<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello, Stéphane,</p>
    <p>just a few general comments:</p>
    <ol>
      <li>I would search the midPoint sources for
        <hasNoAssignment> string. We try to do the development
        seriously, so every feature should have (at least) one test for
        it. This one is no exception.<br>
      </li>
      <li>I would search the docs.evolveum.com for "hasNoAssignment".
        Here the situation is a bit worse. The feature is not quite
        finished - it was sponsored to some extent; but additional
        resources are needed to document it properly. However, this
        work-in-progress document could help: <a moz-do-not-send="true"
href="https://docs.evolveum.com/midpoint/devel/design/policy-constraints/"
          class="moz-txt-link-freetext">https://docs.evolveum.com/midpoint/devel/design/policy-constraints/</a>.
        (The formatting problems are due to wiki migration.)</li>
      <li>As for debugging, policy constraints do not have
        "<tracing>" flag nor the comprehensive troubleshooting
        methodology (as mappings do). So I use the (experimental) <a
          moz-do-not-send="true"
href="https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/">troubleshooting
          with traces</a> to diagnose issues with them.</li>
      <li>Personally, I would be greatly interested in how many
        installations do use policy rules, and this one in particular.<br>
      </li>
    </ol>
    <pre class="moz-signature" cols="72">-- 
Pavol Mederly
Software developer
evolveum.com</pre>
    <div class="moz-cite-prefix">On 10/10/2022 12:54, Delcourt Stéphane
      via midPoint wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:GV1P190MB1995B088B760723DB4F212D084209@GV1P190MB1995.EURP190.PROD.OUTLOOK.COM">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
      <style>@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}.MsoChpDefault
        {mso-style-type:export-only;
        mso-fareast-language:EN-US;}div.WordSection1
        {page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal">Hi all,<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><span lang="EN-US">Does someone know how to
            deal with this policy constraint ?<o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">My idea is to use it for
            role dependency as intended
            <a href="https://jira.evolveum.com/browse/MID-4068"
              moz-do-not-send="true" class="moz-txt-link-freetext">https://jira.evolveum.com/browse/MID-4068</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">So I want to add policy
            constraint in role B to block user receiving it if not
            assigned of role A<o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">Here’s the code sample
            I’m using in role B:<o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">    <assignment><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">       
            <policyRule><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">           
            <name>exclude-if-no-role-a</name><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">           
            <policyConstraints><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">               
            <hasNoAssignment><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">                   
            <targetRef oid="role_a_oid" type="RoleType"/><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">               
            </hasNoAssignment><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">           
            </policyConstraints><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">           
            <policyActions><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">               
            <enforcement/><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">           
            </policyActions><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">       
            </policyRule><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">    </assignment><o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">But this does not
            trigger any error when I try to assign role B to a user not
            having role A.<o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">What am I missing here ?
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">I don’t even know how to
            debug this.<o:p></o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span lang="EN-US">Thanks for your help<o:p></o:p></span></p>
        <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt"><b><span
style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR-BE"
              lang="FR">Stéphane Delcourt</span></b><span
style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR-BE"
            lang="FR"><br>
            Informaticien – Gestionnaire système - Développeur<br>
          </span><a href="http://www.ulb.ac.be/" title="Université libre
            de Bruxelles" moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#2B8DDB;mso-fareast-language:FR-BE;text-decoration:none"><img
                style="width:5.4166in;height:.875in" id="Image_x0020_1"
                src="cid:part1.4UaQEFn6.5gFc8hkz@evolveum.com"
                alt="www.ulb.be" class="" width="520" height="84"
                border="0"></span></a><span
style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR-BE"
            lang="FR"><br>
            <b>Département informatique, Service Applications métier</b><br>
            Av. F. Roosevelt 50, CP 251 - 1050 Bruxelles<o:p></o:p></span></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
      <fieldset class="moz-mime-attachment-header"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
  </body>
</html>