[midPoint] SoD works only with one group

Pavol Mederly mederly at evolveum.com
Mon Feb 5 17:45:43 CET 2018


Hello Jan,

this is by design.

A policy rule contains a set of policy constraints, which are - by 
default - treated as a conjunction (i.e. connected by "and"). It means 
that in order for a rule to fire, all of the constraints must match.

Fortunately, the policy constraints language in 3.7 is quite rich. It 
allows you to specify arbitrary logic expressions using "and", "or" and 
"not" operators. Please have a look at 
https://wiki.evolveum.com/display/midPoint/Policy+Constraints. Although 
it is quite unfinished and in progress, most of the ideas were 
implemented in midPoint 3.7. Your case is covered by the first example 
on that page:

<policyRule>
    <name>criminal exclusion</name>
    <policyConstraints>
        <!-- triggers if Judge, Pirate, and/or Thief is assigned in addition
             to the current assignment -->
        <or>
            <exclusion>
                <targetRef oid="12345111-1111-2222-1111-121212111111" type="RoleType"/> <!-- Judge -->
            </exclusion>
            <exclusion>
                <targetRef oid="12345678-d34d-b33f-f00d-555555556666" type="RoleType"/> <!-- Pirate -->
            </exclusion>
            <exclusion>
                <targetRef oid="b189fcb8-1ff9-11e5-8912-001e8c717e5b" type="RoleType"/> <!-- Thief -->
            </exclusion>
        </or>
    </policyConstraints>
    <policyActions>
        <enforcement> ... </enforcement>
    </policyActions>
</policyRule>

Of course, what Oskar suggested is valid as well. You can use a 
filter to specify more targets at once. (It is not possible to specify 
more targetRef elements in one exclusion element, though.)

Hope this helps.

Pavol Mederly
Software developer
evolveum.com
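To make the "conjunction by default" point concrete, here is a small Python model of how the constraints combine (an added illustration, not midPoint's code; it covers only <exclusion> plus the and/or/not operators, and assumes the rule's own holder is always assigned). It parses Jan's rule with the second <exclusion> uncommented and the same rule wrapped in <or>, then checks which role combinations trigger each:

```python
"""Toy evaluator for the policy-constraint logic discussed above.

Added illustration, not midPoint's implementation. It models only how
<exclusion> constraints combine: implicit "and" directly under
<policyConstraints> (and under <and>), explicit <or>, and <not> as the
negation of the conjunction of its children. Other constraint kinds are
ignored. The assumption throughout: the rule sits on the org/role being
assigned, and `assigned` is the set of OTHER role OIDs the focus holds.
"""
import xml.etree.ElementTree as ET

ROLE_A = "00000000-0000-0000-0000-000000000004"  # first excluded role (from the thread)
ROLE_B = "00000000-0000-0000-0000-00000000000a"  # second excluded role (from the thread)

# Constructed sample: Jan's rule with the second <exclusion> uncommented.
CONJUNCTION_RULE = f"""
<policyRule>
  <name>Excluded-Roles!</name>
  <policyConstraints>
    <exclusion><targetRef oid="{ROLE_A}" type="RoleType"/></exclusion>
    <exclusion><targetRef oid="{ROLE_B}" type="RoleType"/></exclusion>
  </policyConstraints>
</policyRule>
"""

# Constructed sample: the same two exclusions wrapped in <or>, as Pavol advises.
DISJUNCTION_RULE = CONJUNCTION_RULE.replace(
    "<policyConstraints>", "<policyConstraints><or>").replace(
    "</policyConstraints>", "</or></policyConstraints>")

LOGIC_TAGS = {"policyConstraints", "and", "or", "not"}

def _evaluate(node, assigned):
    """True if this constraint node is triggered by the assigned role OIDs."""
    if node.tag == "exclusion":
        ref = node.find("targetRef")
        return ref is not None and ref.get("oid") in assigned
    if node.tag not in LOGIC_TAGS:
        return None  # constraint kinds this toy model does not cover
    results = [r for r in (_evaluate(c, assigned) for c in node) if r is not None]
    if not results:
        return False
    if node.tag == "or":
        return any(results)
    if node.tag == "not":
        return not all(results)
    return all(results)  # policyConstraints and <and>: conjunction

def rule_fires(rule_xml, assigned_oids):
    """Parse a <policyRule> and report whether its constraints trigger."""
    rule = ET.fromstring(rule_xml)
    return _evaluate(rule.find("policyConstraints"), set(assigned_oids))
```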

On 05.02.2018 8:33, Jan Kaspar wrote:
> Hello,
>
> I tried to apply SoD for some of the groups / orgs. It works only if I 
> specify only one excluded role.
>
> Here is an example of an Org with exclusion of one or two roles. If I 
> uncomment the second exclude definition,
> then I am able to assign one of those roles; I got an error only in 
> the case that I tried to assign both of the excluded
> roles. Is that an error? I can solve this by specifying multiple 
> policies. But I think this is not optimal.
>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>      oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
>     <name>Admin Accounts</name>
>     <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>     <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
>     <assignment>
>         <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>         <activation>
>             <effectiveStatus>enabled</effectiveStatus>
>         </activation>
>     </assignment>
>     <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
>     <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
>     <displayName>Admin Accounts</displayName>
>     <inducement>
>         <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
>     </inducement>
>     <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
>     <assignment>
>         <policyRule>
>             <name>Excluded-Roles!</name>
>             <policyConstraints>
>                 <exclusion>
>                     <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
>                 </exclusion>
> <!--            <exclusion>
>                     <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
>                 </exclusion> -->
>             </policyConstraints>
>             <policyActions>
>                 <enforcement/>
>             </policyActions>
>         </policyRule>
>     </assignment>
> </org>
>
> Thanks Jan
>
