<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello Jan,</p>
    <p>this is by design. <br>
    </p>
    <p>A policy rule contains a set of policy constraints, which are -
      by default - treated as a conjunction (i.e. connected by "and").
      It means that in order for a rule to fire, all of the constraints
      must match.</p>
    <p>Fortunately, the policy constraints language in 3.7 is quite
      rich. It allows you to specify arbitrary logic expressions using
      "and", "or" and "not" operators. Please have a look at <a
        href="https://wiki.evolveum.com/display/midPoint/Policy+Constraints">https://wiki.evolveum.com/display/midPoint/Policy+Constraints</a>.
      Although it is quite unfinished and in progress, most of the ideas
      were implemented in midPoint 3.7. Your case is covered by the
      first example on that page:</p>
    <pre>&lt;policyRule&gt;
    &lt;name&gt;criminal exclusion&lt;/name&gt;
    &lt;policyConstraints&gt;
    &lt;!-- triggers if Judge, Pirate, and/or Thief is assigned in addition to the current assignment --&gt;
        &lt;or&gt;
            &lt;exclusion&gt;
                &lt;targetRef oid="12345111-1111-2222-1111-121212111111" type="RoleType"/&gt; &lt;!-- Judge --&gt;
            &lt;/exclusion&gt;
            &lt;exclusion&gt;
                &lt;targetRef oid="12345678-d34d-b33f-f00d-555555556666" type="RoleType"/&gt; &lt;!-- Pirate --&gt;
            &lt;/exclusion&gt;
            &lt;exclusion&gt;
                &lt;targetRef oid="b189fcb8-1ff9-11e5-8912-001e8c717e5b" type="RoleType"/&gt; &lt;!-- Thief --&gt;
            &lt;/exclusion&gt;
        &lt;/or&gt;
    &lt;/policyConstraints&gt;
    &lt;policyActions&gt;
        &lt;enforcement&gt; ... &lt;/enforcement&gt;
    &lt;/policyActions&gt;
&lt;/policyRule&gt;
</pre>
    <p>Of course, what Oskar suggested is valid as well. You can use a
      filter to specify more targets at once. (It is not possible to
      specify more targetRef elements in one exclusion element,
      though.)</p>
    <p>Hope this helps.<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
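    <p>To make the conjunction-versus-disjunction point concrete, here is a small Python model added to this thread (it is not midPoint's own evaluation code; it simplifies an exclusion to "the excluded role's OID is among the user's other assigned roles", and the handling of <code>not</code> is an assumption). It shows that two sibling exclusions only trigger when both roles are held, while the <code>&lt;or&gt;</code> form triggers on either one:</p>

```python
"""Simplified model (added example, not midPoint's own code) of how midPoint 3.7
policy constraints combine: sibling constraints are an implicit "and", while
<or> makes any single match enough. An exclusion is simplified to "the excluded
role OID appears among the other assigned roles"."""
import xml.etree.ElementTree as ET

# Role OIDs taken from the wiki example quoted above (Judge and Pirate).
JUDGE = "12345111-1111-2222-1111-121212111111"
PIRATE = "12345678-d34d-b33f-f00d-555555556666"

# Two exclusions as direct children of policyConstraints: implicit conjunction.
RULE_IMPLICIT_AND = f"""<policyConstraints>
  <exclusion><targetRef oid="{JUDGE}" type="RoleType"/></exclusion>
  <exclusion><targetRef oid="{PIRATE}" type="RoleType"/></exclusion>
</policyConstraints>"""

# The same exclusions wrapped in <or>: any one excluded role triggers the rule.
RULE_OR = f"""<policyConstraints><or>
  <exclusion><targetRef oid="{JUDGE}" type="RoleType"/></exclusion>
  <exclusion><targetRef oid="{PIRATE}" type="RoleType"/></exclusion>
</or></policyConstraints>"""


def constraint_fires(elem, assigned):
    """True if the constraint element triggers for the given set of role OIDs."""
    if elem.tag == "exclusion":
        return elem.find("targetRef").get("oid") in assigned
    if elem.tag in ("policyConstraints", "and"):
        # Default semantics: every child constraint must match.
        return all(constraint_fires(child, assigned) for child in elem)
    if elem.tag == "or":
        return any(constraint_fires(child, assigned) for child in elem)
    if elem.tag == "not":  # assumption: negates the conjunction of its children
        return not all(constraint_fires(child, assigned) for child in elem)
    raise ValueError(f"unsupported constraint element: {elem.tag}")


def rule_fires(rule_xml, assigned_oids):
    """Parse a policyConstraints fragment and evaluate it against assigned roles."""
    return constraint_fires(ET.fromstring(rule_xml), frozenset(assigned_oids))


if __name__ == "__main__":
    for label, rule in (("implicit and", RULE_IMPLICIT_AND), ("or", RULE_OR)):
        for roles in ({JUDGE}, {JUDGE, PIRATE}):
            print(f"{label:12} with {len(roles)} excluded role(s) assigned:",
                  rule_fires(rule, roles))
```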
    <div class="moz-cite-prefix">On 05.02.2018 8:33, Jan Kaspar wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:7%7BR.vU6.6N6Foq4Rvaa.1QU0Yx@seznam.cz">
      Hello,
      <div><br>
      </div>
      <div>I tried to apply SoD for some of the groups / orgs. It works only
        if I specify only one excluded role.</div>
      <div><br>
      </div>
      <div>Here is an example of an Org with exclusion of one or two roles.
        If I uncomment the second exclude definition,</div>
      <div>then I am able to assign one of those roles; I get an error
        only in case I try to assign both of the excluded</div>
      <div>roles. Is that an error? I can solve this by specifying
        multiple policies. But I think this is not optimal.</div>
      <div><br>
      </div>
      <pre>&lt;org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5"&gt;
      &lt;name&gt;Admin Accounts&lt;/name&gt;
      &lt;parentOrgRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/&gt;
      &lt;parentOrgRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/&gt;
      &lt;assignment&gt;
         &lt;targetRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/&gt;
         &lt;activation&gt;
           &lt;effectiveStatus&gt;enabled&lt;/effectiveStatus&gt;
         &lt;/activation&gt;
      &lt;/assignment&gt;
      &lt;roleMembershipRef oid="a2cd50c1-b115-44ae-88af-792588acc0e4" relation="org:default" type="c:OrgType"/&gt;
      &lt;roleMembershipRef oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9" relation="org:default" type="c:OrgType"/&gt;
      &lt;displayName&gt;Admin Accounts&lt;/displayName&gt;
      &lt;inducement&gt;
         &lt;targetRef oid="57713b87-17af-44fe-b4ed-7f158a4fa030" relation="org:default" type="c:RoleType"/&gt;
      &lt;/inducement&gt;
      &lt;securityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" relation="org:default" type="c:SecurityPolicyType"/&gt;
      &lt;assignment&gt;
        &lt;policyRule&gt;
            &lt;name&gt;Excluded-Roles!&lt;/name&gt;
            &lt;policyConstraints&gt;
                &lt;exclusion&gt;
                    &lt;targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/&gt;
                &lt;/exclusion&gt;
&lt;!--                &lt;exclusion&gt;
                    &lt;targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/&gt;
                &lt;/exclusion&gt; --&gt;
            &lt;/policyConstraints&gt;
            &lt;policyActions&gt;
                &lt;enforcement/&gt;
            &lt;/policyActions&gt;
        &lt;/policyRule&gt;
      &lt;/assignment&gt;
&lt;/org&gt;
</pre>
      <div><br>
      </div>
      <div>Thanks Jan</div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>