[midPoint] How to check indirect assignments with policy constraints?

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Mon May 14 10:54:21 CEST 2018


Hi Pavol,

thank you for the tip; however, I can't use hasAssignment, as I need to
combine several conditions - check attribute values and possibly multiple
role assignments - that are defined by administrators in the GUI simply by
providing role attribute values. The policyRule script then works with
these values; in essence it combines the two functions
from testing/story/src/test/resources/delivery/rules/library.xml.

My simplified policy rule is

         <policyRule>
            <policyConstraints>
               <objectState id="2">
                  <expression>
                     <script>
                        <code>
... check object.roleMembershipRef and other conditions ...
</code>
                     </script>
                  </expression>
               </objectState>
            </policyConstraints>
            <policyActions>
               <enforcement />
            </policyActions>
            <evaluationTarget>assignment</evaluationTarget>
         </policyRule>

The roleMembershipRef contains one set of refs when Preview is clicked and
a different one when saved.

I hope I can quick-fix this with a 'mandatory preview'.

arnost


2018-05-11 19:07 GMT+02:00 Pavol Mederly <mederly at evolveum.com>:

> Hello Arnošt,
>
> what does your state constraint (and the whole policy rule) look like?
>
> I am aware of some issues related to constraint evaluation, but I think
> this could work.
>
> And, by the way, haven't you considered hasAssignment constraint? It
> should support direct, indirect, and both modes of assignment.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 11.05.2018 17:36, Arnošt Starosta - AMI Praha a.s. wrote:
>
> Hi all,
>
> I want to check the identity has a direct or indirect assignment to a role
> in a scripted object state policy constraint. And it almost works .)
>
> The script uses user.roleMembershipRef to determine if a user 'has' a
> given role.
>
> In the GUI Preview everything works nicely: the policy matches, and
> roleMembershipRef contains the assigned roles.
>
> But when you click 'Save', roleMembershipRef does not reflect the new
> state, the newly assigned roles are not there as in preview. My policy now
> effectively checks the old object state only.
>
> Do you know any other way how to check for directly or indirectly assigned
> roles in a policy constraint?
>
> Checking only directly assigned roles seems to work OK with user.assignment
> (midpoint.isDirectlyAssigned()). I can't find any way to trigger the
> policy after the roleMembershipRefs are evaluated.
>
> Thanks!
> arnost
>


-- 

Arnošt Starosta
solution architect

gsm: [+420] 603 794 932
e-mail: arnost.starosta at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s.
Any contract, if it is concluded, must be exclusively in written form.
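For readers following this thread, here is an added example of the kind of script the elided `<code>` body of the objectState constraint above could contain. It is not code from the original posts, from the referenced library.xml, or from midPoint itself. It assumes the script variable `object` (the focus being evaluated, as the snippet above uses it), the standard JAXB-style accessors `assignment`, `targetRef`, `roleMembershipRef` and `costCenter` on a midPoint UserType, and placeholder role OIDs and a placeholder costCenter value that are constructed for illustration:

```groovy
// Added example, not code from the thread or from midPoint.
// Assumed script variables: 'object' = the user (focus) being evaluated in an
// objectState constraint. Role OIDs and the costCenter value are placeholders.

// Roles that must ALL be held, directly or indirectly (placeholder OIDs).
def requiredRoleOids = [
        '11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222'
] as Set

// Direct assignments come from the object state being saved, so they already
// reflect the change the administrator is making.
def directOids = (object.assignment ?: [])
        .findAll { it.targetRef?.oid != null }
        .collect { it.targetRef.oid } as Set

// roleMembershipRef covers indirect (role-induced) membership. As the thread
// reports, on 'Save' this may still describe the previous state, so treat it
// as a lower bound rather than the authoritative new membership.
def membershipOids = (object.roleMembershipRef ?: [])
        .collect { it.oid } as Set

def heldOids = directOids + membershipOids

// Attribute condition combined with the role condition (assumed attribute).
def attributeOk = object.costCenter == 'CC-4711'

// The constraint matches (and the enforcement action fires) only when the
// attribute condition holds AND every required role is held.
return attributeOk && heldOids.containsAll(requiredRoleOids)
```

Because the direct-assignment set is built from the state being saved while roleMembershipRef may lag behind it, a role that only becomes a member through a newly added assignment can be missed at Save time; the Preview/Save discrepancy described in the thread is exactly the gap between `directOids` and `membershipOids` here.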