<html><body><p>Hello,</p>
<p>I tried to apply SoD for some of the groups / orgs. It works only if I specify only one excluded role.</p>
<p>Here is an example of an Org with exclusion of one or two roles. If I uncomment the second exclude definition,
then I am able to assign one of those roles; I got an error only in the case that I tried to assign both of the excluded
roles. Is that an error? I can solve this by specifying multiple policies, but I think this is not optimal.</p>
<pre>
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5">
      <name>Admin Accounts</name>
      <parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
      <parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
      <assignment>
         <targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
         <activation>
            <effectiveStatus>enabled</effectiveStatus>
         </activation>
      </assignment>
      <roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/>
      <roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/>
      <displayName>Admin Accounts</displayName>
      <inducement>
         <targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/>
      </inducement>
      <securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/>
      <assignment>
        <policyRule>
            <name>Excluded-Roles!</name>
            <policyConstraints>
                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
                </exclusion>
<!--                <exclusion>
                    <targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/>
                </exclusion> -->
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>
</org>
</pre>
<p>Thanks, Jan</p></body></html>