I've just stumbled upon role assignment attributes, and I thought all my christmases has come at once. Except they haven't.
What I had hoped this would give me would be a way of adding an attribute AND an attribute value to a role, and then when assigning that role I can perform logic in the provisioning policy.
As an example, create a role called "Financial Control - Basic" and add attribute to that role called "Credit Limit". Set the value of that attribute to 100,000. Set a second role called "Financial Control - Approved" and set the Credit Limit attribute to 1000,000.
What this would give me is a way of deriving information from a role that is needed to provision a valid, fully formed account where that information can not be determined from anywhere else within ISIM ( either the owning identity or the account form )
But no, these attributes are set per identity. So whenever an identity is added as a role member, you manually enter the value for each attribute.
I know there are other ways of determining this information, but this would have been a really light touch way and easily referenced way of adding value to an existing service while using standard ISIM functionality. I can't see any value in how this has been implemented.