<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Arnošt,</p>
<p>what does your state constraint (and the whole policy rule) look
like?</p>
<p>I am aware of some issues related to constraint evaluation, but I
think this could work.<br>
</p>
<p>And, by the way, haven't you considered the <tt>hasAssignment</tt>
constraint? It should support direct, indirect, and both modes of
assignment.<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 11.05.2018 17:36, Arnošt Starosta -
AMI Praha a.s. wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGPA3FLvbCyM0QqKVZTeQmytqShoPMpbOrUFT67cTZw_Et6TyQ@mail.gmail.com">
<div dir="ltr">Hi all,
<div><br>
</div>
<div>I want to check that the identity has a direct or indirect
assignment to a role in a scripted object state policy
constraint. And it almost works .)</div>
<div><br>
</div>
<div>The script uses user.roleMembershipRef to determine if a
user 'has' a given role.</div>
<div><br>
</div>
<div>In GUI Preview everything works nicely, policy matches,
roleMembershipRef contains the assigned roles.</div>
<div><br>
</div>
<div>But when you click 'Save', roleMembershipRef does not
reflect the new state, the newly assigned roles are not there
as in preview. My policy now effectively checks the old object
state only.</div>
<div><br>
</div>
<div>Do you know any other way to check for directly or
indirectly assigned roles in a policy constraint? </div>
<div><br>
</div>
<div>Checking only directly assigned roles seems to work OK with
user.assignment (midpoint.isDirectlyAssigned()). I can't find
any way to trigger the policy after roleMembershipRefs are
evaluated.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>arnost<br clear="all">
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>