[midPoint] hasNoAssignment policy constraint

Delcourt Stéphane stephane.delcourt at ulb.be
Fri Oct 14 10:30:15 CEST 2022


Thanks a lot, and sorry about the misunderstanding of the documentation here.
Found the solution:
I was placing the policy rule on role B as an assignment instead of an inducement.

Stéphane Delcourt
Informaticien - Gestionnaire système - Développeur

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Pavol Mederly via midPoint
Sent: Thursday, 13 October 2022 19:26
To: midpoint at lists.evolveum.com
Cc: Pavol Mederly <mederly at evolveum.com>
Subject: Re: [midPoint] hasNoAssignment policy constraint


Hello Stéphane,

I would consider formulating the rule like this: "It is illegal to have a role B and not have role A (at the same time)" - forgetting about the assignment-oriented, transition-related "assignment" constraint, but simply using two object-oriented, state-related ones: hasAssignment, hasNoAssignment.

--

Pavol Mederly

Software developer

evolveum.com
On 13/10/2022 17:08, Delcourt Stéphane via midPoint wrote:
Hi Pavol,

Thanks for all your suggestions. I did not know about the third one and gave it a try.
It helped me understand that my policy constraint did not apply to a user having an assignment to role A, but to role B having an assignment to role A.
I now understand the meaning of the "evaluated on" column in the wiki, sorry about that.

Then I'm back at the beginning, and my main goal is to achieve the opposite of the exclusion constraint.

Stéphane Delcourt
Informaticien - Gestionnaire système - Développeur

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Pavol Mederly via midPoint
Sent: Wednesday, 12 October 2022 12:34
To: midpoint at lists.evolveum.com
Cc: Pavol Mederly <mederly at evolveum.com>
Subject: Re: [midPoint] hasNoAssignment policy constraint


Hello, Stéphane,

just a few general comments:

  1.  I would search the midPoint sources for <hasNoAssignment> string. We try to do the development seriously, so every feature should have (at least) one test for it. This one is no exception.
  2.  I would search the docs.evolveum.com for "hasNoAssignment". Here the situation is a bit worse. The feature is not quite finished - it was sponsored to some extent; but additional resources are needed to document it properly. However, this work-in-progress document could help: https://docs.evolveum.com/midpoint/devel/design/policy-constraints/ (The formatting problems are due to wiki migration.)
  3.  As for debugging, policy constraints do not have a "<tracing>" flag nor the comprehensive troubleshooting methodology (as mappings do). So I use the (experimental) troubleshooting with traces (https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/) to diagnose issues with them.
  4.  Personally, I would be greatly interested in how many installations do use policy rules, and this one in particular.

--

Pavol Mederly

Software developer

evolveum.com
On 10/10/2022 12:54, Delcourt Stéphane via midPoint wrote:
Hi all,

Does anyone know how to deal with this policy constraint?
My idea is to use it for role dependency, as intended in https://jira.evolveum.com/browse/MID-4068
So I want to add a policy constraint in role B to block a user from receiving it if they are not assigned role A.
Here's the code sample I'm using in role B:
    <assignment>
        <policyRule>
            <name>exclude-if-no-role-a</name>
            <policyConstraints>
                <hasNoAssignment>
                    <targetRef oid="role_a_oid" type="RoleType"/>
                </hasNoAssignment>
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>

But this does not trigger any error when I try to assign role B to a user not having role A.

What am I missing here ?
I don't even know how to debug this.

Thanks for your help
Stéphane Delcourt
Informaticien - Gestionnaire système - Développeur
www.ulb.be
Département informatique, Service Applications métier
Av. F. Roosevelt 50, CP 251 - 1050 Bruxelles





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com

https://lists.evolveum.com/mailman/listinfo/midpoint



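The placement fix Stéphane arrives at, written out as a complete role definition. This is an added example, not code posted in the thread or shipped with midPoint; the OIDs role_a_oid and role_b_oid are the placeholders from the original snippet and must be replaced with the real OIDs of the two roles in your repository.

```xml
<!-- Added example: role B requires role A (inverse of an exclusion constraint).
     role_a_oid / role_b_oid are placeholders, not real OIDs. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="role_b_oid">
    <name>Role B</name>
    <!-- The rule lives in an INDUCEMENT, not an assignment. An inducement of
         role B is applied to every user who holds role B, so the policy rule is
         evaluated on that user. A policy rule placed in an assignment of role B
         is evaluated on role B itself, which is why the snippet in the first
         message never triggered. -->
    <inducement>
        <policyRule>
            <name>require-role-a</name>
            <policyConstraints>
                <!-- State constraint: triggers whenever the user does not hold
                     role A, independently of which operation led to that state. -->
                <hasNoAssignment>
                    <targetRef oid="role_a_oid" type="RoleType"/>
                </hasNoAssignment>
            </policyConstraints>
            <policyActions>
                <!-- Reject the operation with a policy violation. -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>
```

To check the rule, assign role B to a test user who does not have role A and confirm that midPoint rejects the operation with a policy violation; then assign role A and role B to the same user in one operation, which should succeed, since hasNoAssignment looks at the resulting state rather than at the transition (Pavol's "at the same time" above). Because it is a state constraint rather than the transition-related assignment constraint, the same rule also fires when role A is later unassigned from a user who keeps role B, which is exactly the dependency behaviour MID-4068 asks for; if you only want to guard the moment role B is granted, this is the caveat to keep in mind.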