[midPoint] hasNoAssignment policy constraint

Pavol Mederly mederly at evolveum.com
Wed Oct 12 12:34:01 CEST 2022


Hello, Stéphane,

just a few general comments:

 1. I would search the midPoint sources for the <hasNoAssignment> string. We
    try to do the development seriously, so every feature should have
    (at least) one test for it. This one is no exception.
 2. I would search docs.evolveum.com for "hasNoAssignment". Here the
    situation is a bit worse. The feature is not quite finished - it was
    sponsored to some extent; but additional resources are needed to
    document it properly. However, this work-in-progress document could
    help:
    https://docs.evolveum.com/midpoint/devel/design/policy-constraints/.
    (The formatting problems are due to wiki migration.)
 3. As for debugging, policy constraints have neither a "<tracing>" flag
    nor a comprehensive troubleshooting methodology (as mappings do).
    So I use the (experimental) troubleshooting with traces
    <https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/>
    to diagnose issues with them.
 4. Personally, I would be greatly interested in how many installations
    do use policy rules, and this one in particular.

-- 
Pavol Mederly
Software developer
evolveum.com

On 10/10/2022 12:54, Delcourt Stéphane via midPoint wrote:
>
> Hi all,
>
> Does someone know how to deal with this policy constraint?
>
> My idea is to use it for role dependency as intended 
> https://jira.evolveum.com/browse/MID-4068
>
> So I want to add a policy constraint in role B to block a user from
> receiving it if they are not assigned role A.
>
> Here’s the code sample I’m using in role B:
>
>     <assignment>
>         <policyRule>
>             <name>exclude-if-no-role-a</name>
>             <policyConstraints>
>                 <hasNoAssignment>
>                     <targetRef oid="role_a_oid" type="RoleType"/>
>                 </hasNoAssignment>
>             </policyConstraints>
>             <policyActions>
>                 <enforcement/>
>             </policyActions>
>         </policyRule>
>     </assignment>
>
> But this does not trigger any error when I try to assign role B to a 
> user not having role A.
>
> What am I missing here?
>
> I don’t even know how to debug this.
>
> Thanks for your help
>
> *Stéphane Delcourt*
> IT specialist – System administrator - Developer
> www.ulb.be <http://www.ulb.ac.be/>
> *Département informatique, Service Applications métier*
> Av. F. Roosevelt 50, CP 251 - 1050 Bruxelles