From ce202a611db94e326917c3448f3a281c39db81fb Mon Sep 17 00:00:00 2001
From: Katarina Valalikova <k.valalikova@evolveum.com>
Date: Sun, 19 Mar 2017 22:20:02 +0100
Subject: [PATCH 1/2] rest api validate/generate operations. added tests.

---
 .../xml/ns/public/common/api-types-3.xsd      |   3 +
 .../midpoint/model/impl/ModelRestService.java | 198 ++++++++++---
 .../testing/rest/TestAbstractRestService.java | 267 +++++++++++++++++-
 .../repo/json/policy-generate-bad-path.json   |  15 +
 .../repo/json/policy-generate-execute.json    |  28 ++
 .../resources/repo/json/policy-generate.json  |  20 ++
 .../policy-validate-explicit-conflict.json    |  16 ++
 .../repo/json/policy-validate-explicit.json   |  16 ++
 ...licy-validate-implicit-multi-conflict.json |  15 +
 .../json/policy-validate-implicit-multi.json  |  10 +
 .../json/policy-validate-implicit-single.json |  15 +
 .../resources/repo/json/user-darthadder.json  |   3 +
 .../resources/repo/system-configuration.xml   |   1 +
 .../resources/repo/value-policy-general.xml   |  73 +++++
 .../resources/repo/value-policy-numeric.xml   |  48 ++++
 .../repo/xml/policy-generate-bad-path.xml     |  14 +
 .../repo/xml/policy-generate-execute.xml      |  26 ++
 .../resources/repo/xml/policy-generate.xml    |  19 ++
 .../xml/policy-validate-explicit-conflict.xml |  16 ++
 .../repo/xml/policy-validate-explicit.xml     |  16 ++
 ...olicy-validate-implicit-multi-conflict.xml |  15 +
 .../xml/policy-validate-implicit-multi.xml    |  14 +
 .../xml/policy-validate-implicit-single.xml   |  15 +
 .../resources/repo/xml/user-darthadder.xml    |   7 +
 .../repo/yaml/policy-generate-bad-path.yml    |   9 +
 .../repo/yaml/policy-generate-execute.yml     |  18 ++
 .../resources/repo/yaml/policy-generate.yml   |  11 +
 .../policy-validate-explicit-conflict.yml     |  10 +
 .../repo/yaml/policy-validate-explicit.yml    |  10 +
 ...olicy-validate-implicit-multi-conflict.yml |   9 +
 .../yaml/policy-validate-implicit-multi.yml   |   5 +
 .../yaml/policy-validate-implicit-single.yml  |   9 +
 .../resources/repo/yaml/user-darthadder.yml   |   9 +
 33 files changed, 913 insertions(+), 47 deletions(-)
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-generate-execute.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-generate.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-explicit.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json
 create mode 100644 testing/rest/src/test/resources/repo/value-policy-general.xml
 create mode 100644 testing/rest/src/test/resources/repo/value-policy-numeric.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-generate.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-generate.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd
index 9b7d00a3fd3..48377165c04 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd
@@ -577,6 +577,9 @@
 	                <xsd:documentation>
 	                    Contains either generated value or value which will be validated
 	                </xsd:documentation>
+	                <xsd:appinfo>
+                        <a:rawType/>
+                    </xsd:appinfo>
 	            </xsd:annotation>
         	</xsd:element>
         	
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
index d0ca3ccccd8..fa2237b77cb 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
@@ -19,6 +19,7 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.stream.Collectors;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@@ -39,6 +40,7 @@
 import javax.xml.bind.JAXBException;
 import javax.xml.namespace.QName;
 
+import org.apache.commons.configuration.SystemConfiguration;
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
@@ -64,10 +66,13 @@
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.PropertyDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.QueryJaxbConvertor;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
@@ -80,7 +85,9 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -95,17 +102,20 @@
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectListType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectModificationType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemDefinitionType;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemTargetType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemsDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ScriptOutputsType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.SingleScriptOutputType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.LogFileContentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectShadowChangeDescriptionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
@@ -113,6 +123,7 @@
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ItemListType;
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ScriptingExpressionType;
 import com.evolveum.prism.xml.ns._public.query_3.QueryType;
+import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
 
 /**
@@ -142,10 +153,12 @@ public class ModelRestService {
 	public static final String OPERATION_COMPARE = CLASS_DOT + "compare";
 	public static final String OPERATION_GET_LOG_FILE_CONTENT = CLASS_DOT + "getLogFileContent";
 	public static final String OPERATION_GET_LOG_FILE_SIZE = CLASS_DOT + "getLogFileSize";
+	public static final String OPERATION_VALIDATE_VALUE = CLASS_DOT +  "validateValue";
+	
 	private static final String CURRENT = "current";
 	private static final String VALIDATE = "validate";
-
-	@Autowired
+	
+		@Autowired
 	private ModelCrudService model;
 
 	@Autowired
@@ -205,9 +218,9 @@ public <O extends ObjectType> Response generateValue(@PathParam("type") String t
 		try {
 			PrismObject<O> object = model.getObject(clazz, oid, null, task, parentResult);
 
-			PrismObject<ValuePolicyType> valuePolicy = resolveUserPolicy((PrismObject<UserType>) object, task,
-					parentResult);
-
+			
+			PrismObject<ValuePolicyType> valuePolicy = resolvePolicy(object, task, parentResult);
+			
 			boolean executeImmediatelly = false;
 			Collection<PropertyDelta> propertyDeltas = new ArrayList<>();
 			for (PolicyItemDefinitionType policyItemDefinition : policyItemsDefinition
@@ -230,6 +243,7 @@ public <O extends ObjectType> Response generateValue(@PathParam("type") String t
 			ResponseBuilder responseBuilder = Response.ok(policyItemsDefinition);
 			response = responseBuilder.build();
 		} catch (Exception ex) {
+			parentResult.computeStatus();
 			response = RestServiceUtil.handleException(parentResult, ex);
 		}
 
@@ -239,39 +253,76 @@ public <O extends ObjectType> Response generateValue(@PathParam("type") String t
 
 	}
 	
-	private PrismObject<ValuePolicyType> resolveUserPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
-		CredentialsPolicyType policy = modelInteraction.getCredentialsPolicy(user, task, parentResult);
+	private <O extends ObjectType> PrismObject<ValuePolicyType> resolvePolicy(PrismObject<O> object, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
+	
+		PrismObject<ValuePolicyType> valuePolicy = null;
 		
+		if (object.getCompileTimeClass().isAssignableFrom(UserType.class)) {
+			CredentialsPolicyType policy = modelInteraction
+					.getCredentialsPolicy((PrismObject<UserType>) object, task, parentResult);
+
+			if (policy != null) {
+
+				if (policy.getPassword().getPasswordPolicyRef() != null) {
+					valuePolicy = model.getObject(ValuePolicyType.class,
+							policy.getPassword().getPasswordPolicyRef().getOid(), null, task, parentResult);
+				}
+			}
+
+		} else {
 		
-		PrismObject<ValuePolicyType> valuePolicy = null;
-		if (policy.getPassword().getPasswordPolicyRef() != null) {
-			valuePolicy = model.getObject(ValuePolicyType.class, policy.getPassword().getPasswordPolicyRef().getOid(), null, task, parentResult);
+			SystemConfigurationType systemConfigurationType = modelInteraction
+					.getSystemConfiguration(parentResult);
+			ObjectReferenceType policyRef = systemConfigurationType.getGlobalPasswordPolicyRef();
+			if (policyRef == null) {
+				return null;
+			}
+
+			valuePolicy = model.getObject(ValuePolicyType.class, policyRef.getOid(), null, task, parentResult);
 		}
-		
 		return valuePolicy;
 	}
 	
 	private <O extends ObjectType> void generateValue(PrismObject<O> object, PrismObject<ValuePolicyType> policy, PolicyItemDefinitionType policyItemDefinition, Task task, OperationResult result) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		
+		PolicyItemTargetType target = policyItemDefinition.getTarget();
+		if (target == null || target.getPath() == null) {
+			LOGGER.error("Target item path must be defined");
+			result.recordFatalError("Target item path must be defined");
+			throw new SchemaException("Target item path must be defined");
+		}
+		
+		ItemPath targetProperty = target.getPath().getItemPath();
+		
 		StringPolicyType stringPolicy = null;
 		if (policyItemDefinition.getValuePolicyRef() != null) {
 			PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, policyItemDefinition.getValuePolicyRef().getOid(), null, task, result);
 			PrismObject<ValuePolicyType> policyOverride = valuePolicy.clone();
 			stringPolicy = policyOverride != null ? policyOverride.asObjectable().getStringPolicy() : null;
 		} else {
-		
-			stringPolicy = policy != null ? policy.asObjectable().getStringPolicy() : null;
+			if (stringPolicy == null) {
+				SystemConfigurationType systemConfiguration = modelInteraction.getSystemConfiguration(result);
+				if (systemConfiguration.getGlobalPasswordPolicyRef() != null) {
+					PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, systemConfiguration.getGlobalPasswordPolicyRef().getOid(), null, task, result);
+					stringPolicy = valuePolicy != null ? valuePolicy.asObjectable().getStringPolicy() : null;
+				}
+				 
+			} else {
+				stringPolicy = policy != null ? policy.asObjectable().getStringPolicy() : null;
+			}
 		}
-		String newValue = policyProcessor.generate(stringPolicy, 10, object, "generating value for" + policyItemDefinition.getTarget().getPath(), task, result);
+		String newValue = policyProcessor.generate(stringPolicy, 10, object, "generating value for" + targetProperty, task, result);
 		policyItemDefinition.setValue(newValue);
 	}
 	
 	@POST
 	@Path("/{type}/{oid}/validate")
+	@Consumes({"application/xml", "application/json", "application/yaml"})
+	@Produces({"application/xml", "application/json", "application/yaml"})
 	public <O extends ObjectType> Response validateValue(@PathParam("type") String type, @PathParam("oid") String oid, PolicyItemsDefinitionType policyItemsDefinition, @Context MessageContext mc) {
 		
 		Task task = RestServiceUtil.initRequest(mc);
-		OperationResult parentResult = task.getResult().createSubresult(OPERATION_GET);
+		OperationResult parentResult = task.getResult().createSubresult(OPERATION_VALIDATE_VALUE);
 
 		Class<O> clazz = ObjectTypes.getClassFromRestType(type);
 		Response response = null;
@@ -284,60 +335,125 @@ public <O extends ObjectType> Response validateValue(@PathParam("type") String t
 		try {
 			PrismObject<O> object = model.getObject(clazz, oid, null, task, parentResult);
 
-			PrismObject<ValuePolicyType> valuePolicy = resolveUserPolicy((PrismObject<UserType>) object, task,
-					parentResult);
+			PrismObject<ValuePolicyType> valuePolicy = resolvePolicy(object, task, parentResult);
 
-			boolean executeImmediatelly = false;
-			Collection<PropertyDelta> propertyDeltas = new ArrayList<>();
 			for (PolicyItemDefinitionType policyItemDefinition : policyItemsDefinition
 					.getPolicyItemDefinition()) {
-
 				validateValue(object, valuePolicy, policyItemDefinition, task, parentResult);
-			
 			}
 			
-			
-
-			ResponseBuilder responseBuilder = Response.ok(policyItemsDefinition);
+			parentResult.computeStatusIfUnknown();;
+			ResponseBuilder responseBuilder = null;
+			if (parentResult.isAcceptable()) {
+				responseBuilder = Response.ok();
+			} else {
+				responseBuilder = Response.status(Status.CONFLICT).entity(parentResult);
+			}
 			response = responseBuilder.build();
 		} catch (Exception ex) {
+			parentResult.computeStatus();
 			response = RestServiceUtil.handleException(parentResult, ex);
+			
 		}
 
-		parentResult.computeStatus();
+		
 		finishRequest(task);
 		return response;
 
 		
 	}
 	
-private <O extends ObjectType> void validateValue(PrismObject<O> object, PrismObject<ValuePolicyType> policy, PolicyItemDefinitionType policyItemDefinition, Task task, OperationResult result) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
+private <T, O extends ObjectType> boolean validateValue(PrismObject<O> object, PrismObject<ValuePolicyType> policy, PolicyItemDefinitionType policyItemDefinition, Task task, OperationResult parentResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
 		
-	ValuePolicyType stringPolicy = null;
+		ValuePolicyType stringPolicy = null;
 		if (policyItemDefinition.getValuePolicyRef() != null) {
-			PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, policyItemDefinition.getValuePolicyRef().getOid(), null, task, result);
+			PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, policyItemDefinition.getValuePolicyRef().getOid(), null, task, parentResult);
 			PrismObject<ValuePolicyType> policyOverride = valuePolicy.clone();
 			stringPolicy = policyOverride != null ? policyOverride.asObjectable() : null;
 		} else {
-		
-			stringPolicy = policy != null ? policy.asObjectable() : null;
+			if (policy == null) {
+				SystemConfigurationType systemConfiguration = modelInteraction
+						.getSystemConfiguration(parentResult);
+				if (systemConfiguration.getGlobalPasswordPolicyRef() != null) {
+					PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class,
+							systemConfiguration.getGlobalPasswordPolicyRef().getOid(), null, task,
+							parentResult);
+					stringPolicy = valuePolicy != null ? valuePolicy.asObjectable() : null;
+				}
+
+			} else {
+				stringPolicy = policy != null ? policy.asObjectable() : null;
+			}
 		}
 		
-		ItemDefinition itemToValidateDefinition = object.findItem(policyItemDefinition.getTarget().getPath().getItemPath()).getDefinition();
-		itemToValidateDefinition.getTypeName();
+		RawType rawValue = (RawType) policyItemDefinition.getValue();
+		String valueToValidate = null;
 		
-		prismContext.getEntityResolver();
-		
-		//TODO 		
-		String valueToValidate = (String) policyItemDefinition.getValue();
-		if (StringUtils.isBlank(valueToValidate)) {
-			valueToValidate = object.findItem(policyItemDefinition.getTarget().getPath().getItemPath()).getRealValue();
+		List<String> valuesToValidate = new ArrayList<>();
+
+		if (rawValue != null) {
+			valueToValidate = rawValue.getParsedRealValue(String.class);
+			valuesToValidate.add(valueToValidate);
+		} else {
+			PolicyItemTargetType target = policyItemDefinition.getTarget();
+			if (target == null || target.getPath() == null) {
+				LOGGER.error("Target item path must be defined");
+				parentResult.recordFatalError("Target item path must be defined");
+				throw new SchemaException("Target item path must be defined");
+			}
+			ItemPath path = target.getPath().getItemPath();
+
+			PrismProperty<T> property = object.findProperty(path);
+			if (property == null || property.isEmpty()) {
+				LOGGER.error("Attribute {} has no value. Nothing to validate.", property);
+				parentResult.recordFatalError("Attribute " + property + " has no value. Nothing to validate");
+				throw new SchemaException("Attribute " + property + " has no value. Nothing to validate");
+			}
+
+			PrismPropertyDefinition<T> itemToValidateDefinition = property.getDefinition();
+			QName definitionName = itemToValidateDefinition.getTypeName();
+			if (!QNameUtil.qNameToUri(definitionName).equals(QNameUtil.qNameToUri(DOMUtil.XSD_STRING))
+					&& !QNameUtil.qNameToUri(definitionName).equals(QNameUtil.qNameToUri(PolyStringType.COMPLEX_TYPE))) {
+				LOGGER.error("Trying to validate string policy on the property of type {} failed. Unsupported type.",
+						itemToValidateDefinition);
+				parentResult.recordFatalError("Trying to validate string policy on the property of type "
+						+ itemToValidateDefinition + " failed. Unsupported type.");
+				throw new SchemaException("Trying to validate string policy on the property of type "
+						+ itemToValidateDefinition + " failed. Unsupported type.");
+			}
+
+			if (itemToValidateDefinition.isSingleValue()) {
+				if (definitionName.equals(PolyStringType.COMPLEX_TYPE)) {
+					valueToValidate = ((PolyString) property.getRealValue()).getOrig();
+
+				} else {
+					valueToValidate = (String) property.getRealValue();
+				}
+				valuesToValidate.add(valueToValidate);
+			} else {
+				if (definitionName.equals(DOMUtil.XSD_STRING)) {
+					valuesToValidate.addAll(property.getRealValues(String.class));
+				} else {
+					for (PolyString val : property.getRealValues(PolyString.class)) {
+						valuesToValidate.add(val.getOrig());
+					}
+				}
+			}
+			
 		}
 		
-		if (!policyProcessor.validateValue(valueToValidate, stringPolicy, object, "validate value for " + object + " value " + valueToValidate, task, result)) {
-			result.computeStatus();
-			throw new PolicyViolationException("Validation for value: " + valueToValidate + " failed." + result.getMessage());
+		for (String newValue : valuesToValidate) {
+			OperationResult result = parentResult.createSubresult(OPERATION_VALIDATE_VALUE + ".value");
+			result.addParam("valueToValidate", newValue);
+			if (!policyProcessor.validateValue(newValue, stringPolicy, object, "validate value for " + object + " value " + valueToValidate, task, result)) {
+				result.recordFatalError("Validation for value " + newValue + " against policy " + stringPolicy + " failed");
+				LOGGER.error("Validation for value {} against policy {} failed", newValue, stringPolicy);
+			}
+			result.computeStatusIfUnknown();
 		}
+		parentResult.computeStatusIfUnknown();
+		
+		return parentResult.isAcceptable();
 		
 	}
 	
diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
index d83ab292df8..97f55ff4cc9 100644
--- a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
+++ b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
@@ -65,9 +65,12 @@
 import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.TestUtil;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
@@ -108,34 +111,47 @@ public abstract class TestAbstractRestService {
 	public static final String USER_SOMEBODY_PASSWORD = "somepassword";
 	
 	// REST, reader and adder authorization
- 	public static final String USER_DARTHADDER_FILE = "user-darthadder";//new File(REPO_DIR, "user-darthadder.xml");
+ 	public static final String USER_DARTHADDER_FILE = "user-darthadder";
  	public static final String USER_DARTHADDER_OID = "1696229e-d90a-11e4-9ce6-001e8c717e5b";
  	public static final String USER_DARTHADDER_USERNAME = "darthadder";
  	public static final String USER_DARTHADDER_PASSWORD = "iamyouruncle";
  	
  	// Authorizations, but no password
- 	public static final String USER_NOPASSWORD_FILE = "user-nopassword"; //new File(REPO_DIR, "user-nopassword.xml");
+ 	public static final String USER_NOPASSWORD_FILE = "user-nopassword";
  	public static final String USER_NOPASSWORD_USERNAME = "nopassword";
 
 	public static final File ROLE_SUPERUSER_FILE = new File(BASE_REPO_DIR, "role-superuser.xml");
 	public static final File ROLE_REST_FILE = new File(BASE_REPO_DIR, "role-rest.xml");
 	public static final File ROLE_READER_FILE = new File(BASE_REPO_DIR, "role-reader.xml");
-	public static final String ROLE_ADDER_FILE = "role-adder";//new File(REPO_DIR, "role-adder.xml");
+	public static final String ROLE_ADDER_FILE = "role-adder";
 	
-	public static final String ROLE_MODIFIER_FILE = "role-modifier"; //new File(REPO_DIR, "role-modifier.xml");
+	public static final String ROLE_MODIFIER_FILE = "role-modifier"; 
 	public static final String ROLE_MODIFIER_OID = "82005ae4-d90b-11e4-bdcc-001e8c717e5b";
+	
+	public static final String POLICY_ITEM_DEFINITION_GENERATE = "policy-generate"; 	
+	public static final String POLICY_ITEM_DEFINITION_GENERATE_BAD_PATH = "policy-generate-bad-path"; 
+	public static final String POLICY_ITEM_DEFINITION_GENERATE_EXECUTE = "policy-generate-execute";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT = "policy-validate-explicit";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT_CONFLICT = "policy-validate-explicit-conflict";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_SINGLE = "policy-validate-implicit-single";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI = "policy-validate-implicit-multi";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI_CONFLICT = "policy-validate-implicit-multi-conflict";
+
 
 	public static final File RESOURCE_OPENDJ_FILE = new File(BASE_REPO_DIR, "reosurce-opendj.xml");
 	public static final String RESOURCE_OPENDJ_OID = "ef2bc95b-76e0-59e2-86d6-3d4f02d3ffff";
 
-	public static final String USER_TEMPLATE_FILE = "user-template";//new File(REPO_DIR, "user-template.xml");
+	public static final String USER_TEMPLATE_FILE = "user-template";
 	public static final String USER_TEMPLATE_OID = "c0c010c0-d34d-b33f-f00d-777111111111";
 
-	public static final String ACCOUT_CHUCK_FILE = "account-chuck"; //new File(BASE_REPO_DIR, "account-chuck.xml");
+	public static final String ACCOUT_CHUCK_FILE = "account-chuck";
 	public static final String ACCOUT_CHUCK_OID = BASE_REPO_DIR + "a0c010c0-d34d-b33f-f00d-111111111666";
 
 	public static final File SYSTEM_CONFIGURATION_FILE = new File(BASE_REPO_DIR, "system-configuration.xml");
 
+	public static final File VALUE_POLICY_GENERAL = new File(BASE_REPO_DIR, "value-policy-general.xml");
+	public static final File VALUE_POLICY_NUMERIC = new File(BASE_REPO_DIR, "value-policy-numeric.xml");
+	
 	private static final Trace LOGGER = TraceManager.getTrace(TestAbstractRestService.class);
 
 	private final static String ENDPOINT_ADDRESS = "http://localhost:18080/rest";
@@ -209,6 +225,8 @@ private void startServer() throws Exception {
 		addObject(USER_NOBODY_FILE, result);
 		addObject(USER_CYCLOPS_FILE, result);
 		addObject(USER_SOMEBODY_FILE, result);
+		addObject(VALUE_POLICY_GENERAL, result);
+		addObject(VALUE_POLICY_NUMERIC, result);
 		addObject(SYSTEM_CONFIGURATION_FILE, result);
 
 		dummyAuditService = DummyAuditService.getInstance();
@@ -886,6 +904,243 @@ public void test401AddUserTemplateOverwrite() throws Exception {
 		dummyAuditService.assertHasDelta(1, ChangeType.ADD, ObjectTemplateType.class);
 
 	}
+	
+	
+	@Test
+	public void test501generateValue() throws Exception {
+		final String TEST_NAME = "test501generateValue";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/generate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_GENERATE));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+
+	}
+	
+	@Test
+	public void test502generateValueBadPath() throws Exception {
+		final String TEST_NAME = "test501generateValueBadPath";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/generate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_GENERATE_BAD_PATH));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 405 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+
+	}
+	
+	@Test
+	public void test503generateValueExecute() throws Exception {
+		final String TEST_NAME = "test503generateValueExecute";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/generate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_GENERATE_EXECUTE));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(4);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		dummyAuditService.assertHasDelta(1, ChangeType.MODIFY, UserType.class);
+		
+		//UserType user = loadObject(UserType.class, USER_DARTHADDER_OID);
+		//TODO assert changed items
+	}
+	
+	@Test
+	public void test504checkGeneratedValue() throws Exception {
+		final String TEST_NAME = "test503generateValueExecute";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID );
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.get();
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		UserType user = response.readEntity(UserType.class);
+		assertNotNull("EmployeeNumber must not be null", user.getEmployeeNumber());
+	}
+	
+	@Test
+	public void test510validateValueExplicit() throws Exception {
+		final String TEST_NAME = "test510validateValueExplicit";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+	
+	}
+	
+	@Test
+	public void test511validateValueExplicitConflict() throws Exception {
+		final String TEST_NAME = "test511validateValueExplicitConflict";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT_CONFLICT));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 409 but got " + response.getStatus(), 409, response.getStatus());
+		
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+		
+	}
+	
+	@Test
+	public void test512validateValueImplicitSingle() throws Exception {
+		final String TEST_NAME = "test512validateValueImplicitSingle";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_SINGLE));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+		
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+		
+	}
+	
+	@Test
+	public void test513validateValueImplicitMulti() throws Exception {
+		final String TEST_NAME = "test513validateValueImplicitMulti";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+	}
+	
+	@Test
+	public void test514validateValueImplicitMultiConflict() throws Exception {
+		final String TEST_NAME = "test514validateValueImplicitMultiConflict";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI_CONFLICT));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		OperationResultType result = response.readEntity(OperationResultType.class);
+		IntegrationTestTools.display(OperationResult.createOperationResult(result));
+		
+		assertEquals("Expected 409 but got " + response.getStatus(), 409, response.getStatus());
+	
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+	
+		
+	}
+	
+	
+	private <O extends ObjectType> O loadObject(Class<O> type, String oid) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
+		Task task = taskManager.createTaskInstance("loadObject");
+		OperationResult result = task.getResult();
+		
+		PrismObject<O> object = modelService.getObject(type, oid, null, task, result);
+		return object.asObjectable();
+	}
 
 	private WebClient prepareClient() {
 		return prepareClient(USER_ADMINISTRATOR_USERNAME, USER_ADMINISTRATOR_PASSWORD);
diff --git a/testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json b/testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json
new file mode 100644
index 00000000000..32d4db0e89e
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json
@@ -0,0 +1,15 @@
+{
+  "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+  "policyItemsDefinition": {
+    "policyItemDefinition": [{
+	  "target": {
+	    	"path": "parentOrgRef"
+	    },
+	  "valuePolicyRef": {
+	    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+	    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+	    "oid": "00000000-0000-0000-1111-000000000003"
+	  }
+	 }]
+  }
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-generate-execute.json b/testing/rest/src/test/resources/repo/json/policy-generate-execute.json
new file mode 100644
index 00000000000..87aa735f365
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-generate-execute.json
@@ -0,0 +1,28 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+    	"path": "phoneNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  }},{
+  "target": {
+    	"path": "employeeNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  },
+  "execute" : "true"
+  }, {
+  "target": {
+    	"path": "costCenter"
+    }
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-generate.json b/testing/rest/src/test/resources/repo/json/policy-generate.json
new file mode 100644
index 00000000000..5d19462e131
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-generate.json
@@ -0,0 +1,20 @@
+{
+  "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+  "policyItemsDefinition": {
+    "policyItemDefinition": [{
+      "target": {
+    	"path": "phoneNumber"
+      },
+      "valuePolicyRef": {
+        "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+        "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+        "oid": "00000000-0000-0000-1111-000000000003"
+      }
+    },
+    {
+     "target": {
+       "path": "costCenter"
+      }
+    }]
+  }
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json b/testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json
new file mode 100644
index 00000000000..5ad2c5dddbe
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json
@@ -0,0 +1,16 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+      "path": "employeeNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  },
+  "value" : "asdfg"
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-explicit.json b/testing/rest/src/test/resources/repo/json/policy-validate-explicit.json
new file mode 100644
index 00000000000..8e6a11aff17
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-explicit.json
@@ -0,0 +1,16 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": { 
+  "policyItemDefinition": [{
+  "target": {
+      "path": "employeeNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  },
+  "value" : "123456"
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json
new file mode 100644
index 00000000000..0084ca37687
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json
@@ -0,0 +1,15 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+      "path": "employeeType"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  }
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json
new file mode 100644
index 00000000000..f0bdce71ce3
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json
@@ -0,0 +1,10 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+      "path": "organization"
+    }
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json
new file mode 100644
index 00000000000..114ad06e6e6
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json
@@ -0,0 +1,15 @@
+{
+  "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+  "policyItemsDefinition": {
+    "policyItemDefinition": [{
+      "target": {
+        "path": "employeeNumber"
+      },
+      "valuePolicyRef": {
+        "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+        "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+        "oid": "00000000-0000-0000-1111-000000000003"
+      }
+   }]
+  }
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/user-darthadder.json b/testing/rest/src/test/resources/repo/json/user-darthadder.json
index 174cbfb0057..f0aa30de9ec 100644
--- a/testing/rest/src/test/resources/repo/json/user-darthadder.json
+++ b/testing/rest/src/test/resources/repo/json/user-darthadder.json
@@ -23,6 +23,9 @@
     "activation" : {
       "administrativeStatus" : "enabled"
     },
+    "employeeType" : ["user", "123user", "employeE"],
+    "employeeNumber" : "123456",
+    "organization" : ["Org1", "Org2", "Org3"],
     "fullName" : "Darth Adder",
     "givenName" : "Darth",
     "familyName" : "Adder",
diff --git a/testing/rest/src/test/resources/repo/system-configuration.xml b/testing/rest/src/test/resources/repo/system-configuration.xml
index 7ba4751822c..4b618321f9a 100644
--- a/testing/rest/src/test/resources/repo/system-configuration.xml
+++ b/testing/rest/src/test/resources/repo/system-configuration.xml
@@ -52,4 +52,5 @@
 		<rootLoggerAppender>IDM_LOG</rootLoggerAppender>
 		<rootLoggerLevel>INFO</rootLoggerLevel>
 	</logging>
+	<globalPasswordPolicyRef oid="81818181-76e0-59e2-8888-3d4f02d3fffb" type="ValuePolicyType"/>
 </systemConfiguration>
diff --git a/testing/rest/src/test/resources/repo/value-policy-general.xml b/testing/rest/src/test/resources/repo/value-policy-general.xml
new file mode 100644
index 00000000000..cf9745686b6
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/value-policy-general.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2013 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<valuePolicy oid="81818181-76e0-59e2-8888-3d4f02d3fffb" xsi:type="c:ValuePolicyType" version="0" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<name>Policy General</name>
+	<description>Complex Password policy requires at least one lowercase letter, at least one uppercase letter, at least one digit
+and at least on special character in the password. The password must start
+with a lowercase letter and must be at least 6 characters long.</description>
+	<lifetime>
+		<expiration>999</expiration>
+		<warnBeforeExpiration>9</warnBeforeExpiration>
+		<lockAfterExpiration>0</lockAfterExpiration>
+		<minPasswordAge>0</minPasswordAge>
+		<passwordHistoryLength>0</passwordHistoryLength>
+	</lifetime>
+	<stringPolicy>
+		<description>String validation policy</description>
+		<limitations>
+			<minLength>4</minLength>
+			<maxLength>32</maxLength>
+			<minUniqueChars>3</minUniqueChars>
+			<!-- not implemented yet
+			 <checkAgainstDictionary>true</checkAgainstDictionary>
+			 -->
+			<checkPattern />
+			<limit>
+				<description>Lowercase alphanumeric characters</description>
+				<minOccurs>1</minOccurs>
+				<mustBeFirst>false</mustBeFirst>
+				<characterClass>
+					<value>abcdefghijklmnopqrstuvwxyz</value>
+				</characterClass>
+			</limit>
+			<limit>
+				<description>Uppercase alphanumeric characters</description>
+				<minOccurs>1</minOccurs>
+				<mustBeFirst>true</mustBeFirst>
+				<characterClass>
+					<value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
+				</characterClass>
+			</limit>
+			<limit>
+				<description>Numeric characters</description>
+				<minOccurs>1</minOccurs>
+				<mustBeFirst>false</mustBeFirst>
+				<characterClass>
+					<value>1234567890</value>
+				</characterClass>
+			</limit>
+			<limit>
+				<description>Special characters</description>
+				<mustBeFirst>false</mustBeFirst>
+				<characterClass>
+					<value> !"#$%&amp;'()*+,-.:;&lt;&gt;?@[]^_`{|}~</value>
+				</characterClass>
+			</limit>
+		</limitations>
+	</stringPolicy>
+</valuePolicy>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/value-policy-numeric.xml b/testing/rest/src/test/resources/repo/value-policy-numeric.xml
new file mode 100644
index 00000000000..6e3e1240109
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/value-policy-numeric.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2013 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<valuePolicy oid="00000000-0000-0000-1111-000000000003" xsi:type="c:ValuePolicyType" version="0" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<name>Numeric Policy</name>
+	<description>A policy useful for generating PIN.</description>
+	<lifetime>
+		<expiration>999</expiration>
+		<warnBeforeExpiration>9</warnBeforeExpiration>
+		<lockAfterExpiration>0</lockAfterExpiration>
+		<minPasswordAge>0</minPasswordAge>
+		<passwordHistoryLength>0</passwordHistoryLength>
+	</lifetime>
+	<stringPolicy>
+		<description>String validation policy</description>
+		<limitations>
+			<minLength>4</minLength>
+			<maxLength>15</maxLength>
+			<minUniqueChars>2</minUniqueChars>
+			<!-- not implemented yet
+			 <checkAgainstDictionary>false</checkAgainstDictionary>
+			 -->
+			<checkPattern />
+			<limit>
+				<description>Numeric characters</description>
+				<!--<minOccurs>1</minOccurs>
+				<mustBeFirst>false</mustBeFirst>-->
+				<characterClass>
+					<value>1234567890</value>
+				</characterClass>
+			</limit>
+		</limitations>
+	</stringPolicy>
+</valuePolicy>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml b/testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml
new file mode 100644
index 00000000000..409f46b497f
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>parentOrgRef</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml b/testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml
new file mode 100644
index 00000000000..a8bd3395a0a
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>phoneNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+		<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<execute>true</execute>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	<policyItemDefinition>
+		<c:target>
+			<t:path>costCenter</t:path>
+		</c:target>
+	</policyItemDefinition>
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-generate.xml b/testing/rest/src/test/resources/repo/xml/policy-generate.xml
new file mode 100644
index 00000000000..747fd76dfa4
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-generate.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>phoneNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	<policyItemDefinition>
+		<c:target>
+			<t:path>costCenter</t:path>
+		</c:target>
+	</policyItemDefinition>
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml
new file mode 100644
index 00000000000..68ae1972a92
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+		<c:value>asdfg</c:value>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml
new file mode 100644
index 00000000000..5a1c7c6942b
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+		<c:value>123456</c:value>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml
new file mode 100644
index 00000000000..80fb916579c
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeType</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml
new file mode 100644
index 00000000000..cbe9b192170
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>organization</t:path>
+		</c:target>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml
new file mode 100644
index 00000000000..ea186c0ccf2
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/user-darthadder.xml b/testing/rest/src/test/resources/repo/xml/user-darthadder.xml
index 49af1b5ef31..f507d800c06 100644
--- a/testing/rest/src/test/resources/repo/xml/user-darthadder.xml
+++ b/testing/rest/src/test/resources/repo/xml/user-darthadder.xml
@@ -35,6 +35,13 @@
 	<c:fullName>Darth Adder</c:fullName>
 	<c:givenName>Darth</c:givenName>
 	<c:familyName>Adder</c:familyName>
+	<c:employeeType>user</c:employeeType>
+	<c:employeeType>123user</c:employeeType>
+	<c:employeeType>employeE</c:employeeType>
+	<c:employeeNumber>123456</c:employeeNumber>
+	<c:organization>Org1</c:organization>
+	<c:organization>Org2</c:organization>
+	<c:organization>Org3</c:organization>
 	<c:credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 		<c:password>
 			<c:value xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml b/testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml
new file mode 100644
index 00000000000..b752336713d
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml
@@ -0,0 +1,9 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "parentOrgRef"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml b/testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml
new file mode 100644
index 00000000000..ce8bc99531f
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml
@@ -0,0 +1,18 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "phoneNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+    execute: true
+  - target:
+      path: "costCenter"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-generate.yml b/testing/rest/src/test/resources/repo/yaml/policy-generate.yml
new file mode 100644
index 00000000000..f9c705d5555
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-generate.yml
@@ -0,0 +1,11 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "phoneNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+  - target :
+      path: "costCenter"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml
new file mode 100644
index 00000000000..b4fbabb9729
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml
@@ -0,0 +1,10 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+    value: "asdfg"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml
new file mode 100644
index 00000000000..524e698560c
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml
@@ -0,0 +1,10 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+    value: "123456"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml
new file mode 100644
index 00000000000..a2b54549d0f
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml
@@ -0,0 +1,9 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeType"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml
new file mode 100644
index 00000000000..44b3f66a402
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml
@@ -0,0 +1,5 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "organization"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml
new file mode 100644
index 00000000000..1ae2fead4be
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml
@@ -0,0 +1,9 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml b/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml
index 96884cd1ac7..f9f7ef8596d 100644
--- a/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml
+++ b/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml
@@ -40,6 +40,15 @@ user:
   fullName: "Darth Adder"
   givenName: "Darth"
   familyName: "Adder"
+  employeeType : 
+  - "user"
+  - "123user"
+  - "employeE"
+  employeeNumber : "123456"
+  organization : 
+  - "Org1"
+  - "Org2"
+  - "Org3"
   credentials:
     password:
       value:

From 09144319ddbae1ffd8306ba49c45126e1ef3e356 Mon Sep 17 00:00:00 2001
From: honchar <honchar@evolveum.com>
Date: Mon, 20 Mar 2017 03:27:15 +0100
Subject: [PATCH 2/2] object collections settings are applied on the role
 catalog page

---
 .../assignment/AssignmentCatalogPanel.java    | 43 ++++++++----
 .../page/self/PageAssignmentShoppingKart.java | 68 +++++++++++++++++--
 .../web/page/self/dto/AssignmentViewType.java | 17 ++++-
 .../web/session/RoleCatalogStorage.java       |  5 +-
 .../schema/constants/SchemaConstants.java     |  6 ++
 5 files changed, 117 insertions(+), 22 deletions(-)

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/AssignmentCatalogPanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/AssignmentCatalogPanel.java
index 49f868fd0eb..bb69af930d0 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/AssignmentCatalogPanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/AssignmentCatalogPanel.java
@@ -57,6 +57,7 @@
 import com.evolveum.midpoint.web.session.SessionStorage;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.EnumUtils;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.ajax.form.OnChangeAjaxBehavior;
 import org.apache.wicket.ajax.markup.html.AjaxLink;
@@ -112,28 +113,31 @@ public class AssignmentCatalogPanel<F extends AbstractRoleType> extends BasePane
     private int itemsPerRow = 4;
     private boolean showUserSelectionPopup = true;
     private List<AssignmentEditorDto> listProviderData;
-
+    private AssignmentViewType defaultAssignmentViewType = AssignmentViewType.ROLE_CATALOG_VIEW;
+    List<AssignmentViewType> viewTypeList = new ArrayList<>();
 
     public AssignmentCatalogPanel(String id) {
         super(id);
     }
 
-    public AssignmentCatalogPanel(String id, String rootOid, PageBase pageBase) {
+    public AssignmentCatalogPanel(String id, String rootOid, List<AssignmentViewType> viewTypeList, PageBase pageBase) {
         super(id);
         this.pageBase = pageBase;
         this.rootOid = rootOid;
+        this.viewTypeList = viewTypeList;
         AssignmentViewType.saveViewTypeToSession(pageBase, AssignmentViewType.ROLE_CATALOG_VIEW);
         initLayout();
     }
 
-    public AssignmentCatalogPanel(String id, PageBase pageBase) {
-        this(id, AssignmentViewType.getViewTypeFromSession(pageBase), pageBase);
+    public AssignmentCatalogPanel(String id, List<AssignmentViewType> viewTypeList, PageBase pageBase) {
+        this(id, AssignmentViewType.getViewTypeFromSession(pageBase), viewTypeList, pageBase);
     }
 
-     public AssignmentCatalogPanel(String id, AssignmentViewType viewType, PageBase pageBase) {
+     public AssignmentCatalogPanel(String id, AssignmentViewType viewType, List<AssignmentViewType> viewTypeList, PageBase pageBase) {
         super(id);
         this.pageBase = pageBase;
-        AssignmentViewType.saveViewTypeToSession(pageBase, viewType);
+         AssignmentViewType.saveViewTypeToSession(pageBase, viewType);
+         this.viewTypeList = viewTypeList;
          initLayout();
     }
 
@@ -221,6 +225,7 @@ protected OrgTreeStateStorage getOrgTreeStateStorage(){
             treePanel.setOutputMarkupId(true);
             treePanelContainer.add(new AttributeAppender("class", "col-md-3"));
             treePanelContainer.add(new VisibleEnableBehaviour(){
+                private static final long serialVersionUID = 1L;
                 @Override
                 public boolean isVisible(){
                     return !isCatalogOidEmpty();
@@ -243,6 +248,7 @@ public boolean isVisible(){
         Label assignmentsOwnerLabel = new Label(ID_ASSIGNMENTS_OWNER_NAME,
                 createStringResource("AssignmentCatalogPanel.assignmentsOwner", assignmentsOwnerName));
         assignmentsOwnerLabel.add(new VisibleEnableBehaviour(){
+            private static final long serialVersionUID = 1L;
             @Override
             public boolean isVisible(){
                 return AssignmentViewType.USER_TYPE.equals(pageBase.getSessionStorage().getRoleCatalog().getViewType());
@@ -295,6 +301,7 @@ private void selectTreeItemPerformed(SelectableBean<OrgType> selected, AjaxReque
 
     private void initModels(){
         selectedTreeItemOidModel = new IModel<String>() {
+            private static final long serialVersionUID = 1L;
             @Override
             public String getObject() {
                 return StringUtils.isEmpty(pageBase.getSessionStorage().getRoleCatalog().getSelectedOid()) ?
@@ -312,6 +319,7 @@ public void detach() {
             }
         };
         viewModel = new IModel<AssignmentViewType>() {
+            private static final long serialVersionUID = 1L;
             @Override
             public AssignmentViewType getObject() {
                 return AssignmentViewType.getViewTypeFromSession(pageBase);
@@ -329,6 +337,7 @@ public void detach() {
         };
 
         searchModel = new LoadableModel<Search>(false) {
+            private static final long serialVersionUID = 1L;
             @Override
             public Search load() {
                 Search search = SearchFactory.createSearch(AbstractRoleType.class, pageBase.getPrismContext(),
@@ -338,6 +347,7 @@ public Search load() {
         };
 
         targetUserModel = new IModel<PrismObject<UserType>>() {
+            private static final long serialVersionUID = 1L;
             @Override
             public PrismObject<UserType> getObject() {
                 return getTargetUser();
@@ -367,6 +377,7 @@ private void initUserSelectionPanel(WebMarkupContainer headerPanel){
         WebMarkupContainer targetUserContainer = new WebMarkupContainer(ID_TARGET_USER_CONTAINER);
         targetUserContainer.setOutputMarkupId(true);
         AjaxLink<String> targetUserButton = new AjaxLink<String>(ID_TARGET_USER_BUTTON) {
+            private static final long serialVersionUID = 1L;
             @Override
             public void onClick(AjaxRequestTarget target) {
                 if (showUserSelectionPopup) {
@@ -381,6 +392,7 @@ public void onClick(AjaxRequestTarget target) {
         targetUserButton.add(label);
 
         AjaxLink deleteButton = new AjaxLink(ID_DELETE_TARGET_USER_BUTTON) {
+            private static final long serialVersionUID = 1L;
             @Override
             public void onClick(AjaxRequestTarget target) {
                 showUserSelectionPopup = false;
@@ -389,6 +401,7 @@ public void onClick(AjaxRequestTarget target) {
             }
         };
         deleteButton.add(new VisibleEnableBehaviour(){
+            private static final long serialVersionUID = 1L;
             @Override
             public boolean isVisible(){
                 return pageBase.getSessionStorage().getRoleCatalog().getTargetUser() != null;
@@ -398,9 +411,12 @@ public boolean isVisible(){
         headerPanel.add(targetUserContainer);
     }
     private void initViewSelector(WebMarkupContainer headerPanel){
-        DropDownChoice<AssignmentViewType> viewSelect = new DropDownChoice(ID_VIEW_TYPE, viewModel, new ListModel(createAssignableTypesList()),
+        DropDownChoice<AssignmentViewType> viewSelect = new DropDownChoice(ID_VIEW_TYPE, viewModel,
+                Model.ofList(viewTypeList != null && viewTypeList.size() > 0 ?
+                        viewTypeList : createAssignableTypesList()),
                 new EnumChoiceRenderer<AssignmentViewType>(this));
         viewSelect.add(new OnChangeAjaxBehavior() {
+            private static final long serialVersionUID = 1L;
 
             @Override
             protected void onUpdate(AjaxRequestTarget target) {
@@ -430,6 +446,7 @@ private WebMarkupContainer getHeaderPanel(){
     private DropDownChoice getViewSelectComponent(){
         return (DropDownChoice)getHeaderPanel().get(ID_VIEW_TYPE);
     }
+
     private void initSearchPanel(WebMarkupContainer headerPanel) {
         final Form searchForm = new Form(ID_SEARCH_FORM);
         headerPanel.add(searchForm);
@@ -442,6 +459,7 @@ public boolean isVisible() {
         searchForm.setOutputMarkupId(true);
 
         SearchPanel search = new SearchPanel(ID_SEARCH, (IModel) searchModel, false) {
+            private static final long serialVersionUID = 1L;
 
             @Override
             public void searchPerformed(ObjectQuery query, AjaxRequestTarget target) {
@@ -487,7 +505,7 @@ protected ObjectQuery createContentQuery(ObjectQuery searchQuery) {
     private ObjectQuery createMemberQuery(QName focusTypeClass) {
         ObjectQuery query = new ObjectQuery();
         ObjectFilter filter = null;
-        if (focusTypeClass.equals(RoleType.COMPLEX_TYPE)) {
+        if (RoleType.COMPLEX_TYPE.equals(focusTypeClass)) {
             LOGGER.debug("Loading roles which the current user has right to assign");
             OperationResult result = new OperationResult(OPERATION_LOAD_ASSIGNABLE_ROLES);
             try {
@@ -606,10 +624,10 @@ private boolean isCatalogOidEmpty(){
     private void initUserSelectionPopup(StringResourceModel title, boolean targetUserSelection, AjaxRequestTarget target) {
 
         List<QName> supportedTypes = new ArrayList<>();
-        supportedTypes.add(getPageBase().getPrismContext().getSchemaRegistry()
+        supportedTypes.add(pageBase.getPrismContext().getSchemaRegistry()
                 .findObjectDefinitionByCompileTimeClass(UserType.class).getTypeName());
-        ObjectBrowserPanel<UserType> focusBrowser = new ObjectBrowserPanel<UserType>(getPageBase().getMainPopupBodyId(),
-                UserType.class, supportedTypes, false, getPageBase()) {
+        ObjectBrowserPanel<UserType> focusBrowser = new ObjectBrowserPanel<UserType>(pageBase.getMainPopupBodyId(),
+                UserType.class, supportedTypes, false, pageBase) {
             @Override
             protected void onSelectPerformed(AjaxRequestTarget target, UserType targetUser) {
                 super.onSelectPerformed(target, targetUser);
@@ -631,7 +649,7 @@ public StringResourceModel getTitle() {
             }
 
         };
-        getPageBase().showMainPopup(focusBrowser, target);
+        pageBase.showMainPopup(focusBrowser, target);
     }
 
     private WebMarkupContainer getTargetUserContainer(){
@@ -682,5 +700,6 @@ private PrismObject<UserType> getTargetUser(){
         }
         return pageBase.loadUserSelf(pageBase);
     }
+
 }
 
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageAssignmentShoppingKart.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageAssignmentShoppingKart.java
index d5a9304841c..c6b37fda14c 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageAssignmentShoppingKart.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageAssignmentShoppingKart.java
@@ -33,6 +33,9 @@
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.form.Form;
 
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * Created by honchar.
  */
@@ -50,6 +53,7 @@ public class PageAssignmentShoppingKart extends PageSelf {
     private static final String ID_MAIN_FORM = "mainForm";
     private static final String DOT_CLASS = PageAssignmentShoppingKart.class.getName() + ".";
     private static final String OPERATION_LOAD_ROLE_CATALOG_REFERENCE = DOT_CLASS + "loadRoleCatalogReference";
+    private static final String OPERATION_GET_ASSIGNMENT_VIEW_LIST = DOT_CLASS + "getAssignmentViewList";
     private static final Trace LOGGER = TraceManager.getTrace(PageAssignmentShoppingKart.class);
 
     private String catalogOid = null;
@@ -91,12 +95,40 @@ private String getRoleCatalogOid() {
     }
 
     private Component initMainPanel() {
-        AssignmentViewType viewType = AssignmentViewType.getViewTypeFromSession(getPageBase());
+        List<AssignmentViewType> viewTypeList = getAssignmentViewList();
+        AssignmentViewType viewType = null;
+        AssignmentViewType viewTypeIfNoRoleCatalog = null;
+        if (viewTypeList != null && viewTypeList.size() > 0){
+            for (AssignmentViewType assignmentViewType : viewTypeList){
+                if (AssignmentViewType.ROLE_CATALOG_VIEW.equals(assignmentViewType)){
+                    viewType = AssignmentViewType.ROLE_CATALOG_VIEW;
+                    break;
+                }
+            }
+            if (viewType == null){
+                viewType = viewTypeList.get(0);
+                viewTypeIfNoRoleCatalog = viewTypeList.get(0);
+            } else {
+                if (viewTypeList.size() == 1){
+                    viewTypeIfNoRoleCatalog = viewTypeList.get(0);
+                } else {
+                    for (AssignmentViewType assignmentViewType : viewTypeList){
+                        if (!viewType.equals(assignmentViewType)){
+                            viewTypeIfNoRoleCatalog = assignmentViewType;
+                            break;
+                        }
+                    }
+                }
+            }
+        } else {
+            viewType = AssignmentViewType.ROLE_CATALOG_VIEW;
+            viewTypeIfNoRoleCatalog = AssignmentViewType.ROLE_TYPE;
+        }
         if (AssignmentViewType.ROLE_CATALOG_VIEW.equals(viewType)) {
             if (StringUtils.isEmpty(catalogOid)) {
-                if (isFirstInit) {
+                if (isFirstInit && !viewTypeIfNoRoleCatalog.equals(AssignmentViewType.ROLE_CATALOG_VIEW)) {
                     isFirstInit = false;
-                    AssignmentCatalogPanel panel = new AssignmentCatalogPanel(ID_MAIN_PANEL, AssignmentViewType.ROLE_TYPE, PageAssignmentShoppingKart.this);
+                    AssignmentCatalogPanel panel = new AssignmentCatalogPanel(ID_MAIN_PANEL, viewTypeIfNoRoleCatalog, viewTypeList, PageAssignmentShoppingKart.this);
                     panel.setOutputMarkupId(true);
                     return panel;
                 } else {
@@ -105,15 +137,41 @@ private Component initMainPanel() {
                     return panel;
                 }
             } else {
-                AssignmentCatalogPanel panel = new AssignmentCatalogPanel(ID_MAIN_PANEL, catalogOid, PageAssignmentShoppingKart.this);
+                AssignmentCatalogPanel panel = new AssignmentCatalogPanel(ID_MAIN_PANEL, catalogOid, viewTypeList, PageAssignmentShoppingKart.this);
                 panel.setOutputMarkupId(true);
                 return panel;
             }
         } else {
-            AssignmentCatalogPanel panel = new AssignmentCatalogPanel(ID_MAIN_PANEL, PageAssignmentShoppingKart.this);
+            AssignmentCatalogPanel panel = new AssignmentCatalogPanel(ID_MAIN_PANEL, viewType, viewTypeList, PageAssignmentShoppingKart.this);
             panel.setRootOid(catalogOid);
             panel.setOutputMarkupId(true);
             return panel;
         }
     }
+
+    private List<AssignmentViewType> getAssignmentViewList() {
+        OperationResult result = new OperationResult(OPERATION_GET_ASSIGNMENT_VIEW_LIST);
+        SystemConfigurationType config;
+        List<AssignmentViewType> assignmentViewTypes = new ArrayList<>();
+        try {
+            config = getModelInteractionService().getSystemConfiguration(result);
+        } catch (ObjectNotFoundException | SchemaException e) {
+            LOGGER.error("Error getting system configuration: {}", e.getMessage(), e);
+            return null;
+        }
+        if (config != null && config.getRoleManagement() != null
+                && config.getRoleManagement().getRoleCatalogCollections() != null
+                && config.getRoleManagement().getRoleCatalogCollections().getCollection() != null) {
+            for (ObjectCollectionUseType collection :
+                    config.getRoleManagement().getRoleCatalogCollections().getCollection()){
+                for (AssignmentViewType viewType : AssignmentViewType.values()){
+                    if (viewType.getUri().equals(collection.getCollectionUri())){
+                        assignmentViewTypes.add(viewType);
+                    }
+                }
+            }
+        }
+        return assignmentViewTypes;
+    }
+
 }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/dto/AssignmentViewType.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/dto/AssignmentViewType.java
index c0bba1227b0..f6efc75682b 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/dto/AssignmentViewType.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/dto/AssignmentViewType.java
@@ -17,13 +17,28 @@
 package com.evolveum.midpoint.web.page.self.dto;
 
 import com.evolveum.midpoint.gui.api.page.PageBase;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.web.session.SessionStorage;
 
 /**
  * Created by honchar.
  */
 public enum AssignmentViewType {
-    ROLE_CATALOG_VIEW, ROLE_TYPE, ORG_TYPE, SERVICE_TYPE, USER_TYPE;
+    ROLE_CATALOG_VIEW(SchemaConstants.OBJECT_COLLECTION_ROLE_CATALOG_URI),
+    ROLE_TYPE(SchemaConstants.OBJECT_COLLECTION_ALL_ROLES_URI),
+    ORG_TYPE(SchemaConstants.OBJECT_COLLECTION_ALL_ORGS_URI),
+    SERVICE_TYPE(SchemaConstants.OBJECT_COLLECTION_ALL_SERVICES_URI),
+    USER_TYPE(SchemaConstants.OBJECT_COLLECTION_USER_ASSIGNMENTS_URI);
+
+    private String uri;
+
+    AssignmentViewType(String uri){
+        this.uri = uri;
+    }
+
+    public String getUri() {
+        return uri;
+    }
 
     public static AssignmentViewType getViewTypeFromSession(PageBase pageBase){
         SessionStorage storage = pageBase.getSessionStorage();
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/session/RoleCatalogStorage.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/session/RoleCatalogStorage.java
index d3d3cde6a10..9c514d929c0 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/session/RoleCatalogStorage.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/session/RoleCatalogStorage.java
@@ -49,7 +49,7 @@ public class RoleCatalogStorage implements PageStorage, OrgTreeStateStorage {
     private int selectedTabId = 0;                 //selected tab id on the Org. structure page
     private SelectableBean<OrgType> collapsedItem = null;                 //collapsed tree item
     private List<AssignmentEditorDto> assignmentShoppingCart;   //  a list of assignments in the shopping cart
-    private AssignmentViewType viewType = AssignmentViewType.ROLE_CATALOG_VIEW;      //the current view type
+    private AssignmentViewType viewType = null;      //the current view type
     private PrismObject<UserType> targetUser = null;
     private PrismObject<UserType> assignmentsUserOwner = null;
     private List<AssignmentConflictDto> conflictsList;
@@ -154,9 +154,6 @@ public void setAssignmentShoppingCart(List<AssignmentEditorDto> assignmentShoppi
     }
 
     public AssignmentViewType getViewType() {
-        if (viewType == null){
-            viewType = AssignmentViewType.ROLE_TYPE;
-        }
         return viewType;
     }
 
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
index b4c71e19350..c11dd7b9d4c 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
@@ -432,6 +432,12 @@ public abstract class SchemaConstants {
 	public static final QName OBJECT_COLLECTION_ALL_SERVICES_QNAME = new QName(NS_OBJECT_COLLECTIONS, "allServices");
 	public static final String OBJECT_COLLECTION_ALL_SERVICES_URI = QNameUtil.qNameToUri(OBJECT_COLLECTION_ALL_SERVICES_QNAME);
 	
+	/**
+	 * Collection that contains user's assignments.
+	 */
+	public static final QName OBJECT_COLLECTION_USER_ASSIGNMENTS_QNAME = new QName(NS_OBJECT_COLLECTIONS, "userAssignments");
+	public static final String OBJECT_COLLECTION_USER_ASSIGNMENTS_URI = QNameUtil.qNameToUri(OBJECT_COLLECTION_ALL_SERVICES_QNAME);
+
 	// Samples
 
 	public static final QName SAMPLES_SSN = new QName(SchemaConstants.NS_SAMPLES_EXTENSION, "ssn");