[midPoint] hasNoAssignment policy constraint
Pavol Mederly
mederly at evolveum.com
Thu Oct 13 19:26:19 CEST 2022
Hello Stéphane,
I would consider formulating the rule like this: "It is illegal to have
a role B and not have role A (at the same time)" - forgetting about the
assignment-oriented, transition-related "assignment" constraint, but
simply using two object-oriented, state-related ones: hasAssignment,
hasNoAssignment.
--
Pavol Mederly
Software developer
evolveum.com
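Pavol's suggestion above, written out as a midPoint policy rule (an added example, not from the thread or from Evolveum's documentation): a global policy rule in the system configuration whose constraint is the conjunction of hasAssignment on role B and hasNoAssignment on role A, so that it is evaluated on the user object rather than on role B as in Stéphane's original attempt. The `globalPolicyRule`, `focusSelector` and `and` elements and the `role_b_oid` placeholder are assumptions to be checked against the schema of the midPoint version in use.

```xml
<!-- Added example (not from the thread): a global policy rule expressing
     "it is illegal to have role B and not have role A (at the same time)".
     hasAssignment / hasNoAssignment are object-oriented constraints evaluated
     on the focus (here the user). Putting a hasNoAssignment rule into role B's
     own <assignment> evaluates it on role B itself, which is why the original
     attempt never triggered. globalPolicyRule, focusSelector, and <and> are
     assumed element names; role_b_oid is a placeholder OID. -->
<systemConfiguration
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <globalPolicyRule>
        <name>role-b-requires-role-a</name>
        <policyConstraints>
            <!-- Both sub-constraints must hold for the rule to trigger. -->
            <and>
                <!-- The user holds role B ... -->
                <hasAssignment>
                    <targetRef oid="role_b_oid" type="RoleType"/>
                </hasAssignment>
                <!-- ... but does not hold role A. -->
                <hasNoAssignment>
                    <targetRef oid="role_a_oid" type="RoleType"/>
                </hasNoAssignment>
            </and>
        </policyConstraints>
        <policyActions>
            <!-- Reject any operation that would leave the user in this state:
                 assigning B without A, or unassigning A while B is still held. -->
            <enforcement/>
        </policyActions>
        <!-- Evaluate on users only, not on roles or other focus types. -->
        <focusSelector>
            <type>UserType</type>
        </focusSelector>
    </globalPolicyRule>
</systemConfiguration>
```

Because the rule is state-based rather than transition-based, it also catches the reverse order of operations (removing role A from a user who already has role B), which a constraint placed only on the assignment of role B would not.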
On 13/10/2022 17:08, Delcourt Stéphane via midPoint wrote:
>
> Hi Pavol,
>
> Thanks for all your suggestions, I did not know about the third one
> and gave it a try.
>
> It helped me to understand that my policy constraint did not apply to a
> user having an assignment to role A, but to role B having an assignment
> to role A.
>
> I now understand the meaning of the “evaluated on” column in the wiki,
> sorry about that.
>
> Then I’m back at the beginning and my main goal is to achieve the
> opposite of exclusion constraint.
>
> *Stéphane Delcourt*
> Informaticien – Gestionnaire système - Développeur
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of*
> Pavol Mederly via midPoint
> *Sent:* Wednesday, 12 October 2022 12:34
> *To:* midpoint at lists.evolveum.com
> *Cc:* Pavol Mederly <mederly at evolveum.com>
> *Subject:* Re: [midPoint] hasNoAssignment policy constraint
>
> Hello, Stéphane,
>
> just a few general comments:
>
> 1. I would search the midPoint sources for <hasNoAssignment> string.
> We try to do the development seriously, so every feature should
> have (at least) one test for it. This one is no exception.
> 2. I would search the docs.evolveum.com for "hasNoAssignment". Here
> the situation is a bit worse. The feature is not quite finished -
> it was sponsored to some extent; but additional resources are
> needed to document it properly. However, this work-in-progress
> document could help:
> https://docs.evolveum.com/midpoint/devel/design/policy-constraints/
> (The formatting problems are due to wiki migration.)
> 3. As for debugging, policy constraints do not have "<tracing>" flag
> nor the comprehensive troubleshooting methodology (as mappings
> do). So I use the (experimental) troubleshooting with traces
> <https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/>
> to diagnose issues with them.
> 4. Personally, I would be greatly interested in how many
> installations do use policy rules, and this one in particular.
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 10/10/2022 12:54, Delcourt Stéphane via midPoint wrote:
>
> Hi all,
>
> Does someone know how to deal with this policy constraint?
>
> My idea is to use it for role dependency as intended in
> https://jira.evolveum.com/browse/MID-4068
>
> So I want to add a policy constraint in role B to block a user from
> receiving it if not assigned role A.
>
> Here’s the code sample I’m using in role B:
>
> <assignment>
>     <policyRule>
>         <name>exclude-if-no-role-a</name>
>         <policyConstraints>
>             <hasNoAssignment>
>                 <targetRef oid="role_a_oid" type="RoleType"/>
>             </hasNoAssignment>
>         </policyConstraints>
>         <policyActions>
>             <enforcement/>
>         </policyActions>
>     </policyRule>
> </assignment>
>
> But this does not trigger any error when I try to assign role B to
> a user not having role A.
>
> What am I missing here?
>
> I don’t even know how to debug this.
>
> Thanks for your help
>
> *Stéphane Delcourt*
> Informaticien – Gestionnaire système - Développeur
> www.ulb.be
> *Département informatique, Service Applications métier*
> Av. F. Roosevelt 50, CP 251 - 1050 Bruxelles
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint