MidPoint does not have a direct configuration for role exclusion classes (sets of roles where each role excludes all other roles from the same class or from different classes). However, this configuration can easily be created and maintained by using role hierarchies and metaroles.
The following example illustrates an "exclusion class" between executive and controlling roles. The controlling metarole defines exclusion of all executive roles:
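<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Controlling metarole</name>
    <description>Excludes all executive roles using a filter</description>
    <inducement>
        <policyRule>
            <name>executive exclusion</name>
            <policyConstraints>
                <exclusion>
                    <!-- The excluded roles are selected by a filter, not by a fixed OID -->
                    <targetRef type="RoleType">
                        <filter>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>executive</q:value>
                            </q:equal>
                        </filter>
                        <!-- Resolve the filter when the rule is evaluated, not at import time -->
                        <resolutionTime>run</resolutionTime>
                    </targetRef>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>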
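The metarole above only takes effect once roles are placed on both sides of the exclusion class. The following is an added example, not part of the original page: the role names and all OIDs are constructed placeholders, and it assumes the controlling metarole was imported with the OID shown in the `targetRef`.

```xml
<!-- Constructed sample objects; names and OIDs are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Controlling side: the role holds the metarole, so the exclusion
         policy rule induced by the metarole applies to this role. -->
    <role oid="00000000-0000-0000-0000-0000000000c1">
        <name>Auditor</name>
        <assignment>
            <!-- Assumed OID of "Controlling metarole" -->
            <targetRef oid="00000000-0000-0000-0000-0000000000a1" type="RoleType"/>
        </assignment>
    </role>

    <!-- A second controlling role joins the class with the same single assignment. -->
    <role oid="00000000-0000-0000-0000-0000000000c2">
        <name>Compliance reviewer</name>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-0000000000a1" type="RoleType"/>
        </assignment>
    </role>

    <!-- Executive side: no assignment is needed. The role is matched by the
         metarole's filter because its subtype is "executive". -->
    <role oid="00000000-0000-0000-0000-0000000000e1">
        <name>Payment approver</name>
        <subtype>executive</subtype>
    </role>

</objects>
```

Because the filter is resolved at run time, a new executive role is excluded from every controlling role as soon as it carries the `executive` subtype, with no change to the metarole or to the controlling roles.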
In midPoint 3.4 and earlier there was no policy rules feature. Therefore the role exclusion was defined as: