Merge remote-tracking branch 'refs/remotes/origin/master'
skublik committed Mar 22, 2024
2 parents b3c6059 + c28544c commit 9c5054c
Showing 4 changed files with 22 additions and 13 deletions.
9 changes: 8 additions & 1 deletion docs/roles-policies/classification/index.adoc
@@ -9,6 +9,8 @@ compliance:
description: 'Example demonstrating use of policy rules to enforce classification requirements'
'5.14':
description: 'Description of an idea for limiting access to internal information using classification scheme'
'5.16':
description: 'Management of user clearances'
---
= Information Classification and Clearances
:page-toc: top
@@ -301,7 +303,12 @@ E.g. certify access to category III systems every 6 months, certify access to ca
// TODO: create an example for this, after 4.9 when new certification settles in.
// TODO: Refer from ISO 27001 5.13

* As classifications (labels) and clearances are assigned to relevant objects using ordinary feature:assignment[assignments], feature:access-certification[access certification] features can be used to regularly re-certify the classifications and clearances. Furthermore, the feature:schema-activation[activation mechanisms] of the assignment can be used to assign clearances for a limited time period.
* As clearances are assigned to users using ordinary feature:assignment[assignments], feature:access-certification[access certification] features can be used to regularly re-certify the clearances. Furthermore, the feature:schema-activation[activation mechanisms] of the assignment can be used to assign clearances for a limited time period.
// TODO: create an example for this, after 4.9 when new certification settles in.
// TODO: Refer from ISO 27001 5.6

// TODO * As classifications (labels) are assigned to relevant objects using ordinary feature:assignment[assignments], feature:access-certification[access certification] features can be used to regularly re-certify the classifications.
// TODO: we need ability to replace assignment in certification, not just removal of assignment
// TODO: create an example for this, after 4.9 when new certification settles in.
// TODO: Refer from ISO 27001 5.12

@@ -190,14 +190,14 @@ private boolean processItem(
return false;
}

if (def.isOperational()) {
return true;
}

if (def.isOptionalCleanup()) {
return fireConfirmOptionalCleanup(createEvent(object, currentPath, item, source, result));
}

if (def.isOperational()) {
return true;
}

return false;
}
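Review bot: The reordered checks make the result for an item whose definition is both operational and optional-cleanup depend purely on statement order, and nothing in the hunk records that. With the new order such an item goes through `fireConfirmOptionalCleanup(...)` instead of returning `true` unconditionally. A comment above the first check, e.g. `// Optional-cleanup is evaluated before operational on purpose: an item flagged as both must be confirmed via fireConfirmOptionalCleanup.`, would keep a later refactoring from swapping them back. A test using a definition with both flags set would pin the behaviour. processItem starts outside the hunk, so what the boolean result means to its caller is not visible here.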

@@ -316,6 +316,8 @@ public PrismObjectDefinition<ShadowType> getPrismObjectDefinition() {
if (prismObjectDefinition == null) {
PrismObjectDefinition<ShadowType> definition = toPrismObjectDefinition();
definition.freeze();
// We could also consider not caching the definition if this object is still mutable. That would be perhaps safer.
// Currently, it is solved by invalidation this definition when attributes/associations are added. See also MID-9535.
this.prismObjectDefinition = definition;
}
return prismObjectDefinition;
@@ -757,6 +759,7 @@ public void add(ItemDefinition<?> definition) {
}

attributeDefinitions.add(definitionToAdd);
invalidatePrismObjectDefinition();
return definitionToAdd;
}

@@ -814,6 +817,7 @@ public void validate() throws SchemaException {
void addAssociationDefinition(@NotNull ShadowAssociationDefinition associationDef) {
checkMutable();
associationDefinitions.add(associationDef);
invalidatePrismObjectDefinition();
}

void addAuxiliaryObjectClassDefinition(@NotNull ResourceObjectDefinition definition) {
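Review bot: The cache invalidation covers the attribute-adding method in the second hunk and `addAssociationDefinition`, but `addAuxiliaryObjectClassDefinition`, whose signature is the last visible line of the third hunk, is a mutator as well and its body lies outside the hunk. If auxiliary object class definitions contribute to what `toPrismObjectDefinition()` builds, that method needs `invalidatePrismObjectDefinition();` too, otherwise `getPrismObjectDefinition()` keeps returning a frozen definition that no longer matches the object. Because the protection is per-mutator, every future method that changes the definition has to remember the call; the new comment already names the safer alternative of not caching while the object is mutable. The cached field is also read and assigned without any visible synchronization, so it is worth confirming that this object is not shared between threads while it is still mutable.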
@@ -30,13 +30,6 @@
<icfi:supportValidity>true</icfi:supportValidity>
<icfi:passwordReadabilityMode>readable</icfi:passwordReadabilityMode>
</icfc:configurationProperties>

<icfc:resultsHandlerConfiguration>
<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
</icfc:resultsHandlerConfiguration>

</connectorConfiguration>
<!-- No schema. It should be generated by provisioning on the first use of this resource. -->
<schemaHandling>
@@ -56,7 +49,12 @@
<intent>default</intent>
<displayName>Default Account</displayName>
<default>true</default>
<objectClass>ri:AccountObjectClass</objectClass>
<delineation>
<objectClass>ri:AccountObjectClass</objectClass>
<filter> <!-- MID-9535 -->
<q:text>attributes/name not endsWith "nonsense-string"</q:text>
</filter>
</delineation>
<attribute>
<ref>icfs:name</ref>
<displayName>Username</displayName>
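Review bot: The `<!-- MID-9535 -->` comment on the new `<filter>` gives only an issue id, so a reader cannot tell whether `attributes/name not endsWith "nonsense-string"` is meant to let every real account through. If that is the intent, a wording such as `<!-- MID-9535: filter intentionally matches all accounts; it is here only so that the delineation carries a filter -->` would say so. The same file section also drops the `resultsHandlerConfiguration` block that set all three handlers explicitly to `false`. Whether the framework defaults keep them disabled is not visible here, and with a search filter now part of the delineation it is worth confirming which layer applies it. The enclosing object type definition starts and ends outside the hunk.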