[midPoint] hasNoAssignment policy constraint
Pavol Mederly
mederly at evolveum.com
Fri Oct 14 11:03:42 CEST 2022
Stéphane,
I am glad you found the solution. And there is no need to apologize! :)
--
Pavol Mederly
Software developer
evolveum.com
On 14/10/2022 10:30, Delcourt Stéphane via midPoint wrote:
>
> Thanks a lot and sorry about the misunderstanding of documentation here.
>
> Found the solution:
>
> I was placing policy rule on role B as assignment instead of inducement.
>
> *Stéphane Delcourt*
> Informaticien – Gestionnaire système - Développeur
>
> *From:*midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of
> *Pavol Mederly via midPoint
> *Sent:* Thursday, 13 October 2022 19:26
> *To:* midpoint at lists.evolveum.com
> *Cc:* Pavol Mederly <mederly at evolveum.com>
> *Subject:* Re: [midPoint] hasNoAssignment policy constraint
>
> Hello Stéphane,
>
> I would consider formulating the rule like this: "It is illegal to
> have a role B and not have role A (at the same time)" - forgetting
> about the assignment-oriented, transition-related "assignment"
> constraint, but simply using two object-oriented, state-related ones:
> hasAssignment, hasNoAssignment.
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 13/10/2022 17:08, Delcourt Stéphane via midPoint wrote:
>
> Hi Pavol,
>
> Thanks for all your suggestions, I did not know about the third
> one and gave it a try.
>
> It helps me to understand that my policy constraint did not apply
> to user having assignment to role A but to role B having assignment
> to role A.
>
> I now understand the meaning of “evaluated on” column in the wiki,
> sorry about that.
>
> Then I’m back at the beginning and my main goal is to achieve the
> opposite of exclusion constraint.
>
> *Stéphane Delcourt*
> Informaticien – Gestionnaire système - Développeur
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of*
> Pavol Mederly via midPoint
> *Sent:* Wednesday, 12 October 2022 12:34
> *To:* midpoint at lists.evolveum.com
> *Cc:* Pavol Mederly <mederly at evolveum.com>
> *Subject:* Re: [midPoint] hasNoAssignment policy constraint
>
> Hello, Stéphane,
>
> just a few general comments:
>
> 1. I would search the midPoint sources for <hasNoAssignment>
> string. We try to do the development seriously, so every
> feature should have (at least) one test for it. This one is no
> exception.
> 2. I would search the docs.evolveum.com for "hasNoAssignment".
> Here the situation is a bit worse. The feature is not quite
> finished - it was sponsored to some extent; but additional
> resources are needed to document it properly. However, this
> work-in-progress document could help:
> https://docs.evolveum.com/midpoint/devel/design/policy-constraints/.
> (The formatting problems are due to wiki migration.)
> 3. As for debugging, policy constraints do not have "<tracing>"
> flag nor the comprehensive troubleshooting methodology (as
> mappings do). So I use the (experimental) troubleshooting with
> traces
> <https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/>
> to diagnose issues with them.
> 4. Personally, I would be greatly interested in how many
> installations do use policy rules, and this one in particular.
>
> --
>
> Pavol Mederly
>
> Software developer
>
> evolveum.com
>
> On 10/10/2022 12:54, Delcourt Stéphane via midPoint wrote:
>
> Hi all,
>
> Does someone know how to deal with this policy constraint?
>
> My idea is to use it for role dependency as intended
> https://jira.evolveum.com/browse/MID-4068
>
> So I want to add a policy constraint in role B to block a user from
> receiving it if not assigned role A.
>
> Here’s the code sample I’m using in role B:
>
> <assignment>
>     <policyRule>
>         <name>exclude-if-no-role-a</name>
>         <policyConstraints>
>             <hasNoAssignment>
>                 <targetRef oid="role_a_oid" type="RoleType"/>
>             </hasNoAssignment>
>         </policyConstraints>
>         <policyActions>
>             <enforcement/>
>         </policyActions>
>     </policyRule>
> </assignment>
>
> But this does not trigger any error when I try to assign role
> B to a user not having role A.
>
> What am I missing here ?
>
> I don’t even know how to debug this.
>
> Thanks for your help
>
> *Stéphane Delcourt*
> Informaticien – Gestionnaire système - Développeur
> www.ulb.be
> *Département informatique, Service Applications métier*
> Av. F. Roosevelt 50, CP 251 - 1050 Bruxelles
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
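
The fix reported at the top of this thread, written out as an added example (not code from the original posts or from the midPoint project): the policy rule from the question, moved from an `<assignment>` to an `<inducement>` of role B, so that it is evaluated on the users who hold role B rather than on role B itself. `role_a_oid` is the placeholder used in the original post; the `<role>` wrapper, the `role_b_oid` placeholder and the role name are assumptions.

```xml
<!-- Role B: requires that its holder also has role A.
     OIDs are placeholders; replace them with the real object identifiers. -->
<role oid="role_b_oid"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Role B</name>

    <!-- Before (from the question): the rule sat in <assignment>.
         An assignment on role B applies to role B itself, so the
         hasNoAssignment constraint was checked against role B's own
         assignments and was not evaluated on the user receiving role B. -->

    <!-- After: an inducement is applied to whoever holds role B,
         so the constraint is evaluated on the user. -->
    <inducement>
        <policyRule>
            <name>exclude-if-no-role-a</name>
            <policyConstraints>
                <!-- State-related constraint: triggers when the object
                     being evaluated (the user) has no assignment of role A. -->
                <hasNoAssignment>
                    <targetRef oid="role_a_oid" type="RoleType"/>
                </hasNoAssignment>
            </policyConstraints>
            <policyActions>
                <!-- Reject the operation when the constraint triggers. -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>
```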