<div dir="ltr">Hi, you can also use a filter like this:<div><br></div><div><div><role xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:gen45="http://prism.evolveum.com/xml/ns/public/debug" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"</div><div>oid="sod-meta-role" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"></div>
<div>      <activation></div><div>         <effectiveStatus>enabled</effectiveStatus></div><div>      </activation></div>
<div>      <iteration>0</iteration></div><div>      <iterationToken/></div>
<div>      <inducement></div><div>        <policyRule></div><div>            <policyConstraints></div><div>                <exclusion></div><div>                    <targetRef type="RoleType"></div>
<div>                        <filter></div><div>                            <q:ref></div><div>                                <q:path>assignment/targetRef</q:path></div><div>                                <q:value oid="sod-meta-role" type="RoleType"/></div><div>                            </q:ref></div><div>                        </filter></div>
<div>                        <resolutionTime>run</resolutionTime></div><div>                    </targetRef></div><div>                </exclusion></div><div>            </policyConstraints></div>
<div>            <policyActions></div><div>                <prune/></div><div>            </policyActions></div><div>        </policyRule></div><div>      </inducement></div><div>   </role></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-02-05 9:26 GMT+01:00 Wojciech Staszewski <span dir="ltr"><<a href="mailto:wojciech.staszewski@diagnostyka.pl" target="_blank">wojciech.staszewski@diagnostyka.pl</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
I haven't tried exclusions yet, so I may be wrong.<br>
Have you tried something like this:<br>
<span class=""><br>
<exclusion><br>
   <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/><br>
</span><span class="">   <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/><br>
</exclusion><br>
<br>
</span>?<br>
<br>
Regards,<br>
WS<br>
<br>
On 05.02.2018 at 08:33, Jan Kaspar wrote:<br>
<div><div class="h5">> Hello,<br>
><br>
> I tried to apply SoD for some groups / orgs. It works only if I specify only one excluded role.<br>
><br>
> Here is an example of an Org with exclusion of one or two roles. If I uncomment the second exclude definition,<br>
> then I am able to assign one of those roles; I got an error only in the case that I tried to assign both of the excluded<br>
> roles. Is that an error? I can solve this by specifying multiple policies. But I think this is not optimal.<br>
><br>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" <br>
> xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" <br>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" <br>
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" <br>
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" <br>
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" <br>
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" <br>
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" <br>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5"><br>
>       <name>Admin Accounts</name><br>
>       <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/><br>
>       <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/><br>
>       <assignment><br>
>          <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/><br>
>          <activation><br>
>             <effectiveStatus>enabled</effectiveStatus><br>
>          </activation><br>
>       </assignment><br>
>       <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/><br>
>       <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/><br>
>       <displayName>Admin Accounts</displayName><br>
>       <inducement><br>
>          <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/><br>
>       </inducement><br>
>       <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/><br>
>       <assignment><br>
>         <policyRule><br>
>             <name>Excluded-Roles!</name><br>
>             <policyConstraints><br>
>                 <exclusion><br>
>                     <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/><br>
>                 </exclusion><br>
> <!--                 <exclusion><br>
>                 <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/><br>
>                 </exclusion> --><br>
>             </policyConstraints><br>
>             <policyActions><br>
>                 <enforcement/><br>
>             </policyActions><br>
>         </policyRule><br>
>     </assignment><br>
>    </org><br>
><br>
> Thanks Jan<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> midPoint mailing list<br>
> <a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p><span style="font-size:14px;font-weight:bold">Oskar Butovič</span><br>solution architect<br><br>gsm: [+420] 774 480 101<br>e-mail: <a href="mailto:oskar.butovic@ami.cz" target="_blank">oskar.butovic@ami.cz</a></p><p>AMI Praha a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: [+420] 274 783 239<br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p><p>By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be made exclusively in written form.</p></div></div>
</div>
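Worked example, added here and not code from the thread or from midPoint: a small Python script that resolves both forms of exclusion constraint seen in this thread, the explicit targetRef oid used in Jan's org and the q:ref filter on assignment/targetRef used in the sod-meta-role, into concrete role OIDs, and then reports which of a set of assigned roles exclude each other. It goes slightly beyond the posted configurations by handling both forms in one resolver. The XML is constructed for the example (only the sod-meta-role definition mirrors the posted one; role-a, role-b, role-c and role-d are hypothetical), and the one-level assignment/inducement walk is a simplifying assumption rather than midPoint's evaluation engine.

```python
"""Resolve midPoint-style exclusion constraints to concrete role OIDs and
check a set of assignments for conflicts.  Added illustration, not midPoint
code; the XML is constructed and the inducement walk is simplified."""
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q = "http://prism.evolveum.com/xml/ns/public/query-3"
NS = {"c": C, "q": Q}

# Constructed sample objects; role-a .. role-d are hypothetical OIDs.
ROLES_XML = f"""
<objects xmlns="{C}" xmlns:q="{Q}">
  <role oid="sod-meta-role">
    <inducement>
      <policyRule>
        <policyConstraints>
          <exclusion>
            <targetRef type="RoleType">
              <filter>
                <q:ref>
                  <q:path>assignment/targetRef</q:path>
                  <q:value oid="sod-meta-role" type="RoleType"/>
                </q:ref>
              </filter>
              <resolutionTime>run</resolutionTime>
            </targetRef>
          </exclusion>
        </policyConstraints>
        <policyActions><prune/></policyActions>
      </policyRule>
    </inducement>
  </role>
  <role oid="role-a"><name>Payment creator</name>
    <assignment><targetRef oid="sod-meta-role" type="RoleType"/></assignment>
  </role>
  <role oid="role-b"><name>Payment approver</name>
    <assignment><targetRef oid="sod-meta-role" type="RoleType"/></assignment>
  </role>
  <role oid="role-c"><name>Reader</name></role>
  <role oid="role-d"><name>Auditor</name>
    <assignment><policyRule><policyConstraints>
      <exclusion><targetRef oid="role-c" type="RoleType"/></exclusion>
    </policyConstraints><policyActions><enforcement/></policyActions></policyRule></assignment>
  </role>
</objects>
"""

def load_roles(xml_text):
    """Map role OID -> element."""
    root = ET.fromstring(xml_text)
    return {r.get("oid"): r for r in root.findall("c:role", NS)}

def path_points_at(elem, item_path, oid):
    """True if an element reached by item_path (e.g. assignment/targetRef)
    under elem carries the given oid attribute."""
    xpath = "/".join("c:" + step for step in item_path.split("/"))
    return any(e.get("oid") == oid for e in elem.findall(xpath, NS))

def exclusion_targets(rule_holder, roles):
    """OIDs named by every exclusion constraint under rule_holder, given
    either as an explicit targetRef oid or as a q:ref filter to resolve."""
    targets = set()
    for tref in rule_holder.findall(".//c:exclusion/c:targetRef", NS):
        if tref.get("oid"):
            targets.add(tref.get("oid"))
            continue
        ref = tref.find("c:filter/q:ref", NS)
        if ref is None:
            continue
        item_path = ref.findtext("q:path", namespaces=NS)
        wanted = ref.find("q:value", NS).get("oid")
        targets.update(o for o, r in roles.items() if path_points_at(r, item_path, wanted))
    return targets

def effective_exclusions(role_oid, roles):
    """Targets excluded by a role: rules in its own assignments plus rules
    induced by the roles it is assigned to.  A role never excludes itself."""
    role, excluded = roles[role_oid], set()
    for rule in role.findall("c:assignment/c:policyRule", NS):
        excluded |= exclusion_targets(rule, roles)
    for tref in role.findall("c:assignment/c:targetRef", NS):
        parent = roles.get(tref.get("oid"))
        if parent is not None:
            for rule in parent.findall("c:inducement/c:policyRule", NS):
                excluded |= exclusion_targets(rule, roles)
    excluded.discard(role_oid)
    return excluded

def violations(assigned, roles):
    """Unordered pairs of assigned roles where one excludes the other."""
    assigned, found = set(assigned), set()
    for oid in assigned:
        for other in effective_exclusions(oid, roles) & assigned:
            found.add(tuple(sorted((oid, other))))
    return sorted(found)

if __name__ == "__main__":
    roles = load_roles(ROLES_XML)
    print("meta-role excludes:", sorted(exclusion_targets(roles["sod-meta-role"], roles)))
    print("conflicts:", violations({"role-a", "role-b", "role-c"}, roles))
```

Run stand-alone it prints the set the meta-role's filter resolves to (role-a and role-b) and the single conflicting pair for the sample assignment set. The point of the filter form over a list of explicit targetRef oids is visible in the resolver: the mutually exclusive set is derived from which roles are currently assigned to the meta-role, so adding a role to the SoD group means assigning it to the meta-role rather than editing the policy, and the resolutionTime element in the posted role asks midPoint to do that resolution at run time rather than once at import.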