[midPoint] SoD works only with one group

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Mon Feb 5 09:26:18 CET 2018


Hi!
I haven't tried exclusions yet, so I may be wrong.
Have you tried something like this:

<exclusion>
   <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
   <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
</exclusion>

?

Regards,
WS

On 05.02.2018 at 08:33, Jan Kaspar wrote:
> Hello,
> 
> I tried to apply SoD for some of groups / orgs. It works only if I specify only one excluded role.
> 
> Here is an example of Org with exclusion of one or two roles. If I uncomment the second exclude definition,
> then I am able to assign one of those roles; I got an error only in case that I tried to assign both of the excluded
> roles. Is that an error? I can solve this by specifying multiple policies. But I think this is not optimal.
> 
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
>       <name>Admin Accounts</name>
>       <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>       <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
>       <assignment>
>          <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>          <activation>
>             <effectiveStatus>enabled</effectiveStatus>
>          </activation>
>       </assignment>
>       <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>       <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
>       <displayName>Admin Accounts</displayName>
>       <inducement>
>          <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
>       </inducement>
>       <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
>       <assignment>
>         <policyRule>
>             <name>Excluded-Roles!</name>
>             <policyConstraints>
>                 <exclusion>
>                     <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
>                 </exclusion>
> <!--                 <exclusion>
>                 <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
>                 </exclusion> -->
>             </policyConstraints>
>             <policyActions>
>                 <enforcement/>
>             </policyActions>
>         </policyRule>
>     </assignment>
>    </org>
> 
> Thanks Jan
> 

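The following is an added example, not code from either poster or from the midPoint project. It spells out the workaround Jan mentions in the thread (separate policies): one policyRule per excluded role, each with a single exclusion constraint, which is the form Jan reports as working. The org OID and the two role OIDs are taken from Jan's message; the rule names are made up, and the rest of the org (parentOrgRef, inducement, securityPolicyRef) is left out for brevity. Whether the two rules could instead be merged into one policyRule with the constraints placed under an `or` element is an assumption about the midPoint schema that the thread does not confirm, so it is not shown here.

```xml
<!-- Added example (not from the thread): SoD between this org and two roles,
     expressed as two independent policy rules so that holding EITHER role
     together with org membership triggers enforcement. -->
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="5bdac06d-c192-4569-acf6-d432ad555fc4">
    <name>Admin Accounts</name>
    <displayName>Admin Accounts</displayName>

    <!-- Rule 1: a member of this org must not also hold role ...0004.
         Rule name is made up for the example. -->
    <assignment>
        <policyRule>
            <name>Excluded-Role-0004</name>
            <policyConstraints>
                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <!-- enforcement: the conflicting assignment is rejected, not just reported -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>

    <!-- Rule 2: same constraint for role ...000a, evaluated on its own,
         so it does not depend on role ...0004 also being present. -->
    <assignment>
        <policyRule>
            <name>Excluded-Role-000a</name>
            <policyConstraints>
                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>
</org>
```

Keeping one exclusion per rule also makes the audit trail easier to read: each rejected assignment points at the specific rule (and therefore the specific conflicting role) that triggered, rather than at one rule covering several roles.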