...

MidPoint does not have direct configuration for role exclusion classes (sets of roles where each role excludes all other roles from the same class or from different classes). However, this configuration can easily be created and maintained by using role hierarchies and metaroles.

The following example illustrates an "exclusion class" between executive and controlling roles. The controlling metarole defines exclusion of all executive roles:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Controlling metarole</name>
    <description>Excludes all executive roles using a filter</description>
    <inducement>
        <policyRule>
            <name>executive exclusion</name>
            <policyConstraints>
                <exclusion>
                    <!-- Matches every role whose subtype is "executive" -->
                    <targetRef type="RoleType">
                        <filter>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>executive</q:value>
                            </q:equal>
                        </filter>
                        <!-- Resolve the filter at run time, not at import time -->
                        <resolutionTime>run</resolutionTime>
                    </targetRef>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>
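
The metarole only takes effect once controlling roles are assigned to it and executive roles carry the subtype value that the filter matches. The companion objects below are an added illustration, not part of the original page; the role names, the `controlling` subtype value and all OIDs are constructed placeholders.

```xml
<!-- Added example: constructed role names and placeholder OIDs -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- An executive role: its subtype is what the metarole's filter matches -->
    <role oid="00000000-0000-0000-0000-00000000e001">
        <name>Payment Executor</name>
        <subtype>executive</subtype>
    </role>

    <!-- A controlling role: assigning the metarole makes the induced
         policy rule apply to this role -->
    <role oid="00000000-0000-0000-0000-00000000c001">
        <name>Payment Auditor</name>
        <subtype>controlling</subtype>
        <assignment>
            <!-- Placeholder OID standing in for the "Controlling metarole" object -->
            <targetRef oid="00000000-0000-0000-0000-00000000a001" type="RoleType"/>
        </assignment>
    </role>

</objects>
```

With these objects in place, assigning both Payment Executor and Payment Auditor to the same user violates the exclusion constraint, and the enforcement action rejects the operation. Because the filter is resolved at run time, executive roles created later are covered without changing the metarole.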

 

Legacy Configuration

In midPoint 3.4 and earlier, there was no policy rules feature. Therefore, role exclusion was defined as:

...