The policy rule above specifies that midPoint should monitor the creation of new users (specified by policyConstraints) and that, when the limit is reached (count=4), task execution is stopped (policyAction=stop). Once such a role with policy rules is defined, midPoint has to know that the role should be taken into account. To achieve that, assign the role to the task, as in the example below.
<task oid="10335c7c-838f-11e8-93a6-4b1dd0ab58e4"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:syncext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <name>Reconciliation: Dummy</name>
    <extension>
        ...
        <syncext:simulateBeforeExecute>true</syncext:simulateBeforeExecute>
    </extension>
    ...
    <assignment>
        <targetRef oid="00000000-role-0000-0000-999111111112" type="RoleType"/>
    </assignment>
</task>
In the example above, the important part is the assignment. This assignment tells midPoint that there may be applicable roles and policies while the task is executing. One additional setting in the example above is the extension property simulateBeforeExecute. When it is set to true, midPoint first runs reconciliation in simulation mode: it computes all changes, applies all policy rules and so on, but nothing is executed. Only after the simulation mode ends successfully is there a second round of reconciliation in full mode. If the simulation mode ends with errors and the limit was reached, the full reconciliation is not run. The default value of the simulateBeforeExecute property is false.
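A check of the two settings described above, as an added example that is not part of the midPoint documentation: it parses a task definition and reports whether the role carrying the policy rules is assigned and whether simulateBeforeExecute is enabled. The function name audit_task and the two sample documents are assumptions constructed for illustration; the namespaces and the role OID are taken from the task shown above.

```python
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
SYNCEXT = "http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
NS = {"c": C, "syncext": SYNCEXT}
ROLE_OID = "00000000-role-0000-0000-999111111112"  # role OID from the task above

# Constructed samples: the task above with its elided ("...") parts left out,
# and a variant that has neither the assignment nor the extension property.
GUARDED = f"""<task xmlns="{C}" xmlns:syncext="{SYNCEXT}">
  <name>Reconciliation: Dummy</name>
  <extension>
    <syncext:simulateBeforeExecute>true</syncext:simulateBeforeExecute>
  </extension>
  <assignment><targetRef oid="{ROLE_OID}" type="RoleType"/></assignment>
</task>"""
UNGUARDED = f"""<task xmlns="{C}"><name>Reconciliation: Dummy</name></task>"""


def audit_task(task_xml, role_oid):
    """Return a list of findings for one <task> document (empty list = OK).

    Hypothetical helper; assumes trusted, locally exported task XML.
    """
    task = ET.fromstring(task_xml)
    findings = []

    # The policy rules are only considered if their role is assigned to the task.
    assigned = {
        ref.get("oid")
        for ref in task.findall("c:assignment/c:targetRef", NS)
        # Accept both "RoleType" and a prefixed form such as "c:RoleType".
        if (ref.get("type") or "").split(":")[-1] == "RoleType"
    }
    if role_oid not in assigned:
        findings.append("threshold role is not assigned to the task")

    # An absent property means the default, which is false.
    sim = task.find("c:extension/syncext:simulateBeforeExecute", NS)
    value = (sim.text or "").strip().lower() if sim is not None else "false"
    if value != "true":
        findings.append("simulateBeforeExecute is not true: "
                        "no simulation round runs before the full one")
    return findings


if __name__ == "__main__":
    for label, doc in (("guarded", GUARDED), ("unguarded", UNGUARDED)):
        print(label, audit_task(doc, ROLE_OID) or "OK")
```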