[midPoint] How to check indirect assignments with policy constraints? - SOLVED

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Fri May 25 14:13:55 CEST 2018


Made it work in the end thanks to sources, debugging and kind advice.

The key is not to check roleMembershipRef - these references indeed contain
indirect assignments but no sooner than in the SECONDARY stage and policies
must be triggered in PRIMARY.

In the PRIMARY stage, when the policy is evaluated, indirect assignments are
available in ruleEvaluationContext.lensContext.evaluatedAssignmentTriple.

The details on how to navigate this structure (and the whole Java
implementation of the indirect assignment check) can be found
in com.evolveum.midpoint.model.impl.lens.projector.policy.evaluators.HasAssignmentConstraintEvaluator.evaluate().

Thank you!

arnost

2018-05-11 17:36 GMT+02:00 Arnošt Starosta - AMI Praha a.s. <
arnost.starosta at ami.cz>:

> Hi all,
>
> I want to check the identity has a direct or indirect assignment to a role
> in a scripted object state policy constraint. And it almost works .)
>
> The script uses user.roleMembershipRef to determine if a user 'has' a
> given role.
>
> In GUI Preview everything works nicely: the policy matches and roleMembershipRef
> contains the assigned roles.
>
> But when you click 'Save', roleMembershipRef does not reflect the new
> state, the newly assigned roles are not there as in preview. My policy now
> effectively checks the old object state only.
>
> Do you know any other way how to check for directly or indirectly assigned
> roles in a policy constraint?
>
> Checking only directly assigned roles seems to work OK with user.assignment
> (midpoint.isDirectlyAssigned()). I can't find any way to trigger the
> policy after roleMembershipRefs are evaluated.
>
> Thanks!
> arnost
>
> --
>
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
> By the text of this e-mail the signatory does not promise to conclude, nor does
> conclude, any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be exclusively in written form.
>
>


-- 

Arnošt Starosta
solution architect

gsm: [+420] 603 794 932
e-mail: arnost.starosta at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz

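The following is an added example, not code from the thread or from the midPoint project: a Groovy script body for a scripted object state policy constraint that walks ruleEvaluationContext.lensContext.evaluatedAssignmentTriple, as the answer above describes, to decide whether the user will hold a given role directly or indirectly once the operation completes. The variable names ruleEvaluationContext and lensContext come from the thread; the method names DeltaSetTriple.getNonNegativeValues(), EvaluatedAssignment.getRoles(), EvaluatedAssignmentTarget.getTarget() and PrismObject.getOid() are my assumptions about the midPoint model API (check them against HasAssignmentConstraintEvaluator.evaluate() in your version), and the role OID is a placeholder.

```groovy
// Added example (not from the original post): scripted policy constraint that
// detects a direct or indirect assignment of one role in the PRIMARY stage.
// Assumed API: DeltaSetTriple, EvaluatedAssignment, EvaluatedAssignmentTarget.

// OID of the role being guarded. Placeholder value, replace with a real one.
def requiredRoleOid = 'ROLE-OID-PLACEHOLDER'

// Triple of evaluated assignments: zero set (unchanged), plus set (being added),
// minus set (being removed). Available in PRIMARY, unlike roleMembershipRef.
def triple = ruleEvaluationContext.lensContext.evaluatedAssignmentTriple
if (triple == null) {
    // Nothing has been evaluated for this focus yet; treat as "role not held".
    return false
}

// getNonNegativeValues() = zero set + plus set, i.e. the assignments that will
// exist after this operation. Assignments being removed are deliberately
// ignored so the constraint reflects the NEW object state, not the old one.
for (evaluatedAssignment in triple.getNonNegativeValues()) {
    // getRoles() (assumed) yields every role reached from this assignment:
    // the directly assigned role plus the roles it induces, again as a triple.
    def roles = evaluatedAssignment.getRoles()
    if (roles == null) {
        continue
    }
    for (target in roles.getNonNegativeValues()) {
        def targetObject = target.getTarget()
        if (targetObject != null && targetObject.getOid() == requiredRoleOid) {
            // Found either a direct assignment or an induced (indirect) one.
            return true
        }
    }
}

// No evaluated assignment leads to the guarded role.
return false
```

The script returns a boolean, which is what an object state constraint expects; the policy then fires on the state the object will have after save, which is exactly the case the original question says roleMembershipRef misses. Because the minus set is skipped, a request that removes the role no longer matches, so the same constraint can be used for both enforcement and approval triggers.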