User Application nrfRoles are administered in the Role Administrator web interface, but I cannot see any place for a filter (Entitlement service driver style) in case I want to assign some roles automatically. Currently, to assign a role automatically, you have to have a list of roles and their respective rules listed somewhere, such as a mapping table, a global definition or an LDAP object. You can also save the data to the nrfRole object itself as an auxiliary attribute, but the Role Administrator GUI does not support editing or viewing auxiliary attributes of nrfRole objects.
As a quick fix I suggest adding a multi-value string attribute to the nrfRole object, supported by the Role Administration role editor. This enables additional role definitions, including filter information for automatic role assignments.
Future IDM versions could implement native automatic role assignments based on LDAP filters.
I work mostly with universities' IDM solutions, and at least there 99% of the roles are assigned automatically based on source registry data; therefore a place for storing the criteria would be needed.
The point was more about where the filter definitions are kept, so that role definitions would be administered in a single location. The criteria used in automatic role assignment are part of the role information and should be stored in the same location as the rest of the role definition.
To create a new role and use a dynamic group, you should first create the role with Role Administrator, then create a new dynamic group and set the filter on it. Compared to writing it all in one place, this makes a difference when roles are many and they need administration, let alone checking whether all 100 roles and their definitions are in sync and nobody has made human errors.
Hope you get the idea.
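The single-location approach discussed above, as an added example that is not code from the original post or from the product: a small Python model in which each role carries its own LDAP-style filter in a hypothetical multi-valued attribute (`x-rolefilter`), and automatic assignments are computed from it over a constructed set of user entries. Roles that carry no filter are reported separately, which is the "are all roles covered" check the post asks for; the attribute name, entries and role names are assumptions.

```python
USERS = {  # constructed directory entries; attribute names lower-cased
    "cn=alice,ou=people,o=uni": {"edupersonaffiliation": ["student"], "ou": ["physics"]},
    "cn=bob,ou=people,o=uni": {"edupersonaffiliation": ["staff", "faculty"], "ou": ["physics"]},
    "cn=carol,ou=people,o=uni": {"edupersonaffiliation": ["student"], "employeetype": ["exchange"]},
}
ROLES = {  # "x-rolefilter" is a hypothetical multi-valued attribute on the nrfRole object
    "PhysicsStudent": {"x-rolefilter": ["(&(eduPersonAffiliation=student)(ou=physics))"]},
    "Academic": {"x-rolefilter": ["(|(eduPersonAffiliation=faculty)(eduPersonAffiliation=staff))"]},
    "LocalStudent": {"x-rolefilter": ["(&(eduPersonAffiliation=student)(!(employeeType=*)))"]},
    "LibraryAdmin": {},  # no filter stored: must still be assigned by hand
}

def split_subfilters(s):
    parts, depth, start = [], 0, 0  # split '(a=1)(b=2)' into its top-level terms
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    if depth:
        raise ValueError(f"unbalanced filter: {s}")
    return parts

def evaluate(filt, entry):
    """RFC 4515 subset: &, |, !, equality and presence (attr=*); case-insensitive."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"malformed filter: {filt}")
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [evaluate(sub, entry) for sub in split_subfilters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, sep, value = body.partition("=")
    if not sep or "(" in body or ")" in body:
        raise ValueError(f"unsupported filter: {filt}")
    vals = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(vals) if value == "*" else value.lower() in vals

def assign_roles(roles, users):
    """Return (role -> DNs matching every stored filter, roles lacking a filter)."""
    automatic, manual = {}, []
    for name, role in roles.items():
        filters = role.get("x-rolefilter", [])
        if not filters:
            manual.append(name)  # surfaces roles that escaped the automatic rules
            continue
        automatic[name] = {dn for dn, e in users.items() if all(evaluate(f, e) for f in filters)}
    return automatic, manual
```

Running `assign_roles(ROLES, USERS)` on the constructed data yields one matching user for each filtered role and lists `LibraryAdmin` as the only role still needing manual assignment.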