[midPoint] How to check indirect assignments with policy constraints?

Pavol Mederly mederly at evolveum.com
Fri May 11 19:07:38 CEST 2018


Hello Arnošt,

what does your state constraint (and the whole policy rule) look like?

I am aware of some issues related to constraint evaluation, but I think 
this could work.

And, by the way, haven't you considered the hasAssignment constraint? It 
should support direct, indirect, and both modes of assignment.

Pavol Mederly
Software developer
evolveum.com

On 11.05.2018 17:36, Arnošt Starosta - AMI Praha a.s. wrote:
> Hi all,
>
> I want to check the identity has a direct or indirect assignment to a 
> role in a scripted object state policy constraint. And it almost works .)
>
> The script uses user.roleMembershipRef to determine if a user 'has' a 
> given role.
>
> In GUI Preview everything works nicely, the policy matches, 
> roleMembershipRef contains the assigned roles.
>
> But when you click 'Save', roleMembershipRef does not reflect the new 
> state, the newly assigned roles are not there as in preview. My policy 
> now effectively checks the old object state only.
>
> Do you know any other way to check for directly or indirectly 
> assigned roles in a policy constraint?
>
> Checking only directly assigned roles seems to work ok with 
> user.assignment (midpoint.isDirectlyAssigned()). I can't find any way 
> to trigger the policy after roleMembershipRefs are evaluated.
>
> Thanks!
> arnost
>
> -- 
>
> Arnošt Starosta
> solution architect
