[midPoint] hasNoAssignment policy constraint
Delcourt Stéphane
stephane.delcourt at ulb.be
Thu Oct 13 17:08:08 CEST 2022
Hi Pavol,
Thanks for all your suggestions. I did not know about the third one and gave it a try.
It helped me to understand that my policy constraint did not apply to a user having an assignment to role A, but to role B having an assignment to role A.
I now understand the meaning of the "evaluated on" column in the wiki, sorry about that.
Then I'm back at the beginning, and my main goal is to achieve the opposite of the exclusion constraint.
Stéphane Delcourt
Informaticien - Gestionnaire système - Développeur
From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Pavol Mederly via midPoint
Sent: Wednesday, 12 October 2022 12:34
To: midpoint at lists.evolveum.com
Cc: Pavol Mederly <mederly at evolveum.com>
Subject: Re: [midPoint] hasNoAssignment policy constraint
Hello, Stéphane,
just a few general comments:
1. I would search the midPoint sources for the <hasNoAssignment> string. We try to do the development seriously, so every feature should have (at least) one test for it. This one is no exception.
2. I would search docs.evolveum.com for "hasNoAssignment". Here the situation is a bit worse. The feature is not quite finished; it was sponsored to some extent, but additional resources are needed to document it properly. However, this work-in-progress document could help: https://docs.evolveum.com/midpoint/devel/design/policy-constraints/ (The formatting problems are due to wiki migration.)
3. As for debugging, policy constraints have neither a "<tracing>" flag nor the comprehensive troubleshooting methodology (as mappings do). So I use the (experimental) troubleshooting with traces <https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/> to diagnose issues with them.
4. Personally, I would be greatly interested in how many installations do use policy rules, and this one in particular.
--
Pavol Mederly
Software developer
evolveum.com
On 10/10/2022 12:54, Delcourt Stéphane via midPoint wrote:
Hi all,
Does someone know how to deal with this policy constraint?
My idea is to use it for role dependency, as intended in https://jira.evolveum.com/browse/MID-4068
So I want to add a policy constraint to role B to block a user from receiving it if they are not assigned role A.
Here's the code sample I'm using in role B:
<assignment>
    <policyRule>
        <name>exclude-if-no-role-a</name>
        <policyConstraints>
            <hasNoAssignment>
                <targetRef oid="role_a_oid" type="RoleType"/>
            </hasNoAssignment>
        </policyConstraints>
        <policyActions>
            <enforcement/>
        </policyActions>
    </policyRule>
</assignment>
But this does not trigger any error when I try to assign role B to a user who does not have role A.
What am I missing here?
I don't even know how to debug this.
Thanks for your help
Stéphane Delcourt
Informaticien - Gestionnaire système - Développeur
www.ulb.be <http://www.ulb.ac.be/>
Département informatique, Service Applications métier
Av. F. Roosevelt 50, CP 251 - 1050 Bruxelles
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint
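Added example, not from the thread and not a configuration either participant confirmed. Stéphane's follow-up observes that the rule placed in the <assignment> of role B had its hasNoAssignment constraint evaluated against role B itself (whether role B has an assignment to role A) rather than against the user. The assumption behind the fragment below is that a policy rule placed in an <inducement> of role B is carried to the objects that hold role B, i.e. the users, so that the focus-level "has no assignment to role A" check runs where it was meant to. The oid value is a placeholder; the namespace is midPoint's standard common-3 schema.

```xml
<!-- Added example, not from the mailing-list thread.
     Assumption: a policyRule inside <inducement> (not <assignment>) of role B
     is attached to the users that hold role B, so hasNoAssignment is checked
     against the user's own assignments rather than against role B's. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Role B</name>
    <inducement>
        <policyRule>
            <name>require-role-a</name>
            <policyConstraints>
                <hasNoAssignment>
                    <!-- placeholder; replace with the real oid of role A -->
                    <targetRef oid="role_a_oid" type="RoleType"/>
                </hasNoAssignment>
            </policyConstraints>
            <policyActions>
                <!-- enforcement: the operation is rejected when the constraint triggers -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>
```

Whichever placement is used, verify the rule rather than assume it: assign role B to a test user who does not hold role A and confirm the operation is actually rejected, then repeat with a user who does hold role A and confirm it succeeds. If nothing triggers, the trace-based troubleshooting Pavol links above is the way to see on which object the constraint was evaluated. Note that the thread ends with Stéphane still looking for the "opposite of exclusion" behaviour, so this fragment is a diagnostic step, not a confirmed solution.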