[midPoint] SoD works only with one group
Jan Kaspar
Caspi at seznam.cz
Mon Feb 5 08:33:15 CET 2018
Hello,
I tried to apply SoD to some of the groups / orgs. It works only if I specify only one excluded role.
Here is an example of an Org with the exclusion of one or two roles. If I uncomment the second exclude definition, then I am able to assign one of those roles; I got an error only in the case that I tried to assign both of the excluded roles. Is that an error? I can solve this by specifying multiple policies, but I think this is not optimal.
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
  <name>Admin Accounts</name>
  <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
  <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
  <assignment>
    <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
    <activation>
      <effectiveStatus>enabled</effectiveStatus>
    </activation>
  </assignment>
  <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
  <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
  <displayName>Admin Accounts</displayName>
  <inducement>
    <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
  </inducement>
  <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
  <assignment>
    <policyRule>
      <name>Excluded-Roles!</name>
      <policyConstraints>
        <exclusion>
          <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
        </exclusion>
        <!-- <exclusion>
          <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
        </exclusion> -->
      </policyConstraints>
      <policyActions>
        <enforcement/>
      </policyActions>
    </policyRule>
  </assignment>
</org>
Thanks Jan
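An added example, not part of Jan's post, of the observed behaviour expressed as a single policy rule. It assumes midPoint 3.7 or later, in which constraints placed directly under policyConstraints are combined with AND (so two sibling exclusions only trigger when both roles are held) and can instead be grouped with an or element; the OIDs are the ones from the post above.

```xml
<assignment>
  <policyRule>
    <name>Excluded-Roles!</name>
    <policyConstraints>
      <!-- Sibling constraints under policyConstraints are ANDed, which is why
           two plain exclusion elements fire only when BOTH roles are assigned.
           Grouping them in <or> makes the rule fire on either role.
           Assumption: midPoint 3.7+, where or/and/not grouping is available. -->
      <or>
        <exclusion>
          <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
        </exclusion>
        <exclusion>
          <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
        </exclusion>
      </or>
    </policyConstraints>
    <policyActions>
      <!-- Enforcement rejects the assignment instead of merely recording it. -->
      <enforcement/>
    </policyActions>
  </policyRule>
</assignment>
```

Verify the rule by assigning each excluded role on its own to a member of the org; with the or grouping each attempt should be rejected, not just the combination of both.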