[midPoint] SoD works only with one group

Jan Kaspar Caspi at seznam.cz
Mon Feb 5 08:33:15 CET 2018


Hello,



I tried to apply SoD for some of the groups / orgs. It works only if I specify
only one excluded role.

Here is an example of an Org with exclusion of one or two roles. If I uncomment
the second exclude definition, then I am able to assign one of those roles; I
get an error only in the case that I try to assign both of the excluded roles.
Is that an error? I can solve this by specifying multiple policies, but I think
this is not optimal.





<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
    <name>Admin Accounts</name>
    <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
    <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
    <assignment>
        <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
    <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
    <displayName>Admin Accounts</displayName>
    <inducement>
        <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
    </inducement>
    <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
    <assignment>
        <policyRule>
            <name>Excluded-Roles!</name>
            <policyConstraints>
                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
                </exclusion>
                <!-- second exclusion, currently commented out:
                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
                </exclusion>
                -->
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>
</org>





Thanks Jan
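For reference, here is the "multiple policies" variant Jan mentions, written out as an added example (not part of the original post): the two exclusions are split into one policyRule per excluded role, each in its own assignment, so every exclusion is enforced on its own. The role OIDs are the two from the post; the rule names are made up.

```xml
<!-- Replacement for the last <assignment> of the org above.
     Added example: one policyRule per excluded role. -->
<assignment>
    <policyRule>
        <name>Excluded-Role-1</name>
        <policyConstraints>
            <exclusion>
                <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
            </exclusion>
        </policyConstraints>
        <policyActions>
            <enforcement/>
        </policyActions>
    </policyRule>
</assignment>
<assignment>
    <policyRule>
        <name>Excluded-Role-2</name>
        <policyConstraints>
            <exclusion>
                <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
            </exclusion>
        </policyConstraints>
        <policyActions>
            <enforcement/>
        </policyActions>
    </policyRule>
</assignment>
```

Assigning either excluded role alone to a member of the org should then be rejected by enforcement, rather than only the combination of both.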