[midPoint] Issue with SOD policy if violation comes from OrgType inducement
Yakov Revyakin
yrevyakin at gmail.com
Fri Sep 19 16:23:47 CEST 2025
Hi Everyone,
I have a "high-app" role with an exclusion of the "low-app" role. The exclusion policy
action is "record". Both roles are already assigned. The "high-app" role is
assigned indirectly via inducement in the "Manila" orgUnit (the "Manila" orgUnit
is assigned to the user). "low-app" is assigned directly via the user's
roles and is marked with the "Exclusion violation" mark, which is expected.
I select reconcile in the user's options and run preview.
Reconciliation preview shows that Midpoint recognises that "Manila" is a
source of policy violation and tries to mark the unit as "Exclusion
violation". This is what I expect.
But after that something strange happens - Midpoint unassigns and assigns
again the unit. I suppose that this results in losing information about the
mark - I can't find any policy artefacts in the raw XML attached to the unit
assignment after reconciliation.
Any ideas around this issue?
[image: image.png]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 62555 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250919/b2ccd7a4/attachment-0001.png>