...
If an entity is no longer in any group in the IT organization groups folder (meaning the entity is not a central IT employee anymore), then remove the entity's assignments to a permission definition, or remove the entity from roles which have assignments to the permission definition.
Assign this rule to the permission definition of the permission to be removed.
Java example
```java
// Add a rule on stem:permission saying if you are out of stem:employee,
// then remove assignments to permission, or from roles which have the permission.
// permissionToAssignRule, actAs, mustBeInGroupInFolder and stemScope are supplied by the caller.
AttributeAssign attributeAssign = permissionToAssignRule
    .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();

AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();

// subject the rule acts as
attributeValueDelegate.assignValue(
    RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
attributeValueDelegate.assignValue(
    RuleUtils.ruleActAsSubjectIdName(), actAs.getId());

// folder where membership was removed
attributeValueDelegate.assignValue(
    RuleUtils.ruleCheckOwnerIdName(), mustBeInGroupInFolder.getUuid());
attributeValueDelegate.assignValue(
    RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipRemoveInFolder.name());

// SUB for all descendants, ONE for just children
attributeValueDelegate.assignValue(
    RuleUtils.ruleCheckStemScopeName(), stemScope.name());

// if there is no more membership in the folder, and there is an assignment to this permission definition
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfConditionEnumName(),
    RuleIfConditionEnum.thisPermissionDefHasAssignmentAndNotFolder.name());
attributeValueDelegate.assignValue(
    RuleUtils.ruleThenEnumName(),
    RuleThenEnum.removeMemberFromOwnerPermissionDefAssignments.name());

// should be valid
String isValidString = attributeValueDelegate.retrieveValueString(
    RuleUtils.ruleValidName());

if (!StringUtils.equals("T", isValidString)) {
  throw new RuntimeException(isValidString);
}
```
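To show what the check, condition and action amount to when the rule fires, here is a simplified in-memory model, added as an example and not Grouper's own code. The class, the folder, group and role names, and the subject `jsmith` are all constructed for illustration, and the model assumes `:` as the folder separator.

```java
import java.util.*;
// Simplified in-memory model of the rule's behaviour (not Grouper code).
public class PermissionFolderRuleModel {
  enum Scope { ONE, SUB }  // ONE: direct children of the folder, SUB: all descendants
  final Map<String, Set<String>> groupMembers = new HashMap<>();  // group name -> subjects
  final Map<String, Set<String>> roleMembers = new HashMap<>();   // role name -> subjects
  final Set<String> rolesWithPermission = new HashSet<>();        // roles assigned the permission def
  final Set<String> directAssignments = new HashSet<>();          // subjects assigned it directly

  static boolean inFolder(String group, String folder, Scope scope) {
    if (!group.startsWith(folder + ":")) return false;
    String rest = group.substring(folder.length() + 1);
    return scope == Scope.SUB || !rest.contains(":");
  }

  // "If" condition: subject still holds the permission and has no membership left in the folder
  boolean hasAssignmentAndNotFolder(String subject, String folder, Scope scope) {
    boolean hasAssignment = directAssignments.contains(subject)
        || rolesWithPermission.stream().anyMatch(
            r -> roleMembers.getOrDefault(r, Set.of()).contains(subject));
    boolean stillInFolder = groupMembers.entrySet().stream().anyMatch(
        e -> inFolder(e.getKey(), folder, scope) && e.getValue().contains(subject));
    return hasAssignment && !stillInFolder;
  }

  // "Check": a membership is removed from a group; returns true if the "then" action fired
  boolean removeMember(String group, String subject, String folder, Scope scope) {
    groupMembers.getOrDefault(group, new HashSet<>()).remove(subject);
    if (!inFolder(group, folder, scope)) return false;
    if (!hasAssignmentAndNotFolder(subject, folder, scope)) return false;
    directAssignments.remove(subject);  // "then": drop direct assignments and role memberships
    rolesWithPermission.forEach(r -> roleMembers.getOrDefault(r, new HashSet<>()).remove(subject));
    return true;
  }

  public static void main(String[] args) {
    PermissionFolderRuleModel m = new PermissionFolderRuleModel();
    // Constructed sample data: jsmith is in two IT groups and holds the permission twice over
    m.groupMembers.put("org:it:network", new HashSet<>(Set.of("jsmith")));
    m.groupMembers.put("org:it:ops:dba", new HashSet<>(Set.of("jsmith")));
    m.roleMembers.put("apps:payroll:admin", new HashSet<>(Set.of("jsmith")));
    m.rolesWithPermission.add("apps:payroll:admin");
    m.directAssignments.add("jsmith");
    // First removal leaves one IT membership, so nothing is revoked; the second one revokes
    System.out.println(m.removeMember("org:it:network", "jsmith", "org:it", Scope.SUB));
    System.out.println(m.removeMember("org:it:ops:dba", "jsmith", "org:it", Scope.SUB));
    System.out.println(m.roleMembers + " " + m.directAssignments);
  }
}
```

With `Scope.ONE` the nested group `org:it:ops:dba` does not count as a membership in `org:it`, so the first removal alone would already revoke the permission in this model; the scope choice therefore decides how early deprovisioning happens.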
...