<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Jan,</p>
<p>this is by design. <br>
</p>
<p>A policy rule contains a set of policy constraints, which are -
by default - treated as a conjunction (i.e. connected by "and").
It means that in order for a rule to fire, all of the constraints
must match.</p>
<p>Fortunately, the policy constraints language in 3.7 is quite
rich. It allows to specify arbitrary logic expressions using
"and", "or" and "not" operators. Please have a look at <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Policy+Constraints">https://wiki.evolveum.com/display/midPoint/Policy+Constraints</a>.
Although it is quite unfinished and in progress, most of the ideas
were implemented in midPoint 3.7. Your case is covered by the
first example on that page:</p>
<div class="container" title="Hint: double-click to select code">
<div class="line number1 index0 alt2"><code class="xml plain"><</code><code
class="xml keyword">policyRule</code><code class="xml plain">></code></div>
<div class="line number2 index1 alt1"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">name</code><code
class="xml plain">>criminal exclusion</</code><code
class="xml keyword">name</code><code class="xml plain">></code></div>
<div class="line number3 index2 alt2"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">policyConstraints</code><code
class="xml plain">></code></div>
<div class="line number4 index3 alt1"><code class="xml spaces"> </code><code
class="xml comments"><!-- triggers if Judge, Pirate, and/or
Thief is assigned in addition to the current assignment --></code></div>
<div class="line number5 index4 alt2"><code class="xml spaces"> </code><code
class="xml plain"> <</code><code class="xml keyword">or</code><code
class="xml plain">></code></div>
<div class="line number6 index5 alt1"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">exclusion</code><code
class="xml plain">></code></div>
<div class="line number7 index6 alt2"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">targetRef</code>
<code class="xml color1">oid</code><code class="xml plain">=</code><code
class="xml string">"12345111-1111-2222-1111-121212111111"</code>
<code class="xml color1">type</code><code class="xml plain">=</code><code
class="xml string">"RoleType"</code><code class="xml plain">/>
</code><code class="xml comments"><!-- Judge --></code></div>
<div class="line number8 index7 alt1"><code class="xml spaces"> </code><code
class="xml plain"></</code><code class="xml keyword">exclusion</code><code
class="xml plain">></code></div>
<div class="line number9 index8 alt2"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">exclusion</code><code
class="xml plain">></code></div>
<div class="line number10 index9 alt1"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">targetRef</code>
<code class="xml color1">oid</code><code class="xml plain">=</code><code
class="xml string">"12345678-d34d-b33f-f00d-555555556666"</code>
<code class="xml color1">type</code><code class="xml plain">=</code><code
class="xml string">"RoleType"</code><code class="xml plain">/>
</code><code class="xml comments"><!-- Pirate --></code></div>
<div class="line number11 index10 alt2"><code class="xml spaces"> </code><code
class="xml plain"></</code><code class="xml keyword">exclusion</code><code
class="xml plain">></code></div>
<div class="line number12 index11 alt1"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">exclusion</code><code
class="xml plain">></code></div>
<div class="line number13 index12 alt2"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">targetRef</code>
<code class="xml color1">oid</code><code class="xml plain">=</code><code
class="xml string">"b189fcb8-1ff9-11e5-8912-001e8c717e5b"</code>
<code class="xml color1">type</code><code class="xml plain">=</code><code
class="xml string">"RoleType"</code><code class="xml plain">/>
</code><code class="xml comments"><!-- Thief --></code></div>
<div class="line number14 index13 alt1"><code class="xml spaces"> </code><code
class="xml plain"></</code><code class="xml keyword">exclusion</code><code
class="xml plain">></code></div>
<div class="line number15 index14 alt2"><code class="xml spaces"> </code><code
class="xml plain"></</code><code class="xml keyword">or</code><code
class="xml plain">></code></div>
<div class="line number16 index15 alt1"><code class="xml spaces"> </code><code
class="xml plain"></</code><code class="xml keyword">policyConstraints</code><code
class="xml plain">></code></div>
<div class="line number17 index16 alt2"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">policyActions</code><code
class="xml plain">></code></div>
<div class="line number18 index17 alt1"><code class="xml spaces"> </code><code
class="xml plain"><</code><code class="xml keyword">enforcement</code><code
class="xml plain">> ... </</code><code class="xml
keyword">enforcement</code><code class="xml plain">></code></div>
<div class="line number19 index18 alt2"><code class="xml spaces"> </code><code
class="xml plain"></</code><code class="xml keyword">policyActions</code><code
class="xml plain">></code></div>
<div class="line number20 index19 alt1"><code class="xml plain"></</code><code
class="xml keyword">policyRule</code><code class="xml plain">><br>
</code><code class="xml plain"></code>
<p>Of course, what have Oskar suggested, is valid as well. You
can use a filter to specify more targets at once. (It is not
possible to specify more targetRef elements in one exclusion
element, though.)</p>
<p>Hope this helps.<br>
</p>
</div>
</div>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 05.02.2018 8:33, Jan Kaspar wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7%7BR.vU6.6N6Foq4Rvaa.1QU0Yx@seznam.cz">
<meta http-equiv="Context-Type" content="text/html; charset=utf-8">
Hello,
<div><br>
</div>
<div>i tryed to apply SoD for some of groups / orgs. It works only
if I specify only one exluded role.</div>
<div><br>
</div>
<div>Here is an example of Org with exlusion of one or two roles.
If I uncomment second exclude definition,</div>
<div>then i am able to assing one of those roles, I got an error
only in case that i tryed to assign both of excluded</div>
<div>roles. Is that an error? I can solve this by specifying
multiple policies. But I think this is not optimal.</div>
<div><br>
</div>
<div>
<div><org
xmlns=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a> </div>
<div><span> </span>
xmlns:apti=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">"http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"</a> </div>
<div><span> </span>
xmlns:c=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a> </div>
<div><span> </span>
xmlns:icfs=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a> </div>
<div><span> </span>
xmlns:org=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/org-3">"http://midpoint.evolveum.com/xml/ns/public/common/org-3"</a> </div>
<div><span> </span>
xmlns:q=<a class="moz-txt-link-rfc2396E" href="http://prism.evolveum.com/xml/ns/public/query-3">"http://prism.evolveum.com/xml/ns/public/query-3"</a> </div>
<div><span> </span>
xmlns:ri=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a> </div>
<div><span> </span>
xmlns:t=<a class="moz-txt-link-rfc2396E" href="http://prism.evolveum.com/xml/ns/public/types-3">"http://prism.evolveum.com/xml/ns/public/types-3"</a> </div>
<div><span> </span>
xmlns:xsi=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/XMLSchema-instance">"http://www.w3.org/2001/XMLSchema-instance"</a>
oid="5bdac06d-c192-4569-acf6-d432ad555fc4" version="5"></div>
<div> <name>Admin Accounts</name></div>
<div> <parentOrgRef
oid="a2cd50c1-b115-44ae-88af-792588acc0e4"
relation="org:default" type="c:OrgType"/></div>
<div> <parentOrgRef
oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9"
relation="org:default" type="c:OrgType"/></div>
<div> <assignment></div>
<div> <targetRef
oid="a2cd50c1-b115-44ae-88af-792588acc0e4"
relation="org:default" type="c:OrgType"/></div>
<div> <activation></div>
<div>
<effectiveStatus>enabled</effectiveStatus></div>
<div> </activation></div>
<div> </assignment></div>
<div> <roleMembershipRef
oid="a2cd50c1-b115-44ae-88af-792588acc0e4"
relation="org:default" type="c:OrgType"/></div>
<div> <roleMembershipRef
oid="2b538ce4-01e4-4aa1-8dc1-0c2eba8203a9"
relation="org:default" type="c:OrgType"/></div>
<div> <displayName>Admin Accounts</displayName></div>
<div> <inducement></div>
<div> <targetRef
oid="57713b87-17af-44fe-b4ed-7f158a4fa030"
relation="org:default" type="c:RoleType"/></div>
<div> </inducement></div>
<div> <securityPolicyRef
oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1"
relation="org:default" type="c:SecurityPolicyType"/></div>
<div> <assignment></div>
<div> <policyRule></div>
<div> <name>Excluded-Roles!</name></div>
<div> <policyConstraints></div>
<div> <exclusion></div>
<div> <targetRef
oid="00000000-0000-0000-0000-000000000004"
type="RoleType"/></div>
<div> </exclusion></div>
<div><!-- <exclusion></div>
<div> <span> </span><targetRef
oid="00000000-0000-0000-0000-00000000000a"
type="RoleType"/></div>
<div> </exclusion> --></div>
<div> </policyConstraints></div>
<div> <policyActions></div>
<div> <enforcement/></div>
<div> </policyActions></div>
<div> </policyRule></div>
<div> </assignment></div>
<div> </org></div>
</div>
<div><br>
</div>
<div>Thanks Jan</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>