[midPoint] Limiting values that can be set in a user object (via policy?)

Sven Feyerabend Sven.Feyerabend at stuvus.uni-stuttgart.de
Sun Jan 5 00:09:03 CET 2025


Hi everyone,

I have a setup with delegated administration, which allows different 
admins access to a multi-value property of certain users independently 
of each other.
These admins should only be able to put certain values that match their 
individual responsibility into the property.

Is there a way to limit the modification of properties by their value?
I would imagine there is some way to achieve this using policies.
However, I have been unable to figure out a way to obtain the delta that 
a modification entails in an expression within a policyAction.
My attempt thus far looks like this:

<globalPolicyRule>
    <name>modify-attr</name>
    <focusSelector>
        <type>UserType</type>
    </focusSelector>
    <policyConstraints>
        <or>
            <modification>
                <operation>add</operation>
                <item>extension/attr</item>
            </modification>
            <modification>
                <operation>modify</operation>
                <item>extension/attr</item>
            </modification>
            <modification>
                <expression>
                    <script>
                        <code>
                            // Some expression to potentially check whether the modification is valid
                        </code>
                    </script>
                </expression>
            </modification>
        </or>
    </policyConstraints>
    <policyActions>
        <enforcement>
            <condition>
                <script>
                    <code>
                        // Some expression to potentially check whether the modification is valid...
                    </code>
                </script>
            </condition>
        </enforcement>
    </policyActions>
</globalPolicyRule>

Neither expression seems to have a variable containing the 
modification itself as input.
Am I missing something?
I would have expected access to the specific modification at least in 
the policyConstraint section.

Any help would be appreciated!

Thanks in advance and regards,

Sven

-- 
Sven Feyerabend
stuvus – Studierendenvertretung Universität Stuttgart
Pfaffenwaldring 5c
70569 Stuttgart