<div dir="ltr">Hi Pavol,<div><br></div><div>thank you for the tip, however I can't use <span style="font-family:monospace;font-size:8px">hasAssignment</span> as I need to combine several conditions - check attribute values and possibly multiple role assignments - that are defined by administrators in the GUI simply by providing role attribute values. The policyRule script then works with these values; in essence it combines the two functions from testing/story/src/test/resources/delivery/rules/library.xml.</div><div><br></div><div>My simplified policy rule is</div><div><br></div><pre><policyRule>
   <policyConstraints>
      <objectState id="2">
         <expression>
            <script>
               <code>
                  ... check object.roleMembershipRef and other conditions ...
               </code>
            </script>
         </expression>
      </objectState>
   </policyConstraints>
   <policyActions>
      <enforcement />
   </policyActions>
   <evaluationTarget>assignment</evaluationTarget>
</policyRule>
</pre><div><br></div><div>The <span style="white-space:pre">roleMembershipRef contains one set of refs when preview is clicked and a different one when saved.</span></div><div><span style="white-space:pre"><br></span></div><div><span style="white-space:pre">Hope I can quick fix this by 'mandatory preview'.</span></div><div><span style="white-space:pre"><br></span></div><div><span style="white-space:pre">arnost</span></div><div><span style="white-space:pre"><br></span></div></div><div 
class="gmail_extra"><br><div class="gmail_quote">2018-05-11 19:07 GMT+02:00 Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hello Arnošt,</p>
    <p>what does your state constraint (and the whole policy rule) look
      like?</p>
    <p>I am aware of some issues related to constraint evaluation, but I
      think this could work.<br>
    </p>
    <p>And, by the way, haven't you considered <tt>hasAssignment</tt>
      constraint? It should support direct, indirect, and both modes of
      assignment.<br>
    </p>
    <pre class="m_4360598796791613230moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><div><div class="h5">
    <div class="m_4360598796791613230moz-cite-prefix">On 11.05.2018 17:36, Arnošt Starosta -
      AMI Praha a.s. wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">Hi all,
        <div><br>
        </div>
        <div>I want to check the identity has a direct or indirect
          assignment to a role in a scripted object state policy
          constraint. And it almost works .)</div>
        <div><br>
        </div>
        <div>The script uses user.roleMembershipRef to determine if a
          user 'has' a given role.</div>
        <div><br>
        </div>
        <div>In GUI Preview everything works nice, policy matches,
          roleMembershipRef contains the assigned roles.</div>
        <div><br>
        </div>
        <div>But when you click 'Save', roleMembershipRef does not
          reflect the new state, the newly assigned roles are not there
          as in preview. My policy now effectively checks the old object
          state only.</div>
        <div><br>
        </div>
        <div>Do you know any other way how to check for directly or
          indirectly assigned roles in a policy constraint? </div>
        <div><br>
        </div>
        <div>Checking only directly assigned roles seems to work ok with
          user.assignment (midpoint.isDirectlyAssigned()). I can't find
          any way to trigger the policy after roleMembershipRefs are
          evaluated.</div>
        <div><br>
        </div>
        <div>Thanks!</div>
        <div>arnost<br clear="all">
          <div><br>
          </div>
          -- <br>
          <div class="m_4360598796791613230gmail-m_-883594576147119623gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px;border-style:solid;width:482px">
                    <tbody>
                      <tr style="padding:0px;margin:0px;border:0px solid gray">
                        <td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px solid gray">
                          <p><span style="font-size:14px;font-weight:bold">Arnošt
                              Starosta</span><br>
                            solution architect<br>
                            <br>
                            gsm: [+420] 603 794 932<br>
                            e-mail: <a href="mailto:arnost.starosta@ami.cz" target="_blank">arnost.starosta@ami.cz</a></p>
                        </td>
                        <td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-width:0px 1px 0px 0px;border-style:solid;border-color:gray rgb(204,204,204) gray gray;padding:0px">   </td>
                        <td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray">   </td>
                        <td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px solid gray">
                          <p>AMI Praha a.s.<br>
                            Pláničkova 11<br>
                            162 00 Praha 6<br>
                            tel.: [+420] 274 783 239<br>
                            web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p>
                        </td>
                        <td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-width:0px 1px 0px 0px;border-style:solid;border-color:gray rgb(204,204,204) gray gray;padding:0px">   </td>
                        <td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray">   </td>
                        <td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;width:116px;border:0px solid gray">
                          <p><img src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p>
                        </td>
                      </tr>
                      <tr style="padding:0px;margin:0px;border:0px solid gray">
                        <td colspan="7" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px solid gray"><br>
                          <a href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management" target="_blank"><img src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" alt="AMI
                              Praha a.s." style="border:0px;width:480px;height:82px"></a></td>
                      </tr>
                      <tr style="padding:0px;margin:0px;border:0px solid gray">
                        <td colspan="7" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray"><br>
                          By the text of this e-mail the signatory does not promise
                          to conclude, nor does conclude, any contract on behalf of
                          AMI Praha a.s.<br>
                          Any contract, if concluded, must be exclusively in
                          written form.<br>
                          <br>
                        </td>
                      </tr>
                    </tbody>
                  </table>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="m_4360598796791613230mimeAttachmentHeader"></fieldset>
      <br>
      </div></div><pre>_______________________________________________
midPoint mailing list
<a class="m_4360598796791613230moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_4360598796791613230moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><p style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10.3846px"></p><table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important"><tbody><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px solid gray!important"><p><span style="font-size:14px;font-weight:bold">Arnošt Starosta</span><br>solution architect<br><br>gsm: [+420] 603 794 932<br>e-mail: <a href="mailto:arnost.starosta@ami.cz" target="_blank">arnost.starosta@ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right:1px solid rgb(204,204,204);padding:0px;border-top:0px solid gray!important;border-bottom:0px solid gray!important;border-left:0px solid gray!important">   </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important">   </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px solid gray!important"><p>AMI Praha a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: [+420] 274 783 239<br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right:1px solid rgb(204,204,204);padding:0px;border-top:0px solid gray!important;border-bottom:0px solid gray!important;border-left:0px solid gray!important">   </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid 
gray!important">   </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px solid gray!important;width:116px"><p><img src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px solid gray!important"><br><a href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management" target="_blank"><img src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" alt="AMI Praha a.s." style="border:0px;width:480px!important;height:82px!important"></a></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray!important"><br>By the text of this e-mail the signatory does not promise to conclude, nor does conclude, any contract on behalf of AMI Praha a.s.<br>Any contract, if concluded, must be exclusively in written form.<br><br></td></tr></tbody></table></div></div></div></div>
</div>
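<p>Added example, not code from this thread or from the midPoint project: the hasAssignment-based rule Pavol suggests, combined with an attribute condition through a logical and-constraint, so that the combination Arnošt describes no longer reads roleMembershipRef, which the thread shows lags behind the new state at save time. The role OID is a placeholder; the and combinator inside policyConstraints, the direct element of hasAssignment and the employeeType check are assumptions to verify against the midPoint schema of your version.</p>

```xml
<!-- Added example, not from the thread. Assumptions: the <and> combinator inside
     policyConstraints and the <direct> element of hasAssignment exist in your
     midPoint version; PLACEHOLDER-ROLE-OID stands for the real role OID. -->
<policyRule>
    <name>sensitive-role-not-for-contractors</name>
    <policyConstraints>
        <and>
            <!-- Direct or indirect assignment of the role, evaluated by midPoint on the
                 assignments of the operation being previewed or saved, instead of the
                 roleMembershipRef snapshot that the thread shows is stale at save time. -->
            <hasAssignment>
                <targetRef oid="PLACEHOLDER-ROLE-OID" type="RoleType"/>
                <!-- <direct> omitted: both direct and indirect assignments match.
                     <direct>true</direct> would restrict the check to direct ones
                     (assumed element name). -->
            </hasAssignment>
            <!-- Attribute condition on the focus object, evaluated the same way as the
                 scripted objectState constraint in the thread; 'object' is the focus. -->
            <objectState>
                <expression>
                    <script>
                        <code>
                            // true when the user is flagged as a contractor (assumed attribute)
                            object.employeeType.contains('contractor')
                        </code>
                    </script>
                </expression>
            </objectState>
        </and>
    </policyConstraints>
    <policyActions>
        <!-- Reject the operation when both conditions hold; same action as in the thread. -->
        <enforcement/>
    </policyActions>
    <evaluationTarget>assignment</evaluationTarget>
</policyRule>
```

<p>Because neither branch reads roleMembershipRef, the rule yields the same verdict in Preview and on Save, which is the property an enforcement rule needs if it is to block rather than merely report a forbidden combination.</p>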