...

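<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Controlling metarole</name>
    <description>Excludes all executive roles using a filter</description>
    <!-- The inducement passes the policy rule on to every role that has this metarole assigned -->
    <inducement>
        <policyRule>
            <name>executive exclusion</name>
            <policyConstraints>
                <exclusion>
                    <!-- No fixed OID: the excluded roles are selected by the filter -->
                    <targetRef type="RoleType">
                        <filter>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>executive</q:value>
                            </q:equal>
                        </filter>
                        <!-- Evaluate the filter at run time, not at import time -->
                        <resolutionTime>run</resolutionTime>
                    </targetRef>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <!-- Refuse the operation that would violate the constraint -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>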

The metarole above is meant to be assigned to controlling roles (roles whose subtype is different from "executive", e.g. "controlling"). If a user has any controlling role assigned and attempts to have another role with subtype="executive" assigned, the request will be refused because of the SoD conflict. Thus it is not possible to mix executive and controlling roles.
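How a controlling role picks up the rule, shown as an added example that is not part of the original page. The role names and all OIDs are constructed placeholders, and the metarole above is assumed to have been imported under the first placeholder OID.

```xml
<!-- Added example; OIDs and role names are constructed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Controlling role: the assignment to the metarole makes the induced
         "executive exclusion" policy rule apply to this role. -->
    <role oid="00000000-0000-0000-0000-0000000c0001">
        <name>Auditor</name>
        <subtype>controlling</subtype>
        <assignment>
            <!-- Assumed OID of the "Controlling metarole" shown above -->
            <targetRef oid="00000000-0000-0000-0000-0000000c0000" type="RoleType"/>
        </assignment>
    </role>

    <!-- Executive role: matched at run time by the subtype filter in the
         exclusion constraint, so it carries no reference to the metarole. -->
    <role oid="00000000-0000-0000-0000-0000000e0001">
        <name>Payment Approver</name>
        <subtype>executive</subtype>
    </role>

</objects>
```

Any further role created with subtype "executive" is covered without touching the metarole, because the exclusion target is resolved by the filter rather than by a fixed OID.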

Legacy Configuration

In midPoint 3.4 and earlier there was no policy rules feature. Therefore the role exclusion was defined as:

...