300a"/>
-				<staticText>
-					<reportElement style="Column header" x="0" y="0" width="119" height="18" uuid="86c74beb-bddd-48cc-945a-167b261b1e0b"/>
-					<textElement verticalAlignment="Middle"/>
-					<text><![CDATA[Name]]></text>
-				</staticText>
-				<staticText>
-					<reportElement style="Column header" x="119" y="0" width="100" height="18" uuid="86c74beb-bddd-48cc-945a-167b261b1e0b"/>
-					<textElement verticalAlignment="Middle"/>
-					<text><![CDATA[First name]]></text>
-				</staticText>
-				<staticText>
-					<reportElement style="Column header" x="219" y="0" width="100" height="18" uuid="86c74beb-bddd-48cc-945a-167b261b1e0b"/>
-					<textElement verticalAlignment="Middle"/>
-					<text><![CDATA[Last name]]></text>
-				</staticText>
-				<staticText>
-					<reportElement style="Column header" x="319" y="0" width="100" height="18" uuid="86c74beb-bddd-48cc-945a-167b261b1e0b"/>
-					<textElement verticalAlignment="Middle"/>
-					<text><![CDATA[Activation]]></text>
-				</staticText>
-			</frame>
-		</band>
-	</columnHeader>
-	<detail>
-		<band height="20" splitType="Prevent">
-			<frame>
-				<reportElement style="Detail" x="0" y="1" width="800" height="19" uuid="3e8fdd6d-a6ff-4407-9a1e-5d6b4706300a"/>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement style="Detail" x="0" y="1" width="120" height="18" uuid="ebaef16d-2903-4029-9a6b-d4d244558ae9"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{Name}]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement style="Detail" x="120" y="1" width="100" height="18" uuid="28bb9b47-a69c-48e1-9073-d54d926242e8"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{FirstName}]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement style="Detail" x="220" y="1" width="100" height="18" uuid="28bb9b47-a69c-48e1-9073-d54d926242e8"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{LastName}]]></textFieldExpression>
-				</textField>
-				<textField isStretchWithOverflow="true" isBlankWhenNull="true">
-					<reportElement style="Detail" x="320" y="1" width="100" height="18" uuid="28bb9b47-a69c-48e1-9073-d54d926242e8"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[$F{Activation}]]></textFieldExpression>
-				</textField>
-				<line>
-					<reportElement positionType="FixRelativeToBottom" x="0" y="17" width="800" height="1" uuid="a591d4c1-1cad-4da2-9f9d-081f539e9043"/>
-					<graphicElement>
-						<pen lineWidth="0.5" lineColor="#999999"/>
-					</graphicElement>
-				</line>
-			</frame>
-		</band>
-	</detail>
-	<columnFooter>
-		<band height="7" splitType="Stretch">
-			<line>
-				<reportElement positionType="FixRelativeToBottom" x="0" y="3" width="800" height="1" uuid="a591d4c1-1cad-4da2-9f9d-081f539e9043"/>
-				<graphicElement>
-					<pen lineWidth="0.5" lineColor="#999999"/>
-				</graphicElement>
-			</line>
-		</band>
-	</columnFooter>
-	<pageFooter>
-		<band height="32" splitType="Stretch">
-			<frame>
-				<reportElement style="Page footer" mode="Transparent" x="0" y="1" width="800" height="24" uuid="fbe8aae4-6500-468a-b1e8-700b569139a1"/>
-				<textField>
-					<reportElement style="Page footer" x="680" y="1" width="80" height="20" uuid="5c062c66-ba45-4288-9dcd-246e28c5af75"/>
-					<textElement textAlignment="Right" verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA["Page "+$V{PAGE_NUMBER}+" of"]]></textFieldExpression>
-				</textField>
-				<textField pattern="EEEEE dd MMMMM yyyy">
-					<reportElement style="Page footer" x="2" y="1" width="197" height="20" uuid="28bb9b47-a69c-48e1-9073-d54d926242e8"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[new java.util.Date()]]></textFieldExpression>
-				</textField>
-				<textField evaluationTime="Report">
-					<reportElement style="Page footer" x="760" y="1" width="40" height="20" uuid="934b16e8-c3eb-4017-866a-0b7735bf2917"/>
-					<textElement verticalAlignment="Middle"/>
-					<textFieldExpression><![CDATA[" " + $V{PAGE_NUMBER}]]></textFieldExpression>
-				</textField>
-			</frame>
-		</band>
-	</pageFooter>
-</jasperReport>
\ No newline at end of file
diff --git a/model/report-impl/src/test/resources/reports/reportReconciliation.xml b/model/report-impl/src/test/resources/reports/reportReconciliation.xml
deleted file mode 100644
index f0b757054f6..00000000000
--- a/model/report-impl/src/test/resources/reports/reportReconciliation.xml
+++ /dev/null
@@ -1,139 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
-		oid="RECONCIL-3333-3333-TEST-10000000000"
-        version="0">
-	<name>Reconciliation report</name>
-	<description>Reconciliation report for selected resource.</description>
-	<!-- flag if this report is "parent" report, used for gui -->
-	<parent>true</parent>
-	<template>UEdwaGMzQmxjbEpsY0c5eWRDQU5DaUFnSUNBSkNYaHRiRzV6UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeUlnRFFvSkNRbDRiV3h1Y3pwNGMyazlJbWgwZEhBNkx5OTNkM2N1ZHpNdWIzSm5Mekl3TURFdldFMU1VMk5vWlcxaExXbHVjM1JoYm1ObElpQU5DZ2tKQ1hoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOXFZWE53WlhKeVpYQnZjblF1ZUhOa0lpQU5DZ2tKQ1c1aGJXVTlJbkpsY0c5eWRGSmxZMjl1WTJsc2FXRjBhVzl1SWlBTkNna0pDWEJoWjJWWGFXUjBhRDBpT0RReUlpQU5DZ2tKQ1hCaFoyVklaV2xuYUhROUlqVTVOU0lnRFFvSkNRbHZjbWxsYm5SaGRHbHZiajBpVEdGdVpITmpZWEJsSWlBTkNna0pDWGRvWlc1T2IwUmhkR0ZVZVhCbFBTSkJiR3hUWldOMGFXOXVjMDV2UkdWMFlXbHNJaUFOQ2drSkNXTnZiSFZ0YmxkcFpIUm9QU0k0TURJaUlBMEtDUWtKYkdWbWRFMWhjbWRwYmowaU1qQWlJQTBLQ1FrSmNtbG5hSFJOWVhKbmFXNDlJakl3SWlBTkNna0pDWFJ2Y0UxaGNtZHBiajBpTWpBaUlBMEtDUWtKWW05MGRHOXRUV0Z5WjJsdVBTSXlNQ0lnRFFvSkNRbDFkV2xrUFNJMk4yVTBOalZqTlMwME5tVmhMVFF3WkRJdFltVmhNQzAwTmpsak5tTm1Nemc1TXpjaVBnMEtDUWtKUEhCeWIzQmxjblI1SUc1aGJXVTlJbTVsZEM1elppNXFZWE53WlhKeVpYQnZjblJ6TG1GM2RDNXBaMjV2Y21VdWJXbHpjMmx1Wnk1bWIyNTBJaUIyWVd4MVpUMGlkSEoxWlNJdlBnMEtDUWtKUEhCeWIzQmxjblI1SUc1aGJXVTlJbTVsZEM1elppNXFZWE53WlhKeVpYQnZjblJ6TG1WNGNHOXlkQzV3WkdZdVptOXlZMlV1YkdsdVpXSnlaV0ZyTG5CdmJHbGplU0lnZG1Gc2RXVTlJblJ5ZFdVaUx6NE5DZ2tKQ1R4d2NtOXdaWEowZVNCdVlXMWxQU0p1WlhRdWMyWXVhbUZ6Y0dWeWNtVndiM0owY3k1bGVIQnZjblF1WTNOMkxtVjRZMngxWkdVdWIzSnBaMmx1TG1KaGJtUXVNU0lnZG1Gc2RXVTlJblJwZEd4bElpOCtEUW9KQ1FrOGNISnZjR1Z5ZEhrZ2JtRnRaVDBpYm1WMExuTm1MbXBoYzNCbGNuSmxjRzl5ZEhNdVpYaHdiM0owTG1OemRpNWxlR05zZFdSbExtOXlhV2RwYmk1aVlXNWtMaklpSUhaaGJIVmxQU0p3WVdkbFJtOXZkR1Z5SWk4K0RRb0pDUWs4Y0dGeVlXMWxkR1Z5SUc1aGJXVTlJbWh4YkZGMVpYSjVJaUJqYkdGemN6MGlhbUYyWVM1c1lXNW5MbE4wY21sdVp5SXZQZzBLQ1FrSlBIQmhjbUZ0WlhSbGNpQnVZVzFsUFNKeVpYTnZkWEpqWlU5cFpDSWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUx6NE5DZ2tKQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpY21WemIzVnlZMlZPWVcxbElpQmpiR0Z6Y3owaWFtRjJZUzVzWVc1bkxsTjBjbWx1WnlJdlBnMEtDUWtKUEhCaGNtRnRaWFJsY2lCdVlXMWxQU0p2WW1wbFkzUkRiR0Z6Y3lJZ1kyeGhjM005SW1waGRtRXViR0Z1Wnk1VGRISnBibWNpTHo0TkNna0pDVHh3WVhKaGJXVjBaWElnYm1GdFpUMGlhVzUwWlc1MElpQmpiR0Z6Y3owaWFtRjJZUzVzWVc1bkxsTjBjbWx1WnlJdlBnMEtDUWtKUEhGMVpYSjVVM1J5YVc1bklHeGhibWQxWVdkbFBTSm9jV3dpUGp3aFcwTkVRVlJCV3lSUUlYdG9jV3hSZFdWeWVYMWRYVDQ4TDNGMVpYSjVVM1J5YVc1blBnMEtDUWtKUEdacFpXeGtJRzVoYldVOUluVnpaWEp1WVcxbElpQmpiR0Z6Y3owaWFtRjJZUzVzWVc1bkxsTjBjbWx1WnlJdlBnMEtDUWtKUEdacFpXeGtJRzVoYldVOUltNWhiV1VpSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaTgrRFFvSkNRazhabWxsYkdRZ2JtRnRaVDBpYzJsMGRXRjBhVzl1SWlCamJHRnpjejBpWTI5dExtVjJiMngyWlhWdExtMXBaSEJ2YVc1MExuSmxjRzh1YzNGc0xtUmhkR0V1WTI5dGJXOXVMbVZ1ZFcxekxsSlRlVzVqYUhKdmJtbDZZWFJwYjI1VGFYUjFZWFJwYjI0aVBnMEtDUWtKQ1R4bWFXVnNaRVJsYzJOeWFYQjBhVzl1UGp3aFcwTkVRVlJCVzNOcGRIVmhkR2x2YmwxZFBqd3ZabWxsYkdSRVpYTmpjbWx3ZEdsdmJqNE5DZ2tKQ1R3dlptbGxiR1ErRFFvSkNRazhabWxsYkdRZ2JtRnRaVDBpYzJsMGRXRjBhVzl1VkdsdFpYTjBZVzF3SWlCamJHRnpjejBpYW1GMllYZ3VlRzFzTG1SaGRHRjBlWEJsTGxoTlRFZHlaV2R2Y21saGJrTmhiR1Z1WkdGeUlpOCtEUW9KQ1FrOFltRmphMmR5YjNWdVpENE5DZ2tKQ1FrOFltRnVaQ0J6Y0d4cGRGUjVjR1U5SWxOMGNtVjBZMmdpTHo0TkNna0pDVHd2WW1GamEyZHliM1Z1WkQ0TkNna0pDVHgwYVhSc1pUNE5DZ2tKQ1FrOFltRnVaQ0JvWldsbmFIUTlJakV6T0NJZ2MzQnNhWFJVZVhCbFBTSlRkSEpsZEdOb0lqNE5DZ2tKQ1FrSlBHWnlZVzFsUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaU5EUmlaV1JoWTJNdFptRXlNeTAwWm1VeExXSTNNV1l0WlRWaFptRTVORE5tTlRVeklpQnpkSGxzWlQwaVZHbDBiR1VpSUcxdlpHVTlJazl3WVhGMVpTSWdlRDBpTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJamd3TUNJZ2FHVnBaMmgwUFNJMk55SWdZbUZqYTJOdmJHOXlQU0lqTWpZM09UazBJaTgrRFFvSkNRa0pDUWs4YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0IxZFdsa1BTSm1NbVE1T1dOaFpDMDVaRGcwTFRSbU5UQXRZalExTlMwME5UTmpPRGRtTmpKak5HTWlJSE4wZVd4bFBTSlVhWFJzWlNJZ2VEMGlNVEFpSUhrOUlqRXpJaUIzYVdSMGFEMGlNalkySWlCb1pXbG5hSFE5SWpNNElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRTWldOdmJtTnBiR2xoZEdsdmJpQlNaWEJ2Y25SZFhUNDhMM1JsZUhRK0RRb0pDUWtKQ1FrOEwzTjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNUd3ZabkpoYldVK0RRb0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlaVEF6TldSaVpEVXRaR015WmkwME5XTmlMVGt6Tm1NdFlUQTRaVGxqTURFeFpUUXpJaUJ6ZEhsc1pUMGlVR0ZuWlNCb1pXRmtaWElpSUhnOUlqSWlJSGs5SWpjd0lpQjNhV1IwYUQwaU1UQXdJaUJvWldsbmFIUTlJakl3SWk4K0RRb0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZzBLQ1FrSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlVtVnpiM1Z5WTJVNlhWMCtQQzkwWlhoMFBnMEtDUWtKQ1FrOEwzTjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNUeDBaWGgwUm1sbGJHUWdhWE5DYkdGdWExZG9aVzVPZFd4c1BTSjBjblZsSWo0TkNna0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSFYxYVdROUlqSTRZbUk1WWpRM0xXRTJPV010TkRobE1TMDVNRGN6TFdRMU5HUTVNall5TkRKbE9DSWdjM1I1YkdVOUlsQmhaMlVnYUdWaFpHVnlJaUI0UFNJeE1ESWlJSGs5SWpjd0lpQjNhV1IwYUQwaU1qZ3dJaUJvWldsbmFIUTlJakl3SWk4K0RRb0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSStEUW9KQ1FrSkNRa0pQR1p2Ym5RZ2FYTkNiMnhrUFNKbVlXeHpaU0l2UGcwS0NRa0pDUWtKUEM5MFpYaDBSV3hsYldWdWRENE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJRZTNKbGMyOTFjbU5sVG1GdFpYMWRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1R3dmRHVjRkRVpwWld4a1BnMEtDUWtKQ1FrOGMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJbVV3TXpWa1ltUTFMV1JqTW1ZdE5EVmpZaTA1TXpaakxXRXdPR1U1WXpBeE1XVTBNeUlnYzNSNWJHVTlJbEJoWjJVZ2FHVmhaR1Z5SWlCNFBTSXlJaUI1UFNJNU1DSWdkMmxrZEdnOUlqRXdNQ0lnYUdWcFoyaDBQU0l5TUNJdlBnMEtDUWtKQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejROQ2drSkNRa0pDVHgwWlhoMFBqd2hXME5FUVZSQlcwbHVkR1Z1ZERwZFhUNDhMM1JsZUhRK0RRb0pDUWtKQ1R3dmMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSlBIUmxlSFJHYVdWc1pDQnBjMEpzWVc1clYyaGxiazUxYkd3OUluUnlkV1VpUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaU1qaGlZamxpTkRjdFlUWTVZeTAwT0dVeExUa3dOek10WkRVMFpEa3lOakkwTW1VNElpQnpkSGxzWlQwaVVHRm5aU0JvWldGa1pYSWlJSGc5SWpFd01pSWdlVDBpT1RBaUlIZHBaSFJvUFNJeE5UQWlJR2hsYVdkb2REMGlNakFpTHo0TkNna0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElqNE5DZ2tKQ1FrSkNRazhabTl1ZENCcGMwSnZiR1E5SW1aaGJITmxJaTgrRFFvSkNRa0pDUWs4TDNSbGVIUkZiR1Z0Wlc1MFBnMEtDUWtKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRkI3YVc1MFpXNTBmVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSlBDOTBaWGgwUm1sbGJHUStEUW9KQ1FrSkNUeHpkR0YwYVdOVVpYaDBQZzBLQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpWlRBek5XUmlaRFV0WkdNeVppMDBOV05pTFRrek5tTXRZVEE0WlRsak1ERXhaVFF6SWlCemRIbHNaVDBpVUdGblpTQm9aV0ZrWlhJaUlIZzlJaklpSUhrOUlqRXhNQ0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeU1DSXZQZzBLQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1R4MFpYaDBQandoVzBORVFWUkJXMDlpYW1WamRDQkRiR0Z6Y3pwZFhUNDhMM1JsZUhRK0RRb0pDUWtKQ1R3dmMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSlBIUmxlSFJHYVdWc1pDQnBjMEpzWVc1clYyaGxiazUxYkd3OUluUnlkV1VpUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaU1qaGlZamxpTkRjdFlUWTVZeTAwT0dVeExUa3dOek10WkRVMFpEa3lOakkwTW1VNElpQnpkSGxzWlQwaVVHRm5aU0JvWldGa1pYSWlJSGc5SWpFd01pSWdlVDBpTVRFd0lpQjNhV1IwYUQwaU1UVXdJaUJvWldsbmFIUTlJakl3SWk4K0RRb0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSStEUW9KQ1FrSkNRa0pQR1p2Ym5RZ2FYTkNiMnhrUFNKbVlXeHpaU0l2UGcwS0NRa0pDUWtKUEM5MFpYaDBSV3hsYldWdWRENE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJRZTI5aWFtVmpkRU5zWVhOemZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0TkNna0pDUWtKUEM5MFpYaDBSbWxsYkdRK0RRb0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlaVEF6TldSaVpEVXRaR015WmkwME5XTmlMVGt6Tm1NdFlUQTRaVGxqTURFeFpUUXpJaUJ6ZEhsc1pUMGlVR0ZuWlNCb1pXRmtaWElpSUhnOUlqUXdNQ0lnZVQwaU56QWlJSGRwWkhSb1BTSXhOVEFpSUdobGFXZG9kRDBpTWpBaUx6NE5DZ2tKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrRFFvSkNRa0pDUWs4ZEdWNGRENDhJVnREUkVGVVFWdFNaWEJ2Y25RZ1oyVnVaWEpoZEdWa0lHOXVPbDFkUGp3dmRHVjRkRDROQ2drSkNRa0pQQzl6ZEdGMGFXTlVaWGgwUGcwS0NRa0pDUWs4ZEdWNGRFWnBaV3hrSUhCaGRIUmxjbTQ5SWtWRlJVVkZJR1JrSUUxTlRVMU5JSGw1ZVhrc0lFaElPbTF0T25OeklqNE5DZ2tKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJakk0WW1JNVlqUTNMV0UyT1dNdE5EaGxNUzA1TURjekxXUTFOR1E1TWpZeU5ESmxPQ0lnYzNSNWJHVTlJbEJoWjJVZ2FHVmhaR1Z5SWlCNFBTSTFOVEFpSUhrOUlqY3dJaUIzYVdSMGFEMGlNalV3SWlCb1pXbG5hSFE5SWpJd0lpOCtEUW9KQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlVbWxuYUhRaUlIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaVBnMEtDUWtKQ1FrSkNUeG1iMjUwSUdselFtOXNaRDBpWm1Gc2MyVWlMejROQ2drSkNRa0pDVHd2ZEdWNGRFVnNaVzFsYm5RK0RRb0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWdHVaWGNnYW1GMllTNTFkR2xzTGtSaGRHVW9LVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSlBDOTBaWGgwUm1sbGJHUStEUW9KQ1FrSkNUeHpkR0YwYVdOVVpYaDBQZzBLQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpT0RVNU9XSXlZelV0TTJFeU5DMDBOVGswTFRrNFlqa3ROV0l6WmpNNFpqTTVaVEkwSWlCemRIbHNaVDBpVUdGblpTQm9aV0ZrWlhJaUlIZzlJalF3TUNJZ2VUMGlPVEFpSUhkcFpIUm9QU0l4TlRBaUlHaGxhV2RvZEQwaU1qQWlMejROQ2drSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0RRb0pDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRPZFcxaVpYSWdiMllnY21WamIzSmtjenBkWFQ0OEwzUmxlSFErRFFvSkNRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKUEhSbGVIUkdhV1ZzWkNCbGRtRnNkV0YwYVc5dVZHbHRaVDBpVW1Wd2IzSjBJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnMEtDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlaalppTURFd01UWXRNalF3TmkwME1UazFMVGhpTTJJdE16VmtZMkV5TXpKalpUWTRJaUJ6ZEhsc1pUMGlVR0ZuWlNCb1pXRmtaWElpSUhnOUlqVTFNQ0lnZVQwaU9UQWlJSGRwWkhSb1BTSXlOVEFpSUdobGFXZG9kRDBpTWpBaUx6NE5DZ2tKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IwWlhoMFFXeHBaMjV0Wlc1MFBTSlNhV2RvZENJZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJK0RRb0pDUWtKQ1FrSlBHWnZiblFnYVhOQ2IyeGtQU0ptWVd4elpTSXZQZzBLQ1FrSkNRa0pQQzkwWlhoMFJXeGxiV1Z1ZEQ0TkNna0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UldlMUpGVUU5U1ZGOURUMVZPVkgxZFhUNDhMM1JsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrRFFvSkNRa0pDVHd2ZEdWNGRFWnBaV3hrUGcwS0NRa0pDVHd2WW1GdVpENE5DZ2tKQ1R3dmRHbDBiR1UrRFFvSkNRazhjR0ZuWlVobFlXUmxjajROQ2drSkNRazhZbUZ1WkNCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaUx6NE5DZ2tKQ1R3dmNHRm5aVWhsWVdSbGNqNE5DZ2tKQ1R4amIyeDFiVzVJWldGa1pYSStEUW9KQ1FrSlBHSmhibVFnYUdWcFoyaDBQU0l5TkNJZ2MzQnNhWFJVZVhCbFBTSlRkSEpsZEdOb0lqNE5DZ2tKQ1FrSlBHWnlZVzFsUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaU0yVTRabVJrTm1RdFlUWm1aaTAwTkRBM0xUbGhNV1V0TldRMllqUTNNRFl6TURCaElpQnpkSGxzWlQwaVEyOXNkVzF1SUdobFlXUmxjaUlnYlc5a1pUMGlWSEpoYm5Od1lYSmxiblFpSUhnOUlqQWlJSGs5SWpFaUlIZHBaSFJvUFNJNE1EQWlJR2hsYVdkb2REMGlNVGtpSUdselVtVnRiM1psVEdsdVpWZG9aVzVDYkdGdWF6MGlkSEoxWlNJdlBnMEtDUWtKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpT0Raak56UmlaV0l0WW1Sa1pDMDBPR05qTFRrME5XRXRNVFkzWWpJMk1XSXhaVEJpSWlCemRIbHNaVDBpUTI5c2RXMXVJR2hsWVdSbGNpSWdlRDBpTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJak13TUNJZ2FHVnBaMmgwUFNJeE9DSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMFpYaDBRV3hwWjI1dFpXNTBQU0pEWlc1MFpYSWlJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejROQ2drSkNRa0pDUWs4ZEdWNGRENDhJVnREUkVGVVFWdE9ZVzFsWFYwK1BDOTBaWGgwUGcwS0NRa0pDUWtKUEM5emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpT0Raak56UmlaV0l0WW1Sa1pDMDBPR05qTFRrME5XRXRNVFkzWWpJMk1XSXhaVEJpSWlCemRIbHNaVDBpUTI5c2RXMXVJR2hsWVdSbGNpSWdlRDBpTXpBd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRVd0lpQm9aV2xuYUhROUlqRTRJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIUmxlSFJCYkdsbmJtMWxiblE5SWtObGJuUmxjaUlnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBQandoVzBORVFWUkJXMU5wZEhWaGRHbHZibDFkUGp3dmRHVjRkRDROQ2drSkNRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJamcyWXpjMFltVmlMV0prWkdRdE5EaGpZeTA1TkRWaExURTJOMkl5TmpGaU1XVXdZaUlnYzNSNWJHVTlJa052YkhWdGJpQm9aV0ZrWlhJaUlIZzlJalExTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakl3TUNJZ2FHVnBaMmgwUFNJeE9DSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMFpYaDBRV3hwWjI1dFpXNTBQU0pEWlc1MFpYSWlJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejROQ2drSkNRa0pDUWs4ZEdWNGRENDhJVnREUkVGVVFWdFBkMjVsY2wxZFBqd3ZkR1Y0ZEQ0TkNna0pDUWtKQ1R3dmMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNUeHpkR0YwYVdOVVpYaDBQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElIVjFhV1E5SWpnMll6YzBZbVZpTFdKa1pHUXRORGhqWXkwNU5EVmhMVEUyTjJJeU5qRmlNV1V3WWlJZ2MzUjViR1U5SWtOdmJIVnRiaUJvWldGa1pYSWlJSGc5SWpZMU1DSWdlVDBpTUNJZ2QybGtkR2c5SWpFMU1DSWdhR1ZwWjJoMFBTSXhPQ0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjBaWGgwUVd4cFoyNXRaVzUwUFNKRFpXNTBaWElpSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRVYVcxbGMzUmhiWEJkWFQ0OEwzUmxlSFErRFFvSkNRa0pDUWs4TDNOMFlYUnBZMVJsZUhRK0RRb0pDUWtKQ1R3dlpuSmhiV1UrRFFvSkNRa0pQQzlpWVc1a1BnMEtDUWtKUEM5amIyeDFiVzVJWldGa1pYSStEUW9KQ1FrOFpHVjBZV2xzUGcwS0NRa0pDVHhpWVc1a0lHaGxhV2RvZEQwaU1UVWlJSE53YkdsMFZIbHdaVDBpVTNSeVpYUmphQ0krRFFvSkNRa0pDVHhtY21GdFpUNE5DZ2tKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJak5sT0daa1pEWmtMV0UyWm1ZdE5EUXdOeTA1WVRGbExUVmtObUkwTnpBMk16QXdZU0lnYzNSNWJHVTlJa1JsZEdGcGJDSWdjM1J5WlhSamFGUjVjR1U5SWxKbGJHRjBhWFpsVkc5VVlXeHNaWE4wVDJKcVpXTjBJaUJ0YjJSbFBTSlBjR0Z4ZFdVaUlIZzlJakFpSUhrOUlqQWlJSGRwWkhSb1BTSTRNREFpSUdobGFXZG9kRDBpTVRRaUx6NE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUWdhWE5UZEhKbGRHTm9WMmwwYUU5MlpYSm1iRzkzUFNKMGNuVmxJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJakk0WW1JNVlqUTNMV0UyT1dNdE5EaGxNUzA1TURjekxXUTFOR1E1TWpZeU5ESmxPQ0lnYzNSNWJHVTlJa1JsZEdGcGJDSWdjM1J5WlhSamFGUjVjR1U5SWxKbGJHRjBhWFpsVkc5VVlXeHNaWE4wVDJKcVpXTjBJaUI0UFNJd0lpQjVQU0l3SWlCM2FXUjBhRDBpTXpBd0lpQm9aV2xuYUhROUlqRXpJaUJwYzFCeWFXNTBWMmhsYmtSbGRHRnBiRTkyWlhKbWJHOTNjejBpZEhKMVpTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFJHYVdWc1pFVjRjSEpsYzNOcGIyNCtQQ0ZiUTBSQlZFRmJKRVo3Ym1GdFpYMWRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1FrOEwzUmxlSFJHYVdWc1pENE5DZ2tKQ1FrSkNUeDBaWGgwUm1sbGJHUWdhWE5UZEhKbGRHTm9WMmwwYUU5MlpYSm1iRzkzUFNKMGNuVmxJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJakk0WW1JNVlqUTNMV0UyT1dNdE5EaGxNUzA1TURjekxXUTFOR1E1TWpZeU5ESmxPQ0lnYzNSNWJHVTlJa1JsZEdGcGJDSWdjM1J5WlhSamFGUjVjR1U5SWxKbGJHRjBhWFpsVkc5VVlXeHNaWE4wVDJKcVpXTjBJaUI0UFNJek1EQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE5UQWlJR2hsYVdkb2REMGlNVE1pSUdselVISnBiblJYYUdWdVJHVjBZV2xzVDNabGNtWnNiM2R6UFNKMGNuVmxJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIUmxlSFJCYkdsbmJtMWxiblE5SWtObGJuUmxjaUlnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UkdlM05wZEhWaGRHbHZibjB1WjJWMFUyTm9aVzFoVm1Gc2RXVW9LVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRa0pQSFJsZUhSR2FXVnNaQ0JwYzFOMGNtVjBZMmhYYVhSb1QzWmxjbVpzYjNjOUluUnlkV1VpSUdselFteGhibXRYYUdWdVRuVnNiRDBpZEhKMVpTSStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpTWpoaVlqbGlORGN0WVRZNVl5MDBPR1V4TFRrd056TXRaRFUwWkRreU5qSTBNbVU0SWlCemRIbHNaVDBpUkdWMFlXbHNJaUJ6ZEhKbGRHTm9WSGx3WlQwaVVtVnNZWFJwZG1WVWIxUmhiR3hsYzNSUFltcGxZM1FpSUhnOUlqUTFNQ0lnZVQwaU1DSWdkMmxrZEdnOUlqSXdNQ0lnYUdWcFoyaDBQU0l4TXlJZ2FYTlFjbWx1ZEZkb1pXNUVaWFJoYVd4UGRtVnlabXh2ZDNNOUluUnlkV1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCV3lSR2UzVnpaWEp1WVcxbGZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0TkNna0pDUWtKQ1R3dmRHVjRkRVpwWld4a1BnMEtDUWtKQ1FrSlBIUmxlSFJHYVdWc1pDQnBjMU4wY21WMFkyaFhhWFJvVDNabGNtWnNiM2M5SW5SeWRXVWlJSEJoZEhSbGNtNDlJbVJrTGsxTkxubDVMQ0JJU0RwdGJUcHpjeUlnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0l5T0dKaU9XSTBOeTFoTmpsakxUUTRaVEV0T1RBM015MWtOVFJrT1RJMk1qUXlaVGdpSUhOMGVXeGxQU0pFWlhSaGFXd2lJSE4wY21WMFkyaFVlWEJsUFNKU1pXeGhkR2wyWlZSdlZHRnNiR1Z6ZEU5aWFtVmpkQ0lnZUQwaU5qVXdJaUI1UFNJd0lpQjNhV1IwYUQwaU1UVXdJaUJvWldsbmFIUTlJakV6SWlCcGMxQnlhVzUwVjJobGJrUmxkR0ZwYkU5MlpYSm1iRzkzY3owaWRISjFaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjBaWGgwUVd4cFoyNXRaVzUwUFNKRFpXNTBaWElpSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnR6YVhSMVlYUnBiMjVVYVcxbGMzUmhiWEI5TG5SdlIzSmxaMjl5YVdGdVEyRnNaVzVrWVhJb0tTNW5aWFJVYVcxbEtDbGRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1FrOEwzUmxlSFJHYVdWc1pENE5DZ2tKQ1FrSkNUeHNhVzVsUGcwS0NRa0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSFYxYVdROUlqUTNaamt4T0RBeExXTm1OV1l0TkdKbFpDMWlNVGxqTFdOaE16a3pNV05pWmprNFpDSWdjRzl6YVhScGIyNVVlWEJsUFNKR2FYaFNaV3hoZEdsMlpWUnZRbTkwZEc5dElpQnRiMlJsUFNKUGNHRnhkV1VpSUhnOUlqQWlJSGs5SWpFeklpQjNhV1IwYUQwaU9EQXdJaUJvWldsbmFIUTlJakVpSUdadmNtVmpiMnh2Y2owaUl6TXpNek16TXlJdlBnMEtDUWtKQ1FrSlBDOXNhVzVsUGcwS0NRa0pDUWs4TDJaeVlXMWxQZzBLQ1FrSkNUd3ZZbUZ1WkQ0TkNna0pDVHd2WkdWMFlXbHNQZzBLQ1FrSlBHTnZiSFZ0YmtadmIzUmxjajROQ2drSkNRazhZbUZ1WkNCb1pXbG5hSFE5SWpjaUlITndiR2wwVkhsd1pUMGlVM1J5WlhSamFDSStEUW9KQ1FrSkNUeHNhVzVsUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaVlUVTVNV1EwWXpFdE1XTmhaQzAwWkdFeUxUbG1PV1F0TURneFpqVXpPV1U1TURReklpQndiM05wZEdsdmJsUjVjR1U5SWtacGVGSmxiR0YwYVhabFZHOUNiM1IwYjIwaUlIZzlJakFpSUhrOUlqTWlJSGRwWkhSb1BTSTRNREFpSUdobGFXZG9kRDBpTVNJdlBnMEtDUWtKQ1FrSlBHZHlZWEJvYVdORmJHVnRaVzUwUGcwS0NRa0pDUWtKQ1R4d1pXNGdiR2x1WlZkcFpIUm9QU0l3TGpVaUlHeHBibVZEYjJ4dmNqMGlJems1T1RrNU9TSXZQZzBLQ1FrSkNRa0pQQzluY21Gd2FHbGpSV3hsYldWdWRENE5DZ2tKQ1FrSlBDOXNhVzVsUGcwS0NRa0pDVHd2WW1GdVpENE5DZ2tKQ1R3dlkyOXNkVzF1Um05dmRHVnlQZzBLQ1FrSlBIQmhaMlZHYjI5MFpYSStEUW9KQ1FrSlBHSmhibVFnYUdWcFoyaDBQU0l6TWlJZ2MzQnNhWFJVZVhCbFBTSlRkSEpsZEdOb0lqNE5DZ2tKQ1FrSlBHWnlZVzFsUGcwS0NRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaVptSmxPR0ZoWlRRdE5qVXdNQzAwTmpoaExXSXhaVGd0TnpBd1lqVTJPVEV6T1dFeElpQnpkSGxzWlQwaVVHRm5aU0JtYjI5MFpYSWlJRzF2WkdVOUlsUnlZVzV6Y0dGeVpXNTBJaUI0UFNJd0lpQjVQU0l4SWlCM2FXUjBhRDBpT0RBd0lpQm9aV2xuYUhROUlqSTBJaUJtYjNKbFkyOXNiM0k5SWlNd01EQXdNREFpSUdKaFkydGpiMnh2Y2owaUl6STJOems1TkNJdlBnMEtDUWtKQ1FrSlBIUmxlSFJHYVdWc1pENE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0kxWXpBMk1tTTJOaTFpWVRRMUxUUXlPRGd0T1dSalpDMHlORFpsTWpoak5XRm1OelVpSUhOMGVXeGxQU0pRWVdkbElHWnZiM1JsY2lJZ2VEMGlOamd3SWlCNVBTSXhJaUIzYVdSMGFEMGlPREFpSUdobGFXZG9kRDBpTWpBaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZEdWNGRFRnNhV2R1YldWdWREMGlVbWxuYUhRaUlIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaVBnMEtDUWtKQ1FrSkNRazhabTl1ZENCemFYcGxQU0k1SWlCcGMwSnZiR1E5SW5SeWRXVWlMejROQ2drSkNRa0pDUWs4TDNSbGVIUkZiR1Z0Wlc1MFBnMEtDUWtKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeUpRWVdkbElDSXJKRlo3VUVGSFJWOU9WVTFDUlZKOUt5SWdiMllpWFYwK1BDOTBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQZzBLQ1FrSkNRa0pQQzkwWlhoMFJtbGxiR1ErRFFvSkNRa0pDUWs4ZEdWNGRFWnBaV3hrSUhCaGRIUmxjbTQ5SWtWRlJVVkZJR1JrSUUxTlRVMU5JSGw1ZVhraVBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJakk0WW1JNVlqUTNMV0UyT1dNdE5EaGxNUzA1TURjekxXUTFOR1E1TWpZeU5ESmxPQ0lnYzNSNWJHVTlJbEJoWjJVZ1ptOXZkR1Z5SWlCNFBTSXlJaUI1UFNJeElpQjNhV1IwYUQwaU1UazNJaUJvWldsbmFIUTlJakl3SWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlQZzBLQ1FrSkNRa0pDUWs4Wm05dWRDQnphWHBsUFNJNUlpQnBjMEp2YkdROUluUnlkV1VpTHo0TkNna0pDUWtKQ1FrOEwzUmxlSFJGYkdWdFpXNTBQZzBLQ1FrSkNRa0pDVHgwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCVzI1bGR5QnFZWFpoTG5WMGFXd3VSR0YwWlNncFhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGcwS0NRa0pDUWtKUEM5MFpYaDBSbWxsYkdRK0RRb0pDUWtKQ1FrOGRHVjRkRVpwWld4a0lHVjJZV3gxWVhScGIyNVVhVzFsUFNKU1pYQnZjblFpUGcwS0NRa0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSFYxYVdROUlqa3pOR0l4Tm1VNExXTXpaV0l0TkRBeE55MDROalpoTFRCaU56Y3pOV0ptTWpreE55SWdjM1I1YkdVOUlsQmhaMlVnWm05dmRHVnlJaUI0UFNJM05qQWlJSGs5SWpFaUlIZHBaSFJvUFNJME1DSWdhR1ZwWjJoMFBTSXlNQ0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElqNE5DZ2tKQ1FrSkNRa0pQR1p2Ym5RZ2MybDZaVDBpT1NJZ2FYTkNiMnhrUFNKMGNuVmxJaTgrRFFvSkNRa0pDUWtKUEM5MFpYaDBSV3hsYldWdWRENE5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNpSUNJZ0t5QWtWbnRRUVVkRlgwNVZUVUpGVW4xZFhUNDhMM1JsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrRFFvSkNRa0pDUWs4TDNSbGVIUkdhV1ZzWkQ0TkNna0pDUWtKUEM5bWNtRnRaVDROQ2drSkNRazhMMkpoYm1RK0RRb0pDUWs4TDNCaFoyVkdiMjkwWlhJK0RRb0pDUWs4YzNWdGJXRnllVDROQ2drSkNRazhZbUZ1WkNCemNHeHBkRlI1Y0dVOUlsTjBjbVYwWTJnaUx6NE5DZ2tKQ1R3dmMzVnRiV0Z5ZVQ0TkNna0pQQzlxWVhOd1pYSlNaWEJ2Y25RKw==</template>
-   <templateStyle>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWo4K0RRbzhJVVJQUTFSWlVFVWdhbUZ6Y0dWeVZHVnRjR3hoZEdVTkNpQWdVRlZDVEVsRElDSXRMeTlLWVhOd1pYSlNaWEJ2Y25Sekx5OUVWRVFnVkdWdGNHeGhkR1V2TDBWT0lnMEtJQ0FpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJSMFpITXZhbUZ6Y0dWeWRHVnRjR3hoZEdVdVpIUmtJajROQ2p4cVlYTndaWEpVWlcxd2JHRjBaVDROQ2lBZ0lDQUpDVHh6ZEhsc1pTQm1iMjUwVG1GdFpUMGlSR1ZxWVZaMUlGTmhibk1pSUdadmJuUlRhWHBsUFNJeE1DSWdhRUZzYVdkdVBTSk1aV1owSWlCcGMwUmxabUYxYkhROUluUnlkV1VpSUdselVHUm1SVzFpWldSa1pXUTlJblJ5ZFdVaUlBMEtDUWtKQ1NBZ0lHNWhiV1U5SWtKaGMyVWlJSEJrWmtWdVkyOWthVzVuUFNKSlpHVnVkR2wwZVMxSUlpQndaR1pHYjI1MFRtRnRaVDBpUkdWcVlWWjFVMkZ1Y3k1MGRHWWlJSFpCYkdsbmJqMGlUV2xrWkd4bElqNE5DZ2tKQ1R3dmMzUjViR1UrRFFvSkNRazhjM1I1YkdVZ1ltRmphMk52Ykc5eVBTSWpNalkzT1RrMElpQm1iMjUwVTJsNlpUMGlNallpSUdadmNtVmpiMnh2Y2owaUkwWkdSa1pHUmlJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnRiMlJsUFNKUGNHRnhkV1VpSUc1aGJXVTlJbFJwZEd4bElpQnpkSGxzWlQwaVFtRnpaU0l2UGlBTkNna0pDVHh6ZEhsc1pTQm1iMjUwVTJsNlpUMGlNVElpSUdadmNtVmpiMnh2Y2owaUl6QXdNREF3TUNJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJZ2JtRnRaVDBpVUdGblpTQm9aV0ZrWlhJaURRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjM1I1YkdVOUlrSmhjMlVpTHo0TkNna0pDVHh6ZEhsc1pTQmlZV05yWTI5c2IzSTlJaU16TXpNek16TWlJR1p2Ym5SVGFYcGxQU0l4TWlJZ1ptOXlaV052Ykc5eVBTSWpSa1pHUmtaR0lpQm9RV3hwWjI0OUlrTmxiblJsY2lJTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBjMFJsWm1GMWJIUTlJbVpoYkhObElpQnRiMlJsUFNKUGNHRnhkV1VpSUc1aGJXVTlJa052YkhWdGJpQm9aV0ZrWlhJaUlITjBlV3hsUFNKQ1lYTmxJaTgrRFFvSkNRazhjM1I1YkdVZ2FYTkNiMnhrUFNKbVlXeHpaU0lnYVhORVpXWmhkV3gwUFNKbVlXeHpaU0lnYm1GdFpUMGlSR1YwWVdsc0lpQnpkSGxzWlQwaVFtRnpaU0l2UGcwS0NRa0pQSE4wZVd4bElHWnZiblJUYVhwbFBTSTVJaUJtYjNKbFkyOXNiM0k5SWlNd01EQXdNREFpSUdselJHVm1ZWFZzZEQwaVptRnNjMlVpSUc1aGJXVTlJbEJoWjJVZ1ptOXZkR1Z5SWcwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lITjBlV3hsUFNKQ1lYTmxJaTgrRFFvSkNUd3ZhbUZ6Y0dWeVZHVnRjR3hoZEdVKw==</templateStyle>
-	<orientation>landscape</orientation>
-	<export>pdf</export>
-	<!-- set to true if report needs hibernate session (e.g. hql query is used) -->
-	<useHibernateSession>true</useHibernateSession>
-	<field>
-		<nameReport>name</nameReport>
-		<nameHeader>Name</nameHeader>
-		<itemPath>c:name</itemPath>
-		<sortOrderNumber>2</sortOrderNumber>
-		<sortOrder>ascending</sortOrder>
-		<width>30</width>
-		<classType>t:PolyString</classType>
-	</field>
-	<field>
-		<nameReport>situation</nameReport>
-		<nameHeader>Situation</nameHeader>
-		<itemPath>c:synchronizationSituation</itemPath>
-		<sortOrderNumber>1</sortOrderNumber>
-		<sortOrder>ascending</sortOrder>
-		<width>20</width>
-		<classType>c:SynchronizationSituationType</classType>
-	</field>
-	<field>
-		<nameReport>username</nameReport>
-		<nameHeader>Owner</nameHeader>
-		<itemPath>c:name</itemPath>
-		<width>30</width>
-		<classType>t:PolyString</classType>
-	</field>
-	<field>
-		<nameReport>situationTimestamp</nameReport>
-		<nameHeader>Timestamp</nameHeader>
-		<itemPath>c:synchronizationTimestamp</itemPath>
-		<width>20</width>
-		<classType>xsd:dateTime</classType>
-	</field>
-	<!-- configuration properties -->
-	<configuration xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report">
-		<r:hqlQuery>select 
-			(select u.name.orig from RUser as u join u.linkRef as ref where ref.targetOid = s.oid) as username, 
-			s.name.orig as name, 
-			s.synchronizationSituation as situation, 
-			s.synchronizationTimestamp as situationTimestamp 
-			from RShadow as s join s.resourceRef as resRef 
-			where s.objectClass = $P{objectClass} and resRef.targetOid = $P{resourceOid} and resRef.type = 5 and s.kind = 0 
-			order by s.synchronizationSituation, s.name.orig
-		</r:hqlQuery>
-		<r:objectClass>http://midpoint.evolveum.com/xml/ns/public/resource/instance-3#AccountObjectClass</r:objectClass>
-		<r:resourceOid>ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2</r:resourceOid>
-		<r:resourceName>OpenDJ resource</r:resourceName>
-		<r:intent>default</r:intent>
-	</configuration>
-	<!-- report parameters configuration schema sample with different options -->
-	<configurationSchema>
-		<definition>
-			<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-                    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
-                    xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report"
-                    elementFormDefault="qualified"
-                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/report">
-
-				<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/query-3"/>
-
-				<xsd:complexType name="ConfigurationType">
-					<xsd:annotation>
-						<xsd:appinfo>
-							<a:container/>
-						</xsd:appinfo>
-					</xsd:annotation>
-					<xsd:sequence>
-
-						<!-- HQL query for jasper design (queryString element) -->
-						<xsd:element name="hqlQuery" type="xsd:string"/>
-
-						<!-- special reconciliation configuration -->
-						<xsd:element name="objectClass" type="xsd:string">
-							<xsd:annotation>
-								<xsd:appinfo>
-									<a:displayName>Object Class:</a:displayName>
-								</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:element>
-
-						<xsd:element name="resourceOid" type="xsd:string"/>
-			
-						<xsd:element name="resourceName" type="xsd:string">
-							<xsd:annotation>
-								<xsd:appinfo>
-									<a:displayName>Resource:</a:displayName>
-								</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:element>
-						
-						<xsd:element name="intent" type="xsd:string">
-							<xsd:annotation>
-								<xsd:appinfo>
-									<a:displayName>Intent:</a:displayName>
-								</xsd:appinfo>
-							</xsd:annotation>
-						</xsd:element>
-					</xsd:sequence>
-				</xsd:complexType>
-				<xsd:element name="configuration" type="r:ConfigurationType"/>
-			</xsd:schema>
-		</definition>
-	</configurationSchema>
-</report>
diff --git a/model/report-impl/src/test/resources/reports/reportUserAccounts.xml b/model/report-impl/src/test/resources/reports/reportUserAccounts.xml
deleted file mode 100644
index 91b58926c01..00000000000
--- a/model/report-impl/src/test/resources/reports/reportUserAccounts.xml
+++ /dev/null
@@ -1,80 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		oid="USERACCO-3333-3333-TEST-10000000000"
-        version="0">
-	<name>User accounts subreport</name>
-	<description>User accounts subreport for midpoint users.</description>
-	<!-- flag if this report is "parent" report, used for gui -->
-	<parent>false</parent>
-	<template>UEdwaGMzQmxjbEpsY0c5eWRDQU5DaUFnSUNBSkNYaHRiRzV6UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeUlnRFFvSkNRbDRiV3h1Y3pwNGMyazlJbWgwZEhBNkx5OTNkM2N1ZHpNdWIzSm5Mekl3TURFdldFMU1VMk5vWlcxaExXbHVjM1JoYm1ObElpQU5DZ2tKQ1hoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOXFZWE53WlhKeVpYQnZjblF1ZUhOa0lpQU5DZ2tKQ1c1aGJXVTlJbkpsY0c5eWRGVnpaWEpCWTJOdmRXNTBjeUlnRFFvSkNRbGpiMngxYlc1RGIzVnVkRDBpTWlJZ0RRb0pDUWx3WVdkbFYybGtkR2c5SWpFNE1DSWdEUW9KQ1Fsd1lXZGxTR1ZwWjJoMFBTSXhPQ0lnRFFvSkNRbDNhR1Z1VG05RVlYUmhWSGx3WlQwaVFXeHNVMlZqZEdsdmJuTk9iMFJsZEdGcGJDSWdEUW9KQ1FsamIyeDFiVzVYYVdSMGFEMGlPRGtpSUEwS0NRa0pZMjlzZFcxdVUzQmhZMmx1WnowaU1TSWdEUW9KQ1Fsc1pXWjBUV0Z5WjJsdVBTSXdJaUFOQ2drSkNYSnBaMmgwVFdGeVoybHVQU0l3SWlBTkNna0pDWFJ2Y0UxaGNtZHBiajBpTUNJZ0RRb0pDUWxpYjNSMGIyMU5ZWEpuYVc0OUlqQWlJQTBLQ1FrSmRYVnBaRDBpTmpkbE5EWTFZelV0TkRabFlTMDBNR1F5TFdKbFlUQXRORFk1WXpaalpqTTRPVE0zSWo0TkNna0pDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnVaWFF1YzJZdWFtRnpjR1Z5Y21Wd2IzSjBjeTVoZDNRdWFXZHViM0psTG0xcGMzTnBibWN1Wm05dWRDSWdkbUZzZFdVOUluUnlkV1VpTHo0TkNna0pDVHh3Y205d1pYSjBlU0J1WVcxbFBTSnVaWFF1YzJZdWFtRnpjR1Z5Y21Wd2IzSjBjeTVsZUhCdmNuUXVjR1JtTG1admNtTmxMbXhwYm1WaWNtVmhheTV3YjJ4cFkza2lJSFpoYkhWbFBTSjBjblZsSWk4K0RRb0pDUWs4YzNSNWJHVWdabTl1ZEU1aGJXVTlJa1JsYW1GV2RTQlRZVzV6SWlCbWIyNTBVMmw2WlQwaU1UQWlJR2hCYkdsbmJqMGlUR1ZtZENJZ2FYTkVaV1poZFd4MFBTSjBjblZsSWlCcGMxQmtaa1Z0WW1Wa1pHVmtQU0owY25WbElpQU5DZ2tKQ1FrZ0lDQnVZVzFsUFNKQ1lYTmxJaUJ3WkdaRmJtTnZaR2x1WnowaVNXUmxiblJwZEhrdFNDSWdjR1JtUm05dWRFNWhiV1U5SWtSbGFtRldkVk5oYm5NdWRIUm1JaUIyUVd4cFoyNDlJazFwWkdSc1pTSStEUW9KQ1FrOEwzTjBlV3hsUGcwS0NRa0pEUW9KQ1FrOGNHRnlZVzFsZEdWeUlHNWhiV1U5SW5WelpYSlBhV1FpSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaTgrRFFvSkNRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUluTm9ZV1J2ZDA5cFpITWlJR05zWVhOelBTSnFZWFpoTG5WMGFXd3VUR2x6ZENJdlBnMEtDUWtKUEhCaGNtRnRaWFJsY2lCdVlXMWxQU0pvY1d4UmRXVnllVUZqWTI5MWJuUnpJaUJqYkdGemN6MGlhbUYyWVM1c1lXNW5MbE4wY21sdVp5SXZQZzBLQ1FrSlBIRjFaWEo1VTNSeWFXNW5JR3hoYm1kMVlXZGxQU0p0Y1d3aVBnMEtDUWtKQ1R3aFcwTkVRVlJCV3cwS0NRa0pDVHhtYVd4MFpYSStEUW9KQ1FrSkNUeDBlWEJsUGcwS0NRa0pDUWtKUEhSNWNHVStZenBUYUdGa2IzZFVXWEJsUEM5MGVYQmxQZzBLQ1FrSkNRa0pQR1Z4ZFdGc1BnMEtDUWtKQ1FrSkNUeHdZWFJvUG05cFpEd3ZjR0YwYUQ0TkNna0pDUWtKQ1FrOFpYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNRa0pQSEJoZEdnK0pITm9ZV1J2ZDA5cFpITThMM0JoZEdnK0RRb0pDUWtKQ1FrSlBDOWxlSEJ5WlhOemFXOXVQZzBLQ1FrSkNRa0pQQzlsY1hWaGJENE5DZ2tKQ1FrSlBDOTBlWEJsUGcwS0NRa0pDVHd2Wm1sc2RHVnlQZzBLQ1FrSkNWMWRQZzBLQ1FrSlBDOXhkV1Z5ZVZOMGNtbHVaejROQ2drSkNUeG1hV1ZzWkNCdVlXMWxQU0poWTJOdmRXNTBUbUZ0WlNJZ1kyeGhjM005SW1waGRtRXViR0Z1Wnk1VGRISnBibWNpTHo0TkNna0pDVHhtYVdWc1pDQnVZVzFsUFNKeVpYTnZkWEpqWlU1aGJXVWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklpOCtEUW9KQ1FrOFpHVjBZV2xzUGcwS0NRa0pDVHhpWVc1a0lHaGxhV2RvZEQwaU1UZ2lJSE53YkdsMFZIbHdaVDBpVTNSeVpYUmphQ0krRFFvSkNRa0pDVHhtY21GdFpUNE5DZ2tKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUhWMWFXUTlJak5sT0daa1pEWmtMV0UyWm1ZdE5EUXdOeTA1WVRGbExUVmtObUkwTnpBMk16QXdZU0lnY0c5emFYUnBiMjVVZVhCbFBTSkdiRzloZENJZ2JXOWtaVDBpVDNCaGNYVmxJaUI0UFNJd0lpQjVQU0l4SWlCM2FXUjBhRDBpTVRnd0lpQm9aV2xuYUhROUlqRTNJaTgrRFFvSkNRa0pDUWs4YkdsdVpUNE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0kwTjJZNU1UZ3dNUzFqWmpWbUxUUmlaV1F0WWpFNVl5MWpZVE01TXpGalltWTVPR1FpSUhCdmMybDBhVzl1Vkhsd1pUMGlSbWw0VW1Wc1lYUnBkbVZVYjFSdmNDSWdlRDBpTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakU0TUNJZ2FHVnBaMmgwUFNJeElpQm1iM0psWTI5c2IzSTlJaU16TXpNek16TWlQZzBLQ1FrSkNRa0pDUWs4Y0hKcGJuUlhhR1Z1Ulhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZ0dVpYY2dhbUYyWVM1c1lXNW5Ma0p2YjJ4bFlXNG9LR2x1ZENra1ZudFNSVkJQVWxSZlEwOVZUbFI5TG1sdWRGWmhiSFZsS0NraFBURXBYVjArUEM5d2NtbHVkRmRvWlc1RmVIQnlaWE56YVc5dVBnMEtDUWtKQ1FrSkNUd3ZjbVZ3YjNKMFJXeGxiV1Z1ZEQ0TkNna0pDUWtKQ1FrOFozSmhjR2hwWTBWc1pXMWxiblErRFFvSkNRa0pDUWtKQ1R4d1pXNGdiR2x1WlZkcFpIUm9QU0l3TGpVaUlHeHBibVZEYjJ4dmNqMGlJems1T1RrNU9TSXZQZzBLQ1FrSkNRa0pDVHd2WjNKaGNHaHBZMFZzWlcxbGJuUStEUW9KQ1FrSkNRazhMMnhwYm1VK0RRb0pDUWtKQ1FrOGRHVjRkRVpwWld4a0lHbHpVM1J5WlhSamFGZHBkR2hQZG1WeVpteHZkejBpZEhKMVpTSStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2RYVnBaRDBpWldKaFpXWXhObVF0TWprd015MDBNREk1TFRsaE5tSXRaRFJrTWpRME5UVTRZV1U1SWlCd2IzTnBkR2x2YmxSNWNHVTlJa1pzYjJGMElpQnpkSEpsZEdOb1ZIbHdaVDBpVW1Wc1lYUnBkbVZVYjFSaGJHeGxjM1JQWW1wbFkzUWlJSGc5SWpBaUlIazlJaklpSUhkcFpIUm9QU0l4T0RBaUlHaGxhV2RvZEQwaU1UTWlMejROQ2drSkNRa0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBpQU5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50eVpYTnZkWEpqWlU1aGJXVjlLeUFpT2lBaUlDc2dKRVo3WVdOamIzVnVkRTVoYldWOVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGcwS0NRa0pDUWtKUEM5MFpYaDBSbWxsYkdRK0RRb0pDUWtKQ1R3dlpuSmhiV1UrRFFvSkNRa0pQQzlpWVc1a1BnMEtDUWtKUEM5a1pYUmhhV3crRFFvSkNUd3ZhbUZ6Y0dWeVVtVndiM0owUGc9PQ==</template>
-	<orientation>landscape</orientation>
-	<export>pdf</export>
-	<!-- set to true if report needs hibernate session (e.g. hql query is used) -->
-	<useHibernateSession>true</useHibernateSession>
-	<field>
-		<nameReport>accountName</nameReport>
-		<nameHeader>Name</nameHeader>
-		<itemPath>c:name</itemPath>
-		<width>100</width>
-		<classType>t:PolyStringType</classType>
-	</field>
-	<!-- configuration properties -->
-	<configuration xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report">
-		<r:hqlQueryAccounts>
-			select r.name.orig as resourceName, 
-			s.name.orig as accountName 
-			from RObjectReference as o, 
-			RShadow as s, 
-			RResource as r 
-			where s.resourceRef.targetOid = r.oid and o.owner.oid = $P{userOid} and o.type = 6 and o.targetOid = s.oid and s.kind = 0 
-			order by r.name.orig, s.name.orig
-		</r:hqlQueryAccounts>
-	</configuration>			
-	<!-- report parameters configuration schema sample with different options -->
-	<configurationSchema>
-		<definition>
-			<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-                    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
-                    xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report"
-                    elementFormDefault="qualified"
-                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/report">
-
-				<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/query-3"/>
-
-				<xsd:complexType name="ConfigurationType">
-					<xsd:annotation>
-						<xsd:appinfo>
-							<a:container/>
-						</xsd:appinfo>
-					</xsd:annotation>
-					<xsd:sequence>
-						<!-- HQL query for jasper design (queryString element) -->
-						<xsd:element name="hqlQueryAccounts" type="xsd:string"/>
-					</xsd:sequence>
-				</xsd:complexType>
-				<xsd:element name="configuration" type="r:ConfigurationType"/>
-			</xsd:schema>
-		</definition>
-	</configurationSchema>
-</report>
diff --git a/model/report-impl/src/test/resources/reports/reportUserList.xml b/model/report-impl/src/test/resources/reports/reportUserList.xml
deleted file mode 100644
index cbb65e425b5..00000000000
--- a/model/report-impl/src/test/resources/reports/reportUserList.xml
+++ /dev/null
@@ -1,128 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		oid="USERLIST-3333-3333-TEST-10000000000"
-        version="0">
-	<name>Users in MidPoint</name>
-	<description>Users listed in MidPoint.</description>
-	<!-- flag if this report is "parent" report, used for gui -->
-	<parent>true</parent>
-	<!-- subreport reference sample, name will be used as parameters name for report and for hql string 
-		for example name_report, name_hqlQuery-->
-	<subreport>
-		<name>role</name>
-		<reportRef oid="USERROLE-3333-3333-TEST-10000000000" type="c:ReportType"/>
-	</subreport>
-	<subreport>
-		<name>org</name>
-		<reportRef oid="USERORGS-3333-3333-TEST-10000000000" type="c:ReportType"/>
-	</subreport>
-	<subreport>
-		<name>account</name>
-		<reportRef oid="USERACCO-3333-3333-TEST-10000000000" type="c:ReportType"/>
-	</subreport>
-	<template>UEdwaGMzQmxjbEpsY0c5eWRDQU5DaUFnSUNBSkNYaHRiRzV6UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeUlnRFFvSkNRbDRiV3h1Y3pwNGMyazlJbWgwZEhBNkx5OTNkM2N1ZHpNdWIzSm5Mekl3TURFdldFMU1VMk5vWlcxaExXbHVjM1JoYm1ObElpQU5DZ2tKQ1hoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOXFZWE53WlhKeVpYQnZjblF1ZUhOa0lpQU5DZ2tKQ1c1aGJXVTlJbkpsY0c5eWRGVnpaWEpNYVhOMElpQU5DZ2tKQ1hCaFoyVlhhV1IwYUQwaU9EUXlJaUFOQ2drSkNYQmhaMlZJWldsbmFIUTlJalU1TlNJZ0RRb0pDUWx2Y21sbGJuUmhkR2x2YmowaVRHRnVaSE5qWVhCbElpQU5DZ2tKQ1hkb1pXNU9iMFJoZEdGVWVYQmxQU0pCYkd4VFpXTjBhVzl1YzA1dlJHVjBZV2xzSWlBTkNna0pDV052YkhWdGJsZHBaSFJvUFNJNE1ESWlJQTBLQ1FrSmJHVm1kRTFoY21kcGJqMGlNakFpSUEwS0NRa0pjbWxuYUhSTllYSm5hVzQ5SWpJd0lpQU5DZ2tKQ1hSdmNFMWhjbWRwYmowaU1qQWlJQTBLQ1FrSlltOTBkRzl0VFdGeVoybHVQU0l5TUNJZ0RRb0pDUWwxZFdsa1BTSTJOMlUwTmpWak5TMDBObVZoTFRRd1pESXRZbVZoTUMwME5qbGpObU5tTXpnNU16Y2lQZzBLQ1FrSlBIQnliM0JsY25SNUlHNWhiV1U5SW01bGRDNXpaaTVxWVhOd1pYSnlaWEJ2Y25SekxtRjNkQzVwWjI1dmNtVXViV2x6YzJsdVp5NW1iMjUwSWlCMllXeDFaVDBpZEhKMVpTSXZQZzBLQ1FrSlBIQnliM0JsY25SNUlHNWhiV1U5SW01bGRDNXpaaTVxWVhOd1pYSnlaWEJ2Y25SekxtVjRjRzl5ZEM1d1pHWXVabTl5WTJVdWJHbHVaV0p5WldGckxuQnZiR2xqZVNJZ2RtRnNkV1U5SW5SeWRXVWlMejROQ2drSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdVkzTjJMbVY0WTJ4MVpHVXViM0pwWjJsdUxtSmhibVF1TVNJZ2RtRnNkV1U5SW5ScGRHeGxJaTgrRFFvSkNRazhjSEp2Y0dWeWRIa2dibUZ0WlQwaWJtVjBMbk5tTG1waGMzQmxjbkpsY0c5eWRITXVaWGh3YjNKMExtTnpkaTVsZUdOc2RXUmxMbTl5YVdkcGJpNWlZVzVrTGpJaUlIWmhiSFZsUFNKd1lXZGxSbTl2ZEdWeUlpOCtEUW9KQ1FrOGNHRnlZVzFsZEdWeUlHNWhiV1U5SW1GamRHbDJZWFJwYjI0aUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVNXNTBaV2RsY2lJdlBnMEtDUWtKUEhCaGNtRnRaWFJsY2lCdVlXMWxQU0poWTNScGRtRjBhVzl1UkdWelkzSnBjSFJwYjI0aUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVUzUnlhVzVuSWk4K0RRb0pDUWs4Y0dGeVlXMWxkR1Z5SUc1aGJXVTlJblZ6WlhKT1lXMWxJaUJqYkdGemN6MGlhbUYyWVM1c1lXNW5MbE4wY21sdVp5SXZQZzBLQ1FrSlBIQmhjbUZ0WlhSbGNpQnVZVzFsUFNKeWIyeGxJaUJqYkdGemN6MGlibVYwTG5ObUxtcGhjM0JsY25KbGNHOXlkSE11Wlc1bmFXNWxMa3BoYzNCbGNsSmxjRzl5ZENJZ2FYTkdiM0pRY205dGNIUnBibWM5SW1aaGJITmxJaTgrRFFvSkNRazhjR0Z5WVcxbGRHVnlJRzVoYldVOUltOXlaeUlnWTJ4aGMzTTlJbTVsZEM1elppNXFZWE53WlhKeVpYQnZjblJ6TG1WdVoybHVaUzVLWVhOd1pYSlNaWEJ2Y25RaUlHbHpSbTl5VUhKdmJYQjBhVzVuUFNKbVlXeHpaU0l2UGcwS0NRa0pQSEJoY21GdFpYUmxjaUJ1WVcxbFBTSmhZMk52ZFc1MElpQmpiR0Z6Y3owaWJtVjBMbk5tTG1waGMzQmxjbkpsY0c5eWRITXVaVzVuYVc1bExrcGhjM0JsY2xKbGNHOXlkQ0lnYVhOR2IzSlFjbTl0Y0hScGJtYzlJbVpoYkhObElpOCtEUW9KQ1FrOGNHRnlZVzFsZEdWeUlHNWhiV1U5SW1oeGJGRjFaWEo1VW05c1pYTWlJR05zWVhOelBTSnFZWFpoTG14aGJtY3VVM1J5YVc1bklpQnBjMFp2Y2xCeWIyMXdkR2x1WnowaVptRnNjMlVpTHo0TkNna0pDVHh3WVhKaGJXVjBaWElnYm1GdFpUMGlhSEZzVVhWbGNubEJZMk52ZFc1MGN5SWdZMnhoYzNNOUltcGhkbUV1YkdGdVp5NVRkSEpwYm1jaUlHbHpSbTl5VUhKdmJYQjBhVzVuUFNKbVlXeHpaU0l2UGcwS0NRa0pQSEJoY21GdFpYUmxjaUJ1WVcxbFBTSm9jV3hSZFdWeWVVOXlaM01pSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaUJwYzBadmNsQnliMjF3ZEdsdVp6MGlabUZzYzJVaUx6NE5DZ2tKQ1R4d1lYSmhiV1YwWlhJZ2JtRnRaVDBpYUhGc1VYVmxjbmtpSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaUJwYzBadmNsQnliMjF3ZEdsdVp6MGlabUZzYzJVaUx6NE5DZ2tKQ1EwS0NRa0pQSEYxWlhKNVUzUnlhVzVuSUd4aGJtZDFZV2RsUFNKdGNXd2lQZzBLQ1FrSkNUd2hXME5FUVZSQld3MEtDUWtKQ1FrOFptbHNkR1Z5SUhodGJHNXpPbU05SW1oMGRIQTZMeTl0YVdSd2IybHVkQzVsZG05c2RtVjFiUzVqYjIwdmVHMXNMMjV6TDNCMVlteHBZeTlqYjIxdGIyNHZZMjl0Ylc5dUxUTWlQZzBLQ1FrSkNRa0pQSFI1Y0dVK0RRb0pDUWtKQ1FrSlBIUjVjR1UrWXpwVmMyVnlWSGx3WlR3dmRIbHdaVDROQ2drSkNRa0pDVHd2ZEhsd1pUNE5DZ2tKQ1FrSkNRMEtDUWtKQ1FrOEwyWnBiSFJsY2o0TkNna0pDUWxkWFQ0TkNna0pDVHd2Y1hWbGNubFRkSEpwYm1jK0RRb0pDUWs4Wm1sbGJHUWdibUZ0WlQwaWRYTmxjazlwWkNJZ1kyeGhjM005SW1waGRtRXViR0Z1Wnk1VGRISnBibWNpTHo0TkNna0pDVHhtYVdWc1pDQnVZVzFsUFNKdVlXMWxJaUJqYkdGemN6MGlZMjl0TG1WMmIyeDJaWFZ0TG0xcFpIQnZhVzUwTG5CeWFYTnRMbkJ2YkhsemRISnBibWN1VUc5c2VWTjBjbWx1WnlJdlBnMEtDUWtKUEdacFpXeGtJRzVoYldVOUltZHBkbVZ1VG1GdFpTSWdZMnhoYzNNOUltTnZiUzVsZG05c2RtVjFiUzV0YVdSd2IybHVkQzV3Y21semJTNXdiMng1YzNSeWFXNW5MbEJ2YkhsVGRISnBibWNpTHo0TkNna0pDVHhtYVdWc1pDQnVZVzFsUFNKbVlXMXBiSGxPWVcxbElpQmpiR0Z6Y3owaVkyOXRMbVYyYjJ4MlpYVnRMbTFwWkhCdmFXNTBMbkJ5YVhOdExuQnZiSGx6ZEhKcGJtY3VVRzlzZVZOMGNtbHVaeUl2UGcwS0NRa0pQR1pwWld4a0lHNWhiV1U5SW14cGJtc2lJR05zWVhOelBTSnFZWFpoTG5WMGFXd3VUR2x6ZENJdlBnMEtDUWtKUEdacFpXeGtJRzVoYldVOUltRmpkR2wyWVhScGIyNHZZV1J0YVc1cGMzUnlZWFJwZG1WVGRHRjBkWE1pSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JajROQ2drSkNRazhabWxsYkdSRVpYTmpjbWx3ZEdsdmJqNDhJVnREUkVGVVFWdGhZM1JwZG1GMGFXOXVSbWxsYkdSZFhUNDhMMlpwWld4a1JHVnpZM0pwY0hScGIyNCtEUW9KQ1FrOEwyWnBaV3hrUGcwS0NRa0pQR0poWTJ0bmNtOTFibVErRFFvSkNRa0pQR0poYm1RZ2FHVnBaMmgwUFNJek1DSWdjM0JzYVhSVWVYQmxQU0pUZEhKbGRHTm9JaTgrRFFvSkNRazhMMkpoWTJ0bmNtOTFibVErRFFvSkNRazhkR2wwYkdVK0RRb0pDUWtKUEdKaGJtUWdhR1ZwWjJoMFBTSXhNVEFpSUhOd2JHbDBWSGx3WlQwaVUzUnlaWFJqYUNJK0RRb0pDUWtKQ1R4bWNtRnRaVDROQ2drSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElDQWdiVzlrWlQwaVQzQmhjWFZsSWlCNFBTSXhJaUI1UFNJd0lpQjNhV1IwYUQwaU56azVJaUJvWldsbmFIUTlJalkzSWlCaVlXTnJZMjlzYjNJOUlpTXlOamM1T1RRaUlIVjFhV1E5SWpRMFltVmtZV05qTFdaaE1qTXROR1psTVMxaU56Rm1MV1UxWVdaaE9UUXpaalUxTXlJdlBnMEtDUWtKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ0lDQjRQU0l4TUNJZ2VUMGlNVE1pSUhkcFpIUm9QU0l5TmpZaUlHaGxhV2RvZEQwaU16Z2lJSFYxYVdROUltWXlaRGs1WTJGa0xUbGtPRFF0TkdZMU1DMWlORFUxTFRRMU0yTTROMlkyTW1NMFl5SXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFErUENGYlEwUkJWRUZiVlhObGNpQlNaWEJ2Y25SZFhUNDhMM1JsZUhRK0RRb0pDUWtKQ1FrOEwzTjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNUd3ZabkpoYldVK0RRb0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnSUNCNFBTSTBNREFpSUhrOUlqZzNJaUIzYVdSMGFEMGlNVFV3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNJelptWTNPR1ppWmkwNFptTmxMVFF3TnpJdFlqWTVNUzAzWVdZd05EZGxZVGt5WVRjaUx6NE5DZ2tKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IyWlhKMGFXTmhiRUZzYVdkdWJXVnVkRDBpVFdsa1pHeGxJaTgrRFFvSkNRa0pDUWs4ZEdWNGRENDhJVnREUkVGVVFWdE9kVzFpWlhJZ2IyWWdjbVZqYjNKa2N6cGRYVDQ4TDNSbGVIUStEUW9KQ1FrSkNUd3ZjM1JoZEdsalZHVjRkRDROQ2drSkNRa0pQSFJsZUhSR2FXVnNaQ0J3WVhSMFpYSnVQU0pGUlVWRlJTQmtaQ0JOVFUxTlRTQjVlWGw1TENCSVNEcHRiVHB6Y3lJK0RRb0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0FnSUhnOUlqVTFNQ0lnZVQwaU5qY2lJSGRwWkhSb1BTSXlOVEFpSUdobGFXZG9kRDBpTWpBaUlIVjFhV1E5SWpBNVlUZGxNamN5TFRJd05HVXROREEzT0MwNFlUVmxMV1UwTnpJM05UYzBNalJqTVNJdlBnMEtDUWtKQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFJsZUhSQmJHbG5ibTFsYm5ROUlsSnBaMmgwSWlCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWo0TkNna0pDUWtKQ1FrOFptOXVkQ0JwYzBKdmJHUTlJbVpoYkhObElpOCtEUW9KQ1FrSkNRazhMM1JsZUhSRmJHVnRaVzUwUGcwS0NRa0pDUWtKUEhSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYmJtVjNJR3BoZG1FdWRYUnBiQzVFWVhSbEtDbGRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1R3dmRHVjRkRVpwWld4a1BnMEtDUWtKQ1FrOGMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUNBZ2VEMGlOREF3SWlCNVBTSTJOeUlnZDJsa2RHZzlJakUxTUNJZ2FHVnBaMmgwUFNJeU1DSWdkWFZwWkQwaVlqQmlPVGN4TkdZdE9UWm1OUzAwWmpVNExUZ3lOR0l0WXpneFptUTBaRE15TVdZM0lpOCtEUW9KQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKUEhSbGVIUStQQ0ZiUTBSQlZFRmJVbVZ3YjNKMElHZGxibVZ5WVhSbFpDQnZianBkWFQ0OEwzUmxlSFErRFFvSkNRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKUEhSbGVIUkdhV1ZzWkNCbGRtRnNkV0YwYVc5dVZHbHRaVDBpVW1Wd2IzSjBJaUJwYzBKc1lXNXJWMmhsYms1MWJHdzlJblJ5ZFdVaVBnMEtDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnSUNCNFBTSTFOVEFpSUhrOUlqZzNJaUIzYVdSMGFEMGlNalV3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNJNE9USTFNVEl4TVMwelpqUTVMVFEzTVdRdFlqZzRaQzAxTlRZMFl6RmlaREEwWkRFaUx6NE5DZ2tKQ1FrSkNUeDBaWGgwUld4bGJXVnVkQ0IwWlhoMFFXeHBaMjV0Wlc1MFBTSlNhV2RvZENJZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJK0RRb0pDUWtKQ1FrSlBHWnZiblFnYVhOQ2IyeGtQU0ptWVd4elpTSXZQZzBLQ1FrSkNRa0pQQzkwWlhoMFJXeGxiV1Z1ZEQ0TkNna0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5UldlMUpGVUU5U1ZGOURUMVZPVkgxZFhUNDhMM1JsZUhSR2FXVnNaRVY0Y0hKbGMzTnBiMjQrRFFvSkNRa0pDVHd2ZEdWNGRFWnBaV3hrUGcwS0NRa0pDUWtOQ2drSkNRazhMMkpoYm1RK0RRb0pDUWs4TDNScGRHeGxQZzBLQ1FrSlBIQmhaMlZJWldGa1pYSStEUW9KQ1FrSlBHSmhibVFnYzNCc2FYUlVlWEJsUFNKVGRISmxkR05vSWk4K0RRb0pDUWs4TDNCaFoyVklaV0ZrWlhJK0RRb0pDUWs4WTI5c2RXMXVTR1ZoWkdWeVBnMEtDUWtKQ1R4aVlXNWtJR2hsYVdkb2REMGlNalFpSUhOd2JHbDBWSGx3WlQwaVUzUnlaWFJqYUNJK0RRb0pDUWtKQ1R4bWNtRnRaVDROQ2drSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElDQWdiVzlrWlQwaVZISmhibk53WVhKbGJuUWlJSGc5SWpFaUlIazlJalVpSUhkcFpIUm9QU0k0TURBaUlHaGxhV2RvZEQwaU1Ua2lJR2x6VW1WdGIzWmxUR2x1WlZkb1pXNUNiR0Z1YXowaWRISjFaU0lnZFhWcFpEMGlNMlU0Wm1Sa05tUXRZVFptWmkwME5EQTNMVGxoTVdVdE5XUTJZalEzTURZek1EQmhJaTgrRFFvSkNRa0pDUWs4YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0FnSUhnOUlqQWlJSGs5SWpBaUlIZHBaSFJvUFNJeE1Ua2lJR2hsYVdkb2REMGlNVGdpSUhWMWFXUTlJamcyWXpjMFltVmlMV0prWkdRdE5EaGpZeTA1TkRWaExURTJOMkl5TmpGaU1XVXdZaUl2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSV3hsYldWdWRDQjJaWEowYVdOaGJFRnNhV2R1YldWdWREMGlUV2xrWkd4bElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhRK1BDRmJRMFJCVkVGYlRtRnRaVjFkUGp3dmRHVjRkRDROQ2drSkNRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUNBZ2VEMGlNVEU1SWlCNVBTSXdJaUIzYVdSMGFEMGlNVEF3SWlCb1pXbG5hSFE5SWpFNElpQjFkV2xrUFNJNE5tTTNOR0psWWkxaVpHUmtMVFE0WTJNdE9UUTFZUzB4TmpkaU1qWXhZakZsTUdJaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBQandoVzBORVFWUkJXMFpwY25OMElHNWhiV1ZkWFQ0OEwzUmxlSFErRFFvSkNRa0pDUWs4TDNOMFlYUnBZMVJsZUhRK0RRb0pDUWtKQ1FrOGMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENBZ0lIZzlJakl4T1NJZ2VUMGlNQ0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeE9DSWdkWFZwWkQwaU9EWmpOelJpWldJdFltUmtaQzAwT0dOakxUazBOV0V0TVRZM1lqSTJNV0l4WlRCaUlpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRNWVhOMElHNWhiV1ZkWFQ0OEwzUmxlSFErRFFvSkNRa0pDUWs4TDNOMFlYUnBZMVJsZUhRK0RRb0pDUWtKQ1FrOGMzUmhkR2xqVkdWNGRENE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENBZ0lIZzlJak14T1NJZ2VUMGlNQ0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeE9DSWdkWFZwWkQwaU9EWmpOelJpWldJdFltUmtaQzAwT0dOakxUazBOV0V0TVRZM1lqSTJNV0l4WlRCaUlpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRDQ4SVZ0RFJFRlVRVnRCWTNScGRtRjBhVzl1WFYwK1BDOTBaWGgwUGcwS0NRa0pDUWtKUEM5emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSlBITjBZWFJwWTFSbGVIUStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ0lDQjRQU0kwTVRraUlIazlJakFpSUhkcFpIUm9QU0l4TURBaUlHaGxhV2RvZEQwaU1UZ2lJSFYxYVdROUlqSm1abVF5TWpoaUxUaGlPRGN0TkdKak5pMWhPV1F5TFRNeFpUaGhNbVExWkdKaU55SXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMlpYSjBhV05oYkVGc2FXZHViV1Z1ZEQwaVRXbGtaR3hsSWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFErUENGYlEwUkJWRUZiVW05c1pWMWRQand2ZEdWNGRENE5DZ2tKQ1FrSkNUd3ZjM1JoZEdsalZHVjRkRDROQ2drSkNRa0pDVHh6ZEdGMGFXTlVaWGgwUGcwS0NRa0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJQ0FnZUQwaU5URTVJaUI1UFNJd0lpQjNhV1IwYUQwaU1UQXdJaUJvWldsbmFIUTlJakU0SWlCMWRXbGtQU0l5WXpSbVlXVmlNeTFrTVRsakxUUmpNV1V0WW1aaVppMHhZakV3WTJWalpUaGhaVGdpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVZzWlcxbGJuUWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFBqd2hXME5FUVZSQlcwOXlaMkZ1YVhwaGRHbHZibDFkUGp3dmRHVjRkRDROQ2drSkNRa0pDVHd2YzNSaGRHbGpWR1Y0ZEQ0TkNna0pDUWtKQ1R4emRHRjBhV05VWlhoMFBnMEtDUWtKQ1FrSkNUeHlaWEJ2Y25SRmJHVnRaVzUwSUNBZ2VEMGlOakU1SWlCNVBTSXdJaUIzYVdSMGFEMGlNVGd4SWlCb1pXbG5hSFE5SWpFNElpQjFkV2xrUFNJME5ESmxaV0l5TkMwMlpUUTJMVFE0WmpjdE9HRmhNQzFqWWpOaFlqTmlPR05pT0RNaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBQandoVzBORVFWUkJXMEZqWTI5MWJuUnpYVjArUEM5MFpYaDBQZzBLQ1FrSkNRa0pQQzl6ZEdGMGFXTlVaWGgwUGcwS0NRa0pDUWs4TDJaeVlXMWxQZzBLQ1FrSkNUd3ZZbUZ1WkQ0TkNna0pDVHd2WTI5c2RXMXVTR1ZoWkdWeVBnMEtDUWtKUEdSbGRHRnBiRDROQ2drSkNRazhZbUZ1WkNCb1pXbG5hSFE5SWpJd0lpQnpjR3hwZEZSNWNHVTlJbE4wY21WMFkyZ2lQZzBLQ1FrSkNRazhabkpoYldVK0RRb0pDUWtKQ1FrOGNtVndiM0owUld4bGJXVnVkQ0FnSUhnOUlqQWlJSGs5SWpFaUlIZHBaSFJvUFNJNE1EQWlJR2hsYVdkb2REMGlNVGtpSUhWMWFXUTlJak5sT0daa1pEWmtMV0UyWm1ZdE5EUXdOeTA1WVRGbExUVmtObUkwTnpBMk16QXdZU0l2UGcwS0NRa0pDUWtKUEhSbGVIUkdhV1ZzWkNCcGMxTjBjbVYwWTJoWGFYUm9UM1psY21ac2IzYzlJblJ5ZFdVaUlHbHpRbXhoYm10WGFHVnVUblZzYkQwaWRISjFaU0krRFFvSkNRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdJQ0I0UFNJd0lpQjVQU0l4SWlCM2FXUjBhRDBpTVRJd0lpQm9aV2xuYUhROUlqRTRJaUIxZFdsa1BTSmxZbUZsWmpFMlpDMHlPVEF6TFRRd01qa3RPV0UyWWkxa05HUXlORFExTlRoaFpUa2lMejROQ2drSkNRa0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnMEtDUWtKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJHZTI1aGJXVjlYVjArUEM5MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBnMEtDUWtKQ1FrSlBDOTBaWGgwUm1sbGJHUStEUW9KQ1FrSkNRazhkR1Y0ZEVacFpXeGtJR2x6VTNSeVpYUmphRmRwZEdoUGRtVnlabXh2ZHowaWRISjFaU0lnYVhOQ2JHRnVhMWRvWlc1T2RXeHNQU0owY25WbElqNE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENBZ0lIZzlJakV5TUNJZ2VUMGlNU0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeE9DSWdkWFZwWkQwaU1qaGlZamxpTkRjdFlUWTVZeTAwT0dVeExUa3dOek10WkRVMFpEa3lOakkwTW1VNElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWc2tSbnRuYVhabGJrNWhiV1Y5WFYwK1BDOTBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQZzBLQ1FrSkNRa0pQQzkwWlhoMFJtbGxiR1ErRFFvSkNRa0pDUWs4ZEdWNGRFWnBaV3hrSUdselUzUnlaWFJqYUZkcGRHaFBkbVZ5Wm14dmR6MGlkSEoxWlNJZ2FYTkNiR0Z1YTFkb1pXNU9kV3hzUFNKMGNuVmxJajROQ2drSkNRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQWdJSGc5SWpJeU1DSWdlVDBpTVNJZ2QybGtkR2c5SWpFd01DSWdhR1ZwWjJoMFBTSXhPQ0lnZFhWcFpEMGlNamhpWWpsaU5EY3RZVFk1WXkwME9HVXhMVGt3TnpNdFpEVTBaRGt5TmpJME1tVTRJaTgrRFFvSkNRa0pDUWtKUEhSbGVIUkZiR1Z0Wlc1MElIWmxjblJwWTJGc1FXeHBaMjV0Wlc1MFBTSk5hV1JrYkdVaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVacFpXeGtSWGh3Y21WemMybHZiajQ4SVZ0RFJFRlVRVnNrUm50bVlXMXBiSGxPWVcxbGZWMWRQand2ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0TkNna0pDUWtKQ1R3dmRHVjRkRVpwWld4a1BnMEtDUWtKQ1FrSkRRb0pDUWtKQ1FrOGMzVmljbVZ3YjNKMElHbHpWWE5wYm1kRFlXTm9aVDBpZEhKMVpTSStEUW9KQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2NHOXphWFJwYjI1VWVYQmxQU0pHYkc5aGRDSWdlRDBpTkRJd0lpQjVQU0l3SWlCM2FXUjBhRDBpTVRBd0lpQm9aV2xuYUhROUlqRTRJaUJwYzFCeWFXNTBWMmhsYmtSbGRHRnBiRTkyWlhKbWJHOTNjejBpZEhKMVpTSWdkWFZwWkQwaU5qQXlPREl6TTJVdE4yVTJaUzAwWXprMkxXSTBObU10WVdKbVlXUmlaRGt6Tm1ZNUlpOCtEUW9KQ1FrSkNRa0pEUW9KQ1FrSkNRa0pQSE4xWW5KbGNHOXlkRkJoY21GdFpYUmxjaUJ1WVcxbFBTSnphR0ZrYjNkUGFXUnpJajROQ2drSkNRa0pDUWtKUEhOMVluSmxjRzl5ZEZCaGNtRnRaWFJsY2tWNGNISmxjM05wYjI0K1BDRmJRMFJCVkVGYkpFWjdiR2x1YTMxZFhUNDhMM04xWW5KbGNHOXlkRkJoY21GdFpYUmxja1Y0Y0hKbGMzTnBiMjQrRFFvSkNRa0pDUWtKUEM5emRXSnlaWEJ2Y25SUVlYSmhiV1YwWlhJK0RRb0pDUWtKQ1FrSkRRb0pDUWtKQ1FrOEwzTjFZbkpsY0c5eWRENE5DZ2tKQ1FrSkNUeHNhVzVsUGcwS0NRa0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSEJ2YzJsMGFXOXVWSGx3WlQwaVJtbDRVbVZzWVhScGRtVlViMEp2ZEhSdmJTSWdlRDBpTUNJZ2VUMGlNVGNpSUhkcFpIUm9QU0k0TURBaUlHaGxhV2RvZEQwaU1TSWdkWFZwWkQwaVlUVTVNV1EwWXpFdE1XTmhaQzAwWkdFeUxUbG1PV1F0TURneFpqVXpPV1U1TURReklpOCtEUW9KQ1FrSkNRa0pQR2R5WVhCb2FXTkZiR1Z0Wlc1MFBnMEtDUWtKQ1FrSkNRazhjR1Z1SUd4cGJtVlhhV1IwYUQwaU1DNDFJaUJzYVc1bFEyOXNiM0k5SWlNNU9UazVPVGtpTHo0TkNna0pDUWtKQ1FrOEwyZHlZWEJvYVdORmJHVnRaVzUwUGcwS0NRa0pDUWtKUEM5c2FXNWxQZzBLQ1FrSkNRazhMMlp5WVcxbFBnMEtDUWtKQ1R3dlltRnVaRDROQ2drSkNUd3ZaR1YwWVdsc1BnMEtDUWtKUEdOdmJIVnRia1p2YjNSbGNqNE5DZ2tKQ1FrOFltRnVaQ0JvWldsbmFIUTlJamNpSUhOd2JHbDBWSGx3WlQwaVUzUnlaWFJqYUNJK0RRb0pDUWtKQ1R4c2FXNWxQZzBLQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ2NHOXphWFJwYjI1VWVYQmxQU0pHYVhoU1pXeGhkR2wyWlZSdlFtOTBkRzl0SWlCNFBTSXdJaUI1UFNJeklpQjNhV1IwYUQwaU9EQXdJaUJvWldsbmFIUTlJakVpSUhWMWFXUTlJbUUxT1RGa05HTXhMVEZqWVdRdE5HUmhNaTA1Wmpsa0xUQTRNV1kxTXpsbE9UQTBNeUl2UGcwS0NRa0pDUWtKUEdkeVlYQm9hV05GYkdWdFpXNTBQZzBLQ1FrSkNRa0pDVHh3Wlc0Z2JHbHVaVmRwWkhSb1BTSXdMalVpSUd4cGJtVkRiMnh2Y2owaUl6azVPVGs1T1NJdlBnMEtDUWtKQ1FrSlBDOW5jbUZ3YUdsalJXeGxiV1Z1ZEQ0TkNna0pDUWtKUEM5c2FXNWxQZzBLQ1FrSkNUd3ZZbUZ1WkQ0TkNna0pDVHd2WTI5c2RXMXVSbTl2ZEdWeVBnMEtDUWtKUEhCaFoyVkdiMjkwWlhJK0RRb0pDUWtKUEdKaGJtUWdhR1ZwWjJoMFBTSXpNaUlnYzNCc2FYUlVlWEJsUFNKVGRISmxkR05vSWo0TkNna0pDUWtKUEdaeVlXMWxQZzBLQ1FrSkNRa0pQSEpsY0c5eWRFVnNaVzFsYm5RZ0lDQnRiMlJsUFNKVWNtRnVjM0JoY21WdWRDSWdlRDBpTUNJZ2VUMGlNU0lnZDJsa2RHZzlJamd3TUNJZ2FHVnBaMmgwUFNJeU5DSWdkWFZwWkQwaVptSmxPR0ZoWlRRdE5qVXdNQzAwTmpoaExXSXhaVGd0TnpBd1lqVTJPVEV6T1dFeElpOCtEUW9KQ1FrSkNRazhkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElDQWdlRDBpTmpnd0lpQjVQU0l4SWlCM2FXUjBhRDBpT0RBaUlHaGxhV2RvZEQwaU1qQWlJSFYxYVdROUlqVmpNRFl5WXpZMkxXSmhORFV0TkRJNE9DMDVaR05rTFRJME5tVXlPR00xWVdZM05TSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJXeGxiV1Z1ZENCMFpYaDBRV3hwWjI1dFpXNTBQU0pTYVdkb2RDSWdkbVZ5ZEdsallXeEJiR2xuYm0xbGJuUTlJazFwWkdSc1pTSXZQZzBLQ1FrSkNRa0pDVHgwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCV3lKUVlXZGxJQ0lySkZaN1VFRkhSVjlPVlUxQ1JWSjlLeUlnYjJZaVhWMCtQQzkwWlhoMFJtbGxiR1JGZUhCeVpYTnphVzl1UGcwS0NRa0pDUWtKUEM5MFpYaDBSbWxsYkdRK0RRb0pDUWtKQ1FrOGRHVjRkRVpwWld4a0lIQmhkSFJsY200OUlrVkZSVVZGSUdSa0lFMU5UVTFOSUhsNWVYa2lQZzBLQ1FrSkNRa0pDVHh5WlhCdmNuUkZiR1Z0Wlc1MElDQWdlRDBpTWlJZ2VUMGlNU0lnZDJsa2RHZzlJakU1TnlJZ2FHVnBaMmgwUFNJeU1DSWdkWFZwWkQwaU1qaGlZamxpTkRjdFlUWTVZeTAwT0dVeExUa3dOek10WkRVMFpEa3lOakkwTW1VNElpOCtEUW9KQ1FrSkNRa0pQSFJsZUhSRmJHVnRaVzUwSUhabGNuUnBZMkZzUVd4cFoyNXRaVzUwUFNKTmFXUmtiR1VpTHo0TkNna0pDUWtKQ1FrOGRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWdHVaWGNnYW1GMllTNTFkR2xzTGtSaGRHVW9LVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRa0pQSFJsZUhSR2FXVnNaQ0JsZG1Gc2RXRjBhVzl1VkdsdFpUMGlVbVZ3YjNKMElqNE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENBZ0lIZzlJamMyTUNJZ2VUMGlNU0lnZDJsa2RHZzlJalF3SWlCb1pXbG5hSFE5SWpJd0lpQjFkV2xrUFNJNU16UmlNVFpsT0Mxak0yVmlMVFF3TVRjdE9EWTJZUzB3WWpjM016Vmlaakk1TVRjaUx6NE5DZ2tKQ1FrSkNRazhkR1Y0ZEVWc1pXMWxiblFnZG1WeWRHbGpZV3hCYkdsbmJtMWxiblE5SWsxcFpHUnNaU0l2UGcwS0NRa0pDUWtKQ1R4MFpYaDBSbWxsYkdSRmVIQnlaWE56YVc5dVBqd2hXME5FUVZSQld5SWdJaUFySUNSV2UxQkJSMFZmVGxWTlFrVlNmVjFkUGp3dmRHVjRkRVpwWld4a1JYaHdjbVZ6YzJsdmJqNE5DZ2tKQ1FrSkNUd3ZkR1Y0ZEVacFpXeGtQZzBLQ1FrSkNRazhMMlp5WVcxbFBnMEtDUWtKQ1R3dlltRnVaRDROQ2drSkNUd3ZjR0ZuWlVadmIzUmxjajROQ2drSlBDOXFZWE53WlhKU1pYQnZjblEr</template>
-   <templateStyle>UEQ5NGJXd2dkbVZ5YzJsdmJqMGlNUzR3SWo4K0RRbzhJVVJQUTFSWlVFVWdhbUZ6Y0dWeVZHVnRjR3hoZEdVTkNpQWdVRlZDVEVsRElDSXRMeTlLWVhOd1pYSlNaWEJ2Y25Sekx5OUVWRVFnVkdWdGNHeGhkR1V2TDBWT0lnMEtJQ0FpYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDJSMFpITXZhbUZ6Y0dWeWRHVnRjR3hoZEdVdVpIUmtJajROQ2p4cVlYTndaWEpVWlcxd2JHRjBaVDROQ2lBZ0lDQUpDVHh6ZEhsc1pTQm1iMjUwVTJsNlpUMGlNVEFpSUdoQmJHbG5iajBpVEdWbWRDSWdhWE5FWldaaGRXeDBQU0owY25WbElpQnBjMUJrWmtWdFltVmtaR1ZrUFNKbVlXeHpaU0lnYm1GdFpUMGlRbUZ6WlNJTkNna0pDUWtnSUNCd1pHWkZibU52WkdsdVp6MGlRM0F4TWpVeUlnMEtDUWtKQ1NBZ0lIQmtaa1p2Ym5ST1lXMWxQU0pJWld4MlpYUnBZMkVpRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2RrRnNhV2R1UFNKTmFXUmtiR1VpTHo0TkNna0pDVHh6ZEhsc1pTQmlZV05yWTI5c2IzSTlJaU15TmpjNU9UUWlJR1p2Ym5SVGFYcGxQU0l5TmlJZ1ptOXlaV052Ykc5eVBTSWpSa1pHUmtaR0lpQnBjMFJsWm1GMWJIUTlJbVpoYkhObElnMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRzF2WkdVOUlrOXdZWEYxWlNJTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnVZVzFsUFNKVWFYUnNaU0lOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCemRIbHNaVDBpUW1GelpTSXZQZzBLQ1FrSlBITjBlV3hsSUdadmJuUlRhWHBsUFNJeE1pSWdabTl5WldOdmJHOXlQU0lqTURBd01EQXdJaUJwYzBSbFptRjFiSFE5SW1aaGJITmxJaUJ1WVcxbFBTSlFZV2RsSUdobFlXUmxjaUlOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCemRIbHNaVDBpUW1GelpTSXZQZzBLQ1FrSlBITjBlV3hsSUdKaFkydGpiMnh2Y2owaUl6TXpNek16TXlJZ1ptOXVkRk5wZW1VOUlqRXlJaUJtYjNKbFkyOXNiM0k5SWlOR1JrWkdSa1lpSUdoQmJHbG5iajBpUTJWdWRHVnlJZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdselJHVm1ZWFZzZEQwaVptRnNjMlVpRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2JXOWtaVDBpVDNCaGNYVmxJZzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUc1aGJXVTlJa052YkhWdGJpQm9aV0ZrWlhJaURRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjM1I1YkdVOUlrSmhjMlVpTHo0TkNna0pDVHh6ZEhsc1pTQnBjMEp2YkdROUltWmhiSE5sSWlCcGMwUmxabUYxYkhROUltWmhiSE5sSWlCdVlXMWxQU0pFWlhSaGFXd2lJSE4wZVd4bFBTSkNZWE5sSWk4K0RRb0pDUWs4YzNSNWJHVWdabTl1ZEZOcGVtVTlJamtpSUdadmNtVmpiMnh2Y2owaUl6QXdNREF3TUNJZ2FYTkVaV1poZFd4MFBTSm1ZV3h6WlNJZ2JtRnRaVDBpVUdGblpTQm1iMjkwWlhJaURRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdjM1I1YkdVOUlrSmhjMlVpTHo0TkNna0pQQzlxWVhOd1pYSlVaVzF3YkdGMFpUND0=</templateStyle>
-	<orientation>landscape</orientation>
-	<export>pdf</export>
-	<!-- set to true if report needs hibernate session (e.g. hql query is used) -->
-	<field>
-		<nameReport>Name</nameReport>
-		<nameHeader>Name</nameHeader>
-		<itemPath>c:name</itemPath>
-		<sortOrderNumber>1</sortOrderNumber>
-		<sortOrder>ascending</sortOrder>
-		<width>10</width>
-		<classType>t:PolyStringType</classType>
-	</field>
-	<field>
-		<nameReport>FirstName</nameReport>
-		<nameHeader>First Name</nameHeader>
-		<itemPath>c:givenName</itemPath>
-		<width>10</width>
-		<classType>t:PolyStringType</classType>
-	</field>
-	<field>
-		<nameReport>LastName</nameReport>
-		<nameHeader>Last Name</nameHeader>
-		<itemPath>c:familyName</itemPath>
-		<width>10</width>
-		<classType>t:PolyStringType</classType>
-	</field>
-	<field>
-		<nameReport>Activation</nameReport>
-		<nameHeader>Activation</nameHeader>
-		<itemPath>c:activation/c:administrativeStatus</itemPath>
-		<width>10</width>
-		<classType>c:ActivationStatusType</classType>
-	</field>
-	<field>
-		<nameReport>role</nameReport>
-		<nameHeader>Role</nameHeader>
-		<itemPath>c:Name</itemPath>
-		<width>10</width>
-		<classType>t:PolyString</classType>
-	</field>
-	<field>
-		<nameReport>organization</nameReport>
-		<nameHeader>Organization</nameHeader>
-		<itemPath>c:Name</itemPath>
-		<width>10</width>
-		<classType>t:PolyString</classType>
-	</field>
-	<field>
-		<nameReport>accounts</nameReport>
-		<nameHeader>Accounts</nameHeader>
-		<itemPath>c:Name</itemPath>
-		<width>20</width>
-		<classType>t:PolyString</classType>
-	</field>
-	<!-- configuration properties -->
-	
-	<!-- report parameters configuration schema sample with different options -->
-	<configurationSchema>
-		<definition>
-			<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-                    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
-                    xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report"
-                    elementFormDefault="qualified"
-                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/report">
-
-				<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/query-3"/>
-
-				<xsd:complexType name="ConfigurationType">
-					<xsd:annotation>
-						<xsd:appinfo>
-							<a:container/>
-						</xsd:appinfo>
-					</xsd:annotation>
-					<xsd:sequence>
-						<!-- HQL query for jasper design (queryString element) -->
-						<xsd:element name="hqlQuery" type="xsd:string"/>
-					</xsd:sequence>
-				</xsd:complexType>
-				<xsd:element name="configuration" type="r:ConfigurationType"/>
-			</xsd:schema>
-		</definition>
-	</configurationSchema>
-</report>
diff --git a/model/report-impl/src/test/resources/reports/reportUserOrgs.xml b/model/report-impl/src/test/resources/reports/reportUserOrgs.xml
deleted file mode 100644
index e7725be3ca3..00000000000
--- a/model/report-impl/src/test/resources/reports/reportUserOrgs.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		oid="USERORGS-3333-3333-TEST-10000000000"
-        version="0">
-	<name>User orgs subreport</name>
-	<description>User orgs subreport for midpoint users.</description>
-	<!-- flag if this report is "parent" report, used for gui -->
-	<parent>false</parent>
-	<template>UEdwaGMzQmxjbEpsY0c5eWRDQU5DaUFnSUNBSkNYaHRiRzV6UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeUlnRFFvSkNRbDRiV3h1Y3pwNGMyazlJbWgwZEhBNkx5OTNkM2N1ZHpNdWIzSm5Mekl3TURFdldFMU1VMk5vWlcxaExXbHVjM1JoYm1ObElpQU5DZ2tKQ1hoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOXFZWE53WlhKeVpYQnZjblF1ZUhOa0lpQU5DZ2tKQ1c1aGJXVTlJbkpsY0c5eWRGVnpaWEpQY21keklpQU5DZ2tKQ1dOdmJIVnRia052ZFc1MFBTSXlJaUFOQ2drSkNYQmhaMlZYYVdSMGFEMGlNVEV3SWlBTkNna0pDWEJoWjJWSVpXbG5hSFE5SWpFNElpQU5DZ2tKQ1hkb1pXNU9iMFJoZEdGVWVYQmxQU0pCYkd4VFpXTjBhVzl1YzA1dlJHVjBZV2xzSWlBTkNna0pDV052YkhWdGJsZHBaSFJvUFNJMU5DSWdEUW9KQ1FsamIyeDFiVzVUY0dGamFXNW5QU0l4SWlBTkNna0pDV3hsWm5STllYSm5hVzQ5SWpBaUlBMEtDUWtKY21sbmFIUk5ZWEpuYVc0OUlqQWlJQTBLQ1FrSmRHOXdUV0Z5WjJsdVBTSXdJaUFOQ2drSkNXSnZkSFJ2YlUxaGNtZHBiajBpTUNJZ0RRb0pDUWwxZFdsa1BTSTJOMlUwTmpWak5TMDBObVZoTFRRd1pESXRZbVZoTUMwME5qbGpObU5tTXpnNU16Y2lQZzBLQ1FrSlBIQnliM0JsY25SNUlHNWhiV1U5SW01bGRDNXpaaTVxWVhOd1pYSnlaWEJ2Y25SekxtRjNkQzVwWjI1dmNtVXViV2x6YzJsdVp5NW1iMjUwSWlCMllXeDFaVDBpZEhKMVpTSXZQZzBLQ1FrSlBIQnliM0JsY25SNUlHNWhiV1U5SW01bGRDNXpaaTVxWVhOd1pYSnlaWEJ2Y25SekxtVjRjRzl5ZEM1d1pHWXVabTl5WTJVdWJHbHVaV0p5WldGckxuQnZiR2xqZVNJZ2RtRnNkV1U5SW5SeWRXVWlMejROQ2drSkNUeHpkSGxzWlNCbWIyNTBUbUZ0WlQwaVJHVnFZVloxSUZOaGJuTWlJR1p2Ym5SVGFYcGxQU0l4TUNJZ2FFRnNhV2R1UFNKTVpXWjBJaUJwYzBSbFptRjFiSFE5SW5SeWRXVWlJR2x6VUdSbVJXMWlaV1JrWldROUluUnlkV1VpSUEwS0NRa0pDU0FnSUc1aGJXVTlJa0poYzJVaUlIQmtaa1Z1WTI5a2FXNW5QU0pKWkdWdWRHbDBlUzFJSWlCd1pHWkdiMjUwVG1GdFpUMGlSR1ZxWVZaMVUyRnVjeTUwZEdZaUlIWkJiR2xuYmowaVRXbGtaR3hsSWo0TkNna0pDVHd2YzNSNWJHVStEUW9KQ1FrOGMzUjViR1VnYVhOQ2IyeGtQU0ptWVd4elpTSWdhWE5FWldaaGRXeDBQU0ptWVd4elpTSWdibUZ0WlQwaVJHVjBZV2xzSWlCemRIbHNaVDBpUW1GelpTSXZQZzBLQ1FrSlBIQmhjbUZ0WlhSbGNpQnVZVzFsUFNKMWMyVnlUMmxrSWlCamJHRnpjejBpYW1GMllTNXNZVzVuTGxOMGNtbHVaeUl2UGcwS0NRa0pQSEJoY21GdFpYUmxjaUJ1WVcxbFBTSm9jV3hSZFdWeWVVOXlaM01pSUdOc1lYTnpQU0pxWVhaaExteGhibWN1VTNSeWFXNW5JaTgrRFFvSkNRazhjWFZsY25sVGRISnBibWNnYkdGdVozVmhaMlU5SW1oeGJDSStQQ0ZiUTBSQlZFRmJKRkFoZTJoeGJGRjFaWEo1VDNKbmMzMWRYVDQ4TDNGMVpYSjVVM1J5YVc1blBnMEtDUWtKUEdacFpXeGtJRzVoYldVOUltOXlaMDVoYldVaUlHTnNZWE56UFNKcVlYWmhMbXhoYm1jdVUzUnlhVzVuSWk4K0RRb0pDUWs4WkdWMFlXbHNQZzBLQ1FrSkNUeGlZVzVrSUdobGFXZG9kRDBpTVRnaUlITndiR2wwVkhsd1pUMGlVM1J5WlhSamFDSStEUW9KQ1FrSkNUeG1jbUZ0WlQ0TkNna0pDUWtKQ1R4eVpYQnZjblJGYkdWdFpXNTBJSFYxYVdROUlqTmxPR1prWkRaa0xXRTJabVl0TkRRd055MDVZVEZsTFRWa05tSTBOekEyTXpBd1lTSWdjRzl6YVhScGIyNVVlWEJsUFNKR2JHOWhkQ0lnYzNSNWJHVTlJa1JsZEdGcGJDSWdiVzlrWlQwaVQzQmhjWFZsSWlCNFBTSXdJaUI1UFNJeElpQjNhV1IwYUQwaU1UQXdJaUJvWldsbmFIUTlJakUzSWk4K0RRb0pDUWtKQ1FrOGJHbHVaVDROQ2drSkNRa0pDUWs4Y21Wd2IzSjBSV3hsYldWdWRDQjFkV2xrUFNJME4yWTVNVGd3TVMxalpqVm1MVFJpWldRdFlqRTVZeTFqWVRNNU16RmpZbVk1T0dRaUlIQnZjMmwwYVc5dVZIbHdaVDBpUm1sNFVtVnNZWFJwZG1WVWIxUnZjQ0lnYlc5a1pUMGlUM0JoY1hWbElpQjRQU0l3SWlCNVBTSXdJaUIzYVdSMGFEMGlNVEF3SWlCb1pXbG5hSFE5SWpFaUlHWnZjbVZqYjJ4dmNqMGlJek16TXpNek15SStEUW9KQ1FrSkNRa0pDVHh3Y21sdWRGZG9aVzVGZUhCeVpYTnphVzl1UGp3aFcwTkVRVlJCVzI1bGR5QnFZWFpoTG14aGJtY3VRbTl2YkdWaGJpZ29hVzUwS1NSV2UxSkZVRTlTVkY5RFQxVk9WSDB1YVc1MFZtRnNkV1VvS1NFOU1TbGRYVDQ4TDNCeWFXNTBWMmhsYmtWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1FrSlBDOXlaWEJ2Y25SRmJHVnRaVzUwUGcwS0NRa0pDUWtKQ1R4bmNtRndhR2xqUld4bGJXVnVkRDROQ2drSkNRa0pDUWtKUEhCbGJpQnNhVzVsVjJsa2RHZzlJakF1TlNJZ2JHbHVaVU52Ykc5eVBTSWpPVGs1T1RrNUlpOCtEUW9KQ1FrSkNRa0pQQzluY21Gd2FHbGpSV3hsYldWdWRENE5DZ2tKQ1FrSkNUd3ZiR2x1WlQ0TkNna0pDUWtKQ1R4MFpYaDBSbWxsYkdRZ2FYTlRkSEpsZEdOb1YybDBhRTkyWlhKbWJHOTNQU0owY25WbElqNE5DZ2tKQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0psWW1GbFpqRTJaQzB5T1RBekxUUXdNamt0T1dFMllpMWtOR1F5TkRRMU5UaGhaVGtpSUhOMGVXeGxQU0pFWlhSaGFXd2lJSGc5SWpBaUlIazlJaklpSUhkcFpIUm9QU0l4TURBaUlHaGxhV2RvZEQwaU1UTWlMejROQ2drSkNRa0pDUWs4ZEdWNGRFVnNaVzFsYm5RZ2RtVnlkR2xqWVd4QmJHbG5ibTFsYm5ROUlrMXBaR1JzWlNJdlBnMEtDUWtKQ1FrSkNUeDBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQandoVzBORVFWUkJXeVJHZTI5eVowNWhiV1Y5WFYwK1BDOTBaWGgwUm1sbGJHUkZlSEJ5WlhOemFXOXVQaUFOQ2drSkNRa0pDVHd2ZEdWNGRFWnBaV3hrUGcwS0NRa0pDUWs4TDJaeVlXMWxQZzBLQ1FrSkNUd3ZZbUZ1WkQ0TkNna0pDVHd2WkdWMFlXbHNQZzBLQ1FrOEwycGhjM0JsY2xKbGNHOXlkRDQ9</template>
-	<orientation>landscape</orientation>
-	<export>pdf</export>
-	<!-- set to true if report needs hibernate session (e.g. hql query is used) -->
-	<useHibernateSession>true</useHibernateSession>
-	<field>
-		<nameReport>orgName</nameReport>
-		<nameHeader>Name</nameHeader>
-		<itemPath>c:name</itemPath>
-		<width>100</width>
-		<classType>t:PolyStringType</classType>
-	</field>
-	<!-- configuration properties -->
-	<configuration xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report">
-		<r:hqlQueryOrgs>
-			select o.displayName.orig as orgName 
-			from RAssignment as a, 
-			ROrg as o 
-			where a.targetRef.type = 15 and a.targetRef.targetOid = o.oid and a.owner.oid = $P{userOid}
-		</r:hqlQueryOrgs>
-	</configuration>
-	<!-- report parameters configuration schema sample with different options -->
-	<configurationSchema>
-		<definition>
-			<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-                    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
-                    xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report"
-                    elementFormDefault="qualified"
-                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/report">
-
-				<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/query-3"/>
-
-				<xsd:complexType name="ConfigurationType">
-					<xsd:annotation>
-						<xsd:appinfo>
-							<a:container/>
-						</xsd:appinfo>
-					</xsd:annotation>
-					<xsd:sequence>
-						<!-- HQL query for jasper design (queryString element) -->
-						<xsd:element name="hqlQueryOrgs" type="xsd:string"/>
-					</xsd:sequence>
-				</xsd:complexType>
-				<xsd:element name="configuration" type="r:ConfigurationType"/>
-			</xsd:schema>
-		</definition>
-	</configurationSchema>
-</report>
diff --git a/model/report-impl/src/test/resources/reports/reportUserRoles.xml b/model/report-impl/src/test/resources/reports/reportUserRoles.xml
deleted file mode 100644
index 13481a9d3ab..00000000000
--- a/model/report-impl/src/test/resources/reports/reportUserRoles.xml
+++ /dev/null
@@ -1,76 +0,0 @@
-<!--
-  ~ Copyright (c) 2010-2017 Evolveum
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-<report xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
-        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-		oid="USERROLE-3333-3333-TEST-10000000000"
-        version="0">
-	<name>User roles subreport</name>
-	<description>User roles subreport for midpoint users.</description>
-	<!-- flag if this report is "parent" report, used for gui -->
-	<parent>false</parent>
-	<template>UEdwaGMzQmxjbEpsY0c5eWRDQU5DaUFnSUNBSkNYaHRiRzV6UFNKb2RIUndPaTh2YW1GemNHVnljbVZ3YjNKMGN5NXpiM1Z5WTJWbWIzSm5aUzV1WlhRdmFtRnpjR1Z5Y21Wd2IzSjBjeUlnRFFvSkNRbDRiV3h1Y3pwNGMyazlJbWgwZEhBNkx5OTNkM2N1ZHpNdWIzSm5Mekl3TURFdldFMU1VMk5vWlcxaExXbHVjM1JoYm1ObElpQU5DZ2tKQ1hoemFUcHpZMmhsYldGTWIyTmhkR2x2YmowaWFIUjBjRG92TDJwaGMzQmxjbkpsY0c5eWRITXVjMjkxY21ObFptOXlaMlV1Ym1WMEwycGhjM0JsY25KbGNHOXlkSE1nYUhSMGNEb3ZMMnBoYzNCbGNuSmxjRzl5ZEhNdWMyOTFjbU5sWm05eVoyVXVibVYwTDNoelpDOXFZWE53WlhKeVpYQnZjblF1ZUhOa0lpQU5DZ2tKQ1c1aGJXVTlJbkpsY0c5eWRGVnpaWEpTYjJ4bGN5SWdEUW9KQ1FsamIyeDFiVzVEYjNWdWREMGlNaUlnRFFvSkNRbHdZV2RsVjJsa2RHZzlJakV4TUNJZ0RRb0pDUWx3WVdkbFNHVnBaMmgwUFNJeE9DSWdEUW9KQ1FsM2FHVnVUbTlFWVhSaFZIbHdaVDBpUVd4c1UyVmpkR2x2Ym5OT2IwUmxkR0ZwYkNJZ0RRb0pDUWxqYjJ4MWJXNVhhV1IwYUQwaU5UUWlJQTBLQ1FrSlkyOXNkVzF1VTNCaFkybHVaejBpTVNJZ0RRb0pDUWxzWldaMFRXRnlaMmx1UFNJd0lpQU5DZ2tKQ1hKcFoyaDBUV0Z5WjJsdVBTSXdJaUFOQ2drSkNYUnZjRTFoY21kcGJqMGlNQ0lnRFFvSkNRbGliM1IwYjIxTllYSm5hVzQ5SWpBaUlBMEtDUWtKZFhWcFpEMGlOamRsTkRZMVl6VXRORFpsWVMwME1HUXlMV0psWVRBdE5EWTVZelpqWmpNNE9UTTNJajROQ2drSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWhkM1F1YVdkdWIzSmxMbTFwYzNOcGJtY3VabTl1ZENJZ2RtRnNkV1U5SW5SeWRXVWlMejROQ2drSkNUeHdjbTl3WlhKMGVTQnVZVzFsUFNKdVpYUXVjMll1YW1GemNHVnljbVZ3YjNKMGN5NWxlSEJ2Y25RdWNHUm1MbVp2Y21ObExteHBibVZpY21WaGF5NXdiMnhwWTNraUlIWmhiSFZsUFNKMGNuVmxJaTgrRFFvSkNRazhjM1I1YkdVZ1ptOXVkRTVoYldVOUlrUmxhbUZXZFNCVFlXNXpJaUJtYjI1MFUybDZaVDBpTVRBaUlHaEJiR2xuYmowaVRHVm1kQ0lnYVhORVpXWmhkV3gwUFNKMGNuVmxJaUJwYzFCa1prVnRZbVZrWkdWa1BTSjBjblZsSWlBTkNna0pDUWtnSUNCdVlXMWxQU0pDWVhObElpQndaR1pGYm1OdlpHbHVaejBpU1dSbGJuUnBkSGt0U0NJZ2NHUm1SbTl1ZEU1aGJXVTlJa1JsYW1GV2RWTmhibk11ZEhSbUlpQjJRV3hwWjI0OUlrMXBaR1JzWlNJK0RRb0pDUWs4TDNOMGVXeGxQZzBLQ1FrSlBITjBlV3hsSUdselFtOXNaRDBpWm1Gc2MyVWlJR2x6UkdWbVlYVnNkRDBpWm1Gc2MyVWlJRzVoYldVOUlrUmxkR0ZwYkNJZ2MzUjViR1U5SWtKaGMyVWlMejROQ2drSkNUeHdZWEpoYldWMFpYSWdibUZ0WlQwaWRYTmxjazlwWkNJZ1kyeGhjM005SW1waGRtRXViR0Z1Wnk1VGRISnBibWNpTHo0TkNna0pDVHh3WVhKaGJXVjBaWElnYm1GdFpUMGlhSEZzVVhWbGNubFNiMnhsY3lJZ1kyeGhjM005SW1waGRtRXViR0Z1Wnk1VGRISnBibWNpTHo0TkNna0pDVHh4ZFdWeWVWTjBjbWx1WnlCc1lXNW5kV0ZuWlQwaWFIRnNJajQ4SVZ0RFJFRlVRVnNrVUNGN2FIRnNVWFZsY25sU2IyeGxjMzFkWFQ0OEwzRjFaWEo1VTNSeWFXNW5QZzBLQ1FrSlBHWnBaV3hrSUc1aGJXVTlJbkp2YkdWT1lXMWxJaUJqYkdGemN6MGlhbUYyWVM1c1lXNW5MbE4wY21sdVp5SXZQZzBLQ1FrSlBHUmxkR0ZwYkQ0TkNna0pDUWs4WW1GdVpDQm9aV2xuYUhROUlqRTRJaUJ6Y0d4cGRGUjVjR1U5SWxOMGNtVjBZMmdpUGcwS0NRa0pDUWs4Wm5KaGJXVStEUW9KQ1FrSkNRazhjbVZ3YjNKMFJXeGxiV1Z1ZENCMWRXbGtQU0l6WlRobVpHUTJaQzFoTm1abUxUUTBNRGN0T1dFeFpTMDFaRFppTkRjd05qTXdNR0VpSUhCdmMybDBhVzl1Vkhsd1pUMGlSbXh2WVhRaUlITjBlV3hsUFNKRVpYUmhhV3dpSUcxdlpHVTlJazl3WVhGMVpTSWdlRDBpTUNJZ2VUMGlNU0lnZDJsa2RHZzlJakV3TUNJZ2FHVnBaMmgwUFNJeE55SXZQZzBLQ1FrSkNRa0pQR3hwYm1VK0RRb0pDUWtKQ1FrSlBISmxjRzl5ZEVWc1pXMWxiblFnZFhWcFpEMGlORGRtT1RFNE1ERXRZMlkxWmkwMFltVmtMV0l4T1dNdFkyRXpPVE14WTJKbU9UaGtJaUJ3YjNOcGRHbHZibFI1Y0dVOUlrWnBlRkpsYkdGMGFYWmxWRzlVYjNBaUlHMXZaR1U5SWs5d1lYRjFaU0lnZUQwaU1DSWdlVDBpTUNJZ2QybGtkR2c5SWpFd01DSWdhR1ZwWjJoMFBTSXhJaUJtYjNKbFkyOXNiM0k5SWlNek16TXpNek1pUGcwS0NRa0pDUWtKQ1FrOGNISnBiblJYYUdWdVJYaHdjbVZ6YzJsdmJqNDhJVnREUkVGVVFWdHVaWGNnYW1GMllTNXNZVzVuTGtKdmIyeGxZVzRvS0dsdWRDa2tWbnRTUlZCUFVsUmZRMDlWVGxSOUxtbHVkRlpoYkhWbEtDa2hQVEVwWFYwK1BDOXdjbWx1ZEZkb1pXNUZlSEJ5WlhOemFXOXVQZzBLQ1FrSkNRa0pDVHd2Y21Wd2IzSjBSV3hsYldWdWRENE5DZ2tKQ1FrSkNRazhaM0poY0docFkwVnNaVzFsYm5RK0RRb0pDUWtKQ1FrSkNUeHdaVzRnYkdsdVpWZHBaSFJvUFNJd0xqVWlJR3hwYm1WRGIyeHZjajBpSXprNU9UazVPU0l2UGcwS0NRa0pDUWtKQ1R3dlozSmhjR2hwWTBWc1pXMWxiblErRFFvSkNRa0pDUWs4TDJ4cGJtVStEUW9KQ1FrSkNRazhkR1Y0ZEVacFpXeGtJR2x6VTNSeVpYUmphRmRwZEdoUGRtVnlabXh2ZHowaWRISjFaU0krRFFvSkNRa0pDUWtKUEhKbGNHOXlkRVZzWlcxbGJuUWdkWFZwWkQwaVpXSmhaV1l4Tm1RdE1qa3dNeTAwTURJNUxUbGhObUl0WkRSa01qUTBOVFU0WVdVNUlpQnpkSGxzWlQwaVJHVjBZV2xzSWlCNFBTSXdJaUI1UFNJeUlpQjNhV1IwYUQwaU1UQXdJaUJvWldsbmFIUTlJakV6SWk4K0RRb0pDUWtKQ1FrSlBIUmxlSFJGYkdWdFpXNTBJSFpsY25ScFkyRnNRV3hwWjI1dFpXNTBQU0pOYVdSa2JHVWlMejROQ2drSkNRa0pDUWs4ZEdWNGRFWnBaV3hrUlhod2NtVnpjMmx2Ymo0OElWdERSRUZVUVZza1JudHliMnhsVG1GdFpYMWRYVDQ4TDNSbGVIUkdhV1ZzWkVWNGNISmxjM05wYjI0K0RRb0pDUWtKQ1FrOEwzUmxlSFJHYVdWc1pENE5DZ2tKQ1FrSlBDOW1jbUZ0WlQ0TkNna0pDUWs4TDJKaGJtUStEUW9KQ1FrOEwyUmxkR0ZwYkQ0TkNna0pQQzlxWVhOd1pYSlNaWEJ2Y25RKw==</template>
-	<orientation>landscape</orientation>
-	<export>pdf</export>
-	<!-- set to true if report needs hibernate session (e.g. hql query is used) -->
-	<useHibernateSession>true</useHibernateSession>
-	<field>
-		<nameReport>roleName</nameReport>
-		<nameHeader>Name</nameHeader>
-		<itemPath>c:name</itemPath>
-		<width>100</width>
-		<classType>t:PolyStringType</classType>
-	</field>
-	<!-- configuration properties -->
-	<configuration xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report">
-		<r:hqlQueryRoles>
-			select r.name.orig as roleName 
-			from RAssignment as a, RRole as r 
-			where a.targetRef.type = 7 and a.targetRef.targetOid = r.oid and a.owner.oid = $P{userOid}
-		</r:hqlQueryRoles>
-	</configuration>
-	<!-- report parameters configuration schema sample with different options -->
-	<configurationSchema>
-		<definition>
-			<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
-                    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
-                    xmlns:r="http://midpoint.evolveum.com/xml/ns/public/report"
-                    elementFormDefault="qualified"
-                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/report">
-
-				<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
-				<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/query-3"/>
-
-				<xsd:complexType name="ConfigurationType">
-					<xsd:annotation>
-						<xsd:appinfo>
-							<a:container/>
-						</xsd:appinfo>
-					</xsd:annotation>
-					<xsd:sequence>
-						<!-- HQL query for jasper design (queryString element) -->
-						<xsd:element name="hqlQueryRoles" type="xsd:string"/>
-					</xsd:sequence>
-				</xsd:complexType>
-				<xsd:element name="configuration" type="r:ConfigurationType"/>
-			</xsd:schema>
-		</definition>
-	</configurationSchema>
-</report>
diff --git a/model/report-impl/testng-integration.xml b/model/report-impl/testng-integration.xml
index 2cf3b85d5fd..054209cc004 100644
--- a/model/report-impl/testng-integration.xml
+++ b/model/report-impl/testng-integration.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -20,6 +20,9 @@
     <test name="Default" preserve-order="true" parallel="false" verbose="10" enabled="true">
         <classes>
              <class name="com.evolveum.midpoint.report.TestReport"/>
+             <class name="com.evolveum.midpoint.report.TestReportSafe"/>
+             <class name="com.evolveum.midpoint.report.TestReportWebService"/>
+             <class name="com.evolveum.midpoint.report.TestReportWebServiceSafe"/>
         </classes>
     </test>
 </suite>
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java
index e67453607f2..89a0df10021 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfExpressionEvaluationHelper.java
@@ -23,6 +23,7 @@
 import com.evolveum.midpoint.repo.common.expression.*;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.MiscUtil;
@@ -89,7 +90,7 @@ public <T> List<T> evaluateExpression(ExpressionType expressionType, ExpressionV
 		if (multiValued) {
 			resultDef.setMaxOccurs(-1);
 		}
-		Expression<?,?> expression = expressionFactory.makeExpression(expressionType, resultDef, contextDescription, task, result);
+		Expression<?,?> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), contextDescription, task, result);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, contextDescription, task, result);
 		context.setAdditionalConvertor(additionalConvertor);
 		PrismValueDeltaSetTriple<?> exprResultTriple = ModelExpressionThreadLocalHolder
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfStageComputeHelper.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfStageComputeHelper.java
index 08e0314132b..b4a12cdd3f5 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfStageComputeHelper.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfStageComputeHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -69,7 +69,7 @@ public ExpressionVariables getDefaultVariables(@Nullable DelegateExecution execu
 		ExpressionVariables variables = getDefaultVariables(wfTask.getWorkflowContext(), wfTask.getChannel(), result);
 		// Activiti process instance variables (use with care)
 		if (execution != null) {
-			execution.getVariables().forEach((key, value) -> variables.addVariableDefinition(new QName("_" + key), value));
+			execution.getVariables().forEach((key, value) -> variables.put("_" + key, value, value.getClass()));
 		}
 		return variables;
 	}
@@ -81,15 +81,15 @@ public ExpressionVariables getDefaultVariables(WfContextType wfContext, String r
 
 		ExpressionVariables variables = new ExpressionVariables();
 
-		variables.addVariableDefinition(C_REQUESTER,
-				miscDataUtil.resolveObjectReference(wfContext.getRequesterRef(), result));
+		variables.put(ExpressionConstants.VAR_REQUESTER,
+				miscDataUtil.resolveTypedObjectReference(wfContext.getRequesterRef(), result));
 
-		variables.addVariableDefinition(C_OBJECT,
-				miscDataUtil.resolveObjectReference(wfContext.getObjectRef(), result));
+		variables.put(ExpressionConstants.VAR_OBJECT,
+				miscDataUtil.resolveTypedObjectReference(wfContext.getObjectRef(), result));
 
 		// might be null
-		variables.addVariableDefinition(C_TARGET,
-				miscDataUtil.resolveObjectReference(wfContext.getTargetRef(), result));
+		variables.put(ExpressionConstants.VAR_TARGET,
+				miscDataUtil.resolveTypedObjectReference(wfContext.getTargetRef(), result));
 
 		ObjectDelta objectDelta;
 		try {
@@ -97,11 +97,11 @@ public ExpressionVariables getDefaultVariables(WfContextType wfContext, String r
 		} catch (JAXBException e) {
 			throw new SchemaException("Couldn't get object delta: " + e.getMessage(), e);
 		}
-		variables.addVariableDefinition(SchemaConstants.T_OBJECT_DELTA, objectDelta);
+		variables.put(ExpressionConstants.VAR_OBJECT_DELTA, objectDelta, ObjectDelta.class);
 
-		variables.addVariableDefinition(ExpressionConstants.VAR_CHANNEL, requestChannel);
+		variables.put(ExpressionConstants.VAR_CHANNEL, requestChannel, String.class);
 
-		variables.addVariableDefinition(ExpressionConstants.VAR_WORKFLOW_CONTEXT, wfContext);
+		variables.put(ExpressionConstants.VAR_WORKFLOW_CONTEXT, wfContext, WfContextType.class);
 		// todo other variables?
 
 		return variables;
@@ -143,7 +143,7 @@ public ComputationResult computeStageApprovers(ApprovalStageDefinitionType stage
 		ExpressionVariables expressionVariables = null;
 		VariablesProvider enhancedVariablesProvider = () -> {
 			ExpressionVariables variables = variablesProvider.get();
-			variables.addVariableDefinition(ExpressionConstants.VAR_STAGE_DEFINITION, stageDef);
+			variables.put(ExpressionConstants.VAR_STAGE_DEFINITION, stageDef, ApprovalStageDefinitionType.class);
 			return variables;
 		};
 
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfTimedActionTriggerHandler.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfTimedActionTriggerHandler.java
index 1492087128b..78bdbb6a302 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfTimedActionTriggerHandler.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processes/common/WfTimedActionTriggerHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.model.impl.trigger.TriggerHandlerRegistry;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.util.CloneUtil;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -172,7 +173,7 @@ private List<ObjectReferenceType> computeDelegateTo(DelegateWorkItemActionType d
 		rv.addAll(CloneUtil.cloneCollectionMembers(delegateAction.getApproverRef()));
 		if (!delegateAction.getApproverExpression().isEmpty()) {
 			ExpressionVariables variables = stageComputeHelper.getDefaultVariables(null, wfTask, result);
-			variables.addVariableDefinition(SchemaConstants.C_WORK_ITEM, workItem);
+			variables.put(ExpressionConstants.VAR_WORK_ITEM, workItem, WorkItemType.class);
 			rv.addAll(evaluationHelper.evaluateRefExpressions(delegateAction.getApproverExpression(),
 					variables, "computing delegates", triggerScannerTask, result));
 		}
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/general/GcpExpressionHelper.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/general/GcpExpressionHelper.java
index 0ef395fa416..7b4bc20f1d7 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/general/GcpExpressionHelper.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/general/GcpExpressionHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,8 +26,10 @@
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -68,7 +70,9 @@ boolean evaluateActivationCondition(GeneralChangeProcessorScenarioType scenarioT
         }
 
         ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(new QName(SchemaConstants.NS_C, "context"), context);
+        variables.put(ExpressionConstants.VAR_MODEL_CONTEXT, context, ModelContext.class);
+        // This should perhaps be modelContext and not just context
+        variables.put(ExpressionConstants.VAR_CONTEXT, context, ModelContext.class);
 
         boolean start;
         try {
@@ -84,7 +88,7 @@ private boolean evaluateBooleanExpression(ExpressionType expressionType, Express
         PrismContext prismContext = expressionFactory.getPrismContext();
         QName resultName = new QName(SchemaConstants.NS_C, "result");
         PrismPropertyDefinition<Boolean> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, DOMUtil.XSD_BOOLEAN);
-        Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType, resultDef, opContext, taskFromModel, result);
+        Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression = expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(), opContext, taskFromModel, result);
         ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables, opContext, taskFromModel, result);
         PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> exprResultTriple = ModelExpressionThreadLocalHolder
 				.evaluateExpressionInContext(expression, params, taskFromModel, result);
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java
index b9924b04405..83f0fa24c36 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,7 +35,9 @@
 import com.evolveum.midpoint.schema.ObjectTreeDeltas;
 import com.evolveum.midpoint.schema.RelationRegistry;
 import com.evolveum.midpoint.schema.SearchResultList;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
@@ -183,11 +185,11 @@ private <O extends ObjectType, F extends ObjectType> List<ObjectReferenceType> r
 		try {
 
 			PrismObject<SystemConfigurationType> systemConfiguration = systemObjectCache.getSystemConfiguration(result);
-			ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(getFocusObjectable(lensContext), null, null, systemConfiguration.asObjectable());
+			ExpressionVariables variables = ModelImplUtils.getDefaultExpressionVariables(getFocusObjectable(lensContext), null, null, systemConfiguration.asObjectable(), prismContext);
 
 			ObjectFilter origFilter = prismContext.getQueryConverter().parseFilter(filter, clazz);
 			ObjectFilter evaluatedFilter = ExpressionUtil
-					.evaluateFilterExpressions(origFilter, variables, mappingFactory.getExpressionFactory(), prismContext, " evaluating approverRef filter expression ", task, result);
+					.evaluateFilterExpressions(origFilter, variables, MiscSchemaUtil.getExpressionProfile(), mappingFactory.getExpressionFactory(), prismContext, " evaluating approverRef filter expression ", task, result);
 
 			if (evaluatedFilter == null) {
 				throw new SchemaException("Filter could not be evaluated in approverRef in "+sourceDescription+"; original filter = "+origFilter);
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/PrimaryChangeAspectHelper.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/PrimaryChangeAspectHelper.java
index 900ff28987f..ada65728066 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/PrimaryChangeAspectHelper.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/PrimaryChangeAspectHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,8 +28,10 @@
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -322,8 +324,8 @@ public boolean evaluateApplicabilityCondition(PcpAspectConfigurationType config,
         PrismPropertyDefinition<Boolean> resultDef = prismContext.definitionFactory().createPropertyDefinition(resultName, DOMUtil.XSD_BOOLEAN);
 
         ExpressionVariables expressionVariables = new ExpressionVariables();
-        expressionVariables.addVariableDefinition(SchemaConstants.C_MODEL_CONTEXT, modelContext);
-        expressionVariables.addVariableDefinition(SchemaConstants.C_ITEM_TO_APPROVE, itemToApprove);
+        expressionVariables.put(ExpressionConstants.VAR_MODEL_CONTEXT, modelContext, ModelContext.class);
+        expressionVariables.put(ExpressionConstants.VAR_ITEM_TO_APPROVE, itemToApprove, itemToApprove.getClass());
         if (additionalVariables != null) {
             expressionVariables.addVariableDefinitions(additionalVariables);
         }
@@ -331,7 +333,7 @@ public boolean evaluateApplicabilityCondition(PcpAspectConfigurationType config,
         PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> exprResultTriple;
         try {
             Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> expression =
-                    expressionFactory.makeExpression(expressionType, resultDef,
+                    expressionFactory.makeExpression(expressionType, resultDef, MiscSchemaUtil.getExpressionProfile(),
                             "applicability condition expression", task, result);
             ExpressionEvaluationContext params = new ExpressionEvaluationContext(null, expressionVariables,
                     "applicability condition expression", task, result);
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/entitlements/AddAssociationAspect.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/entitlements/AddAssociationAspect.java
index e97dd54d1fe..c6a06742e4f 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/entitlements/AddAssociationAspect.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/entitlements/AddAssociationAspect.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -290,8 +291,8 @@ private boolean isAssociationRelevant(PcpAspectConfigurationType config, Associa
             ResourceShadowDiscriminator rsd, ModelContext<?> modelContext, Task task, OperationResult result) {
         LOGGER.trace(" - considering: {}", itemToApprove);
         ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(SchemaConstants.C_ASSOCIATION, itemToApprove.getAssociation());
-        variables.addVariableDefinition(SchemaConstants.C_SHADOW_DISCRIMINATOR, rsd);
+        variables.put(ExpressionConstants.VAR_ASSOCIATION, itemToApprove.getAssociation(), ShadowAssociationType.class);
+        variables.put(ExpressionConstants.VAR_SHADOW_DISCRIMINATOR, rsd, ResourceShadowDiscriminator.class);
         boolean applicable = primaryChangeAspectHelper.evaluateApplicabilityCondition(
                 config, modelContext, itemToApprove, variables, this, task, result);
         LOGGER.trace("   - result: applicable = {}", applicable);
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/policy/PolicyRuleBasedAspect.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/policy/PolicyRuleBasedAspect.java
index e67fd9e6673..ca0cbc16382 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/policy/PolicyRuleBasedAspect.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/policy/PolicyRuleBasedAspect.java
@@ -27,6 +27,7 @@
 import com.evolveum.midpoint.prism.util.CloneUtil;
 import com.evolveum.midpoint.schema.ObjectTreeDeltas;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.LocalizationUtil;
 import com.evolveum.midpoint.util.LocalizableMessage;
@@ -142,19 +143,27 @@ private LocalizableMessage processNameFromApprovalActions(ApprovalSchemaBuilder.
 		if (schemaBuilderResult.approvalDisplayName == null) {
 			return null;
 		}
-		Map<QName, Object> variables = new HashMap<>();
-		variables.put(ExpressionConstants.VAR_OBJECT, getFocusObjectNewOrOld(ctx.modelContext));
-		variables.put(ExpressionConstants.VAR_OBJECT_DISPLAY_INFORMATION, createLocalizableMessageType(createDisplayInformation(asPrismObject(getFocusObjectNewOrOld(ctx.modelContext)), false)));
+		VariablesMap variables = new VariablesMap();
+		ObjectType focusType = getFocusObjectNewOrOld(ctx.modelContext);
+		variables.put(ExpressionConstants.VAR_OBJECT, focusType, focusType.asPrismObject().getDefinition());
+		variables.put(ExpressionConstants.VAR_OBJECT_DISPLAY_INFORMATION, 
+				createLocalizableMessageType(createDisplayInformation(asPrismObject(focusType), false)),
+				LocalizableMessageType.class);
 		if (evaluatedAssignment != null) {
-			variables.put(ExpressionConstants.VAR_TARGET, evaluatedAssignment.getTarget());
-			variables.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, createLocalizableMessageType(createDisplayInformation(evaluatedAssignment.getTarget(), false)));
-			variables.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, evaluatedAssignment);
-			variables.put(ExpressionConstants.VAR_ASSIGNMENT, evaluatedAssignment.getAssignmentType());
+			variables.put(ExpressionConstants.VAR_TARGET, evaluatedAssignment.getTarget(), evaluatedAssignment.getTarget().getDefinition());
+			variables.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION,
+					createLocalizableMessageType(createDisplayInformation(evaluatedAssignment.getTarget(), false)),
+					LocalizableMessageType.class);
+			variables.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, evaluatedAssignment, EvaluatedAssignment.class);
+			// Wrong ... but this will get reworked in 4.0 anyway.
+			variables.put(ExpressionConstants.VAR_ASSIGNMENT, evaluatedAssignment.getAssignmentType(), AssignmentType.class);
 		} else {
-			variables.put(ExpressionConstants.VAR_TARGET, null);
-			variables.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, null);
-			variables.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null);
-			variables.put(ExpressionConstants.VAR_ASSIGNMENT, null);
+			// Wrong ... but this will get reworked in 4.0 anyway.
+			variables.put(ExpressionConstants.VAR_TARGET, null, ObjectType.class);
+			variables.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, null, LocalizableMessageType.class);
+			variables.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null, EvaluatedAssignment.class);
+			// Wrong ... but this will get reworked in 4.0 anyway.
+			variables.put(ExpressionConstants.VAR_ASSIGNMENT, null, AssignmentType.class);
 		}
 		LocalizableMessageType localizableMessageType;
 		try {
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/MiscDataUtil.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/MiscDataUtil.java
index 6d7a848887e..6f0207c38c4 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/MiscDataUtil.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/MiscDataUtil.java
@@ -34,6 +34,7 @@
 import com.evolveum.midpoint.schema.ObjectTreeDeltas;
 import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.schema.util.OidUtil;
@@ -413,6 +414,16 @@ public boolean matches(ObjectReferenceType groupRef, ObjectReferenceType targetR
 	public PrismObject resolveObjectReference(ObjectReferenceType ref, OperationResult result) {
 		return resolveObjectReference(ref, false, result);
 	}
+	
+	public TypedValue<PrismObject> resolveTypedObjectReference(ObjectReferenceType ref, OperationResult result) {
+		PrismObject resolvedObject = resolveObjectReference(ref, false, result);
+		if (resolvedObject == null) {
+			PrismObjectDefinition<ObjectType> def = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+			return new TypedValue<>(null, def);
+		} else {
+			return new TypedValue<>(resolvedObject);
+		}
+	}
 
 	public PrismObject resolveAndStoreObjectReference(ObjectReferenceType ref, OperationResult result) {
 		return resolveObjectReference(ref, true, result);
diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java
index a431d77a21c..05f92193561 100644
--- a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java
+++ b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/PerformerCommentsFormatterImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -72,10 +72,10 @@ private String formatComment(ObjectReferenceType performerRef, AbstractWorkItemO
 		}
 		ObjectType performer = getPerformer(performerRef, result);
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_PERFORMER, performer);
-		variables.addVariableDefinition(ExpressionConstants.VAR_OUTPUT, output);
-		variables.addVariableDefinition(ExpressionConstants.VAR_WORK_ITEM, workItem);
-		variables.addVariableDefinition(ExpressionConstants.VAR_EVENT, event);
+		variables.put(ExpressionConstants.VAR_PERFORMER, performer, performer.asPrismObject().getDefinition());
+		variables.put(ExpressionConstants.VAR_OUTPUT, output, AbstractWorkItemOutputType.class);
+		variables.put(ExpressionConstants.VAR_WORK_ITEM, workItem, AbstractWorkItemType.class);
+		variables.put(ExpressionConstants.VAR_EVENT, event, WorkItemCompletionEventType.class);
 		if (formatting.getCondition() != null) {
 			try {
 				boolean condition = expressionEvaluationHelper.evaluateBooleanExpression(formatting.getCondition(), variables,
diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceManager.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceManager.java
index c62df1179f9..f63a7cea916 100644
--- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceManager.java
+++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceManager.java
@@ -664,7 +664,7 @@ private <T> void evaluateExpression(PrismProperty<T> configurationProperty, Pris
 			}
 			ExpressionType expressionType = (ExpressionType) expressionWrapper.getExpression();
 
-			Expression<PrismPropertyValue<T>, PrismPropertyDefinition<T>> expression = expressionFactory.makeExpression(expressionType, propDef, shortDesc, task, result);
+			Expression<PrismPropertyValue<T>, PrismPropertyDefinition<T>> expression = expressionFactory.makeExpression(expressionType, propDef, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 			ExpressionVariables variables = new ExpressionVariables();
 			
 			// TODO: populate variables
diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceObjectReferenceResolver.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceObjectReferenceResolver.java
index eab5757a574..c627a5e9904 100644
--- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceObjectReferenceResolver.java
+++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ResourceObjectReferenceResolver.java
@@ -47,6 +47,7 @@
 import com.evolveum.midpoint.schema.processor.ResourceAttribute;
 import com.evolveum.midpoint.schema.processor.ResourceObjectIdentification;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
 import com.evolveum.midpoint.schema.util.ShadowUtil;
@@ -117,7 +118,7 @@ PrismObject<ShadowType> resolve(ProvisioningContext ctx, ResourceObjectReference
 		ObjectQuery refQuery = prismContext.getQueryConverter().createObjectQuery(ShadowType.class, resourceObjectReference.getFilter());
 		// No variables. At least not now. We expect that mostly constants will be used here.
 		ExpressionVariables variables = new ExpressionVariables();
-		ObjectQuery evaluatedRefQuery = ExpressionUtil.evaluateQueryExpressions(refQuery, variables, expressionFactory, prismContext, desc, ctx.getTask(), result);
+		ObjectQuery evaluatedRefQuery = ExpressionUtil.evaluateQueryExpressions(refQuery, variables, MiscSchemaUtil.getExpressionProfile(), expressionFactory, prismContext, desc, ctx.getTask(), result);
 		ObjectFilter baseFilter = ObjectQueryUtil.createResourceAndObjectClassFilter(ctx.getResource().getOid(), objectClass, prismContext);
 		ObjectFilter filter = prismContext.queryFactory().createAnd(baseFilter, evaluatedRefQuery.getFilter());
 		ObjectQuery query = prismContext.queryFactory().createQuery(filter);
diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/util/UcfExpressionEvaluatorImpl.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/util/UcfExpressionEvaluatorImpl.java
index a68d1d42c1b..78de7f7ba7e 100644
--- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/util/UcfExpressionEvaluatorImpl.java
+++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/util/UcfExpressionEvaluatorImpl.java
@@ -24,7 +24,9 @@
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.annotation.Experimental;
@@ -37,7 +39,6 @@
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
 
 /**
  *
@@ -51,7 +52,7 @@ public class UcfExpressionEvaluatorImpl implements UcfExpressionEvaluator {
 
 	@NotNull
 	@Override
-	public <O> List<O> evaluate(ExpressionType expressionBean, Map<QName, Object> variables, QName outputPropertyName,
+	public <O> List<O> evaluate(ExpressionType expressionBean, VariablesMap variables, QName outputPropertyName,
 			String ctxDesc) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException,
 			ConfigurationException, ExpressionEvaluationException {
 		// TODO consider getting the task instance from the caller
@@ -59,9 +60,9 @@ public <O> List<O> evaluate(ExpressionType expressionBean, Map<QName, Object> va
 		OperationResult result = task.getResult();
 
 		Expression<PrismPropertyValue<O>, PrismPropertyDefinition<O>> expression =
-				expressionFactory.makePropertyExpression(expressionBean, outputPropertyName, ctxDesc, task, result);
+				expressionFactory.makePropertyExpression(expressionBean, outputPropertyName, MiscSchemaUtil.getExpressionProfile(), ctxDesc, task, result);
 		ExpressionVariables exprVariables = new ExpressionVariables();
-		exprVariables.addVariableDefinitions(variables);
+		exprVariables.putAll(variables);
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, exprVariables, ctxDesc, task, result);
 		PrismValueDeltaSetTriple<PrismPropertyValue<O>> exprResultTriple = expression.evaluate(context);
 		List<O> list = new ArrayList<>();
diff --git a/provisioning/ucf-api/src/main/java/com/evolveum/midpoint/provisioning/ucf/api/UcfExpressionEvaluator.java b/provisioning/ucf-api/src/main/java/com/evolveum/midpoint/provisioning/ucf/api/UcfExpressionEvaluator.java
index 8d5e9b86b3f..a0c9d7799fa 100644
--- a/provisioning/ucf-api/src/main/java/com/evolveum/midpoint/provisioning/ucf/api/UcfExpressionEvaluator.java
+++ b/provisioning/ucf-api/src/main/java/com/evolveum/midpoint/provisioning/ucf/api/UcfExpressionEvaluator.java
@@ -16,13 +16,13 @@
 
 package com.evolveum.midpoint.provisioning.ucf.api;
 
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.util.annotation.Experimental;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
 
 import javax.xml.namespace.QName;
 import java.util.List;
-import java.util.Map;
 
 /**
  *
@@ -33,7 +33,7 @@ public interface UcfExpressionEvaluator {
 	/**
 	 * Evaluates given expression.
 	 */
-	<O> List<O> evaluate(ExpressionType expressionBean, Map<QName, Object> variables, QName outputPropertyName,
+	<O> List<O> evaluate(ExpressionType expressionBean, VariablesMap variables, QName outputPropertyName,
 			String contextDescription)
 			throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException,
 			ConfigurationException, ExpressionEvaluationException;
diff --git a/provisioning/ucf-impl-builtin/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/builtin/async/TransformationalAsyncUpdateMessageListener.java b/provisioning/ucf-impl-builtin/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/builtin/async/TransformationalAsyncUpdateMessageListener.java
index 3dc3620b0ac..081bbede5e3 100644
--- a/provisioning/ucf-impl-builtin/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/builtin/async/TransformationalAsyncUpdateMessageListener.java
+++ b/provisioning/ucf-impl-builtin/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/builtin/async/TransformationalAsyncUpdateMessageListener.java
@@ -27,6 +27,7 @@
 import com.evolveum.midpoint.provisioning.ucf.api.ChangeListener;
 import com.evolveum.midpoint.schema.DeltaConvertor;
 import com.evolveum.midpoint.schema.SchemaConstantsGenerated;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.processor.ObjectClassComplexTypeDefinition;
 import com.evolveum.midpoint.schema.processor.ResourceAttribute;
 import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
@@ -60,7 +61,7 @@ public class TransformationalAsyncUpdateMessageListener implements AsyncUpdateMe
 
 	private static final Trace LOGGER = TraceManager.getTrace(TransformationalAsyncUpdateMessageListener.class);
 
-	private static final QName VAR_MESSAGE = new QName("message");
+	private static final String VAR_MESSAGE = "message";
 
 	@NotNull private final ChangeListener changeListener;
 	@Nullable private final Authentication authentication;
@@ -83,8 +84,8 @@ public boolean onMessage(AsyncUpdateMessageType message) throws SchemaException
 		try {
 			securityContextManager.setupPreAuthenticatedSecurityContext(authentication);
 
-			Map<QName, Object> variables = new HashMap<>();
-			variables.put(VAR_MESSAGE, message);
+			VariablesMap variables = new VariablesMap();
+			variables.put(VAR_MESSAGE, message, AsyncUpdateMessageType.class);
 			List<UcfChangeType> changeBeans;
 			try {
 				ExpressionType transformExpression = connectorInstance.getTransformExpression();
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/commandline/CommandLineScriptExecutor.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/commandline/CommandLineScriptExecutor.java
index 9dae2895f15..f46dfd40a4e 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/commandline/CommandLineScriptExecutor.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/commandline/CommandLineScriptExecutor.java
@@ -36,7 +36,9 @@
 import com.evolveum.midpoint.repo.common.expression.Source;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -101,28 +103,30 @@ private String expandMacros(CommandLineScriptType scriptType, ExpressionVariable
     				ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_STRING);
     		outputDefinition.setMaxOccurs(1);
     		Expression<PrismPropertyValue<String>, PrismPropertyDefinition<String>> expression = expressionFactory
-    				.makeExpression(macroDef, outputDefinition, shortDesc, task, result);
+    				.makeExpression(macroDef, outputDefinition, MiscSchemaUtil.getExpressionProfile(), shortDesc, task, result);
 
     		Collection<Source<?, ?>> sources = new ArrayList<>(1);
     		ExpressionEvaluationContext context = new ExpressionEvaluationContext(sources, variables, shortDesc, task,
     				result);
     		
-    		Object defaultObject = variables.get(macroQName);
-    		if (defaultObject != null) {
+    		
+    		TypedValue defaultObjectValAndDef = variables.get(macroName);
+    		if (defaultObjectValAndDef != null) {
+    			Object defaultObjectVal = defaultObjectValAndDef.getValue();
 	    		Item sourceItem;
-	    		if (defaultObject instanceof Item) {
-	    			sourceItem = (Item)defaultObject;
-	    		} else if (defaultObject instanceof String) {
+	    		if (defaultObjectVal instanceof Item) {
+	    			sourceItem = (Item)defaultObjectVal;
+	    		} else if (defaultObjectVal instanceof String) {
 	    			MutablePrismPropertyDefinition<String> sourceDefinition = prismContext.definitionFactory().createPropertyDefinition(
 	        				ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_STRING);
 	    			sourceDefinition.setMaxOccurs(1);
 	    			PrismProperty<String> sourceProperty = sourceDefinition.instantiate();
-	    			sourceProperty.setRealValue(defaultObject==null?null:defaultObject.toString());
+	    			sourceProperty.setRealValue(defaultObjectVal==null?null:defaultObjectVal.toString());
 	    			sourceItem = sourceProperty;
 	    		} else {
 	    			sourceItem = null;
 	    		}
-				Source<?, ?> defaultSource = new Source<>(sourceItem, null, sourceItem, macroQName);
+				Source<?, ?> defaultSource = new Source<>(sourceItem, null, sourceItem, macroQName, defaultObjectValAndDef.getDefinition());
 				context.setDefaultSource(defaultSource);
 				sources.add(defaultSource);
     		}
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Expression.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Expression.java
index e502783bb04..6786b84adce 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Expression.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Expression.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,10 +21,15 @@
 import java.util.Map.Entry;
 
 import javax.xml.bind.JAXBElement;
-import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.prism.path.ItemName;
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 
@@ -33,6 +38,8 @@
 import org.w3c.dom.Element;
 
 import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.MutablePrismPropertyDefinition;
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
@@ -41,6 +48,7 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.PrettyPrinter;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -65,6 +73,7 @@ public class Expression<V extends PrismValue,D extends ItemDefinition> {
 
 	final private ExpressionType expressionType;
 	final private D outputDefinition;
+	final private ExpressionProfile expressionProfile;
 	final private PrismContext prismContext;
 	final private ObjectResolver objectResolver;
 	final private SecurityContextManager securityContextManager;
@@ -72,19 +81,20 @@ public class Expression<V extends PrismValue,D extends ItemDefinition> {
 
 	private static final Trace LOGGER = TraceManager.getTrace(Expression.class);
 
-	public Expression(ExpressionType expressionType, D outputDefinition, ObjectResolver objectResolver, SecurityContextManager securityContextManager, PrismContext prismContext) {
+	public Expression(ExpressionType expressionType, D outputDefinition, ExpressionProfile expressionProfile, ObjectResolver objectResolver, SecurityContextManager securityContextManager, PrismContext prismContext) {
 		//Validate.notNull(outputDefinition, "null outputDefinition");
 		Validate.notNull(objectResolver, "null objectResolver");
 		Validate.notNull(prismContext, "null prismContext");
 		this.expressionType = expressionType;
 		this.outputDefinition = outputDefinition;
+		this.expressionProfile = expressionProfile;
 		this.objectResolver = objectResolver;
 		this.prismContext = prismContext;
 		this.securityContextManager = securityContextManager;
 	}
 
 	public void parse(ExpressionFactory factory, String contextDescription, Task task, OperationResult result)
-			throws SchemaException, ObjectNotFoundException {
+			throws SchemaException, ObjectNotFoundException, SecurityViolationException {
 		if (expressionType == null) {
 			evaluators.add(createDefaultEvaluator(factory, contextDescription, task, result));
 			return;
@@ -104,7 +114,7 @@ public void parse(ExpressionFactory factory, String contextDescription, Task tas
 
 	private ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements, ExpressionFactory factory,
 													 String contextDescription, Task task, OperationResult result)
-			throws SchemaException, ObjectNotFoundException {
+			throws SchemaException, ObjectNotFoundException, SecurityViolationException {
 		if (evaluatorElements.isEmpty()) {
 			throw new SchemaException("Empty evaluator list in "+contextDescription);
 		}
@@ -113,22 +123,26 @@ private ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> eval
 		if (evaluatorFactory == null) {
 			throw new SchemaException("Unknown expression evaluator element "+fistEvaluatorElement.getName()+" in "+contextDescription);
 		}
-		return evaluatorFactory.createEvaluator(evaluatorElements, outputDefinition, factory, contextDescription, task, result);
+		return evaluatorFactory.createEvaluator(evaluatorElements, outputDefinition, expressionProfile, factory, contextDescription, task, result);
 	}
 
 	private ExpressionEvaluator<V,D> createDefaultEvaluator(ExpressionFactory factory, String contextDescription,
-															Task task, OperationResult result) throws SchemaException, ObjectNotFoundException {
+															Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, SecurityViolationException {
 		ExpressionEvaluatorFactory evaluatorFactory = factory.getDefaultEvaluatorFactory();
 		if (evaluatorFactory == null) {
 			throw new SystemException("Internal error: No default expression evaluator factory");
 		}
-		return evaluatorFactory.createEvaluator(null, outputDefinition, factory,  contextDescription, task, result);
+		return evaluatorFactory.createEvaluator(null, outputDefinition, expressionProfile, factory,  contextDescription, task, result);
 	}
 
 	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) throws SchemaException,
 			ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 
 		ExpressionVariables processedVariables = null;
+		
+		if (context.getExpressionProfile() == null) {
+			context.setExpressionProfile(expressionProfile);
+		}
 
 		try {
 
@@ -210,7 +224,10 @@ private PrismValueDeltaSetTriple<V> evaluateExpressionEvaluators(ExpressionEvalu
 			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 
 		for (ExpressionEvaluator<?,?> evaluator: evaluators) {
+			processEvaluatorProfile(contextWithProcessedVariables, evaluator);
+			
 			PrismValueDeltaSetTriple<V> outputTriple = (PrismValueDeltaSetTriple<V>) evaluator.evaluate(contextWithProcessedVariables);
+			
 			if (outputTriple != null) {
 				boolean allowEmptyRealValues = false;
 				if (expressionType != null) {
@@ -232,6 +249,25 @@ private PrismValueDeltaSetTriple<V> evaluateExpressionEvaluators(ExpressionEvalu
 
 	}
 
+	private void processEvaluatorProfile(ExpressionEvaluationContext context, ExpressionEvaluator<?, ?> evaluator) throws SecurityViolationException {
+		ExpressionProfile expressionProfile = context.getExpressionProfile();
+		if (expressionProfile == null) {
+			context.setExpressionEvaluatorProfile(null);
+		} else {
+			ExpressionEvaluatorProfile evaluatorProfile = expressionProfile.getEvaluatorProfile(evaluator.getElementName());
+			if (evaluatorProfile == null) {
+				if (expressionProfile.getDecision() == AccessDecision.ALLOW) {
+					context.setExpressionEvaluatorProfile(null);
+				} else {
+					throw new SecurityViolationException("Access to expression evaluator "+evaluator.shortDebugDump()+
+							" not allowed (expression profile: "+expressionProfile.getIdentifier()+") in "+context.getContextDescription());
+				}
+			} else {
+				context.setExpressionEvaluatorProfile(evaluatorProfile);
+			}
+		}
+	}
+
 	private void traceSuccess(ExpressionEvaluationContext context, ExpressionVariables processedVariables, PrismValueDeltaSetTriple<V> outputTriple) {
 		if (!isTrace()) {
 			return;
@@ -296,6 +332,9 @@ private void appendTraceHeader(StringBuilder sb, ExpressionEvaluationContext con
 			sb.append(processedVariables.debugDump(1));
 		}
 		sb.append("\nOutput definition: ").append(MiscUtil.toString(outputDefinition));
+		if (context.getExpressionProfile() != null) {
+			sb.append("\nExpression profile: ").append(context.getExpressionProfile().getIdentifier());
+		}
 		sb.append("\nEvaluators: ");
 		sb.append(shortDebugDump());
 	}
@@ -304,8 +343,9 @@ private void appendTraceFooter(StringBuilder sb) {
 		sb.append("\n------------------------------------------------------");
 	}
 
-	private ExpressionVariables processInnerVariables(ExpressionVariables variables, String contextDescription,
-													  Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+	private ExpressionVariables processInnerVariables(
+			ExpressionVariables variables, String contextDescription, Task task, OperationResult result)
+					throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 		if (expressionType == null) {
 			// shortcut
 			return variables;
@@ -313,18 +353,18 @@ private ExpressionVariables processInnerVariables(ExpressionVariables variables,
 		ExpressionVariables newVariables = new ExpressionVariables();
 
 		// We need to add actor variable before we switch user identity (runAs)
-		ExpressionUtil.addActorVariable(newVariables, securityContextManager);
+		ExpressionUtil.addActorVariable(newVariables, securityContextManager, prismContext);
 		boolean actorDefined = newVariables.get(ExpressionConstants.VAR_ACTOR) != null;
 
-		for (Entry<QName,Object> entry: variables.entrySet()) {
+		for (Entry<String,TypedValue> entry: variables.entrySet()) {
 			if (ExpressionConstants.VAR_ACTOR.equals(entry.getKey()) && actorDefined) {
 				continue;			// avoid pointless warning about redefined value of actor
 			}
-			newVariables.addVariableDefinition(entry.getKey(), entry.getValue());
+			newVariables.put(entry.getKey(), entry.getValue());
 		}
 
 		for (ExpressionVariableDefinitionType variableDefType: expressionType.getVariable()) {
-			QName varName = variableDefType.getName();
+			String varName = variableDefType.getName().getLocalPart();
 			if (varName == null) {
 				throw new SchemaException("No variable name in expression in "+contextDescription);
 			}
@@ -332,23 +372,30 @@ private ExpressionVariables processInnerVariables(ExpressionVariables variables,
                 ObjectReferenceType ref = variableDefType.getObjectRef();
                 ref.setType(prismContext.getSchemaRegistry().qualifyTypeName(ref.getType()));
 				ObjectType varObject = objectResolver.resolve(ref, ObjectType.class, null, "variable "+varName+" in "+contextDescription, task, result);
-				newVariables.addVariableDefinition(varName, varObject);
+				newVariables.addVariableDefinition(varName, varObject, varObject.asPrismObject().getDefinition());
 			} else if (variableDefType.getValue() != null) {
 				// Only string is supported now
 				Object valueObject = variableDefType.getValue();
 				if (valueObject instanceof String) {
-					newVariables.addVariableDefinition(varName, valueObject);
+					MutablePrismPropertyDefinition<Object> def = prismContext.definitionFactory().createPropertyDefinition(
+							new ItemName(SchemaConstants.NS_C, varName), PrimitiveType.STRING.getQname());
+					newVariables.addVariableDefinition(varName, valueObject, def);
 				} else if (valueObject instanceof Element) {
-					newVariables.addVariableDefinition(varName, ((Element)valueObject).getTextContent());
+					MutablePrismPropertyDefinition<Object> def = prismContext.definitionFactory().createPropertyDefinition(
+							new ItemName(SchemaConstants.NS_C, varName), PrimitiveType.STRING.getQname());
+					newVariables.addVariableDefinition(varName, ((Element)valueObject).getTextContent(), def);
 				} else if (valueObject instanceof RawType) {
-					newVariables.addVariableDefinition(varName, ((RawType) valueObject).getParsedValue(null, varName));
+					ItemName varQName = new ItemName(SchemaConstants.NS_C, varName);
+					MutablePrismPropertyDefinition<Object> def = prismContext.definitionFactory().createPropertyDefinition(
+							varQName, PrimitiveType.STRING.getQname());
+					newVariables.addVariableDefinition(varName, ((RawType) valueObject).getParsedValue(null, varQName), def);
 				} else {
 					throw new SchemaException("Unexpected type "+valueObject.getClass()+" in variable definition "+varName+" in "+contextDescription);
 				}
 			} else if (variableDefType.getPath() != null) {
 				ItemPath itemPath = variableDefType.getPath().getItemPath();
-				Object resolvedValue = ExpressionUtil.resolvePath(itemPath, variables, false, null, objectResolver, contextDescription, task, result);
-				newVariables.addVariableDefinition(varName, resolvedValue);
+				TypedValue resolvedValueAndDefinition = ExpressionUtil.resolvePathGetTypedValue(itemPath, variables, false, null, objectResolver, prismContext, contextDescription, task, result);
+				newVariables.put(varName, resolvedValueAndDefinition);
 			} else {
 				throw new SchemaException("No value for variable "+varName+" in "+contextDescription);
 			}
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluationContext.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluationContext.java
index 2e72e6dba90..f135f0afa29 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluationContext.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluationContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,8 @@
 
 import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
 import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 
@@ -51,6 +53,13 @@ public class ExpressionEvaluationContext {
 	private Function<Object, Object> additionalConvertor;
 	private VariableProducer variableProducer;
 
+	/**
+	 * Optional. If not specified then it will be added at the star of evaluation.
+	 * Might be used to override the profile.
+	 */
+	private ExpressionProfile expressionProfile;
+	private ExpressionEvaluatorProfile expressionEvaluatorProfile;
+	
 	public ExpressionEvaluationContext(Collection<Source<?,?>> sources,
 			ExpressionVariables variables, String contextDescription, Task task,
 			OperationResult result) {
@@ -101,6 +110,22 @@ public boolean isSkipEvaluationMinus() {
 	public void setSkipEvaluationMinus(boolean skipEvaluationMinus) {
 		this.skipEvaluationMinus = skipEvaluationMinus;
 	}
+	
+	public ExpressionProfile getExpressionProfile() {
+		return expressionProfile;
+	}
+
+	public void setExpressionProfile(ExpressionProfile expressionProfile) {
+		this.expressionProfile = expressionProfile;
+	}
+
+	public ExpressionEvaluatorProfile getExpressionEvaluatorProfile() {
+		return expressionEvaluatorProfile;
+	}
+
+	public void setExpressionEvaluatorProfile(ExpressionEvaluatorProfile expressionEvaluatorProfile) {
+		this.expressionEvaluatorProfile = expressionEvaluatorProfile;
+	}
 
 	public ValuePolicyResolver getValuePolicyResolver() {
 		return valuePolicyResolver;
@@ -186,6 +211,7 @@ public ExpressionEvaluationContext shallowClone() {
 		ExpressionEvaluationContext clone = new ExpressionEvaluationContext(sources, variables, contextDescription, task, result);
 		clone.skipEvaluationMinus = this.skipEvaluationMinus;
 		clone.skipEvaluationPlus = this.skipEvaluationPlus;
+		clone.expressionProfile = this.expressionProfile;
 		clone.valuePolicyResolver = this.valuePolicyResolver;
 		clone.expressionFactory = this.expressionFactory;
 		clone.defaultSource = this.defaultSource;
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluator.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluator.java
index 2357260af3b..fd1e9d21801 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluator.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,8 @@
  */
 package com.evolveum.midpoint.repo.common.expression;
 
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
@@ -30,6 +32,8 @@
  *
  */
 public interface ExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> {
+	
+	QName getElementName();
 
 	PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context)
 			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluatorFactory.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluatorFactory.java
index 399d9b3619b..e69eb859a6b 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluatorFactory.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,10 +22,12 @@
 
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 
 
 /**
@@ -36,8 +38,12 @@ public interface ExpressionEvaluatorFactory {
 
 	QName getElementName();
 
-	<V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																							 D outputDefinition, ExpressionFactory factory, String contextDescription, Task task, OperationResult result)
-					throws SchemaException, ObjectNotFoundException;
+	<V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory,
+			String contextDescription, Task task, OperationResult result)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException;
 
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionFactory.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionFactory.java
index df9b37062e0..8abb503f590 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionFactory.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,11 +26,13 @@
 import com.evolveum.midpoint.repo.common.CacheRegistry;
 import com.evolveum.midpoint.repo.common.Cacheable;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
 
 /**
@@ -83,29 +85,29 @@ public void register() {
 	}
 	
 	public <V extends PrismValue,D extends ItemDefinition> Expression<V,D> makeExpression(ExpressionType expressionType,
-			D outputDefinition, String shortDesc, Task task, OperationResult result)
-					throws SchemaException, ObjectNotFoundException {
+			D outputDefinition, ExpressionProfile expressionProfile, String shortDesc, Task task, OperationResult result)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException {
 		ExpressionIdentifier eid = new ExpressionIdentifier(expressionType, outputDefinition);
 		Expression<V,D> expression = (Expression<V,D>) cache.get(eid);
 		if (expression == null) {
-			expression = createExpression(expressionType, outputDefinition, shortDesc, task, result);
+			expression = createExpression(expressionType, outputDefinition, expressionProfile, shortDesc, task, result);
 			cache.put(eid, expression);
 		}
 		return expression;
 	}
 
 	public <T> Expression<PrismPropertyValue<T>,PrismPropertyDefinition<T>> makePropertyExpression(
-			ExpressionType expressionType, QName outputPropertyName, String shortDesc, Task task, OperationResult result)
-					throws SchemaException, ObjectNotFoundException {
+			ExpressionType expressionType, QName outputPropertyName, ExpressionProfile expressionProfile, String shortDesc, Task task, OperationResult result)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException {
 		//noinspection unchecked
 		PrismPropertyDefinition<T> outputDefinition = prismContext.getSchemaRegistry().findPropertyDefinitionByElementName(outputPropertyName);
-		return makeExpression(expressionType, outputDefinition, shortDesc, task, result);
+		return makeExpression(expressionType, outputDefinition, expressionProfile, shortDesc, task, result);
 	}
 
 	private <V extends PrismValue,D extends ItemDefinition> Expression<V,D> createExpression(ExpressionType expressionType,
-			D outputDefinition, String shortDesc, Task task, OperationResult result)
-					throws SchemaException, ObjectNotFoundException {
-		Expression<V,D> expression = new Expression<>(expressionType, outputDefinition, objectResolver, securityContextManager, prismContext);
+			D outputDefinition, ExpressionProfile expressionProfile, String shortDesc, Task task, OperationResult result)
+					throws SchemaException, ObjectNotFoundException, SecurityViolationException {
+		Expression<V,D> expression = new Expression<>(expressionType, outputDefinition, expressionProfile, objectResolver, securityContextManager, prismContext);
 		expression.parse(this, shortDesc, task, result);
 		return expression;
 	}
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionUtil.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionUtil.java
index 8ae7b0b444f..1d925de6629 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionUtil.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionUtil.java
@@ -18,24 +18,61 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
 import java.util.function.Function;
 
 import javax.xml.namespace.QName;
 
-import com.evolveum.midpoint.prism.*;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import com.evolveum.midpoint.prism.ComplexTypeDefinition;
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.ExpressionWrapper;
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.MutablePrismPropertyDefinition;
+import com.evolveum.midpoint.prism.Objectable;
+import com.evolveum.midpoint.prism.PartiallyResolvedItem;
+import com.evolveum.midpoint.prism.PrimitiveType;
+import com.evolveum.midpoint.prism.PrismContainer;
+import com.evolveum.midpoint.prism.PrismContainerDefinition;
+import com.evolveum.midpoint.prism.PrismContainerValue;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyDefinition;
+import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.PrismReference;
+import com.evolveum.midpoint.prism.PrismReferenceDefinition;
+import com.evolveum.midpoint.prism.PrismReferenceValue;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.PrismValueCollectionsUtil;
+import com.evolveum.midpoint.prism.Referencable;
+import com.evolveum.midpoint.prism.Structured;
 import com.evolveum.midpoint.prism.Visitor;
 import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
-import com.evolveum.midpoint.prism.path.*;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.polystring.PolyString;
-import com.evolveum.midpoint.prism.query.*;
+import com.evolveum.midpoint.prism.query.AllFilter;
+import com.evolveum.midpoint.prism.query.ExistsFilter;
+import com.evolveum.midpoint.prism.query.FilterCreationUtil;
+import com.evolveum.midpoint.prism.query.FullTextFilter;
+import com.evolveum.midpoint.prism.query.InOidFilter;
+import com.evolveum.midpoint.prism.query.LogicalFilter;
+import com.evolveum.midpoint.prism.query.NoneFilter;
+import com.evolveum.midpoint.prism.query.ObjectFilter;
+import com.evolveum.midpoint.prism.query.ObjectQuery;
+import com.evolveum.midpoint.prism.query.OrgFilter;
+import com.evolveum.midpoint.prism.query.TypeFilter;
+import com.evolveum.midpoint.prism.query.UndefinedFilter;
+import com.evolveum.midpoint.prism.query.ValueFilter;
 import com.evolveum.midpoint.prism.util.ItemDeltaItem;
 import com.evolveum.midpoint.prism.util.JavaTypeConverter;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
@@ -43,8 +80,15 @@
 import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
 import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.task.api.Task;
@@ -71,8 +115,6 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 
 /**
  * @author semancik
@@ -171,6 +213,17 @@ public static <I, O> O convertValue(Class<O> finalExpectedJavaType, Function<Obj
 		return convertedVal;
 	}
 
+	// TODO: do we need this?
+	public static Object resolvePathGetValue(ItemPath path, ExpressionVariables variables, boolean normalizeValuesToDelete,
+			TypedValue defaultContext, ObjectResolver objectResolver, PrismContext prismContext, String shortDesc, Task task, OperationResult result)
+					throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+		TypedValue typedValue = resolvePathGetTypedValue(path, variables, normalizeValuesToDelete, defaultContext, objectResolver, prismContext, shortDesc, task, result);
+		if (typedValue == null) {
+			return null;
+		}
+		return typedValue.getValue();
+	}
+	
 	/**
 	 * normalizeValuesToDelete: Whether to normalize container values that are to be deleted, i.e. convert them
 	 * from id-only to full data (MID-4863).
@@ -178,22 +231,22 @@ public static <I, O> O convertValue(Class<O> finalExpectedJavaType, Function<Obj
 	 * 1. consider setting this parameter to true at some other places where it might be relevant
 	 * 2. consider normalizing delete deltas earlier in the clockwork, probably at the very beginning of the operation
 	 */
-	public static Object resolvePath(ItemPath path, ExpressionVariables variables, boolean normalizeValuesToDelete,
-			Object defaultContext, ObjectResolver objectResolver, String shortDesc, Task task, OperationResult result)
+	public static TypedValue resolvePathGetTypedValue(ItemPath path, ExpressionVariables variables, boolean normalizeValuesToDelete,
+			TypedValue defaultContext, ObjectResolver objectResolver, PrismContext prismContext, String shortDesc, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 
-		Object root = defaultContext;
+		TypedValue root = defaultContext;
 		ItemPath relativePath = path;
 		Object first = path.first();
-		String varDesc = "default context";
+		String topVarDesc = "default context";
 		if (ItemPath.isVariable(first)) {
-			QName varName = ItemPath.toVariableName(first);
-			varDesc = "variable " + PrettyPrinter.prettyPrint(varName);
+			String topVarName = ItemPath.toVariableName(first).getLocalPart();
+			topVarDesc = "variable " + PrettyPrinter.prettyPrint(topVarName);
 			relativePath = path.rest();
-			if (variables.containsKey(varName)) {
-				root = variables.get(varName);
+			if (variables.containsKey(topVarName)) {
+				root = variables.get(topVarName);
 			} else {
-				throw new SchemaException("No variable with name " + varName + " in " + shortDesc);
+				throw new SchemaException("No variable with name " + topVarName + " in " + shortDesc);
 			}
 		}
 		if (root == null) {
@@ -207,38 +260,143 @@ public static Object resolvePath(ItemPath path, ExpressionVariables variables, b
 			root = normalizeValuesToDelete(root);
 		}
 
-		if (root instanceof ObjectReferenceType) {
-			root = resolveReference((ObjectReferenceType) root, objectResolver, varDesc, shortDesc, task,
+		if (root.getValue() instanceof ObjectReferenceType) {
+			root = resolveReference((TypedValue<ObjectReferenceType>) root, objectResolver, topVarDesc, shortDesc, task,
 					result);
 		}
 
-		if (root instanceof Objectable) {
-			return (((Objectable) root).asPrismObject()).find(relativePath);
-		}
-		if (root instanceof PrismObject<?>) {
-			return ((PrismObject<?>) root).find(relativePath);
-		} else if (root instanceof PrismContainer<?>) {
-			return ((PrismContainer<?>) root).find(relativePath);
-		} else if (root instanceof PrismContainerValue<?>) {
-			return ((PrismContainerValue<?>) root).find(relativePath);
-		} else if (root instanceof Item<?, ?>) {
+		String lastPathSegmentName = relativePath.lastName().getLocalPart();
+		
+		Object rootValue = root.getValue();
+		if (rootValue == null) {
+			// The result value is going to be null, but we still need a definition. Try to determine that from root definition.
+			if (root.getDefinition() == null) {
+				throw new IllegalArgumentException("No definition for path "+path+": "+root);
+			}
+			// Relative path is not empty here. Therefore the root must be a container.
+			ItemDefinition subitemDefinition = ((PrismContainerDefinition<?>)root.getDefinition()).findItemDefinition(relativePath);
+			if (subitemDefinition == null) {
+				// this must be something dynamic, e.g. assignment extension. Just assume string here. Not completely correct. But what can we do?
+				subitemDefinition = prismContext.definitionFactory().createPropertyDefinition(relativePath.lastName(), PrimitiveType.STRING.getQname());
+			}
+			return new TypedValue<>(null, subitemDefinition);
+		}
+		
+		if (rootValue instanceof Objectable) {
+			return determineTypedValue(prismContext, lastPathSegmentName, ((Objectable) rootValue).asPrismObject(), relativePath);
+		}
+		if (rootValue instanceof PrismObject<?>) {
+			return determineTypedValue(prismContext, lastPathSegmentName, (PrismObject<?>) rootValue, relativePath);
+		} else if (rootValue instanceof PrismContainer<?>) {
+			return determineTypedValue(prismContext, lastPathSegmentName, (PrismContainer<?>) rootValue, relativePath);
+		} else if (rootValue instanceof PrismContainerValue<?>) {
+			return determineTypedValue(prismContext, lastPathSegmentName, (PrismContainerValue<?>) rootValue, relativePath);
+		} else if (rootValue instanceof Item<?, ?>) {
 			// Except for container (which is handled above)
 			throw new SchemaException(
 					"Cannot apply path " + relativePath + " to " + root + " in " + shortDesc);
-		} else if (root instanceof ObjectDeltaObject<?>) {
-			return ((ObjectDeltaObject<?>) root).findIdi(relativePath);
-		} else if (root instanceof ItemDeltaItem<?, ?>) {
-			return ((ItemDeltaItem<?, ?>) root).findIdi(relativePath);
+		} else if (rootValue instanceof ObjectDeltaObject<?>) {
+			return determineTypedValueOdo(prismContext, lastPathSegmentName, root, relativePath);
+		} else if (rootValue instanceof ItemDeltaItem<?, ?>) {
+			return determineTypedValue(prismContext, lastPathSegmentName, (ItemDeltaItem<?,?>) rootValue, relativePath);
 		} else {
 			throw new IllegalArgumentException(
-					"Unexpected root " + root + " (relative path:" + relativePath + ") in " + shortDesc);
+					"Unexpected root " + rootValue + " (relative path:" + relativePath + ") in " + shortDesc);
 		}
 	}
-
-	private static Object normalizeValuesToDelete(Object root) {
-		if (root instanceof ObjectDeltaObject<?>) {
-			return ((ObjectDeltaObject<?>) root).normalizeValuesToDelete(true);
-		} else if (root instanceof ItemDeltaItem<?, ?>) {
+	
+	private static  <T> TypedValue<T> determineTypedValue(PrismContext prismContext, String name, PrismContainer<?> rootContainer, ItemPath relativePath) throws SchemaException {
+		Object value;
+		PartiallyResolvedItem<PrismValue,ItemDefinition> partiallyResolvedItem = rootContainer.findPartial(relativePath);
+		if (partiallyResolvedItem == null) {
+			value = null;
+		} else {
+			if (partiallyResolvedItem.getResidualPath() == null) {
+				value = partiallyResolvedItem.getItem();
+			} else {
+				Object parentValue = partiallyResolvedItem.getItem().getRealValue();
+				if (parentValue instanceof Structured) {
+					value = ((Structured)parentValue).resolve(partiallyResolvedItem.getResidualPath());
+				} else {
+					throw new SchemaException("No subpath "+partiallyResolvedItem.getResidualPath()+" in "+partiallyResolvedItem.getItem());
+				}
+			}
+		}
+		ItemDefinition def = determineItemDefinition(rootContainer.getDefinition(), relativePath);
+		if (def == null) {
+			throw new IllegalArgumentException("Cannot determine definition for '"+relativePath+"' from "+rootContainer+", value: "+value);
+		}
+		return new TypedValue<>((T)value, def);
+	}
+	
+	private static  <T> TypedValue<T> determineTypedValue(PrismContext prismContext, String name, PrismContainerValue<?> rootContainerValue, ItemPath relativePath) throws SchemaException {
+		Item<PrismValue,ItemDefinition> value = rootContainerValue.findItem(relativePath);
+		ItemDefinition def = determineItemDefinition(rootContainerValue.getDefinition(), relativePath);
+		if (def == null) {
+			throw new IllegalArgumentException("Cannot determine definition for '"+relativePath+"' from "+rootContainerValue+", value: "+value);
+		}
+		return new TypedValue<>((T)value, def);
+	}
+	
+	private static  <T> TypedValue<T> determineTypedValue(PrismContext prismContext, String name, ItemDeltaItem<?,?> rootIdi, ItemPath relativePath) throws SchemaException {
+		ItemDeltaItem<PrismValue, ItemDefinition> value = rootIdi.findIdi(relativePath);
+		ItemDefinition def = determineItemDefinition((PrismContainerDefinition)rootIdi.getDefinition(), relativePath);
+		if (def == null) {
+			throw new IllegalArgumentException("Cannot determine definition for '"+relativePath+"' from "+rootIdi+", value: "+value);
+		}
+		return new TypedValue<>((T)value, def);
+	}
+	
+	private static  <T,O extends ObjectType> TypedValue<T> determineTypedValueOdo(PrismContext prismContext, String name, TypedValue<O> root, ItemPath relativePath) throws SchemaException {
+		ObjectDeltaObject<O> rootOdo = (ObjectDeltaObject<O>) root.getValue();
+		ItemDeltaItem<PrismValue, ItemDefinition> subValue = rootOdo.findIdi(relativePath);
+		PrismObjectDefinition<O> rootDefinition = root.getDefinition();
+		if (rootDefinition == null) {
+			rootDefinition = rootOdo.getDefinition();
+			if (rootDefinition == null) {
+				throw new IllegalArgumentException("Found ODO without a definition while processing variable '"+name+"': "+rootOdo);
+			}
+		}
+		ItemDefinition def = determineItemDefinition(rootDefinition, relativePath);
+		if (def == null) {
+			throw new IllegalArgumentException("Cannot determine definition for '"+relativePath+"' from "+rootOdo+", value: "+subValue);
+		}
+		return new TypedValue<>((T)subValue, def);
+	}
+	
+	private static ItemDefinition determineItemDefinition(PrismContainerDefinition containerDefinition, ItemPath relativePath) {
+		ItemDefinition def = containerDefinition.findItemDefinition(relativePath);
+		if (def != null) {
+			return def;
+		}
+		// This may be a wrong path. Or it may be a path to a "subproperty" of a structured property, such as PolyString/norm.
+		// Let's find out by looking at the parent.
+		ItemPath parentPath = relativePath.allExceptLast();
+		ItemDefinition parentDef = containerDefinition.findItemDefinition(parentPath);
+		if (parentDef == null) {
+			return null;
+		}
+		if (parentDef instanceof PrismContainerDefinition) {
+			if (parentDef.isDynamic() && ((PrismContainerDefinition)parentDef).isEmpty()) {
+				// The case of dynamic schema for which there are no definitions
+				// E.g. assignment extension
+				// just default to single-value strings. Better than nothing. At least for now.
+				return parentDef.getPrismContext().definitionFactory().createPropertyDefinition(relativePath.lastName(), PrimitiveType.STRING.getQname());
+			}
+		} else if ((parentDef instanceof PrismPropertyDefinition)) {
+			if (PrismUtil.isStructuredType(parentDef.getTypeName())) {
+				// All "subproperties" are hardcoded as singlevalue strings
+				return parentDef.getPrismContext().definitionFactory().createPropertyDefinition(relativePath.lastName(), PrimitiveType.STRING.getQname());
+			}
+		}
+		return null;
+	}
+	
+	private static TypedValue normalizeValuesToDelete(TypedValue root) {
+		Object rootValue = root.getValue();
+		if (rootValue instanceof ObjectDeltaObject<?>) {
+			return new TypedValue(((ObjectDeltaObject<?>) rootValue).normalizeValuesToDelete(true), root.getDefinition());
+		} else if (rootValue instanceof ItemDeltaItem<?, ?>) {
 			// TODO normalize as well
 			return root;
 		} else {
@@ -248,7 +406,7 @@ private static Object normalizeValuesToDelete(Object root) {
 
 	public static <V extends PrismValue, F extends FocusType> Collection<V> computeTargetValues(
 			VariableBindingDefinitionType target,
-			Object defaultTargetContext, ExpressionVariables variables, ObjectResolver objectResolver, String contextDesc,
+			TypedValue defaultTargetContext, ExpressionVariables variables, ObjectResolver objectResolver, String contextDesc,
 			PrismContext prismContext, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 		if (target == null) {
 			// Is this correct? What about default targets?
@@ -262,7 +420,7 @@ public static <V extends PrismValue, F extends FocusType> Collection<V> computeT
 		}
 		ItemPath path = itemPathType.getItemPath();
 
-		Object object = resolvePath(path, variables, false, defaultTargetContext, objectResolver, contextDesc, task, result);
+		Object object = resolvePathGetValue(path, variables, false, defaultTargetContext, objectResolver, prismContext, contextDesc, task, result);
 		if (object == null) {
 			return new ArrayList<>();
 		} else if (object instanceof Item) {
@@ -279,82 +437,120 @@ public static <V extends PrismValue, F extends FocusType> Collection<V> computeT
 	}
 
 	// TODO what about collections of values?
-	public static Object convertVariableValue(Object originalValue, String variableName, ObjectResolver objectResolver,
+	public static <T> TypedValue<T> convertVariableValue(TypedValue<T> originalTypedValue, String variableName, ObjectResolver objectResolver,
 			String contextDescription, PrismContext prismContext, Task task, OperationResult result) throws ExpressionSyntaxException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
-		if (originalValue instanceof PrismValue) {
-			((PrismValue) originalValue).setPrismContext(prismContext);			// TODO - or revive? Or make sure prismContext is set here?
-		} else if (originalValue instanceof Item) {
-			((Item) originalValue).setPrismContext(prismContext);				// TODO - or revive? Or make sure prismContext is set here?
+		Object valueToConvert = originalTypedValue.getValue();
+		if (valueToConvert == null) {
+			return originalTypedValue;
 		}
-		if (originalValue instanceof ObjectReferenceType) {
+		TypedValue<T> convertedTypeValue = originalTypedValue.createTransformed(valueToConvert);
+		if (valueToConvert instanceof PrismValue) {
+			((PrismValue) valueToConvert).setPrismContext(prismContext);			// TODO - or revive? Or make sure prismContext is set here?
+		} else if (valueToConvert instanceof Item) {
+			((Item) valueToConvert).setPrismContext(prismContext);				// TODO - or revive? Or make sure prismContext is set here?
+		}
+		if (valueToConvert instanceof ObjectReferenceType) {
 			try {
-				originalValue = resolveReference((ObjectReferenceType)originalValue, objectResolver, variableName,
+				convertedTypeValue = (TypedValue<T>) resolveReference((TypedValue<ObjectReferenceType>) originalTypedValue, objectResolver, variableName,
 						contextDescription, task, result);
+				valueToConvert = convertedTypeValue.getValue();
 			} catch (SchemaException e) {
 				throw new ExpressionSyntaxException("Schema error during variable "+variableName+" resolution in "+contextDescription+": "+e.getMessage(), e);
 			}
 		}
-		if (originalValue instanceof PrismObject<?>) {
-			return ((PrismObject<?>)originalValue).asObjectable();
+		if (valueToConvert instanceof PrismObject<?>) {
+			convertedTypeValue.setValue(((PrismObject<?>)valueToConvert).asObjectable());
+			return convertedTypeValue;
 		}
-		if (originalValue instanceof PrismContainerValue<?>) {
-			return ((PrismContainerValue<?>)originalValue).asContainerable();
+		if (valueToConvert instanceof PrismContainerValue<?>) {
+			PrismContainerValue<?> cval = ((PrismContainerValue<?>)valueToConvert);
+			Class<?> containerCompileTimeClass = cval.getCompileTimeClass();
+			if (containerCompileTimeClass == null) {
+				// Dynamic schema. We do not have anything to convert to. Leave it as PrismContainerValue
+				convertedTypeValue.setValue(valueToConvert);
+			} else {
+				convertedTypeValue.setValue(cval.asContainerable());
+			}
+			return convertedTypeValue;
 		}
-		if (originalValue instanceof PrismPropertyValue<?>) {
-			return ((PrismPropertyValue<?>)originalValue).getValue();
+		if (valueToConvert instanceof PrismPropertyValue<?>) {
+			convertedTypeValue.setValue(((PrismPropertyValue<?>)valueToConvert).getValue());
+			return convertedTypeValue;
 		}
-		if (originalValue instanceof PrismReferenceValue) {
-			if (((PrismReferenceValue) originalValue).getDefinition() != null) {
-				return ((PrismReferenceValue) originalValue).asReferencable();
+		if (valueToConvert instanceof PrismReferenceValue) {
+			if (((PrismReferenceValue) valueToConvert).getDefinition() != null) {
+				convertedTypeValue.setValue(((PrismReferenceValue) valueToConvert).asReferencable());
+				return convertedTypeValue;
 			}
 		}
-		if (originalValue instanceof PrismProperty<?>) {
-			PrismProperty<?> prop = (PrismProperty<?>)originalValue;
+		if (valueToConvert instanceof PrismProperty<?>) {
+			PrismProperty<?> prop = (PrismProperty<?>)valueToConvert;
 			PrismPropertyDefinition<?> def = prop.getDefinition();
 			if (def != null) {
 				if (def.isSingleValue()) {
-					return prop.getRealValue();
+					return new TypedValue(prop.getRealValue(), def);
 				} else {
-					return prop.getRealValues();
+					return new TypedValue(prop.getRealValues(), def);
 				}
 			} else {
-				return prop.getValues();
+				// Guess, but we may be wrong
+				def = prismContext.definitionFactory().createPropertyDefinition(prop.getElementName(), PrimitiveType.STRING.getQname());
+				return new TypedValue(prop.getRealValues(), def);
 			}
 		}
-		if (originalValue instanceof PrismReference) {
-			PrismReference prop = (PrismReference)originalValue;
-			PrismReferenceDefinition def = prop.getDefinition();
+		if (valueToConvert instanceof PrismReference) {
+			PrismReference ref = (PrismReference)valueToConvert;
+			PrismReferenceDefinition def = ref.getDefinition();
 			if (def != null) {
 				if (def.isSingleValue()) {
-					return prop.getRealValue();
+					return new TypedValue(ref.getRealValue(), def);
 				} else {
-					return prop.getRealValues();
+					return new TypedValue(ref.getRealValues(), def);
 				}
 			} else {
-				return prop.getValues();
+				def = prismContext.definitionFactory().createReferenceDefinition(ref.getElementName(), ObjectType.COMPLEX_TYPE);
+				return new TypedValue(ref.getRealValues(), def);
 			}
 		}
-		if (originalValue instanceof PrismContainer<?>) {
-			PrismContainer<?> container = (PrismContainer<?>)originalValue;
+		if (valueToConvert instanceof PrismContainer<?>) {
+			PrismContainer<?> container = (PrismContainer<?>)valueToConvert;
 			PrismContainerDefinition<?> def = container.getDefinition();
-			if (def != null) {
-				if (def.isSingleValue()) {
-					return container.getRealValue();
+			Class<?> containerCompileTimeClass = container.getCompileTimeClass();
+			if (containerCompileTimeClass == null) {
+				// Dynamic schema. We do not have anything to convert to. Leave it as PrismContainer
+				if (def != null) {
+					return new TypedValue(container, def);
 				} else {
-					return container.getRealValues();
-
+					return new TypedValue(container, PrismContainer.class);
 				}
 			} else {
-				return container.getValues();
+				if (def != null) {
+					if (def.isSingleValue()) {
+						return new TypedValue(container.getRealValue(), def);
+					} else {
+						return new TypedValue(container.getRealValues(), def);
+	
+					}
+				} else {
+					PrismContainerValue<?> cval = container.getValue();
+					if (cval != null) {
+						Containerable containerable = cval.asContainerable();
+						if (containerable != null) {
+							return new TypedValue(container.getRealValues(), containerable.getClass());
+						}
+					}
+					return new TypedValue(container.getRealValues(), Object.class);
+				}
 			}
 		}
 
-		return originalValue;
+		return convertedTypeValue;
 	}
 
-	private static PrismObject<?> resolveReference(ObjectReferenceType ref, ObjectResolver objectResolver,
+	private static TypedValue<PrismObject<?>> resolveReference(TypedValue<ObjectReferenceType> refAndDef, ObjectResolver objectResolver,
 			String varDesc, String contextDescription, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+		ObjectReferenceType ref = (ObjectReferenceType) refAndDef.getValue();
 		if (ref.getOid() == null) {
 			throw new SchemaException(
 					"Null OID in reference in variable " + varDesc + " in " + contextDescription);
@@ -367,7 +563,7 @@ private static PrismObject<?> resolveReference(ObjectReferenceType ref, ObjectRe
 					throw new IllegalArgumentException(
 							"Resolve returned null for " + ref + " in " + contextDescription);
 				}
-				return objectType.asPrismObject();
+				return new TypedValue<>(objectType.asPrismObject());
 
 			} catch (ObjectNotFoundException e) {
 				throw new ObjectNotFoundException("Object not found during variable " + varDesc
@@ -402,9 +598,10 @@ public static <ID extends ItemDefinition> ID resolveDefinitionPath(@NotNull Item
 		Object first = path.first();
 		if (ItemPath.isVariable(first)) {
 			relativePath = path.rest();
-			QName varName = ItemPath.toVariableName(first);
+			String varName = ItemPath.toVariableName(first).getLocalPart();
 			if (variables.containsKey(varName)) {
-				Object varValue = variables.get(varName);
+				TypedValue typeVarValue = variables.get(varName);
+				Object varValue = typeVarValue.getValue();
 				if (varValue instanceof ItemDeltaItem<?, ?>) {
 					root = ((ItemDeltaItem<?, ?>) varValue).getDefinition();
 				} else if (varValue instanceof Item<?, ?>) {
@@ -419,10 +616,10 @@ public static <ID extends ItemDefinition> ID resolveDefinitionPath(@NotNull Item
 				}
 				if (root == null) {
 					throw new IllegalStateException(
-							"Null definition in content of variable " + varName + ": " + varValue);
+							"Null definition in content of variable '" + varName + "': " + varValue);
 				}
 			} else {
-				throw new SchemaException("No variable with name " + varName + " in " + shortDesc);
+				throw new SchemaException("No variable with name '" + varName + "' in " + shortDesc);
 			}
 		}
 		if (root == null) {
@@ -457,18 +654,18 @@ public static <IV extends PrismValue, ID extends ItemDefinition> ItemDeltaItem<I
 
 		if (object instanceof PrismObject<?>) {
 			return (ItemDeltaItem<IV, ID>) new ObjectDeltaObject((PrismObject<?>) object, null,
-					(PrismObject<?>) object);
+					(PrismObject<?>) object, ((PrismObject) object).getDefinition());
 		} else if (object instanceof Item<?, ?>) {
-			return new ItemDeltaItem<>((Item<IV, ID>) object, null, (Item<IV, ID>) object);
+			return new ItemDeltaItem<>((Item<IV, ID>) object, null, (Item<IV, ID>) object, ((Item<IV, ID>) object).getDefinition());
 		} else if (object instanceof ItemDelta<?, ?>) {
-			return new ItemDeltaItem<>(null, (ItemDelta<IV, ID>) object, null);
+			return new ItemDeltaItem<>(null, (ItemDelta<IV, ID>) object, null, ((ItemDelta<IV, ID>) object).getDefinition());
 		} else {
 			throw new IllegalArgumentException("Unexpected object " + object + " " + object.getClass());
 		}
 
 	}
 
-	public static ObjectQuery evaluateQueryExpressions(ObjectQuery origQuery, ExpressionVariables variables,
+	public static ObjectQuery evaluateQueryExpressions(ObjectQuery origQuery, ExpressionVariables variables, ExpressionProfile expressionProfile,
 			ExpressionFactory expressionFactory, PrismContext prismContext, String shortDesc, Task task,
 			OperationResult result)
 					throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
@@ -476,21 +673,21 @@ public static ObjectQuery evaluateQueryExpressions(ObjectQuery origQuery, Expres
 			return null;
 		}
 		ObjectQuery query = origQuery.clone();
-		ObjectFilter evaluatedFilter = evaluateFilterExpressionsInternal(query.getFilter(), variables,
+		ObjectFilter evaluatedFilter = evaluateFilterExpressionsInternal(query.getFilter(), variables, expressionProfile,
 				expressionFactory, prismContext, shortDesc, task, result);
 		query.setFilter(evaluatedFilter);
 		return query;
 	}
 
 	public static ObjectFilter evaluateFilterExpressions(ObjectFilter origFilter,
-			ExpressionVariables variables, ExpressionFactory expressionFactory, PrismContext prismContext,
+			ExpressionVariables variables, ExpressionProfile expressionProfile, ExpressionFactory expressionFactory, PrismContext prismContext,
 			String shortDesc, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		if (origFilter == null) {
 			return null;
 		}
 
-		return evaluateFilterExpressionsInternal(origFilter, variables, expressionFactory, prismContext,
+		return evaluateFilterExpressionsInternal(origFilter, variables, expressionProfile, expressionFactory, prismContext,
 				shortDesc, task, result);
 	}
 
@@ -511,7 +708,7 @@ public static boolean hasExpressions(@Nullable ObjectFilter filter) {
 	}
 
 	private static ObjectFilter evaluateFilterExpressionsInternal(ObjectFilter filter,
-			ExpressionVariables variables, ExpressionFactory expressionFactory, PrismContext prismContext,
+			ExpressionVariables variables, ExpressionProfile expressionProfile, ExpressionFactory expressionFactory, PrismContext prismContext,
 			String shortDesc, Task task, OperationResult result)
 					throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 		if (filter == null) {
@@ -533,7 +730,7 @@ private static ObjectFilter evaluateFilterExpressionsInternal(ObjectFilter filte
 
 			try {
 				Collection<String> expressionResult = evaluateStringExpression(variables, prismContext,
-						valueExpression, expressionFactory, shortDesc, task, result);
+						valueExpression, expressionProfile, expressionFactory, shortDesc, task, result);
 
 				if (expressionResult == null || expressionResult.isEmpty()) {
 					LOGGER.debug("Result of search filter expression was null or empty. Expression: {}",
@@ -562,7 +759,7 @@ private static ObjectFilter evaluateFilterExpressionsInternal(ObjectFilter filte
 
 			try {
 				Collection<String> expressionResult = evaluateStringExpression(variables, prismContext,
-						valueExpression, expressionFactory, shortDesc, task, result);
+						valueExpression, expressionProfile, expressionFactory, shortDesc, task, result);
 				if (expressionResult == null || expressionResult.isEmpty()) {
 					LOGGER.debug("Result of search filter expression was null or empty. Expression: {}",
 							valueExpression);
@@ -586,7 +783,7 @@ private static ObjectFilter evaluateFilterExpressionsInternal(ObjectFilter filte
 			List<ObjectFilter> conditions = ((LogicalFilter) filter).getConditions();
 			LogicalFilter evaluatedFilter = ((LogicalFilter) filter).cloneEmpty();
 			for (ObjectFilter condition : conditions) {
-				ObjectFilter evaluatedSubFilter = evaluateFilterExpressionsInternal(condition, variables,
+				ObjectFilter evaluatedSubFilter = evaluateFilterExpressionsInternal(condition, variables, expressionProfile,
 						expressionFactory, prismContext, shortDesc, task, result);
 				evaluatedFilter.addCondition(evaluatedSubFilter);
 			}
@@ -607,7 +804,7 @@ private static ObjectFilter evaluateFilterExpressionsInternal(ObjectFilter filte
 			ExpressionType valueExpression = getExpression(expressionWrapper, shortDesc);
 
 			try {
-				PrismValue expressionResult = evaluateExpression(variables, prismContext, valueExpression,
+				PrismValue expressionResult = evaluateExpression(variables, prismContext, valueExpression, expressionProfile,
 						filter, expressionFactory, shortDesc, task, result);
 
 				if (expressionResult == null || expressionResult.isEmpty()) {
@@ -655,13 +852,13 @@ private static ObjectFilter evaluateFilterExpressionsInternal(ObjectFilter filte
 		} else if (filter instanceof ExistsFilter) {
 			ExistsFilter evaluatedFilter = ((ExistsFilter) filter).cloneEmpty();
 			ObjectFilter evaluatedSubFilter = evaluateFilterExpressionsInternal(((ExistsFilter) filter).getFilter(), variables,
-					expressionFactory, prismContext, shortDesc, task, result);
+					expressionProfile, expressionFactory, prismContext, shortDesc, task, result);
 			evaluatedFilter.setFilter(evaluatedSubFilter);
 			return evaluatedFilter;
 		} else if (filter instanceof TypeFilter) {
 			TypeFilter evaluatedFilter = ((TypeFilter) filter).cloneEmpty();
 			ObjectFilter evaluatedSubFilter = evaluateFilterExpressionsInternal(((TypeFilter) filter).getFilter(), variables,
-						expressionFactory, prismContext, shortDesc, task, result);
+						expressionProfile, expressionFactory, prismContext, shortDesc, task, result);
 			evaluatedFilter.setFilter(evaluatedSubFilter);
 			return evaluatedFilter;
 		} else if (filter instanceof OrgFilter) {
@@ -731,7 +928,7 @@ private static ObjectFilter createFilterForNoValue(ObjectFilter filter, Expressi
 	}
 
 	private static <V extends PrismValue> V evaluateExpression(ExpressionVariables variables,
-			PrismContext prismContext, ExpressionType expressionType, ObjectFilter filter,
+			PrismContext prismContext, ExpressionType expressionType, ExpressionProfile expressionProfile, ObjectFilter filter,
 			ExpressionFactory expressionFactory, String shortDesc, Task task, OperationResult parentResult)
 					throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
 
@@ -746,7 +943,7 @@ private static <V extends PrismValue> V evaluateExpression(ExpressionVariables v
 					DOMUtil.XSD_STRING);
 		}
 
-		return (V) evaluateExpression(variables, outputDefinition, expressionType, expressionFactory, shortDesc,
+		return (V) evaluateExpression(variables, outputDefinition, expressionType, expressionProfile, expressionFactory, shortDesc,
 				task, parentResult);
 
 		// String expressionResult =
@@ -755,11 +952,11 @@ private static <V extends PrismValue> V evaluateExpression(ExpressionVariables v
 	}
 
 	public static <V extends PrismValue, D extends ItemDefinition> V evaluateExpression(
-			ExpressionVariables variables, D outputDefinition, ExpressionType expressionType,
+			ExpressionVariables variables, D outputDefinition, ExpressionType expressionType, ExpressionProfile expressionProfile,
 			ExpressionFactory expressionFactory, String shortDesc, Task task, OperationResult parentResult)
 					throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 
-		Expression<V, D> expression = expressionFactory.makeExpression(expressionType, outputDefinition,
+		Expression<V, D> expression = expressionFactory.makeExpression(expressionType, outputDefinition, expressionProfile,
 				shortDesc, task, parentResult);
 
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, shortDesc, task, parentResult);
@@ -787,7 +984,7 @@ public static <V extends PrismValue> V getExpressionOutputValue(PrismValueDeltaS
 	}
 
 	public static Collection<String> evaluateStringExpression(ExpressionVariables variables,
-			PrismContext prismContext, ExpressionType expressionType, ExpressionFactory expressionFactory,
+			PrismContext prismContext, ExpressionType expressionType, ExpressionProfile expressionProfile, ExpressionFactory expressionFactory,
 			String shortDesc, Task task, OperationResult parentResult)
 					throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 
@@ -795,7 +992,7 @@ public static Collection<String> evaluateStringExpression(ExpressionVariables va
 				ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_STRING);
 		outputDefinition.setMaxOccurs(-1);
 		Expression<PrismPropertyValue<String>, PrismPropertyDefinition<String>> expression = expressionFactory
-				.makeExpression(expressionType, outputDefinition, shortDesc, task, parentResult);
+				.makeExpression(expressionType, outputDefinition, expressionProfile, shortDesc, task, parentResult);
 
 		ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, shortDesc, task,
 				parentResult);
@@ -816,12 +1013,12 @@ public static Collection<String> evaluateStringExpression(ExpressionVariables va
 	}
 
 	public static PrismPropertyValue<Boolean> evaluateCondition(ExpressionVariables variables,
-			ExpressionType expressionType, ExpressionFactory expressionFactory, String shortDesc, Task task,
+			ExpressionType expressionType, ExpressionProfile expressionProfile, ExpressionFactory expressionFactory, String shortDesc, Task task,
 			OperationResult parentResult)
 					throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ItemDefinition outputDefinition = expressionFactory.getPrismContext().definitionFactory().createPropertyDefinition(
 				ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_BOOLEAN);
-		return (PrismPropertyValue<Boolean>) evaluateExpression(variables, outputDefinition, expressionType,
+		return (PrismPropertyValue<Boolean>) evaluateExpression(variables, outputDefinition, expressionType, expressionProfile,
 				expressionFactory, shortDesc, task, parentResult);
 	}
 
@@ -836,18 +1033,16 @@ public static boolean getBooleanConditionOutput(PrismPropertyValue<Boolean> cond
 		return value;
 	}
 
-	public static Map<QName, Object> compileVariablesAndSources(ExpressionEvaluationContext params) {
-		Map<QName, Object> variablesAndSources = new HashMap<>();
+	public static VariablesMap compileVariablesAndSources(ExpressionEvaluationContext params) {
+		VariablesMap variablesAndSources = new VariablesMap();
 
 		if (params.getVariables() != null) {
-			for (Entry<QName, Object> entry : params.getVariables().entrySet()) {
-				variablesAndSources.put(entry.getKey(), entry.getValue());
-			}
+			variablesAndSources.putAll(params.getVariables());
 		}
 
 		if (params.getSources() != null) {
 			for (Source<?, ?> source : params.getSources()) {
-				variablesAndSources.put(source.getName(), source);
+				variablesAndSources.put(source.getName().getLocalPart(), source, source.getDefinition());
 			}
 		}
 
@@ -906,7 +1101,7 @@ public static PlusMinusZero computeConditionResultMode(boolean condOld, boolean
 		throw new IllegalStateException("notreached");
 	}
 
-	public static void addActorVariable(ExpressionVariables scriptVariables, SecurityContextManager securityContextManager) {
+	public static void addActorVariable(ExpressionVariables scriptVariables, SecurityContextManager securityContextManager, PrismContext prismContext) {
 		// There can already be a value, because for mappings, we create the
 		// variable before parsing sources.
 		// For other scripts we do it just before the execution, to catch all
@@ -924,7 +1119,8 @@ public static void addActorVariable(ExpressionVariables scriptVariables, Securit
 					// This is most likely evaluation of role
 					// condition before
 					// the authentication is complete.
-					scriptVariables.addVariableDefinition(ExpressionConstants.VAR_ACTOR, null);
+					PrismObjectDefinition<UserType> actorDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class);
+					scriptVariables.addVariableDefinition(ExpressionConstants.VAR_ACTOR, null, actorDef);
 					return;
 				}
 				MidPointPrincipal principal = securityContextManager.getPrincipal();
@@ -942,7 +1138,13 @@ public static void addActorVariable(ExpressionVariables scriptVariables, Securit
 			LoggingUtils.logUnexpectedException(LOGGER,
 					"Couldn't get principal information - the 'actor' variable is set to null", e);
 		}
-		scriptVariables.addVariableDefinition(ExpressionConstants.VAR_ACTOR, actor);
+		PrismObjectDefinition<UserType> actorDef;
+		if (actor == null) {
+			actorDef = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class);
+		} else {
+			actorDef = actor.getDefinition();
+		}
+		scriptVariables.addVariableDefinition(ExpressionConstants.VAR_ACTOR, actor, actorDef);
 	}
 
 	public static <D extends ItemDefinition> Object convertToOutputValue(Long longValue, D outputDefinition,
@@ -1039,9 +1241,10 @@ public static <T, V extends PrismValue> V convertToPrismValue(T value, ItemDefin
 
 	public static Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> createCondition(
 			ExpressionType conditionExpressionType,
+			ExpressionProfile expressionProfile,
 			ExpressionFactory expressionFactory,
-			String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException {
-		return expressionFactory.makeExpression(conditionExpressionType, createConditionOutputDefinition(expressionFactory.getPrismContext()), shortDesc, task, result);
+			String shortDesc, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, SecurityViolationException {
+		return expressionFactory.makeExpression(conditionExpressionType, createConditionOutputDefinition(expressionFactory.getPrismContext()), expressionProfile, shortDesc, task, result);
 	}
 
 	public static Function<Object, Object> createRefConvertor(QName defaultType) {
@@ -1068,4 +1271,44 @@ public static Function<Object, Object> createRefConvertor(QName defaultType) {
 	public static PrismPropertyDefinition<Boolean> createConditionOutputDefinition(PrismContext prismContext) {
 		return prismContext.definitionFactory().createPropertyDefinition(ExpressionConstants.OUTPUT_ELEMENT_NAME, DOMUtil.XSD_BOOLEAN);
 	}
+	
+	/**
+	 * Used in cases when we do not have a definition.
+	 */
+	public static  ItemDefinition determineDefinitionFromValueClass(PrismContext prismContext, String name, Class<?> valueClass, QName typeQName) {
+		if (valueClass == null) {
+			return null;
+		}
+		if (ObjectType.class.isAssignableFrom(valueClass)) {
+			return prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass((Class<? extends ObjectType>) valueClass);
+		}
+		if (PrismObject.class.isAssignableFrom(valueClass)) {
+			return prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ObjectType.class);
+		}
+		if (Containerable.class.isAssignableFrom(valueClass)) {
+			PrismContainerDefinition<? extends Containerable> def = prismContext.getSchemaRegistry().findContainerDefinitionByCompileTimeClass((Class<? extends Containerable>) valueClass);
+			if (def == null) {
+				ComplexTypeDefinition ctd = prismContext.getSchemaRegistry().findComplexTypeDefinitionByCompileTimeClass((Class<? extends Containerable>) valueClass);
+				def = prismContext.definitionFactory().createContainerDefinition(new QName(SchemaConstants.NS_C, name), ctd);
+			}
+			return def;
+		}
+		MutablePrismPropertyDefinition<Object> def = prismContext.definitionFactory().createPropertyDefinition(new QName(SchemaConstants.NS_C, name), typeQName);
+		return def;
+	}
+	
+	/**
+	 * Works only for simple evaluators that do not have any profile settings. 
+	 */
+	public static void checkEvaluatorProfileSimple(ExpressionEvaluator<?,?> evaluator, ExpressionEvaluationContext context) throws SecurityViolationException {
+		ExpressionEvaluatorProfile profile = context.getExpressionEvaluatorProfile();
+		if (profile == null) {
+			return; // no restrictions
+		}
+		if (profile.getDecision() != AccessDecision.ALLOW) {
+			throw new SecurityViolationException("Access to evaluator "+evaluator.shortDebugDump()+
+					" not allowed (expression profile: "+context.getExpressionProfile().getIdentifier()+") in "+context.getContextDescription());
+		}
+	}
+	
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionVariables.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionVariables.java
index 893d039e31b..c7052fc568a 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionVariables.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionVariables.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,36 +15,30 @@
  */
 package com.evolveum.midpoint.repo.common.expression;
 
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismReferenceDefinition;
 import com.evolveum.midpoint.prism.util.ItemDeltaItem;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
-import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
-import com.evolveum.midpoint.util.DOMUtil;
-import com.evolveum.midpoint.util.DebugDumpable;
-import com.evolveum.midpoint.util.DebugUtil;
-import com.evolveum.midpoint.util.QNameUtil;
+import com.evolveum.midpoint.schema.expression.TypedValue;
+import com.evolveum.midpoint.schema.expression.VariablesMap;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 
-import org.apache.commons.lang.StringUtils;
 import org.jetbrains.annotations.NotNull;
-import org.w3c.dom.Element;
 
-import javax.xml.namespace.QName;
 import java.util.*;
-import java.util.Map.Entry;
 
 import static java.util.Collections.emptySet;
 
 /**
  * @author Radovan Semancik
  */
-public class ExpressionVariables implements DebugDumpable {
-
-    private final Map<QName, Object> variables = new HashMap<>();
+public class ExpressionVariables extends VariablesMap {
 
     private static final Trace LOGGER = TraceManager.getTrace(ExpressionVariables.class);
 
@@ -53,16 +47,17 @@ public class ExpressionVariables implements DebugDumpable {
      * If there are variables with deltas (ObjectDeltaObject) the operation fail because
      * it cannot decide which version to use.
      */
-    public void addVariableDefinitions(Map<QName, Object> extraVariables) {
+    public void addVariableDefinitions(VariablesMap extraVariables) {
     	addVariableDefinitions(extraVariables, emptySet());
     }
 
-    public void addVariableDefinitions(Map<QName, Object> extraVariables, @NotNull Collection<QName> exceptFor) {
-        for (Entry<QName, Object> entry : extraVariables.entrySet()) {
-        	if (QNameUtil.matchAny(entry.getKey(), exceptFor)) {
+    public void addVariableDefinitions(VariablesMap extraVariables, @NotNull Collection<String> exceptFor) {
+        for (Entry<String, TypedValue> entry : extraVariables.entrySet()) {
+        	if (exceptFor != null && exceptFor.contains(entry.getKey())) {
         		continue;
 	        }
-        	Object value = entry.getValue();
+        	TypedValue valueDef = entry.getValue();
+        	Object value = valueDef.getValue();
         	if (!areDeltasAllowed() && value instanceof ObjectDeltaObject<?>) {
         		ObjectDeltaObject<?> odo = (ObjectDeltaObject<?>)value;
         		if (odo.getObjectDelta() != null) {
@@ -70,7 +65,7 @@ public void addVariableDefinitions(Map<QName, Object> extraVariables, @NotNull C
         		}
         		value = odo.getOldObject();
         	}
-            variables.put(entry.getKey(), value);
+            put(entry.getKey(), valueDef.createTransformed(value));
         }
     }
 
@@ -82,22 +77,15 @@ private boolean areDeltasAllowed() {
 		return true;
 	}
 
-	public void addVariableDefinitions(ExpressionVariables extraVariables) {
-    	addVariableDefinitions(extraVariables, emptySet());
-    }
-
-	public void addVariableDefinitions(ExpressionVariables extraVariables, @NotNull Collection<QName> exceptFor) {
-    	addVariableDefinitions(extraVariables.getMap(), exceptFor);
-    }
-
     /**
      * Adds map of extra variables to the expression.
      * If there are variables with deltas (ObjectDeltaObject) it takes the "old" version
      * of the object.
      */
-    public void addVariableDefinitionsOld(Map<QName, Object> extraVariables) {
-        for (Entry<QName, Object> entry : extraVariables.entrySet()) {
-        	Object value = entry.getValue();
+    public void addVariableDefinitionsOld(VariablesMap extraVariables) {
+        for (Entry<String, TypedValue> entry : extraVariables.entrySet()) {
+        	TypedValue valueDef = entry.getValue();
+        	Object value = valueDef.getValue();
         	if (value instanceof ObjectDeltaObject<?>) {
         		ObjectDeltaObject<?> odo = (ObjectDeltaObject<?>)value;
         		value = odo.getOldObject();
@@ -105,22 +93,19 @@ public void addVariableDefinitionsOld(Map<QName, Object> extraVariables) {
         		ItemDeltaItem<?,?> idi = (ItemDeltaItem<?,?>)value;
         		value = idi.getItemOld();
         	}
-            variables.put(entry.getKey(), value);
+            put(entry.getKey(), valueDef.createTransformed(value));
         }
     }
 
-    public void addVariableDefinitionsOld(ExpressionVariables extraVariables) {
-    	addVariableDefinitionsOld(extraVariables.getMap());
-    }
-
     /**
      * Adds map of extra variables to the expression.
      * If there are variables with deltas (ObjectDeltaObject) it takes the "new" version
      * of the object.
      */
-    public void addVariableDefinitionsNew(Map<QName, Object> extraVariables) {
-        for (Entry<QName, Object> entry : extraVariables.entrySet()) {
-        	Object value = entry.getValue();
+    public void addVariableDefinitionsNew(VariablesMap extraVariables) {
+        for (Entry<String, TypedValue> entry : extraVariables.entrySet()) {
+        	TypedValue valueDef = entry.getValue();
+        	Object value = valueDef.getValue();
         	if (value instanceof ObjectDeltaObject<?>) {
         		ObjectDeltaObject<?> odo = (ObjectDeltaObject<?>)value;
         		value = odo.getNewObject();
@@ -128,47 +113,39 @@ public void addVariableDefinitionsNew(Map<QName, Object> extraVariables) {
         		ItemDeltaItem<?,?> idi = (ItemDeltaItem<?,?>)value;
         		value = idi.getItemNew();
         	}
-            variables.put(entry.getKey(), value);
+            put(entry.getKey(), valueDef.createTransformed(value));
         }
     }
 
-    public void addVariableDefinitionsNew(ExpressionVariables extraVariables) {
-    	addVariableDefinitionsNew(extraVariables.getMap());
-    }
-
-    public void setRootNode(ObjectReferenceType objectRef) {
-        addVariableDefinition(null, objectRef);
+    public void setRootNode(ObjectReferenceType objectRef, PrismReferenceDefinition def) {
+        put(null, objectRef, def);
     }
 
-    public void addVariableDefinition(QName name, Object value) {
-        if (variables.containsKey(name)) {
+    // TODO: maybe replace by put?
+    public <D extends ItemDefinition> void addVariableDefinition(String name, Object value, D definition) {
+        if (containsKey(name)) {
             LOGGER.warn("Duplicate definition of variable {}", name);
             return;
         }
-        replaceVariableDefinition(name, value);
+        replaceVariableDefinition(name, value, definition);
     }
     
-    public void replaceVariableDefinition(QName name, Object value) {
-        variables.put(name, value);
-    }
-
-    public boolean hasVariableDefinition(QName name) {
-    	return variables.containsKey(name);
+    // TODO: maybe replace by put?
+    public <D extends ItemDefinition> void replaceVariableDefinition(String name, Object value, D definition) {
+        put(name, value, definition);
     }
 
-    public Object get(QName name) {
-    	if (name != null && StringUtils.isBlank(name.getNamespaceURI())){
-    		QName fullQName = QNameUtil.resolveNs(name, variables.keySet());
-    		if (fullQName != null){
-    			return variables.get(fullQName);
-    		}
+    public Object getValue(String name) {
+    	TypedValue typedValue = get(name);
+    	if (typedValue == null) {
+    		return null;
     	}
-    	return variables.get(name);
+    	return typedValue.getValue();
     }
 
     @SuppressWarnings("unchecked")
-	public <T> T get(QName name, Class<T> type) throws SchemaException {
-    	Object object = get(name);
+	public <T> T getValue(String name, Class<T> type) throws SchemaException {
+    	Object object = getValue(name);
     	if (object == null) {
     		return null;
     	}
@@ -178,8 +155,9 @@ public <T> T get(QName name, Class<T> type) throws SchemaException {
     	throw new SchemaException("Expected type "+type.getSimpleName()+" in variable "+name+", but found type "+object.getClass());
     }
 
-    public <O extends ObjectType> PrismObject<O> getObjectNew(QName name) throws SchemaException {
-    	Object object = get(name);
+    // TODO: do we need this?
+    public <O extends ObjectType> PrismObject<O> getValueNew(String name) throws SchemaException {
+    	Object object = getValue(name);
     	if (object == null) {
     		return null;
     	}
@@ -193,119 +171,24 @@ public <O extends ObjectType> PrismObject<O> getObjectNew(QName name) throws Sch
     	throw new SchemaException("Expected object in variable "+name+", but found type "+object.getClass());
     }
 
-    public Set<Entry<QName,Object>> entrySet() {
-    	return variables.entrySet();
-    }
-
-    public int size() {
-		return variables.size();
-	}
-
-	public boolean isEmpty() {
-		return variables.isEmpty();
-	}
-
-	public boolean containsKey(Object key) {
-		if (key instanceof QName){
-			if (StringUtils.isBlank(((QName) key).getNamespaceURI())){
-				return QNameUtil.matchAny((QName) key, variables.keySet());
-			}
-		}
-		return variables.containsKey(key);
-	}
-
-	public boolean containsValue(Object value) {
-		return variables.containsValue(value);
-	}
-
-	public Set<QName> keySet() {
-		return variables.keySet();
-	}
-
-	public String formatVariables() {
-        StringBuilder sb = new StringBuilder();
-        Iterator<Entry<QName, Object>> i = variables.entrySet().iterator();
-        while (i.hasNext()) {
-            Entry<QName, Object> entry = i.next();
-            SchemaDebugUtil.indentDebugDump(sb, 1);
-            sb.append(SchemaDebugUtil.prettyPrint(entry.getKey())).append(": ");
-            Object value = entry.getValue();
-            if (value instanceof DebugDumpable) {
-            	sb.append("\n");
-            	sb.append(((DebugDumpable)value).debugDump(2));
-            } else if (value instanceof Element) {
-            	sb.append("\n");
-            	sb.append(DOMUtil.serializeDOMToString(((Element)value)));
-            } else {
-            	sb.append(SchemaDebugUtil.prettyPrint(value));
-            }
-            if (i.hasNext()) {
-                sb.append("\n");
-            }
-        }
-        return sb.toString();
-    }
-
     /**
-     * Expects QName-value pairs.
+     * Expects name-value-definition triples.
+     * Definition can be just a type QName.
      *
      * E.g.
-     * create(var1qname, var1value, var2qname, var2value, ...)
+     * create(var1name, var1value, var1type, var2name, var2value, var2type, ...)
      *
      * Mostly for testing. Use at your own risk.
      */
-    public static ExpressionVariables create(Object... parameters) {
+    public static ExpressionVariables create(PrismContext prismContext, Object... parameters) {
     	ExpressionVariables vars = new ExpressionVariables();
-    	for (int i = 0; i < parameters.length; i += 2) {
-    		vars.addVariableDefinition((QName)parameters[i], parameters[i+1]);
-    	}
+    	vars.fillIn(prismContext, parameters);
     	return vars;
     }
-
-    public Map<QName, Object> getMap() {
-    	return variables;
-    }
-
-	@Override
-	public int hashCode() {
-		final int prime = 31;
-		int result = 1;
-		result = prime * result + ((variables == null) ? 0 : variables.hashCode());
-		return result;
-	}
-
-	@Override
-	public boolean equals(Object obj) {
-		if (this == obj)
-			return true;
-		if (obj == null)
-			return false;
-		if (getClass() != obj.getClass())
-			return false;
-		ExpressionVariables other = (ExpressionVariables) obj;
-		if (variables == null) {
-			if (other.variables != null)
-				return false;
-		} else if (!variables.equals(other.variables))
-			return false;
-		return true;
-	}
-
+    
 	@Override
 	public String toString() {
-		return "variables(" + variables + ")";
-	}
-
-	@Override
-	public String debugDump() {
-		return debugDump(0);
-	}
-
-	@Override
-	public String debugDump(int indent) {
-		StringBuilder sb = new StringBuilder();
-		DebugUtil.debugDumpMapMultiLine(sb, variables, 1);
-		return sb.toString();
+		return "variables(" + super.toString() + ")";
 	}
 
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Source.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Source.java
index 67d0198c18b..67ff2cd3601 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Source.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/Source.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,8 +36,8 @@ public class Source<V extends PrismValue,D extends ItemDefinition> extends ItemD
 
 	private QName name;
 
-	public Source(Item<V,D> itemOld, ItemDelta<V,D> delta, Item<V,D> itemNew, QName name) {
-		super(itemOld, delta, itemNew);
+	public Source(Item<V,D> itemOld, ItemDelta<V,D> delta, Item<V,D> itemNew, QName name, D definition) {
+		super(itemOld, delta, itemNew, definition);
 		this.name = name;
 	}
 
@@ -53,7 +53,7 @@ public QName getName() {
 	public void setName(QName name) {
 		this.name = name;
 	}
-
+	
 	public Item<V,D> getEmptyItem() throws SchemaException {
 		ItemDefinition definition = getDefinition();
 		if (definition == null) {
@@ -85,11 +85,9 @@ public String debugDump(int indent) {
 		DebugUtil.indentDebugDump(sb, indent);
 		sb.append("Source ").append(PrettyPrinter.prettyPrint(name));
 		sb.append("\n");
-		DebugUtil.debugDumpWithLabel(sb, "old", getItemOld(), indent +1);
-		sb.append("\n");
-		DebugUtil.debugDumpWithLabel(sb, "delta", getDelta(), indent +1);
-		sb.append("\n");
-		DebugUtil.debugDumpWithLabel(sb, "new", getItemNew(), indent +1);
+		DebugUtil.debugDumpWithLabelLn(sb, "old", getItemOld(), indent +1);
+		DebugUtil.debugDumpWithLabelLn(sb, "delta", getDelta(), indent +1);
+		DebugUtil.debugDumpWithLabelLn(sb, "new", getItemNew(), indent +1);
 		return sb.toString();
 	}
 
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/SourceTriple.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/SourceTriple.java
index ef30240a2ee..82c332bf8f6 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/SourceTriple.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/SourceTriple.java
@@ -60,5 +60,18 @@ public QName getName() {
 	public ItemPath getResidualPath() {
 		return source.getResidualPath();
 	}
+	
+	@Override
+	public void shortDump(StringBuilder sb) {
+		super.shortDump(sb);
+		sb.append(", source=").append(source);
+	}
 
+	@Override
+	public String toString() {
+		StringBuilder sb = new StringBuilder("SourceTriple(");
+		shortDump(sb);
+		sb.append(")");
+		return sb.toString();
+	}
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ValueSetDefinition.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ValueSetDefinition.java
index 796c8725f3c..630aeebd661 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ValueSetDefinition.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ValueSetDefinition.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2017 Evolveum
+ * Copyright (c) 2017-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,13 +15,13 @@
  */
 package com.evolveum.midpoint.repo.common.expression;
 
-import javax.xml.namespace.QName;
-
+import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -40,26 +40,28 @@
  */
 public class ValueSetDefinition {
 
-	private ValueSetDefinitionType setDefinitionType;
-	private String shortDesc;
-	private Task task;
-	private OperationResult result;
-	private QName additionalVariableName;
+	private final ValueSetDefinitionType setDefinitionType;
+	private final ExpressionProfile expressionProfile;
+	private final String shortDesc;
+	private final Task task;
+	private final OperationResult result;
+	private final String additionalVariableName;
 	private ExpressionVariables additionalVariables;
 	private Expression<PrismPropertyValue<Boolean>,PrismPropertyDefinition<Boolean>> condition;
 
-	public ValueSetDefinition(ValueSetDefinitionType setDefinitionType, QName additionalVariableName, String shortDesc, Task task, OperationResult result) {
+	public ValueSetDefinition(ValueSetDefinitionType setDefinitionType, ExpressionProfile expressionProfile, String additionalVariableName, String shortDesc, Task task, OperationResult result) {
 		super();
 		this.setDefinitionType = setDefinitionType;
+		this.expressionProfile = expressionProfile;
 		this.additionalVariableName = additionalVariableName;
 		this.shortDesc = shortDesc;
 		this.task = task;
 		this.result = result;
 	}
 
-	public void init(ExpressionFactory expressionFactory) throws SchemaException, ObjectNotFoundException {
+	public void init(ExpressionFactory expressionFactory) throws SchemaException, ObjectNotFoundException, SecurityViolationException {
 		ExpressionType conditionType = setDefinitionType.getCondition();
-		condition = ExpressionUtil.createCondition(conditionType, expressionFactory, shortDesc, task, result);
+		condition = ExpressionUtil.createCondition(conditionType, expressionProfile, expressionFactory, shortDesc, task, result);
 	}
 
 	public void setAdditionalVariables(ExpressionVariables additionalVariables) {
@@ -67,7 +69,7 @@ public void setAdditionalVariables(ExpressionVariables additionalVariables) {
 	}
 
 	public <IV extends PrismValue> boolean contains(IV pval) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
-		return evalCondition(pval.getRealValue());
+		return evalCondition(pval);
 	}
 
 	/**
@@ -81,11 +83,13 @@ public <IV extends PrismValue> boolean containsTunnel(IV pval) {
 		}
 	}
 
-	private boolean evalCondition(Object value) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+	private <IV extends PrismValue> boolean evalCondition(IV pval) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, value);
+		Object value = pval.getRealValue();
+		ItemDefinition definition = pval.getParent().getDefinition();
+		variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, value, definition);
 		if (additionalVariableName != null) {
-			variables.addVariableDefinition(additionalVariableName, value);
+			variables.addVariableDefinition(additionalVariableName, value, definition);
 		}
 		if (additionalVariables != null) {
 			variables.addVariableDefinitions(additionalVariables, variables.keySet());
@@ -98,6 +102,4 @@ private boolean evalCondition(Object value) throws SchemaException, ExpressionEv
 		return ExpressionUtil.computeConditionResult(outputTriple.getNonNegativeValues());
 	}
 
-
-
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AbstractExpressionEvaluator.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AbstractExpressionEvaluator.java
new file mode 100644
index 00000000000..254a4c38f01
--- /dev/null
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AbstractExpressionEvaluator.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.repo.common.expression.evaluator;
+
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
+import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
+import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+
+/**
+ * @param <E> evaluator prism type
+ * @author Radovan Semancik
+ */
+public abstract class AbstractExpressionEvaluator<V extends PrismValue, D extends ItemDefinition, E> implements ExpressionEvaluator<V,D> {
+
+	private final QName elementName;
+	private final E expressionEvaluatorType;
+	protected final PrismContext prismContext;
+	protected final D outputDefinition;
+	protected final Protector protector;
+
+	public AbstractExpressionEvaluator(QName elementName, E expressionEvaluatorType, D outputDefinition, Protector protector, PrismContext prismContext) {
+		this.elementName = elementName;
+		this.expressionEvaluatorType = expressionEvaluatorType;
+		this.outputDefinition = outputDefinition;
+		this.prismContext = prismContext;
+		this.protector = protector;
+	}
+
+	@Override
+	public QName getElementName() {
+		return elementName;
+	}
+
+	protected E getExpressionEvaluatorType() {
+		return expressionEvaluatorType;
+	}
+	
+	protected PrismContext getPrismContext() {
+		return prismContext;
+	}
+
+	protected D getOutputDefinition() {
+		return outputDefinition;
+	}
+
+	protected Protector getProtector() {
+		return protector;
+	}
+
+	/**
+	 * Check expression profile. Throws security exception if the execution is not allowed by the profile.
+	 * 
+	 * This implementation works only for simple evaluators that do not have any profile settings.
+	 * Complex evaluators should override this method.
+	 * 
+	 * @throws SecurityViolationException expression execution is not allowed by the profile. 
+	 */
+	protected void checkEvaluatorProfile(ExpressionEvaluationContext context) throws SecurityViolationException {
+		ExpressionUtil.checkEvaluatorProfileSimple(this, context);
+	}
+
+}
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluator.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluator.java
index a4721ec8ec3..702c599b0fe 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluator.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,8 @@
  */
 package com.evolveum.midpoint.repo.common.expression.evaluator;
 
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismValue;
@@ -28,29 +30,23 @@
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AsIsExpressionEvaluatorType;
 
 /**
  * @author Radovan Semancik
  */
-public class AsIsExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> implements ExpressionEvaluator<V,D> {
-
-	private PrismContext prismContext;
-	D outputDefinition;
-	private AsIsExpressionEvaluatorType asIsExpressionEvaluatorType;
-	private Protector protector;
+public class AsIsExpressionEvaluator<V extends PrismValue, D extends ItemDefinition> extends AbstractExpressionEvaluator<V,D,AsIsExpressionEvaluatorType> {
 
-	public AsIsExpressionEvaluator(AsIsExpressionEvaluatorType asIsExpressionEvaluatorType,
-			D outputDefinition, Protector protector, PrismContext prismContext) {
-		this.asIsExpressionEvaluatorType = asIsExpressionEvaluatorType;
-		this.outputDefinition = outputDefinition;
-		this.prismContext = prismContext;
-		this.protector = protector;
+	public AsIsExpressionEvaluator(QName elementName, AsIsExpressionEvaluatorType asIsExpressionEvaluatorType, D outputDefinition, Protector protector, PrismContext prismContext) {
+		super(elementName, asIsExpressionEvaluatorType, outputDefinition, protector, prismContext);
 	}
 
 	@Override
-	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) throws SchemaException,
-			ExpressionEvaluationException, ObjectNotFoundException {
+	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, SecurityViolationException {
+		
+		checkEvaluatorProfile(context);
 
 		Source<V,D> source;
     	if (context.getSources().isEmpty()) {
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluatorFactory.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluatorFactory.java
index 6b1fd4df537..2b1ae76400a 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluatorFactory.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/AsIsExpressionEvaluatorFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.repo.common.expression.AbstractAutowiredExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.SchemaException;
@@ -42,6 +43,8 @@
 @Component
 public class AsIsExpressionEvaluatorFactory extends AbstractAutowiredExpressionEvaluatorFactory {
 
+	private static final QName ELEMENT_NAME = new ObjectFactory().createAsIs(new AsIsExpressionEvaluatorType()).getName(); 
+	
 	@Autowired private PrismContext prismContext;
 	@Autowired private Protector protector;
 
@@ -62,16 +65,19 @@ public AsIsExpressionEvaluatorFactory(PrismContext prismContext, Protector prote
 	 */
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createAsIs(new AsIsExpressionEvaluatorType()).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> AsIsExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements,
-																										D outputDefinition, ExpressionFactory factory, 
-																										String contextDescription, Task task, OperationResult result) throws SchemaException {
+	public <V extends PrismValue,D extends ItemDefinition> AsIsExpressionEvaluator<V,D> createEvaluator(
+			Collection<JAXBElement<?>> evaluatorElements,
+			D outputDefinition,
+			ExpressionProfile expressionProfile,
+			ExpressionFactory factory, 
+			String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for asIs expression evaluator");
 
@@ -90,8 +96,7 @@ public <V extends PrismValue,D extends ItemDefinition> AsIsExpressionEvaluator<V
         if (evaluatorTypeObject != null && !(evaluatorTypeObject instanceof AsIsExpressionEvaluatorType)) {
             throw new SchemaException("AsIs value constructor cannot handle elements of type " + evaluatorTypeObject.getClass().getName()+" in "+contextDescription);
         }
-        return new AsIsExpressionEvaluator<>((AsIsExpressionEvaluatorType) evaluatorTypeObject,
-            outputDefinition, protector, prismContext);
+        return new AsIsExpressionEvaluator<>(ELEMENT_NAME, (AsIsExpressionEvaluatorType) evaluatorTypeObject, outputDefinition, protector, prismContext);
 	}
 
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluator.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluator.java
index 84f316f11a1..17d233beb1e 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluator.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,14 +15,18 @@
  */
 package com.evolveum.midpoint.repo.common.expression.evaluator;
 
+import javax.xml.namespace.QName;
+
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
+import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 
 /**
  * @author Radovan Semancik
@@ -30,12 +34,14 @@
  */
 public class LiteralExpressionEvaluator<V extends PrismValue,D extends ItemDefinition> implements ExpressionEvaluator<V,D> {
 
-	PrismValueDeltaSetTriple<V> outputTriple;
+	private final QName elementName;
+	private final PrismValueDeltaSetTriple<V> outputTriple;
 
 	/**
 	 * @param deltaSetTriple
 	 */
-	public LiteralExpressionEvaluator(PrismValueDeltaSetTriple<V> outputTriple) {
+	public LiteralExpressionEvaluator(QName elementName, PrismValueDeltaSetTriple<V> outputTriple) {
+		this.elementName = elementName;
 		this.outputTriple = outputTriple;
 	}
 
@@ -43,14 +49,21 @@ public LiteralExpressionEvaluator(PrismValueDeltaSetTriple<V> outputTriple) {
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#evaluate(java.util.Collection, java.util.Map, boolean, java.lang.String, com.evolveum.midpoint.schema.result.OperationResult)
 	 */
 	@Override
-	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) throws SchemaException,
-			ExpressionEvaluationException, ObjectNotFoundException {
+	public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext context) 
+			throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, SecurityViolationException {
+		ExpressionUtil.checkEvaluatorProfileSimple(this, context);
+		
 		if (outputTriple == null) {
 			return null;
 		}
 		return outputTriple.clone();
 	}
 
+	@Override
+	public QName getElementName() {
+		return elementName;
+	}
+	
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluator#shortDebugDump()
 	 */
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluatorFactory.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluatorFactory.java
index 7a763929e81..9c85a461f6f 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluatorFactory.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/evaluator/LiteralExpressionEvaluatorFactory.java
@@ -35,6 +35,7 @@
 import com.evolveum.midpoint.repo.common.expression.AbstractAutowiredExpressionEvaluatorFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluator;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectFactory;
@@ -45,6 +46,8 @@
  */
 @Component
 public class LiteralExpressionEvaluatorFactory extends AbstractAutowiredExpressionEvaluatorFactory {
+	
+	private static final QName ELEMENT_NAME = new ObjectFactory().createValue(null).getName();
 
 	@Autowired private PrismContext prismContext;
 
@@ -61,14 +64,14 @@ public LiteralExpressionEvaluatorFactory(PrismContext prismContext) {
 
 	@Override
 	public QName getElementName() {
-		return new ObjectFactory().createValue(null).getName();
+		return ELEMENT_NAME;
 	}
 
 	/* (non-Javadoc)
 	 * @see com.evolveum.midpoint.common.expression.ExpressionEvaluatorFactory#createEvaluator(javax.xml.bind.JAXBElement, com.evolveum.midpoint.prism.PrismContext)
 	 */
 	@Override
-	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements, D outputDefinition,
+	public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D> createEvaluator(Collection<JAXBElement<?>> evaluatorElements, D outputDefinition, ExpressionProfile expressionProfile,
 																									ExpressionFactory factory, String contextDescription, Task task, OperationResult result) throws SchemaException {
 
         Validate.notNull(outputDefinition, "output definition must be specified for literal expression evaluator");
@@ -77,7 +80,7 @@ public <V extends PrismValue,D extends ItemDefinition> ExpressionEvaluator<V,D>
 
 		PrismValueDeltaSetTriple<V> deltaSetTriple = ItemDeltaUtil.toDeltaSetTriple(output, null, prismContext);
 
-		return new LiteralExpressionEvaluator<>(deltaSetTriple);
+		return new LiteralExpressionEvaluator<>(ELEMENT_NAME, deltaSetTriple);
 	}
 
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeResultHandler.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeResultHandler.java
index 3d307c8b38b..fecbdbbb293 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeResultHandler.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeResultHandler.java
@@ -21,20 +21,18 @@
 import com.evolveum.midpoint.repo.cache.RepositoryCache;
 import com.evolveum.midpoint.repo.common.util.RepoCommonUtils;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.schema.statistics.StatisticsUtil;
 import com.evolveum.midpoint.schema.util.ExceptionUtil;
-import com.evolveum.midpoint.task.api.LightweightTaskHandler;
-import com.evolveum.midpoint.task.api.RunningTask;
-import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
+import com.evolveum.midpoint.task.api.*;
 import com.evolveum.midpoint.util.exception.SystemException;
 import org.apache.commons.lang.StringUtils;
 
-import com.evolveum.midpoint.common.refinery.RefinedConnectorSchemaImpl;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommonException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
@@ -527,6 +525,9 @@ public void createWorkerThreads(RunningTask coordinatorTask, OperationResult opR
 			return;             // nothing to do
 		}
 
+		// remove subtasks that could have been created during processing of previous buckets
+		coordinatorTask.deleteLightweightAsynchronousSubtasks();
+
 		int queueSize = threadsCount*2;				// actually, size of threadsCount should be sufficient but it doesn't hurt if queue is larger
 		requestQueue = new ArrayBlockingQueue<>(queueSize);
 
@@ -566,5 +567,4 @@ protected Integer getWorkerThreadsCount(Task task) {
 		}
 	}
 
-
 }
diff --git a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeTaskHandler.java b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeTaskHandler.java
index 1c89db2a870..ce63a0a1132 100644
--- a/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeTaskHandler.java
+++ b/repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/task/AbstractSearchIterativeTaskHandler.java
@@ -43,6 +43,7 @@
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
@@ -651,4 +652,9 @@ public static void logPreviousResultIfNeeded(Task task, TaskWorkBucketProcessing
 			}
 		}
 	}
+	
+	protected ExpressionProfile getExpressionProfile() {
+		// TODO Determine from task object archetype
+		return MiscSchemaUtil.getExpressionProfile();
+	}
 }
diff --git a/repo/repo-common/src/test/java/com/evolveum/midpoint/repo/common/commandline/TestCommandLine.java b/repo/repo-common/src/test/java/com/evolveum/midpoint/repo/common/commandline/TestCommandLine.java
index 6e0d1b22ff0..fd5767336b3 100644
--- a/repo/repo-common/src/test/java/com/evolveum/midpoint/repo/common/commandline/TestCommandLine.java
+++ b/repo/repo-common/src/test/java/com/evolveum/midpoint/repo/common/commandline/TestCommandLine.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2017 Evolveum
+ * Copyright (c) 2017-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 import org.testng.annotations.Listeners;
 import org.testng.annotations.Test;
 
+import com.evolveum.midpoint.prism.PrimitiveType;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
@@ -102,8 +103,8 @@ public void test110RedirExecuteEcho() throws Exception {
 		
         CommandLineScriptType scriptType = getScript(REPORT_REDIR_ECHO_FILE);
         
-        ExpressionVariables variables = new ExpressionVariables();
-        variables.addVariableDefinition(VAR_HELLOTEXT, "Hello World");
+        ExpressionVariables variables = ExpressionVariables.create(prismContext,
+        	VAR_HELLOTEXT, "Hello World", PrimitiveType.STRING);
         
 		// WHEN
 		displayWhen(TEST_NAME);
diff --git a/repo/repo-common/src/test/resources/logback-test.xml b/repo/repo-common/src/test/resources/logback-test.xml
index b590d84878d..c7309b82349 100644
--- a/repo/repo-common/src/test/resources/logback-test.xml
+++ b/repo/repo-common/src/test/resources/logback-test.xml
@@ -26,6 +26,7 @@
 	<logger name="com.evolveum.midpoint" level="TRACE" />
 	<logger name="com.evolveum.midpoint.security" level="ALL" />
 	<logger name="com.evolveum.midpoint.repo" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.repo.common" level="TRACE" />
     <logger name="com.evolveum.midpoint.util.ClassPathUtil" level="INFO"/>
     
 	<logger name="PROFILING" level="TRACE" />
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
index dca9f1bbeeb..918cf01df82 100644
--- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
@@ -1814,6 +1814,10 @@ protected void assertSuccess(String message, OperationResult result) {
 		TestUtil.assertSuccess(message, result);
 	}
 	
+	protected void assertSuccess(String message, OperationResultType resultType) {
+		TestUtil.assertSuccess(message, resultType);
+	}
+	
 	protected void assertResultStatus(OperationResult result, OperationResultStatus expectedStatus) {
 		if (result.isUnknown()) {
 			result.computeStatus();
@@ -1839,6 +1843,10 @@ protected void assertFailure(OperationResult result) {
 		}
 		TestUtil.assertFailure(result);
 	}
+	
+	protected void assertFailure(String message, OperationResultType result) {
+		TestUtil.assertFailure(message, result);
+	}
 
 	protected void assertPartialError(OperationResult result) {
 		if (result.isUnknown()) {
@@ -2539,4 +2547,5 @@ protected ItemPath path(Object... components) {
 	protected ItemFactory itemFactory() {
 		return prismContext.itemFactory();
 	}
+	
 }
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/DeltaSetTripleAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/DeltaSetTripleAsserter.java
new file mode 100644
index 00000000000..928b3ece7a4
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/DeltaSetTripleAsserter.java
@@ -0,0 +1,141 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertFalse;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.util.Collection;
+
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.prism.delta.ContainerDelta;
+import com.evolveum.midpoint.prism.delta.DeltaSetTriple;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.test.IntegrationTestTools;
+import com.evolveum.midpoint.test.asserter.AbstractAsserter;
+import com.evolveum.midpoint.test.asserter.ContainerDeltaAsserter;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+
+/**
+ * @author semancik
+ *
+ */
+public class DeltaSetTripleAsserter<T,D extends DeltaSetTriple<T>,RA> extends AbstractAsserter<RA> {
+	
+	private D triple;
+
+	public DeltaSetTripleAsserter(D triple) {
+		super();
+		this.triple = triple;
+	}
+	
+	public DeltaSetTripleAsserter(D triple, String detail) {
+		super(detail);
+		this.triple = triple;
+	}
+	
+	public DeltaSetTripleAsserter(D triple, RA returnAsserter, String detail) {
+		super(returnAsserter, detail);
+		this.triple = triple;
+	}
+	
+	public static <T> DeltaSetTripleAsserter<T,DeltaSetTriple<T>,Void> forDeltaSetTriple(DeltaSetTriple<T> triple) {
+		return new DeltaSetTripleAsserter<>(triple);
+	}
+	
+	public D getTriple() {
+		return triple;
+	}
+	
+	public DeltaSetTripleSetAsserter<T,? extends DeltaSetTripleAsserter<T,D,RA>> zeroSet() {
+		return createSetAsserter(triple.getZeroSet(), "zero");
+	}
+	
+	public DeltaSetTripleSetAsserter<T,? extends DeltaSetTripleAsserter<T,D,RA>> plusSet() {
+		return createSetAsserter(triple.getPlusSet(), "plus");
+	}
+	
+	public DeltaSetTripleSetAsserter<T,? extends DeltaSetTripleAsserter<T,D,RA>> minusSet() {
+		return createSetAsserter(triple.getMinusSet(), "minus");
+	}
+	
+	private DeltaSetTripleSetAsserter<T,DeltaSetTripleAsserter<T,D,RA>> createSetAsserter(Collection<T> set, String name) {
+		DeltaSetTripleSetAsserter<T,DeltaSetTripleAsserter<T,D,RA>> setAsserter = new DeltaSetTripleSetAsserter<>(set, this, name+" set of "+desc());
+		copySetupTo(setAsserter);
+		return setAsserter;
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> assertNullZero() {
+		assertNullSet(triple.getZeroSet(), "zero");
+		return this;
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> assertNullPlus() {
+		assertNullSet(triple.getPlusSet(), "plus");
+		return this;
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> assertNullMinus() {
+		assertNullSet(triple.getMinusSet(), "minus");
+		return this;
+	}
+	
+	private void assertNullSet(Collection<T> set, String name) {
+		assertNull("Non-null "+name+" set in "+desc(), set);
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> assertEmptyZero() {
+		assertEmptySet(triple.getZeroSet(), "zero");
+		return this;
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> assertEmptyPlus() {
+		assertEmptySet(triple.getPlusSet(), "plus");
+		return this;
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> assertEmptyMinus() {
+		assertEmptySet(triple.getMinusSet(), "minus");
+		return this;
+	}
+	
+	private void assertEmptySet(Collection<T> set, String name) {
+		assertTrue("Non-empty "+name+" set in "+desc(), set.isEmpty());
+	}
+	
+	protected String desc() {
+		return descWithDetails(triple);
+	}
+
+	public DeltaSetTripleAsserter<T,D,RA> display() {
+		display(desc());
+		return this;
+	}
+	
+	public DeltaSetTripleAsserter<T,D,RA> display(String message) {
+		IntegrationTestTools.display(message, triple);
+		return this;
+	}
+}
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/DeltaSetTripleSetAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/DeltaSetTripleSetAsserter.java
new file mode 100644
index 00000000000..09219fc4be4
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/DeltaSetTripleSetAsserter.java
@@ -0,0 +1,88 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+
+import java.util.Collection;
+
+import org.testng.AssertJUnit;
+
+import com.evolveum.midpoint.test.IntegrationTestTools;
+import com.evolveum.midpoint.test.asserter.AbstractAsserter;
+
+/**
+ * @author semancik
+ *
+ */
+public class DeltaSetTripleSetAsserter<T,RA> extends AbstractAsserter<RA> {
+	
+	private Collection<T> set;
+
+	public DeltaSetTripleSetAsserter(Collection<T> set) {
+		super();
+		this.set = set;
+	}
+	
+	public DeltaSetTripleSetAsserter(Collection<T> set, String detail) {
+		super(detail);
+		this.set = set;
+	}
+	
+	public DeltaSetTripleSetAsserter(Collection<T> set, RA returnAsserter, String detail) {
+		super(returnAsserter, detail);
+		this.set = set;
+	}
+	
+	public static <T> DeltaSetTripleSetAsserter<T,Void> forSet(Collection<T> set) {
+		return new DeltaSetTripleSetAsserter<>(set);
+	}
+	
+	public Collection<T> getSet() {
+		return set;
+	}
+	
+	public DeltaSetTripleSetAsserter<T,RA> assertSize(int expected) {
+		assertEquals("Wrong number of values in " + desc(), expected, set.size());
+		return this;
+	}
+	
+	public DeltaSetTripleSetAsserter<T,RA> assertNone() {
+		assertSize(0);
+		return this;
+	}
+	
+	public DeltaSetTripleSetAsserter<T,RA> assertNull() {
+		AssertJUnit.assertNull("Expected null, but found non-null set in " + desc(), set);
+		return this;
+	}
+	
+	// TODO
+	
+	protected String desc() {
+		return descWithDetails(set);
+	}
+
+	public DeltaSetTripleSetAsserter<T,RA> display() {
+		display(desc());
+		return this;
+	}
+	
+	public DeltaSetTripleSetAsserter<T,RA> display(String message) {
+		IntegrationTestTools.display(message, set);
+		return this;
+	}
+}
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerAsserter.java
new file mode 100644
index 00000000000..034678ba2a7
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerAsserter.java
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertFalse;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.util.Iterator;
+import java.util.List;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrismContainer;
+import com.evolveum.midpoint.prism.PrismContainerValue;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismReference;
+import com.evolveum.midpoint.prism.PrismReferenceValue;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.util.PrismAsserts;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.PrettyPrinter;
+import com.evolveum.midpoint.util.QNameUtil;
+import com.evolveum.prism.xml.ns._public.types_3.RawType;
+
+/**
+ * @author semancik
+ *
+ */
+public class PrismContainerAsserter<C extends Containerable, RA> extends PrismItemAsserter<PrismContainer<C>, RA> {
+	
+	public PrismContainerAsserter(PrismContainer<C> container) {
+		super(container);
+	}
+	
+	public PrismContainerAsserter(PrismContainer<C> container, String detail) {
+		super(container, detail);
+	}
+	
+	public PrismContainerAsserter(PrismContainer<C> container, RA returnAsserter, String detail) {
+		super(container, returnAsserter, detail);
+	}
+	
+	@Override
+	public PrismContainerAsserter<C,RA> assertSize(int expected) {
+		super.assertSize(expected);
+		return this;
+	}
+	
+	// TODO
+
+	protected String desc() {
+		return getDetails();
+	}
+
+}
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerValueAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerValueAsserter.java
index de6a4b2724d..83fbfc02c4a 100644
--- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerValueAsserter.java
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismContainerValueAsserter.java
@@ -190,6 +190,14 @@ public <CC extends Containerable> PrismContainerValueAsserter<CC,? extends Prism
 		return asserter;
 	}
 	
+	public <CC extends Containerable> PrismContainerAsserter<CC,? extends PrismContainerValueAsserter<C,RA>> container(QName subcontainerQName) {
+		PrismContainer<CC> container = findContainer(subcontainerQName);
+		assertNotNull("No container "+subcontainerQName+" in "+desc(), container);
+		PrismContainerAsserter<CC,PrismContainerValueAsserter<C,RA>> asserter = new PrismContainerAsserter<>(container, this, subcontainerQName.getLocalPart() + " in " + desc());
+		copySetupTo(asserter);
+		return asserter;
+	}
+	
 	// TODO
 
 	protected String desc() {
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismItemAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismItemAsserter.java
new file mode 100644
index 00000000000..3acf88c0162
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismItemAsserter.java
@@ -0,0 +1,67 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertFalse;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.test.asserter.AbstractAsserter;
+
+
+/**
+ * @author semancik
+ *
+ */
+public abstract class PrismItemAsserter<I extends Item, RA> extends AbstractAsserter<RA> {
+	
+	private I item;
+
+	public PrismItemAsserter(I item) {
+		super();
+		this.item = item;
+	}
+	
+	public PrismItemAsserter(I item, String detail) {
+		super(detail);
+		this.item = item;
+	}
+	
+	public PrismItemAsserter(I item, RA returnAsserter, String detail) {
+		super(returnAsserter, detail);
+		this.item = item;
+	}
+	
+	public I getItem() {
+		return item;
+	}
+	
+	public PrismItemAsserter<I,RA> assertSize(int expected) {
+		assertEquals("Wrong number of values in "+desc(), expected, item.size());
+		return this;
+	}
+	
+	// TODO
+
+	protected String desc() {
+		return getDetails();
+	}
+
+}
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismPropertyValueAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismPropertyValueAsserter.java
new file mode 100644
index 00000000000..c6e6bcac883
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismPropertyValueAsserter.java
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertFalse;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.util.Iterator;
+import java.util.List;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.Item;
+import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.PrismContainer;
+import com.evolveum.midpoint.prism.PrismContainerValue;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.PrismReference;
+import com.evolveum.midpoint.prism.PrismReferenceValue;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.util.PrismAsserts;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.PrettyPrinter;
+import com.evolveum.midpoint.util.QNameUtil;
+import com.evolveum.prism.xml.ns._public.types_3.RawType;
+
+/**
+ * @author semancik
+ *
+ */
+public class PrismPropertyValueAsserter<T, RA> extends PrismValueAsserter<PrismPropertyValue<T>, RA> {
+	
+	public PrismPropertyValueAsserter(PrismPropertyValue<T> prismValue) {
+		super(prismValue);
+	}
+	
+	public PrismPropertyValueAsserter(PrismPropertyValue<T> prismValue, String detail) {
+		super(prismValue, detail);
+	}
+	
+	public PrismPropertyValueAsserter(PrismPropertyValue<T> prismValue, RA returnAsserter, String detail) {
+		super(prismValue, returnAsserter, detail);
+	}
+	
+	public PrismPropertyValueAsserter<T,RA> assertValue(T expectedValue) {
+		assertEquals("Wrong property value in "+desc(), expectedValue, getPrismValue().getValue());
+		return this;
+	}
+		
+	// TODO
+
+	protected String desc() {
+		return getDetails();
+	}
+
+}
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismValueDeltaSetTripleAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismValueDeltaSetTripleAsserter.java
new file mode 100644
index 00000000000..7adef0ab71c
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismValueDeltaSetTripleAsserter.java
@@ -0,0 +1,133 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertFalse;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.util.Collection;
+
+import javax.xml.namespace.QName;
+
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.prism.delta.ContainerDelta;
+import com.evolveum.midpoint.prism.delta.DeltaSetTriple;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.test.IntegrationTestTools;
+import com.evolveum.midpoint.test.asserter.AbstractAsserter;
+import com.evolveum.midpoint.test.asserter.ContainerDeltaAsserter;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+
+/**
+ * @author semancik
+ *
+ */
+public class PrismValueDeltaSetTripleAsserter<V extends PrismValue,RA> extends DeltaSetTripleAsserter<V,PrismValueDeltaSetTriple<V>,RA> {
+	
+	public PrismValueDeltaSetTripleAsserter(PrismValueDeltaSetTriple<V> triple) {
+		super(triple);
+	}
+	
+	public PrismValueDeltaSetTripleAsserter(PrismValueDeltaSetTriple<V> triple, String detail) {
+		super(triple, detail);
+	}
+	
+	public PrismValueDeltaSetTripleAsserter(PrismValueDeltaSetTriple<V> triple, RA returnAsserter, String detail) {
+		super(triple, returnAsserter, detail);
+	}
+	
+	public static <V extends PrismValue> PrismValueDeltaSetTripleAsserter<V,Void> forPrismValueDeltaSetTriple(PrismValueDeltaSetTriple<V> triple) {
+		return new PrismValueDeltaSetTripleAsserter<>(triple);
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,PrismValueDeltaSetTripleAsserter<V,RA>> zeroSet() {
+		return createSetAsserter(getTriple().getZeroSet(), "zero");
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,PrismValueDeltaSetTripleAsserter<V,RA>> plusSet() {
+		return createSetAsserter(getTriple().getPlusSet(), "plus");
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,PrismValueDeltaSetTripleAsserter<V,RA>> minusSet() {
+		return createSetAsserter(getTriple().getMinusSet(), "minus");
+	}
+	
+	private PrismValueDeltaSetTripleSetAsserter<V,PrismValueDeltaSetTripleAsserter<V,RA>> createSetAsserter(Collection<V> set, String name) {
+		PrismValueDeltaSetTripleSetAsserter<V,PrismValueDeltaSetTripleAsserter<V,RA>> setAsserter = new PrismValueDeltaSetTripleSetAsserter<>(set, this, name+" set of "+desc());
+		copySetupTo(setAsserter);
+		return setAsserter;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> assertNullZero() {
+		super.assertNullZero();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> assertNullPlus() {
+		super.assertNullPlus();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> assertNullMinus() {
+		super.assertNullMinus();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> assertEmptyZero() {
+		super.assertEmptyZero();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> assertEmptyPlus() {
+		super.assertEmptyPlus();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> assertEmptyMinus() {
+		super.assertEmptyMinus();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> display() {
+		super.display();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleAsserter<V,RA> display(String message) {
+		super.display(message);
+		return this;
+	}
+}
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismValueDeltaSetTripleSetAsserter.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismValueDeltaSetTripleSetAsserter.java
new file mode 100644
index 00000000000..d409d32bb7e
--- /dev/null
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/prism/PrismValueDeltaSetTripleSetAsserter.java
@@ -0,0 +1,119 @@
+/**
+ * Copyright (c) 2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.test.asserter.prism;
+
+import static org.testng.AssertJUnit.assertEquals;
+import static org.testng.AssertJUnit.assertFalse;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+
+import java.util.Collection;
+
+import javax.xml.namespace.QName;
+
+import org.testng.AssertJUnit;
+
+import com.evolveum.midpoint.prism.Containerable;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyValue;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.delta.ChangeType;
+import com.evolveum.midpoint.prism.delta.ContainerDelta;
+import com.evolveum.midpoint.prism.delta.DeltaSetTriple;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.test.IntegrationTestTools;
+import com.evolveum.midpoint.test.asserter.AbstractAsserter;
+import com.evolveum.midpoint.test.asserter.ContainerDeltaAsserter;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+
+/**
+ * @author semancik
+ *
+ */
+public class PrismValueDeltaSetTripleSetAsserter<V extends PrismValue,RA> extends DeltaSetTripleSetAsserter<V,RA> {
+	
+	public PrismValueDeltaSetTripleSetAsserter(Collection<V> set) {
+		super(set);
+	}
+	
+	public PrismValueDeltaSetTripleSetAsserter(Collection<V> set, String detail) {
+		super(set,detail);
+	}
+	
+	public PrismValueDeltaSetTripleSetAsserter(Collection<V> set, RA returnAsserter, String detail) {
+		super(set,returnAsserter, detail);
+	}
+	
+	public static <V extends PrismValue> PrismValueDeltaSetTripleSetAsserter<V,Void> forSPrismValueet(Collection<V> set) {
+		return new PrismValueDeltaSetTripleSetAsserter<>(set);
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,RA> assertSize(int expected) {
+		super.assertSize(expected);
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,RA> assertNone() {
+		super.assertNone();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,RA> assertNull() {
+		super.assertNull();
+		return this;
+	}
+	
+	public <T> PrismPropertyValueAsserter<T, PrismValueDeltaSetTripleSetAsserter<V,RA>> singlePropertyValue(Class<T> type) {
+		assertSize(1);
+		V val = getSet().iterator().next();
+		if (!(val instanceof PrismPropertyValue)) {
+			fail("Expected that a single value of set will be a property value, but it was "+val+", in " + desc());
+		}
+		PrismPropertyValueAsserter<T, PrismValueDeltaSetTripleSetAsserter<V,RA>> vAsserter = new PrismPropertyValueAsserter<>((PrismPropertyValue<T>)val, this, "single property value in " + desc());
+		copySetupTo(vAsserter);
+		return vAsserter;
+	}
+	
+	public <T> PrismValueDeltaSetTripleSetAsserter<V,RA> assertSinglePropertyValue(T expectedValue) {
+		assertSize(1);
+		V val = getSet().iterator().next();
+		if (!(val instanceof PrismPropertyValue)) {
+			fail("Expected that a single value of set will be a property value, but it was "+val+", in " + desc());
+		}
+		T value = ((PrismPropertyValue<T>)val).getValue();
+		assertEquals("Wrong property value in "+desc(), expectedValue, value);
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,RA> display() {
+		super.display();
+		return this;
+	}
+	
+	@Override
+	public PrismValueDeltaSetTripleSetAsserter<V,RA> display(String message) {
+		super.display(message);
+		return this;
+	}
+}
diff --git a/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AuthorizationParameters.java b/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AuthorizationParameters.java
index d4926e1d742..5fd3bb90231 100644
--- a/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AuthorizationParameters.java
+++ b/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/AuthorizationParameters.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2017-2018 Evolveum
+ * Copyright (c) 2017-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
  */
 package com.evolveum.midpoint.security.enforcer.api;
 
-import java.util.Iterator;
 import java.util.List;
 
 import javax.xml.namespace.QName;
@@ -209,7 +208,8 @@ public AuthorizationParameters<O,T> build() throws SchemaException {
 				if (oldObject == null && delta == null && newObject == null) {
 					return new AuthorizationParameters<>(null, target, relation, orderConstraints);
 				} else {
-					ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(oldObject, delta, newObject);
+					// Non-null content, definition can be determined in ObjectDeltaObject constructor
+					ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(oldObject, delta, newObject, null);
 					odo.recomputeIfNeeded(false);
 					return new AuthorizationParameters<>(odo, target, relation, orderConstraints);
 				}
@@ -220,29 +220,32 @@ public AuthorizationParameters<O,T> build() throws SchemaException {
 		
 		public static <O extends ObjectType> AuthorizationParameters<O,ObjectType> buildObjectAdd(PrismObject<O> object) {
 			// TODO: Do we need to create delta here?
-			ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(null, null, object);
+			ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(null, null, object, object.getDefinition());
 			return new AuthorizationParameters<>(odo, null, null, null);
 		}
 		
 		public static <O extends ObjectType> AuthorizationParameters<O,ObjectType> buildObjectDelete(PrismObject<O> object) {
 			// TODO: Do we need to create delta here?
-			ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(object, null, null);
+			ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(object, null, null, object.getDefinition());
 			return new AuthorizationParameters<>(odo, null, null, null);
 		}
 		
 		public static <O extends ObjectType> AuthorizationParameters<O,ObjectType> buildObjectDelta(PrismObject<O> object, ObjectDelta<O> delta) throws SchemaException {
 			ObjectDeltaObject<O> odo;
 			if (delta != null && delta.isAdd()) {
-				odo = new ObjectDeltaObject<>(null, delta, object);
+				odo = new ObjectDeltaObject<>(null, delta, object, object.getDefinition());
 			} else {
-				odo = new ObjectDeltaObject<>(object, delta, null);
+				odo = new ObjectDeltaObject<>(object, delta, null, object.getDefinition());
 				odo.recomputeIfNeeded(false);
 			}
 			return new AuthorizationParameters<>(odo, null, null, null);
 		}
 
 		public static <O extends ObjectType> AuthorizationParameters<O,ObjectType> buildObject(PrismObject<O> object) {
-			ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(object, null, object);
+			ObjectDeltaObject<O> odo = null;
+			if (object != null) {
+				odo = new ObjectDeltaObject<>(object, null, object, object.getDefinition());
+			}
 			return new AuthorizationParameters<>(odo, null, null, null);
 		}
 		
diff --git a/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java b/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
index 2613752509a..56ba0400e8d 100644
--- a/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
+++ b/repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
@@ -24,6 +24,7 @@
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.query.ObjectFilter;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.OwnerResolver;
diff --git a/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/ItemDecisionFunction.java b/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/ItemDecisionFunction.java
index 11e70d07263..d760eb3f403 100644
--- a/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/ItemDecisionFunction.java
+++ b/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/ItemDecisionFunction.java
@@ -16,7 +16,7 @@
 package com.evolveum.midpoint.security.enforcer.impl;
 
 import com.evolveum.midpoint.prism.path.ItemPath;
-import com.evolveum.midpoint.security.enforcer.api.AccessDecision;
+import com.evolveum.midpoint.schema.AccessDecision;
 
 /**
  * @author semancik
diff --git a/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java b/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java
index f45d24fc6fd..54c6ef4632e 100644
--- a/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java
+++ b/repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2018 Evolveum
+ * Copyright (c) 2014-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.query.*;
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.RelationRegistry;
 import org.apache.commons.lang.BooleanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -51,6 +52,7 @@
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
 import com.evolveum.midpoint.security.api.Authorization;
@@ -58,7 +60,6 @@
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.OwnerResolver;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
-import com.evolveum.midpoint.security.enforcer.api.AccessDecision;
 import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
 import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
 import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
@@ -797,8 +798,14 @@ private ObjectFilterExpressionEvaluator createFilterEvaluator(MidPointPrincipal
 			if (principal != null) {
 				subject = principal.getUser().asPrismObject();
 			}
-			variables.addVariableDefinition(ExpressionConstants.VAR_SUBJECT, subject);
-			return ExpressionUtil.evaluateFilterExpressions(filter, variables, expressionFactory, prismContext, 
+			PrismObjectDefinition<UserType> def;
+			if (subject == null) {
+				def = subject.getDefinition();
+			} else {
+				def = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(UserType.class);
+			}
+			variables.addVariableDefinition(ExpressionConstants.VAR_SUBJECT, subject, def);
+			return ExpressionUtil.evaluateFilterExpressions(filter, variables, MiscSchemaUtil.getExpressionProfile(), expressionFactory, prismContext, 
 					"expression in " + objectTargetDesc + " in authorization " + autzHumanReadableDesc, task, result);
 		};
 	}
diff --git a/repo/task-api/src/main/java/com/evolveum/midpoint/task/api/RunningTask.java b/repo/task-api/src/main/java/com/evolveum/midpoint/task/api/RunningTask.java
index 9437404a69a..ee05cb94ac9 100644
--- a/repo/task-api/src/main/java/com/evolveum/midpoint/task/api/RunningTask.java
+++ b/repo/task-api/src/main/java/com/evolveum/midpoint/task/api/RunningTask.java
@@ -98,5 +98,5 @@ public interface RunningTask extends Task {
 
 	void incrementProgressAndStoreStatsIfNeeded();
 
-
+	void deleteLightweightAsynchronousSubtasks();
 }
diff --git a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/RunningTaskQuartzImpl.java b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/RunningTaskQuartzImpl.java
index 0d157d29674..309265d5af8 100644
--- a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/RunningTaskQuartzImpl.java
+++ b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/RunningTaskQuartzImpl.java
@@ -51,10 +51,10 @@ public class RunningTaskQuartzImpl extends TaskQuartzImpl implements RunningTask
 	/**
 	 * Lightweight asynchronous subtasks.
 	 * Each task here is a LAT, i.e. transient and with assigned lightweight handler.
-	 * <p>
-	 * This must be concurrent, because interrupt() method uses it.
+	 * Access to this structure should be synchronized because of deleteLightweightAsynchronousSubtasks method.
+	 * (This means we could replace ConcurrentHashMap with plain HashMap but let's keep that just for certainty.)
 	 */
-	private Map<String, RunningTaskQuartzImpl> lightweightAsynchronousSubtasks = new ConcurrentHashMap<>();
+	private final Map<String, RunningTaskQuartzImpl> lightweightAsynchronousSubtasks = new ConcurrentHashMap<>();
 	private RunningTaskQuartzImpl parentForLightweightAsynchronousTask;            // EXPERIMENTAL
 
 	/**
@@ -118,7 +118,9 @@ public RunningTask createSubtask(LightweightTaskHandler handler) {
 		RunningTaskQuartzImpl sub = taskManager.createRunningTask(createSubtask());
 		sub.setLightweightTaskHandler(handler);
 		assert sub.getTaskIdentifier() != null;
-		lightweightAsynchronousSubtasks.put(sub.getTaskIdentifier(), sub);
+		synchronized (lightweightAsynchronousSubtasks) {
+			lightweightAsynchronousSubtasks.put(sub.getTaskIdentifier(), sub);
+		}
 		sub.parentForLightweightAsynchronousTask = this;
 		return sub;
 	}
@@ -147,7 +149,9 @@ public Future getLightweightHandlerFuture() {
 
 	@Override
 	public Collection<? extends RunningTaskQuartzImpl> getLightweightAsynchronousSubtasks() {
-		return Collections.unmodifiableList(new ArrayList<>(lightweightAsynchronousSubtasks.values()));
+		synchronized (lightweightAsynchronousSubtasks) {
+			return Collections.unmodifiableList(new ArrayList<>(lightweightAsynchronousSubtasks.values()));
+		}
 	}
 
 	@Override
@@ -162,6 +166,20 @@ public Collection<? extends RunningTaskQuartzImpl> getRunningLightweightAsynchro
 		return Collections.unmodifiableList(retval);
 	}
 
+	@Override
+	public void deleteLightweightAsynchronousSubtasks() {
+		synchronized (lightweightAsynchronousSubtasks) {
+			List<? extends RunningTask> livingSubtasks = lightweightAsynchronousSubtasks.values().stream()
+					.filter(t -> t.getExecutionStatus() == TaskExecutionStatus.RUNNABLE || t.getExecutionStatus() == TaskExecutionStatus.WAITING)
+					.collect(Collectors.toList());
+			if (!livingSubtasks.isEmpty()) {
+				LOGGER.error("Task {} has {} runnable or waiting lightweight subtasks: {}", this, livingSubtasks.size(), livingSubtasks);
+				throw new IllegalStateException("There are runnable or waiting subtasks in the parent task");
+			}
+			lightweightAsynchronousSubtasks.clear();
+		}
+	}
+
 	@Override
 	public boolean lightweightHandlerStartRequested() {
 		return lightweightHandlerFuture != null;
diff --git a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java
index f5786467073..2041d03dad2 100644
--- a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java
+++ b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java
@@ -42,6 +42,7 @@
 import javax.xml.datatype.Duration;
 import javax.xml.datatype.XMLGregorianCalendar;
 
+import com.evolveum.midpoint.prism.util.CloneUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
@@ -1234,8 +1235,8 @@ public void startLightweightTask(final RunningTaskQuartzImpl task) {
                 LOGGER.debug("Lightweight task handler shell starting execution; task = {}", task);
 
                 try {
-	                // Setup Spring Security context
-	                securityContextManager.setupPreAuthenticatedSecurityContext(task.getOwner());
+	                // Task owner is cloned because otherwise we get CME's when recomputing the owner user during login process
+	                securityContextManager.setupPreAuthenticatedSecurityContext(CloneUtil.clone(task.getOwner()));
                 } catch (SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | ExpressionEvaluationException e) {
                     LoggingUtils.logUnexpectedException(LOGGER, "Couldn't set up task security context {}", e, task);
                     throw new SystemException(e.getMessage(), e);
diff --git a/testing/story/src/test/java/com/evolveum/midpoint/testing/story/ldap/TestLdapPolyString.java b/testing/story/src/test/java/com/evolveum/midpoint/testing/story/ldap/TestLdapPolyString.java
index f9e000cd15f..6f30efeebdc 100644
--- a/testing/story/src/test/java/com/evolveum/midpoint/testing/story/ldap/TestLdapPolyString.java
+++ b/testing/story/src/test/java/com/evolveum/midpoint/testing/story/ldap/TestLdapPolyString.java
@@ -20,6 +20,8 @@
 import static org.testng.AssertJUnit.assertNull;
 
 import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
 
 import org.opends.server.types.DirectoryException;
 import org.opends.server.types.Entry;
@@ -29,7 +31,13 @@
 import org.testng.annotations.AfterClass;
 import org.testng.annotations.Test;
 
+import com.evolveum.midpoint.prism.Objectable;
+import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.path.ItemName;
+import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -39,6 +47,8 @@
 import com.evolveum.midpoint.testing.story.TestTrafo;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
@@ -82,6 +92,37 @@ public class TestLdapPolyString extends AbstractLdapTest {
 			"sk", "Kapitán Džek Sperou"
 		};
 
+	private static final String TITLE_CAPTAIN = "captain";
+	private static final String[] TITLE_EN_SK_RU = {
+			"en", "captain",
+			"sk", "kapitán",
+			"ru", "капитан"
+		};
+	private static final String[] TITLE_HR = {
+			"hr", "kapetan"
+		};
+	private static final String[] TITLE_EN_SK_RU_HR = {
+			"en", "captain",
+			"sk", "kapitán",
+			"ru", "капитан",
+			"hr", "kapetan"
+		};
+	private static final String[] TITLE_RU = {
+			"ru", "капитан"
+		};
+	private static final String[] TITLE_EN_SK_HR = {
+			"en", "captain",
+			"sk", "kapitán",
+			"hr", "kapetan"
+		};
+
+	private static final String NS_LDAP = "http://midpoint.evolveum.com/xml/ns/story/ldap/ext";
+	protected static final ItemName TITLE_MAP_QNAME = new ItemName(NS_LDAP, "titleMap");
+	protected static final ItemName TITLE_MAP_KEY_QNAME = new ItemName(NS_LDAP, "key");
+	protected static final ItemName TITLE_MAP_VALUE_QNAME = new ItemName(NS_LDAP, "value");
+	private static final ItemPath PATH_EXTENSION_TITLE_MAP = ItemPath.create(ObjectType.F_EXTENSION, TITLE_MAP_QNAME);
+
+
 	private PrismObject<ResourceType> resourceOpenDj;
 
 	private String accountJackOid;
@@ -147,6 +188,7 @@ public void test050AssignAccountOpenDjSimple() throws Exception {
 		display("Jack LDAP entry", accountEntry);
 		assertCn(accountEntry, USER_JACK_FULL_NAME);
 		assertDescription(accountEntry, USER_JACK_FULL_NAME /* no langs here (yet) */);
+		assertTitle(accountEntry, null /* no langs here (yet) */);
 	}
 	
 	@Test
@@ -243,6 +285,7 @@ public void test110AssignAccountOpenDjLang() throws Exception {
 		display("Jack LDAP entry", accountEntry);
 		assertCn(accountEntry, USER_JACK_FULL_NAME);
 		assertDescription(accountEntry, USER_JACK_FULL_NAME, JACK_FULL_NAME_LANG_EN_SK);
+		assertTitle(accountEntry, null /* no langs here (yet) */);
 	}
 	
 	/**
@@ -280,6 +323,7 @@ public void test112ModifyJackFullNameLangEnSkRuHr() throws Exception {
 		display("Jack LDAP entry", accountEntry);
 		assertCn(accountEntry, USER_JACK_FULL_NAME);
 		assertDescription(accountEntry, USER_JACK_FULL_NAME, JACK_FULL_NAME_LANG_EN_SK_RU_HR);
+		assertTitle(accountEntry, null /* no langs here (yet) */);
 	}
 	
 	/**
@@ -317,6 +361,7 @@ public void test114ModifyJackFullNameLangCzHr() throws Exception {
 		display("Jack LDAP entry", accountEntry);
 		assertCn(accountEntry, USER_JACK_FULL_NAME);
 		assertDescription(accountEntry, USER_JACK_FULL_NAME, JACK_FULL_NAME_LANG_CZ_HR);
+		assertTitle(accountEntry, null /* no langs here (yet) */);
 	}
 	
 	/**
@@ -354,6 +399,7 @@ public void test116ModifyJackFullNameLangCaptain() throws Exception {
 		display("Jack LDAP entry", accountEntry);
 		assertCn(accountEntry, USER_JACK_FULL_NAME_CAPTAIN);
 		assertDescription(accountEntry, USER_JACK_FULL_NAME_CAPTAIN, JACK_FULL_NAME_LANG_CAPTAIN_EN_CZ_SK);
+		assertTitle(accountEntry, null /* no langs here (yet) */);
 	}
 	
 	/**
@@ -389,8 +435,303 @@ public void test118ModifyJackFullNameCaptain() throws Exception {
 		display("Jack LDAP entry", accountEntry);
 		assertCn(accountEntry, USER_JACK_FULL_NAME_CAPTAIN);
 		assertDescription(accountEntry, USER_JACK_FULL_NAME_CAPTAIN /* no langs */);
+		assertTitle(accountEntry, null /* no langs here (yet) */);
+	}
+	
+	@Test
+    public void test119UnassignAccountOpenDjLang() throws Exception {
+		final String TEST_NAME = "test119UnassignAccountOpenDjLang";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        // WHEN
+        displayWhen(TEST_NAME);
+        unassignAccountFromUser(USER_JACK_OID, RESOURCE_OPENDJ_OID, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+		assertUserAfter(USER_JACK_OID)
+			.links()
+				.assertNone();
+		
+		assertNoShadow(accountJackOid);
+		
+		Entry accountEntry = getLdapEntryByUid(USER_JACK_USERNAME);
+		display("Jack LDAP entry", accountEntry);
+		assertNull("Unexpected LDAP entry for jack", accountEntry);
+	}
+	
+	/**
+	 * Things are getting even more interesting here. We set up Jack's title map
+	 * (in the extension), so it can be source of confu...errr..fun later on.
+	 * No provisioning yet. Just to make sure midPoint core works.
+	 */
+	@Test
+    public void test120ModifyJackTitleMap() throws Exception {
+		final String TEST_NAME = "test120ModifyJackTitleMap";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        List<PrismContainerValue<?>> cvals = createTitleMapValues(TITLE_EN_SK_RU);
+        
+        ObjectDelta<UserType> delta = deltaFor(UserType.class)
+        	.item(PATH_EXTENSION_TITLE_MAP)
+        		.replace(cvals)
+    		.asObjectDelta(USER_JACK_OID);
+        
+        // WHEN
+        displayWhen(TEST_NAME);
+        executeChanges(delta, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+        assertUserAfter(USER_JACK_OID)
+        	.extension()
+        		.container(TITLE_MAP_QNAME)
+        			.assertSize(TITLE_EN_SK_RU.length/2)
+        			.end()
+        		.end()
+			.links()
+				.assertNone();
+	}
+	
+	/**
+	 * Assign LDAP account to jack.
+	 * There is titleMap in extension that is mapped to LDAP title attribute.
+	 * There should be a nice polystring in LDAP title.
+	 * MID-5264
+	 */
+	@Test
+    public void test130AssignAccountOpenDjTitleMap() throws Exception {
+		final String TEST_NAME = "test130AssignAccountOpenDjTitleMap";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        // WHEN
+        displayWhen(TEST_NAME);
+        assignAccountToUser(USER_JACK_OID, RESOURCE_OPENDJ_OID, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+		accountJackOid = assertUserAfter(USER_JACK_OID)
+			.fullName()
+        		.assertOrig(USER_JACK_FULL_NAME_CAPTAIN)
+        		.assertNoLangs()
+        		.end()
+    		.extension()
+        		.container(TITLE_MAP_QNAME)
+        			.assertSize(TITLE_EN_SK_RU.length/2)
+        			.end()
+        		.end()
+			.singleLink()
+				.getOid();
+		
+		assertModelShadow(accountJackOid);
+		
+		Entry accountEntry = getLdapEntryByUid(USER_JACK_USERNAME);
+		display("Jack LDAP entry", accountEntry);
+		assertCn(accountEntry, USER_JACK_FULL_NAME_CAPTAIN);
+		assertDescription(accountEntry, USER_JACK_FULL_NAME_CAPTAIN /* no langs */);
+		assertTitle(accountEntry, TITLE_CAPTAIN, TITLE_EN_SK_RU);
+	}
+	
+	/**
+	 * Add some container values.
+	 * MID-5264
+	 */
+	@Test
+    public void test132AssignAccountOpenDjTitleMapAdd() throws Exception {
+		final String TEST_NAME = "test132AssignAccountOpenDjTitleMapAdd";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        List<PrismContainerValue<?>> cvals = createTitleMapValues(TITLE_HR);
+        
+        ObjectDelta<UserType> delta = deltaFor(UserType.class)
+        	.item(PATH_EXTENSION_TITLE_MAP)
+        		.add(cvals)
+    		.asObjectDelta(USER_JACK_OID);
+        
+        // WHEN
+        displayWhen(TEST_NAME);
+        executeChanges(delta, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+		accountJackOid = assertUserAfter(USER_JACK_OID)
+			.fullName()
+        		.assertOrig(USER_JACK_FULL_NAME_CAPTAIN)
+        		.assertNoLangs()
+        		.end()
+    		.extension()
+        		.container(TITLE_MAP_QNAME)
+        			.assertSize(TITLE_EN_SK_RU_HR.length/2)
+        			.end()
+        		.end()
+			.singleLink()
+				.getOid();
+		
+		assertModelShadow(accountJackOid);
+		
+		Entry accountEntry = getLdapEntryByUid(USER_JACK_USERNAME);
+		display("Jack LDAP entry", accountEntry);
+		assertCn(accountEntry, USER_JACK_FULL_NAME_CAPTAIN);
+		assertDescription(accountEntry, USER_JACK_FULL_NAME_CAPTAIN /* no langs */);
+		assertTitle(accountEntry, TITLE_CAPTAIN, TITLE_EN_SK_RU_HR);
+	}
+	
+	/**
+	 * Delete some container values.
+	 * MID-5264
+	 */
+	@Test
+    public void test134AssignAccountOpenDjTitleMapDelete() throws Exception {
+		final String TEST_NAME = "test134AssignAccountOpenDjTitleMapDelete";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        List<PrismContainerValue<?>> cvals = createTitleMapValues(TITLE_RU);
+        
+        ObjectDelta<UserType> delta = deltaFor(UserType.class)
+        	.item(PATH_EXTENSION_TITLE_MAP)
+        		.delete(cvals)
+    		.asObjectDelta(USER_JACK_OID);
+        
+        // WHEN
+        displayWhen(TEST_NAME);
+        executeChanges(delta, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+		accountJackOid = assertUserAfter(USER_JACK_OID)
+			.fullName()
+        		.assertOrig(USER_JACK_FULL_NAME_CAPTAIN)
+        		.assertNoLangs()
+        		.end()
+    		.extension()
+        		.container(TITLE_MAP_QNAME)
+        			.assertSize(TITLE_EN_SK_HR.length/2)
+        			.end()
+        		.end()
+			.singleLink()
+				.getOid();
+		
+		assertModelShadow(accountJackOid);
+		
+		Entry accountEntry = getLdapEntryByUid(USER_JACK_USERNAME);
+		display("Jack LDAP entry", accountEntry);
+		assertCn(accountEntry, USER_JACK_FULL_NAME_CAPTAIN);
+		assertDescription(accountEntry, USER_JACK_FULL_NAME_CAPTAIN /* no langs */);
+		assertTitle(accountEntry, TITLE_CAPTAIN, TITLE_EN_SK_HR);
 	}
 	
+	/**
+	 * Add some container values.
+	 * MID-5264
+	 */
+	@Test
+    public void test138AssignAccountOpenDjTitleMapReplace() throws Exception {
+		final String TEST_NAME = "test138AssignAccountOpenDjTitleMapReplace";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        List<PrismContainerValue<?>> cvals = createTitleMapValues(TITLE_EN_SK_RU);
+        
+        ObjectDelta<UserType> delta = deltaFor(UserType.class)
+        	.item(PATH_EXTENSION_TITLE_MAP)
+        		.replace(cvals)
+    		.asObjectDelta(USER_JACK_OID);
+        
+        // WHEN
+        displayWhen(TEST_NAME);
+        executeChanges(delta, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+		accountJackOid = assertUserAfter(USER_JACK_OID)
+			.fullName()
+        		.assertOrig(USER_JACK_FULL_NAME_CAPTAIN)
+        		.assertNoLangs()
+        		.end()
+    		.extension()
+        		.container(TITLE_MAP_QNAME)
+        			.assertSize(TITLE_EN_SK_RU.length/2)
+        			.end()
+        		.end()
+			.singleLink()
+				.getOid();
+		
+		assertModelShadow(accountJackOid);
+		
+		Entry accountEntry = getLdapEntryByUid(USER_JACK_USERNAME);
+		display("Jack LDAP entry", accountEntry);
+		assertCn(accountEntry, USER_JACK_FULL_NAME_CAPTAIN);
+		assertDescription(accountEntry, USER_JACK_FULL_NAME_CAPTAIN /* no langs */);
+		assertTitle(accountEntry, TITLE_CAPTAIN, TITLE_EN_SK_RU);
+	}
+	
+	@Test
+    public void test139UnassignAccountOpenDjTitleMap() throws Exception {
+		final String TEST_NAME = "test139UnassignAccountOpenDjTitleMap";
+        displayTestTitle(TEST_NAME);
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        // WHEN
+        displayWhen(TEST_NAME);
+        unassignAccountFromUser(USER_JACK_OID, RESOURCE_OPENDJ_OID, null, task, result);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertSuccess(result);
+
+		assertUserAfter(USER_JACK_OID)
+			.links()
+				.assertNone();
+		
+		assertNoShadow(accountJackOid);
+		
+		Entry accountEntry = getLdapEntryByUid(USER_JACK_USERNAME);
+		display("Jack LDAP entry", accountEntry);
+		assertNull("Unexpected LDAP entry for jack", accountEntry);
+	}
+	
+	private List<PrismContainerValue<?>> createTitleMapValues(String... params) throws SchemaException {
+		List<PrismContainerValue<?>> cvals = new ArrayList<>();
+		for(int i = 0; i < params.length; i+=2) {
+			PrismContainerValue<?> cval = prismContext.itemFactory().createContainerValue();
+			
+			PrismProperty<String> keyProp = prismContext.itemFactory().createProperty(TITLE_MAP_KEY_QNAME);
+			keyProp.setRealValue(params[i]);
+			cval.add(keyProp);
+			
+			PrismProperty<String> valueProp = prismContext.itemFactory().createProperty(TITLE_MAP_VALUE_QNAME);
+			valueProp.setRealValue(params[i+1]);
+			cval.add(valueProp);
+			
+			cvals.add(cval);
+		}
+		return cvals;
+	}
+
 	private Entry getLdapEntryByUid(String uid) throws DirectoryException {
 		return openDJController.searchSingle("uid="+uid);
 	}
@@ -402,6 +743,10 @@ private void assertCn(Entry entry, String expectedValue) {
 	private void assertDescription(Entry entry, String expectedOrigValue, String... params) {
 		OpenDJController.assertAttributeLang(entry, "description", expectedOrigValue, params);
 	}
+	
+	private void assertTitle(Entry entry, String expectedOrigValue, String... params) {
+		OpenDJController.assertAttributeLang(entry, "title", expectedOrigValue, params);
+	}
 
 
 }
\ No newline at end of file
diff --git a/testing/story/src/test/resources/ldap/polystring/resource-opendj.xml b/testing/story/src/test/resources/ldap/polystring/resource-opendj.xml
index fb7fcd99803..06335623087 100644
--- a/testing/story/src/test/resources/ldap/polystring/resource-opendj.xml
+++ b/testing/story/src/test/resources/ldap/polystring/resource-opendj.xml
@@ -55,6 +55,7 @@
  			<icfcldap:operationalAttributes>ds-pwp-account-disabled</icfcldap:operationalAttributes>
  			<icfcldap:operationalAttributes>isMemberOf</icfcldap:operationalAttributes>
  			<icfcldap:languageTagAttributes>description</icfcldap:languageTagAttributes>
+ 			<icfcldap:languageTagAttributes>title</icfcldap:languageTagAttributes>
 		</icfc:configurationProperties>
 		
 		<icfc:resultsHandlerConfiguration>
@@ -152,6 +153,60 @@
                     </source>
                 </outbound>
             </attribute>
+            
+            <attribute>
+                <ref>ri:title</ref>
+                <limitations>
+                	<!-- Poly-attributes only work with single-value attributes -->
+                	<maxOccurs>1</maxOccurs>
+                </limitations>
+                <!-- PolyString strict matching - to make sure that the langs in polystring get compared. -->
+                <matchingRule>mr:polyStringStrict</matchingRule>
+                <outbound>
+                	<source>
+                		<!-- Source is NOT a polystring here. It is a container. -->
+	                    <path>extension/titleMap</path>
+                    </source>
+                    <expression>
+                    	<script>
+                    		<relativityMode>absolute</relativityMode>
+                    		<code>
+                    			import com.evolveum.midpoint.prism.polystring.PolyString
+                    			import com.evolveum.midpoint.prism.path.ItemName
+                    			
+                    			log.info("MAP:titleMap: {}", titleMap)
+                    			
+                    			if (titleMap == null) {
+                    				return null
+                    			}
+                    			
+                    			assert titleMap instanceof com.evolveum.midpoint.prism.PrismContainer
+                    			
+                    			def poly
+                    			def lang = [:]
+                    			
+                    			titleMap.values.each {
+                    				log.info("MAP:titleMap:value: {}", it)
+                    				assert it instanceof com.evolveum.midpoint.prism.PrismContainerValue
+                    				def key = it.findProperty(new ItemName('key')).realValue
+                    				def value = it.findProperty(new ItemName('value')).realValue
+                    				log.info("MAP:titleMap: {} -> {}", key, value)
+                    				if (key == "en") {
+                    					poly = new PolyString(value)
+                    				}
+                    				lang.put(key, value)
+                    			}
+                    			
+                    			poly.setLang(lang)
+                    			
+                    			log.info("MAP:titleMap:poly: {}", poly.debugDump())
+                    			
+                    			return poly
+                    		</code>
+                    	</script>
+                    </expression>
+                </outbound>
+            </attribute>
 
 			<protected>
        			<filter>
diff --git a/testing/story/src/test/resources/schema/ldap.xsd b/testing/story/src/test/resources/schema/ldap.xsd
new file mode 100644
index 00000000000..f1247792283
--- /dev/null
+++ b/testing/story/src/test/resources/schema/ldap.xsd
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+
+<!--
+  ~ Copyright (c) 2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<xsd:schema elementFormDefault="qualified"
+            targetNamespace="http://midpoint.evolveum.com/xml/ns/story/ldap/ext"
+            xmlns:tns="http://midpoint.evolveum.com/xml/ns/story/ldap/ext"
+            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
+            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+    <!-- user extension -->
+
+    <xsd:complexType name="UserTypeExtensionType">
+        <xsd:annotation>
+            <xsd:appinfo>
+                <a:extension ref="c:UserType"/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element name="titleMap" type="tns:QuasiMapType" minOccurs="0" maxOccurs="unbounded">
+            	<xsd:annotation>
+            		<xsd:documentation>
+            			Container that somehow simulates polystring. But it is quasi-map form.
+            			Key is language code, value is translated text.
+            			MID-5264
+            		</xsd:documentation>
+            	</xsd:annotation>
+            </xsd:element>
+        </xsd:sequence>
+    </xsd:complexType>
+
+    <xsd:complexType name="QuasiMapType">
+        <xsd:annotation>
+            <xsd:appinfo>
+                <a:container>true</a:container>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element name="key" type="xsd:string" minOccurs="1"/>
+            <xsd:element name="value" type="xsd:string" minOccurs="1"/>
+        </xsd:sequence>
+    </xsd:complexType>
+    
+</xsd:schema>