[midPoint] How to check indirect assignments with policy constraints?

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Fri May 11 17:36:05 CEST 2018


Hi all,

I want to check whether the identity has a direct or indirect assignment to a role
in a scripted object state policy constraint. And it almost works .)

The script uses user.roleMembershipRef to determine if a user 'has' a given
role.

In GUI Preview everything works nicely, the policy matches, and roleMembershipRef
contains the assigned roles.

But when you click 'Save', roleMembershipRef does not reflect the new
state, the newly assigned roles are not there as in preview. My policy now
effectively checks the old object state only.

Do you know any other way to check for directly or indirectly assigned
roles in a policy constraint?

Checking only directly assigned roles seems to work OK with user.assignment
(midpoint.isDirectlyAssigned()). I can't find any way to trigger the policy
after roleMembershipRefs are evaluated.

Thanks!
arnost

-- 

Arnošt Starosta
solution architect

gsm: [+420] 603 794 932
e-mail: arnost.starosta at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



By the text of this e-mail, the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded,
must be exclusively in written form.