<role>
    <name>Controlling metarole</name>
    <description>Excludes all executive roles using a filter</description>
    <inducement>
        <policyRule>
            <name>executive exclusion</name>
            <policyConstraints>
                <exclusion>
                    <targetRef type="RoleType">
                        <filter>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>executive</q:value>
                            </q:equal>
                        </filter>
                        <resolutionTime>run</resolutionTime>
                    </targetRef>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>
The metarole above is meant to be assigned to controlling roles (roles whose subtype is different from "executive", e.g. "controlling"). If a user has any controlling role assigned and an attempt is made to assign another role with subtype="executive", the request will be refused because of the SoD conflict. Thus it is not possible to mix executive and controlling roles.
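How the metarole is applied, as an added example that is not part of the original midPoint documentation: a controlling role that carries the metarole through an assignment, and an executive role that the filter matches. The role names and all OIDs are placeholders (assumptions), and namespace declarations are omitted as in the sample above.

```xml
<objects>
    <!-- Controlling role: the assignment to the metarole induces the
         "executive exclusion" policy rule onto this role. -->
    <role oid="00000000-0000-0000-0000-0000000000c1"> <!-- placeholder OID -->
        <name>Financial controller</name> <!-- hypothetical role name -->
        <subtype>controlling</subtype>
        <assignment>
            <!-- placeholder OID: replace with the OID that
                 "Controlling metarole" has in your repository -->
            <targetRef oid="00000000-0000-0000-0000-0000000000aa" type="RoleType"/>
        </assignment>
    </role>

    <!-- Executive role: it needs no assignment to the metarole. It is matched
         by the filter (subtype = executive), which is resolved at run time
         (resolutionTime is "run"), so executive roles created later are
         covered without editing the metarole. -->
    <role oid="00000000-0000-0000-0000-0000000000e1"> <!-- placeholder OID -->
        <name>Chief financial officer</name> <!-- hypothetical role name -->
        <subtype>executive</subtype>
    </role>
</objects>
```

With these two roles in place, a user who holds "Financial controller" and requests "Chief financial officer" hits the enforced exclusion rule and the request is refused.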
In midPoint 3.4 and earlier there was no policy rules feature. Therefore the role exclusion was defined as: