User Application nrfRoles are administered in the Role Administrator web interface, but I cannot see any place for a filter (Entitlement service driver style) in case I want to assign some roles automatically. Currently, to assign a role automatically, you have to have a list of roles and their respective rules listed somewhere, such as a mapping table, global definition or an LDAP object. You can also save the data to the nrfRole object itself as an auxiliary attribute, but the Role Administrator GUI does not support editing / viewing auxiliary attributes of the nrfRole objects.
As a quick fix, I suggest adding a multi-valued string attribute to the nrfRole object, supported by the Role Administration role editor. This enables additional role definitions, including filter information for automatic role assignments.
Future IDM versions could implement native automatic role assignments based on LDAP filters.
I work mostly with university IDM solutions, and at least there 99% of the roles are assigned automatically based on source registry data; therefore a place for storing the criteria would be needed.