The Role should assign any resource to a user that is available in the tenant but not fail if there is a resource induced that does not exist. We do not want to duplicate and adapt the role for each tenant. There are possibly a lot of them.
The number of resources actually assigned per tenant might differ:
DEV: only corp-ad-dev assigned
QUAL: no resoure assigned
PROD: both corp-ad-dev and corp-ad-prod assigned.
Therefore we are having one inducements for each resource with a condition that checks existance of the resource. This works well but requires 15 lines of code/xml per inducement. See attachement for example role.
I would like to have one <optional> tag for each inducement that would streamline the solution and replace our custom condition.
Some additional thoughts (not part of this request):
Introducing such optional resouces might also come in handy when we think about testing: Extending this even further with some concept to create "Virtual Shadows" representing what the provisioned resource account would look like if it would be there. With that you can test pretty much the complete provisioning process. While the actual connector tests can be run by their independent unit tests.