[midPoint] SoD works only with one group
Oskar Butovič - AMI Praha a.s.
oskar.butovic at ami.cz
Mon Feb 5 10:21:23 CET 2018
Hi, you can also use a filter like this:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:gen45="http://prism.evolveum.com/xml/ns/public/debug"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="sod-meta-role">
  <activation>
    <effectiveStatus>enabled</effectiveStatus>
  </activation>
  <iteration>0</iteration>
  <iterationToken/>
  <inducement>
    <policyRule>
      <policyConstraints>
        <exclusion>
          <!-- the target is not a fixed oid but a filter: every role whose
               assignment/targetRef points at this meta-role is excluded -->
          <targetRef type="RoleType">
            <filter>
              <q:ref>
                <q:path>assignment/targetRef</q:path>
                <q:value oid="sod-meta-role" type="RoleType"/>
              </q:ref>
            </filter>
            <resolutionTime>run</resolutionTime>
          </targetRef>
        </exclusion>
      </policyConstraints>
      <policyActions>
        <prune/>
      </policyActions>
    </policyRule>
  </inducement>
</role>
2018-02-05 9:26 GMT+01:00 Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl>:
> Hi!
> I haven't tried exclusions yet, so I may be wrong.
> Have you tried something like this:
>
> <exclusion>
> <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
> <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
> </exclusion>
>
> ?
>
> Regards,
> WS
>
> On 05.02.2018 at 08:33, Jan Kaspar wrote:
> > Hello,
> >
> > I tried to apply SoD to some of the groups / orgs. It works only if I
> > specify only one excluded role.
> >
> > Here is an example of an Org with exclusion of one or two roles. If I
> > uncomment the second exclude definition, then I am able to assign one of
> > those roles; I got an error only in case I tried to assign both of the
> > excluded roles. Is that an error? I can solve this by specifying multiple
> > policies. But I think this is not optimal.
> >
> > <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
> >      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> >      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> >      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> >      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> >      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> >      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >      oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
> >   <name>Admin Accounts</name>
> >   <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
> >   <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
> >   <assignment>
> >     <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
> >     <activation>
> >       <effectiveStatus>enabled</effectiveStatus>
> >     </activation>
> >   </assignment>
> >   <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
> >   <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
> >   <displayName>Admin Accounts</displayName>
> >   <inducement>
> >     <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
> >   </inducement>
> >   <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
> >   <assignment>
> >     <policyRule>
> >       <name>Excluded-Roles!</name>
> >       <policyConstraints>
> >         <exclusion>
> >           <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
> >         </exclusion>
> >         <!-- <exclusion>
> >           <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
> >         </exclusion> -->
> >       </policyConstraints>
> >       <policyActions>
> >         <enforcement/>
> >       </policyActions>
> >     </policyRule>
> >   </assignment>
> > </org>
> >
> > Thanks Jan
> >
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> >
--
Oskar Butovič
solution architect
gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
By the text of this e-mail the signatory neither promises to conclude nor concludes any
contract on behalf of AMI Praha a.s. Every contract, if concluded, must be exclusively in
written form.