[midPoint] SoD works only with one group
Wojciech Staszewski
wojciech.staszewski at diagnostyka.pl
Mon Feb 5 09:26:18 CET 2018
Hi!
I haven't tried exclusions yet, so I may be wrong.
Have you tried something like this:
<exclusion>
    <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
    <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
</exclusion>
?
Regards,
WS
On 05.02.2018 at 08:33, Jan Kaspar wrote:
> Hello,
>
> I tried to apply SoD for some of our groups / orgs. It works only if I specify only one excluded role.
>
> Here is an example of an Org with exclusion of one or two roles. If I uncomment the second exclude definition,
> then I am able to assign one of those roles; I get an error only in case I try to assign both of the excluded
> roles. Is that an error? I can solve this by specifying multiple policies. But I think this is not optimal.
>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
>   <name>Admin Accounts</name>
>   <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>   <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
>   <assignment>
>     <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>     <activation>
>       <effectiveStatus>enabled</effectiveStatus>
>     </activation>
>   </assignment>
>   <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>   <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
>   <displayName>Admin Accounts</displayName>
>   <inducement>
>     <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
>   </inducement>
>   <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
>   <assignment>
>     <policyRule>
>       <name>Excluded-Roles!</name>
>       <policyConstraints>
>         <exclusion>
>           <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
>         </exclusion>
>         <!-- <exclusion>
>           <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
>         </exclusion> -->
>       </policyConstraints>
>       <policyActions>
>         <enforcement/>
>       </policyActions>
>     </policyRule>
>   </assignment>
> </org>
>
> Thanks Jan
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
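The exchange above turns on how several `<exclusion>` constraints inside one `policyConstraints` combine: Jan observes that with two of them the rule fires only when both excluded roles are assigned, and that one rule per excluded role works as intended. The script below is an added example, not code from midPoint or from either poster; it parses a constructed, trimmed copy of the quoted org (with the second exclusion uncommented), extracts the excluded role OIDs per policy rule, and evaluates a user's assigned roles under the two readings ("all exclusions in the rule must match" versus "any one matches"), plus the one-rule-per-exclusion workaround. The `combine` parameter and the helper names are this example's own; the evaluation is a model of the two readings, not midPoint's engine.

```python
import xml.etree.ElementTree as ET

# midPoint common-3 namespace, as used by the org object quoted in the thread.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

ROLE_A = "00000000-0000-0000-0000-000000000004"
ROLE_B = "00000000-0000-0000-0000-00000000000a"

# Constructed sample: the quoted org trimmed to its policy rule, with the second
# <exclusion> uncommented so that one rule carries two exclusion constraints.
ORG_XML = f"""<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="5bdac06d-c192-4569-acf6-d432ad555fc4">
  <name>Admin Accounts</name>
  <assignment>
    <policyRule>
      <name>Excluded-Roles!</name>
      <policyConstraints>
        <exclusion>
          <targetRef oid="{ROLE_A}" type="RoleType"/>
        </exclusion>
        <exclusion>
          <targetRef oid="{ROLE_B}" type="RoleType"/>
        </exclusion>
      </policyConstraints>
      <policyActions><enforcement/></policyActions>
    </policyRule>
  </assignment>
</org>"""


def exclusion_rules(org_xml):
    """Map each policyRule name to the list of role OIDs its exclusions name."""
    root = ET.fromstring(org_xml)
    rules = {}
    for rule in root.findall("c:assignment/c:policyRule", NS):
        name = rule.findtext("c:name", default="<unnamed>", namespaces=NS)
        refs = rule.findall("c:policyConstraints/c:exclusion/c:targetRef", NS)
        rules[name] = [ref.get("oid") for ref in refs]
    return rules


def one_rule_per_exclusion(rules):
    """Jan's workaround: split a rule with N exclusions into N single-exclusion rules."""
    split = {}
    for name, oids in rules.items():
        for i, oid in enumerate(oids, start=1):
            split[f"{name}#{i}"] = [oid]
    return split


def violations(rules, assigned_oids, combine="all"):
    """Return (rule name, matched OIDs) for every rule that fires.

    combine="all": every exclusion inside one rule must match an assigned
    role before the rule fires (the behaviour Jan reports for two
    exclusions in one policyConstraints).
    combine="any": a single matching exclusion is enough.
    This is a model of the two readings, not midPoint's own evaluation code.
    """
    assigned = set(assigned_oids)
    fired = []
    for name, oids in rules.items():
        matched = [oid for oid in oids if oid in assigned]
        if not matched:
            continue
        if combine == "any" or len(matched) == len(oids):
            fired.append((name, matched))
    return fired


if __name__ == "__main__":
    rules = exclusion_rules(ORG_XML)
    print("rules:", rules)
    print("one role, one rule, 'all':", violations(rules, [ROLE_A]))
    print("both roles, one rule, 'all':", violations(rules, [ROLE_A, ROLE_B]))
    print("one role, split rules:", violations(one_rule_per_exclusion(rules), [ROLE_A]))
```

Under the "all" reading a user holding only one of the two roles produces no violation, which is exactly the gap Jan describes; splitting into single-exclusion rules closes it for each role independently, at the cost of one rule per excluded role.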