From ce202a611db94e326917c3448f3a281c39db81fb Mon Sep 17 00:00:00 2001
From: Katarina Valalikova <k.valalikova@evolveum.com>
Date: Sun, 19 Mar 2017 22:20:02 +0100
Subject: [PATCH] rest api validate/generate operations. added tests.

---
 .../xml/ns/public/common/api-types-3.xsd      |   3 +
 .../midpoint/model/impl/ModelRestService.java | 198 ++++++++++---
 .../testing/rest/TestAbstractRestService.java | 267 +++++++++++++++++-
 .../repo/json/policy-generate-bad-path.json   |  15 +
 .../repo/json/policy-generate-execute.json    |  28 ++
 .../resources/repo/json/policy-generate.json  |  20 ++
 .../policy-validate-explicit-conflict.json    |  16 ++
 .../repo/json/policy-validate-explicit.json   |  16 ++
 ...licy-validate-implicit-multi-conflict.json |  15 +
 .../json/policy-validate-implicit-multi.json  |  10 +
 .../json/policy-validate-implicit-single.json |  15 +
 .../resources/repo/json/user-darthadder.json  |   3 +
 .../resources/repo/system-configuration.xml   |   1 +
 .../resources/repo/value-policy-general.xml   |  73 +++++
 .../resources/repo/value-policy-numeric.xml   |  48 ++++
 .../repo/xml/policy-generate-bad-path.xml     |  14 +
 .../repo/xml/policy-generate-execute.xml      |  26 ++
 .../resources/repo/xml/policy-generate.xml    |  19 ++
 .../xml/policy-validate-explicit-conflict.xml |  16 ++
 .../repo/xml/policy-validate-explicit.xml     |  16 ++
 ...olicy-validate-implicit-multi-conflict.xml |  15 +
 .../xml/policy-validate-implicit-multi.xml    |  14 +
 .../xml/policy-validate-implicit-single.xml   |  15 +
 .../resources/repo/xml/user-darthadder.xml    |   7 +
 .../repo/yaml/policy-generate-bad-path.yml    |   9 +
 .../repo/yaml/policy-generate-execute.yml     |  18 ++
 .../resources/repo/yaml/policy-generate.yml   |  11 +
 .../policy-validate-explicit-conflict.yml     |  10 +
 .../repo/yaml/policy-validate-explicit.yml    |  10 +
 ...olicy-validate-implicit-multi-conflict.yml |   9 +
 .../yaml/policy-validate-implicit-multi.yml   |   5 +
 .../yaml/policy-validate-implicit-single.yml  |   9 +
 .../resources/repo/yaml/user-darthadder.yml   |   9 +
 33 files changed, 913 insertions(+), 47 deletions(-)
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-generate-execute.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-generate.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-explicit.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json
 create mode 100644 testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json
 create mode 100644 testing/rest/src/test/resources/repo/value-policy-general.xml
 create mode 100644 testing/rest/src/test/resources/repo/value-policy-numeric.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-generate.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml
 create mode 100644 testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-generate.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml
 create mode 100644 testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd
index 9b7d00a3fd3..48377165c04 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/api-types-3.xsd
@@ -577,6 +577,9 @@
 	                <xsd:documentation>
 	                    Contains either generated value or value which will be validated
 	                </xsd:documentation>
+	                <xsd:appinfo>
+                        <a:rawType/>
+                    </xsd:appinfo>
 	            </xsd:annotation>
         	</xsd:element>
         	
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
index d0ca3ccccd8..fa2237b77cb 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
@@ -19,6 +19,7 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.stream.Collectors;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@@ -39,6 +40,7 @@
 import javax.xml.bind.JAXBException;
 import javax.xml.namespace.QName;
 
+import org.apache.commons.configuration.SystemConfiguration;
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
@@ -64,10 +66,13 @@
 import com.evolveum.midpoint.prism.ItemDefinition;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.PropertyDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.QueryJaxbConvertor;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
@@ -80,7 +85,9 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -95,17 +102,20 @@
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectListType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectModificationType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemDefinitionType;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemTargetType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemsDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ScriptOutputsType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.SingleScriptOutputType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.LogFileContentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectShadowChangeDescriptionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
@@ -113,6 +123,7 @@
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ItemListType;
 import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ScriptingExpressionType;
 import com.evolveum.prism.xml.ns._public.query_3.QueryType;
+import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
 
 /**
@@ -142,10 +153,12 @@ public class ModelRestService {
 	public static final String OPERATION_COMPARE = CLASS_DOT + "compare";
 	public static final String OPERATION_GET_LOG_FILE_CONTENT = CLASS_DOT + "getLogFileContent";
 	public static final String OPERATION_GET_LOG_FILE_SIZE = CLASS_DOT + "getLogFileSize";
+	public static final String OPERATION_VALIDATE_VALUE = CLASS_DOT +  "validateValue";
+	
 	private static final String CURRENT = "current";
 	private static final String VALIDATE = "validate";
-
-	@Autowired
+	
+		@Autowired
 	private ModelCrudService model;
 
 	@Autowired
@@ -205,9 +218,9 @@ public <O extends ObjectType> Response generateValue(@PathParam("type") String t
 		try {
 			PrismObject<O> object = model.getObject(clazz, oid, null, task, parentResult);
 
-			PrismObject<ValuePolicyType> valuePolicy = resolveUserPolicy((PrismObject<UserType>) object, task,
-					parentResult);
-
+			
+			PrismObject<ValuePolicyType> valuePolicy = resolvePolicy(object, task, parentResult);
+			
 			boolean executeImmediatelly = false;
 			Collection<PropertyDelta> propertyDeltas = new ArrayList<>();
 			for (PolicyItemDefinitionType policyItemDefinition : policyItemsDefinition
@@ -230,6 +243,7 @@ public <O extends ObjectType> Response generateValue(@PathParam("type") String t
 			ResponseBuilder responseBuilder = Response.ok(policyItemsDefinition);
 			response = responseBuilder.build();
 		} catch (Exception ex) {
+			parentResult.computeStatus();
 			response = RestServiceUtil.handleException(parentResult, ex);
 		}
 
@@ -239,39 +253,76 @@ public <O extends ObjectType> Response generateValue(@PathParam("type") String t
 
 	}
 	
-	private PrismObject<ValuePolicyType> resolveUserPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
-		CredentialsPolicyType policy = modelInteraction.getCredentialsPolicy(user, task, parentResult);
+	private <O extends ObjectType> PrismObject<ValuePolicyType> resolvePolicy(PrismObject<O> object, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
+	
+		PrismObject<ValuePolicyType> valuePolicy = null;
 		
+		if (object.getCompileTimeClass().isAssignableFrom(UserType.class)) {
+			CredentialsPolicyType policy = modelInteraction
+					.getCredentialsPolicy((PrismObject<UserType>) object, task, parentResult);
+
+			if (policy != null) {
+
+				if (policy.getPassword().getPasswordPolicyRef() != null) {
+					valuePolicy = model.getObject(ValuePolicyType.class,
+							policy.getPassword().getPasswordPolicyRef().getOid(), null, task, parentResult);
+				}
+			}
+
+		} else {
 		
-		PrismObject<ValuePolicyType> valuePolicy = null;
-		if (policy.getPassword().getPasswordPolicyRef() != null) {
-			valuePolicy = model.getObject(ValuePolicyType.class, policy.getPassword().getPasswordPolicyRef().getOid(), null, task, parentResult);
+			SystemConfigurationType systemConfigurationType = modelInteraction
+					.getSystemConfiguration(parentResult);
+			ObjectReferenceType policyRef = systemConfigurationType.getGlobalPasswordPolicyRef();
+			if (policyRef == null) {
+				return null;
+			}
+
+			valuePolicy = model.getObject(ValuePolicyType.class, policyRef.getOid(), null, task, parentResult);
 		}
-		
 		return valuePolicy;
 	}
 	
 	private <O extends ObjectType> void generateValue(PrismObject<O> object, PrismObject<ValuePolicyType> policy, PolicyItemDefinitionType policyItemDefinition, Task task, OperationResult result) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
 		
+		PolicyItemTargetType target = policyItemDefinition.getTarget();
+		if (target == null || target.getPath() == null) {
+			LOGGER.error("Target item path must be defined");
+			result.recordFatalError("Target item path must be defined");
+			throw new SchemaException("Target item path must be defined");
+		}
+		
+		ItemPath targetProperty = target.getPath().getItemPath();
+		
 		StringPolicyType stringPolicy = null;
 		if (policyItemDefinition.getValuePolicyRef() != null) {
 			PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, policyItemDefinition.getValuePolicyRef().getOid(), null, task, result);
 			PrismObject<ValuePolicyType> policyOverride = valuePolicy.clone();
 			stringPolicy = policyOverride != null ? policyOverride.asObjectable().getStringPolicy() : null;
 		} else {
-		
-			stringPolicy = policy != null ? policy.asObjectable().getStringPolicy() : null;
+			if (stringPolicy == null) {
+				SystemConfigurationType systemConfiguration = modelInteraction.getSystemConfiguration(result);
+				if (systemConfiguration.getGlobalPasswordPolicyRef() != null) {
+					PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, systemConfiguration.getGlobalPasswordPolicyRef().getOid(), null, task, result);
+					stringPolicy = valuePolicy != null ? valuePolicy.asObjectable().getStringPolicy() : null;
+				}
+				 
+			} else {
+				stringPolicy = policy != null ? policy.asObjectable().getStringPolicy() : null;
+			}
 		}
-		String newValue = policyProcessor.generate(stringPolicy, 10, object, "generating value for" + policyItemDefinition.getTarget().getPath(), task, result);
+		String newValue = policyProcessor.generate(stringPolicy, 10, object, "generating value for" + targetProperty, task, result);
 		policyItemDefinition.setValue(newValue);
 	}
 	
 	@POST
 	@Path("/{type}/{oid}/validate")
+	@Consumes({"application/xml", "application/json", "application/yaml"})
+	@Produces({"application/xml", "application/json", "application/yaml"})
 	public <O extends ObjectType> Response validateValue(@PathParam("type") String type, @PathParam("oid") String oid, PolicyItemsDefinitionType policyItemsDefinition, @Context MessageContext mc) {
 		
 		Task task = RestServiceUtil.initRequest(mc);
-		OperationResult parentResult = task.getResult().createSubresult(OPERATION_GET);
+		OperationResult parentResult = task.getResult().createSubresult(OPERATION_VALIDATE_VALUE);
 
 		Class<O> clazz = ObjectTypes.getClassFromRestType(type);
 		Response response = null;
@@ -284,60 +335,125 @@ public <O extends ObjectType> Response validateValue(@PathParam("type") String t
 		try {
 			PrismObject<O> object = model.getObject(clazz, oid, null, task, parentResult);
 
-			PrismObject<ValuePolicyType> valuePolicy = resolveUserPolicy((PrismObject<UserType>) object, task,
-					parentResult);
+			PrismObject<ValuePolicyType> valuePolicy = resolvePolicy(object, task, parentResult);
 
-			boolean executeImmediatelly = false;
-			Collection<PropertyDelta> propertyDeltas = new ArrayList<>();
 			for (PolicyItemDefinitionType policyItemDefinition : policyItemsDefinition
 					.getPolicyItemDefinition()) {
-
 				validateValue(object, valuePolicy, policyItemDefinition, task, parentResult);
-			
 			}
 			
-			
-
-			ResponseBuilder responseBuilder = Response.ok(policyItemsDefinition);
+			parentResult.computeStatusIfUnknown();;
+			ResponseBuilder responseBuilder = null;
+			if (parentResult.isAcceptable()) {
+				responseBuilder = Response.ok();
+			} else {
+				responseBuilder = Response.status(Status.CONFLICT).entity(parentResult);
+			}
 			response = responseBuilder.build();
 		} catch (Exception ex) {
+			parentResult.computeStatus();
 			response = RestServiceUtil.handleException(parentResult, ex);
+			
 		}
 
-		parentResult.computeStatus();
+		
 		finishRequest(task);
 		return response;
 
 		
 	}
 	
-private <O extends ObjectType> void validateValue(PrismObject<O> object, PrismObject<ValuePolicyType> policy, PolicyItemDefinitionType policyItemDefinition, Task task, OperationResult result) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
+private <T, O extends ObjectType> boolean validateValue(PrismObject<O> object, PrismObject<ValuePolicyType> policy, PolicyItemDefinitionType policyItemDefinition, Task task, OperationResult parentResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
 		
-	ValuePolicyType stringPolicy = null;
+		ValuePolicyType stringPolicy = null;
 		if (policyItemDefinition.getValuePolicyRef() != null) {
-			PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, policyItemDefinition.getValuePolicyRef().getOid(), null, task, result);
+			PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class, policyItemDefinition.getValuePolicyRef().getOid(), null, task, parentResult);
 			PrismObject<ValuePolicyType> policyOverride = valuePolicy.clone();
 			stringPolicy = policyOverride != null ? policyOverride.asObjectable() : null;
 		} else {
-		
-			stringPolicy = policy != null ? policy.asObjectable() : null;
+			if (policy == null) {
+				SystemConfigurationType systemConfiguration = modelInteraction
+						.getSystemConfiguration(parentResult);
+				if (systemConfiguration.getGlobalPasswordPolicyRef() != null) {
+					PrismObject<ValuePolicyType> valuePolicy = model.getObject(ValuePolicyType.class,
+							systemConfiguration.getGlobalPasswordPolicyRef().getOid(), null, task,
+							parentResult);
+					stringPolicy = valuePolicy != null ? valuePolicy.asObjectable() : null;
+				}
+
+			} else {
+				stringPolicy = policy != null ? policy.asObjectable() : null;
+			}
 		}
 		
-		ItemDefinition itemToValidateDefinition = object.findItem(policyItemDefinition.getTarget().getPath().getItemPath()).getDefinition();
-		itemToValidateDefinition.getTypeName();
+		RawType rawValue = (RawType) policyItemDefinition.getValue();
+		String valueToValidate = null;
 		
-		prismContext.getEntityResolver();
-		
-		//TODO 		
-		String valueToValidate = (String) policyItemDefinition.getValue();
-		if (StringUtils.isBlank(valueToValidate)) {
-			valueToValidate = object.findItem(policyItemDefinition.getTarget().getPath().getItemPath()).getRealValue();
+		List<String> valuesToValidate = new ArrayList<>();
+
+		if (rawValue != null) {
+			valueToValidate = rawValue.getParsedRealValue(String.class);
+			valuesToValidate.add(valueToValidate);
+		} else {
+			PolicyItemTargetType target = policyItemDefinition.getTarget();
+			if (target == null || target.getPath() == null) {
+				LOGGER.error("Target item path must be defined");
+				parentResult.recordFatalError("Target item path must be defined");
+				throw new SchemaException("Target item path must be defined");
+			}
+			ItemPath path = target.getPath().getItemPath();
+
+			PrismProperty<T> property = object.findProperty(path);
+			if (property == null || property.isEmpty()) {
+				LOGGER.error("Attribute {} has no value. Nothing to validate.", property);
+				parentResult.recordFatalError("Attribute " + property + " has no value. Nothing to validate");
+				throw new SchemaException("Attribute " + property + " has no value. Nothing to validate");
+			}
+
+			PrismPropertyDefinition<T> itemToValidateDefinition = property.getDefinition();
+			QName definitionName = itemToValidateDefinition.getTypeName();
+			if (!QNameUtil.qNameToUri(definitionName).equals(QNameUtil.qNameToUri(DOMUtil.XSD_STRING))
+					&& !QNameUtil.qNameToUri(definitionName).equals(QNameUtil.qNameToUri(PolyStringType.COMPLEX_TYPE))) {
+				LOGGER.error("Trying to validate string policy on the property of type {} failed. Unsupported type.",
+						itemToValidateDefinition);
+				parentResult.recordFatalError("Trying to validate string policy on the property of type "
+						+ itemToValidateDefinition + " failed. Unsupported type.");
+				throw new SchemaException("Trying to validate string policy on the property of type "
+						+ itemToValidateDefinition + " failed. Unsupported type.");
+			}
+
+			if (itemToValidateDefinition.isSingleValue()) {
+				if (definitionName.equals(PolyStringType.COMPLEX_TYPE)) {
+					valueToValidate = ((PolyString) property.getRealValue()).getOrig();
+
+				} else {
+					valueToValidate = (String) property.getRealValue();
+				}
+				valuesToValidate.add(valueToValidate);
+			} else {
+				if (definitionName.equals(DOMUtil.XSD_STRING)) {
+					valuesToValidate.addAll(property.getRealValues(String.class));
+				} else {
+					for (PolyString val : property.getRealValues(PolyString.class)) {
+						valuesToValidate.add(val.getOrig());
+					}
+				}
+			}
+			
 		}
 		
-		if (!policyProcessor.validateValue(valueToValidate, stringPolicy, object, "validate value for " + object + " value " + valueToValidate, task, result)) {
-			result.computeStatus();
-			throw new PolicyViolationException("Validation for value: " + valueToValidate + " failed." + result.getMessage());
+		for (String newValue : valuesToValidate) {
+			OperationResult result = parentResult.createSubresult(OPERATION_VALIDATE_VALUE + ".value");
+			result.addParam("valueToValidate", newValue);
+			if (!policyProcessor.validateValue(newValue, stringPolicy, object, "validate value for " + object + " value " + valueToValidate, task, result)) {
+				result.recordFatalError("Validation for value " + newValue + " against policy " + stringPolicy + " failed");
+				LOGGER.error("Validation for value {} against policy {} failed", newValue, stringPolicy);
+			}
+			result.computeStatusIfUnknown();
 		}
+		parentResult.computeStatusIfUnknown();
+		
+		return parentResult.isAcceptable();
 		
 	}
 	
diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
index d83ab292df8..97f55ff4cc9 100644
--- a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
+++ b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
@@ -65,9 +65,12 @@
 import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.TestUtil;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
@@ -108,34 +111,47 @@ public abstract class TestAbstractRestService {
 	public static final String USER_SOMEBODY_PASSWORD = "somepassword";
 	
 	// REST, reader and adder authorization
- 	public static final String USER_DARTHADDER_FILE = "user-darthadder";//new File(REPO_DIR, "user-darthadder.xml");
+ 	public static final String USER_DARTHADDER_FILE = "user-darthadder";
  	public static final String USER_DARTHADDER_OID = "1696229e-d90a-11e4-9ce6-001e8c717e5b";
  	public static final String USER_DARTHADDER_USERNAME = "darthadder";
  	public static final String USER_DARTHADDER_PASSWORD = "iamyouruncle";
  	
  	// Authorizations, but no password
- 	public static final String USER_NOPASSWORD_FILE = "user-nopassword"; //new File(REPO_DIR, "user-nopassword.xml");
+ 	public static final String USER_NOPASSWORD_FILE = "user-nopassword";
  	public static final String USER_NOPASSWORD_USERNAME = "nopassword";
 
 	public static final File ROLE_SUPERUSER_FILE = new File(BASE_REPO_DIR, "role-superuser.xml");
 	public static final File ROLE_REST_FILE = new File(BASE_REPO_DIR, "role-rest.xml");
 	public static final File ROLE_READER_FILE = new File(BASE_REPO_DIR, "role-reader.xml");
-	public static final String ROLE_ADDER_FILE = "role-adder";//new File(REPO_DIR, "role-adder.xml");
+	public static final String ROLE_ADDER_FILE = "role-adder";
 	
-	public static final String ROLE_MODIFIER_FILE = "role-modifier"; //new File(REPO_DIR, "role-modifier.xml");
+	public static final String ROLE_MODIFIER_FILE = "role-modifier"; 
 	public static final String ROLE_MODIFIER_OID = "82005ae4-d90b-11e4-bdcc-001e8c717e5b";
+	
+	public static final String POLICY_ITEM_DEFINITION_GENERATE = "policy-generate"; 	
+	public static final String POLICY_ITEM_DEFINITION_GENERATE_BAD_PATH = "policy-generate-bad-path"; 
+	public static final String POLICY_ITEM_DEFINITION_GENERATE_EXECUTE = "policy-generate-execute";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT = "policy-validate-explicit";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT_CONFLICT = "policy-validate-explicit-conflict";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_SINGLE = "policy-validate-implicit-single";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI = "policy-validate-implicit-multi";
+	public static final String POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI_CONFLICT = "policy-validate-implicit-multi-conflict";
+
 
 	public static final File RESOURCE_OPENDJ_FILE = new File(BASE_REPO_DIR, "reosurce-opendj.xml");
 	public static final String RESOURCE_OPENDJ_OID = "ef2bc95b-76e0-59e2-86d6-3d4f02d3ffff";
 
-	public static final String USER_TEMPLATE_FILE = "user-template";//new File(REPO_DIR, "user-template.xml");
+	public static final String USER_TEMPLATE_FILE = "user-template";
 	public static final String USER_TEMPLATE_OID = "c0c010c0-d34d-b33f-f00d-777111111111";
 
-	public static final String ACCOUT_CHUCK_FILE = "account-chuck"; //new File(BASE_REPO_DIR, "account-chuck.xml");
+	public static final String ACCOUT_CHUCK_FILE = "account-chuck";
 	public static final String ACCOUT_CHUCK_OID = BASE_REPO_DIR + "a0c010c0-d34d-b33f-f00d-111111111666";
 
 	public static final File SYSTEM_CONFIGURATION_FILE = new File(BASE_REPO_DIR, "system-configuration.xml");
 
+	public static final File VALUE_POLICY_GENERAL = new File(BASE_REPO_DIR, "value-policy-general.xml");
+	public static final File VALUE_POLICY_NUMERIC = new File(BASE_REPO_DIR, "value-policy-numeric.xml");
+	
 	private static final Trace LOGGER = TraceManager.getTrace(TestAbstractRestService.class);
 
 	private final static String ENDPOINT_ADDRESS = "http://localhost:18080/rest";
@@ -209,6 +225,8 @@ private void startServer() throws Exception {
 		addObject(USER_NOBODY_FILE, result);
 		addObject(USER_CYCLOPS_FILE, result);
 		addObject(USER_SOMEBODY_FILE, result);
+		addObject(VALUE_POLICY_GENERAL, result);
+		addObject(VALUE_POLICY_NUMERIC, result);
 		addObject(SYSTEM_CONFIGURATION_FILE, result);
 
 		dummyAuditService = DummyAuditService.getInstance();
@@ -886,6 +904,243 @@ public void test401AddUserTemplateOverwrite() throws Exception {
 		dummyAuditService.assertHasDelta(1, ChangeType.ADD, ObjectTemplateType.class);
 
 	}
+	
+	
+	@Test
+	public void test501generateValue() throws Exception {
+		final String TEST_NAME = "test501generateValue";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/generate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_GENERATE));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+
+	}
+	
+	@Test
+	public void test502generateValueBadPath() throws Exception {
+		final String TEST_NAME = "test501generateValueBadPath";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/generate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_GENERATE_BAD_PATH));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 405 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+
+	}
+	
+	@Test
+	public void test503generateValueExecute() throws Exception {
+		final String TEST_NAME = "test503generateValueExecute";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/generate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_GENERATE_EXECUTE));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(4);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		dummyAuditService.assertHasDelta(1, ChangeType.MODIFY, UserType.class);
+		
+		//UserType user = loadObject(UserType.class, USER_DARTHADDER_OID);
+		//TODO assert changed items
+	}
+	
+	@Test
+	public void test504checkGeneratedValue() throws Exception {
+		final String TEST_NAME = "test503generateValueExecute";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID );
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.get();
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		UserType user = response.readEntity(UserType.class);
+		assertNotNull("EmployeeNumber must not be null", user.getEmployeeNumber());
+	}
+	
+	@Test
+	public void test510validateValueExplicit() throws Exception {
+		final String TEST_NAME = "test510validateValueExplicit";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+	
+	}
+	
+	@Test
+	public void test511validateValueExplicitConflict() throws Exception {
+		final String TEST_NAME = "test511validateValueExplicitConflict";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_EXPLICIT_CONFLICT));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 409 but got " + response.getStatus(), 409, response.getStatus());
+		
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+		
+	}
+	
+	@Test
+	public void test512validateValueImplicitSingle() throws Exception {
+		final String TEST_NAME = "test512validateValueImplicitSingle";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_SINGLE));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+		
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+		
+	}
+	
+	@Test
+	public void test513validateValueImplicitMulti() throws Exception {
+		final String TEST_NAME = "test513validateValueImplicitMulti";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		assertEquals("Expected 200 but got " + response.getStatus(), 200, response.getStatus());
+		
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+		
+	}
+	
+	@Test
+	public void test514validateValueImplicitMultiConflict() throws Exception {
+		final String TEST_NAME = "test514validateValueImplicitMultiConflict";
+		displayTestTile(this, TEST_NAME);
+
+		WebClient client = prepareClient();
+		client.path("/users/" + USER_DARTHADDER_OID + "/validate");
+		
+		dummyAuditService.clear();
+
+		TestUtil.displayWhen(TEST_NAME);
+		Response response = client.post(getRepoFile(POLICY_ITEM_DEFINITION_VALIDATE_IMPLICIT_MULTI_CONFLICT));
+
+		TestUtil.displayThen(TEST_NAME);
+		displayResponse(response);
+
+		OperationResultType result = response.readEntity(OperationResultType.class);
+		IntegrationTestTools.display(OperationResult.createOperationResult(result));
+		
+		assertEquals("Expected 409 but got " + response.getStatus(), 409, response.getStatus());
+	
+		IntegrationTestTools.display("Audit", dummyAuditService);
+		dummyAuditService.assertRecords(2);
+		dummyAuditService.assertLoginLogout(SchemaConstants.CHANNEL_REST_URI);
+	
+		
+	}
+	
+	
+	private <O extends ObjectType> O loadObject(Class<O> type, String oid) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
+		Task task = taskManager.createTaskInstance("loadObject");
+		OperationResult result = task.getResult();
+		
+		PrismObject<O> object = modelService.getObject(type, oid, null, task, result);
+		return object.asObjectable();
+	}
 
 	private WebClient prepareClient() {
 		return prepareClient(USER_ADMINISTRATOR_USERNAME, USER_ADMINISTRATOR_PASSWORD);
diff --git a/testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json b/testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json
new file mode 100644
index 00000000000..32d4db0e89e
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-generate-bad-path.json
@@ -0,0 +1,15 @@
+{
+  "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+  "policyItemsDefinition": {
+    "policyItemDefinition": [{
+	  "target": {
+	    	"path": "parentOrgRef"
+	    },
+	  "valuePolicyRef": {
+	    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+	    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+	    "oid": "00000000-0000-0000-1111-000000000003"
+	  }
+	 }]
+  }
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-generate-execute.json b/testing/rest/src/test/resources/repo/json/policy-generate-execute.json
new file mode 100644
index 00000000000..87aa735f365
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-generate-execute.json
@@ -0,0 +1,28 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+    	"path": "phoneNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  }},{
+  "target": {
+    	"path": "employeeNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  },
+  "execute" : "true"
+  }, {
+  "target": {
+    	"path": "costCenter"
+    }
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-generate.json b/testing/rest/src/test/resources/repo/json/policy-generate.json
new file mode 100644
index 00000000000..5d19462e131
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-generate.json
@@ -0,0 +1,20 @@
+{
+  "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+  "policyItemsDefinition": {
+    "policyItemDefinition": [{
+      "target": {
+    	"path": "phoneNumber"
+      },
+      "valuePolicyRef": {
+        "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+        "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+        "oid": "00000000-0000-0000-1111-000000000003"
+      }
+    },
+    {
+     "target": {
+       "path": "costCenter"
+      }
+    }]
+  }
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json b/testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json
new file mode 100644
index 00000000000..5ad2c5dddbe
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-explicit-conflict.json
@@ -0,0 +1,16 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+      "path": "employeeNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  },
+  "value" : "asdfg"
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-explicit.json b/testing/rest/src/test/resources/repo/json/policy-validate-explicit.json
new file mode 100644
index 00000000000..8e6a11aff17
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-explicit.json
@@ -0,0 +1,16 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": { 
+  "policyItemDefinition": [{
+  "target": {
+      "path": "employeeNumber"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  },
+  "value" : "123456"
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json
new file mode 100644
index 00000000000..0084ca37687
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi-conflict.json
@@ -0,0 +1,15 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+      "path": "employeeType"
+    },
+  "valuePolicyRef": {
+    "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+    "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+    "oid": "00000000-0000-0000-1111-000000000003"
+  }
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json
new file mode 100644
index 00000000000..f0bdce71ce3
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-multi.json
@@ -0,0 +1,10 @@
+{
+"@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+"policyItemsDefinition": {
+  "policyItemDefinition": [{
+  "target": {
+      "path": "organization"
+    }
+ }]
+}
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json
new file mode 100644
index 00000000000..114ad06e6e6
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/json/policy-validate-implicit-single.json
@@ -0,0 +1,15 @@
+{
+  "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3",
+  "policyItemsDefinition": {
+    "policyItemDefinition": [{
+      "target": {
+        "path": "employeeNumber"
+      },
+      "valuePolicyRef": {
+        "@ns": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
+        "type": "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType",
+        "oid": "00000000-0000-0000-1111-000000000003"
+      }
+   }]
+  }
+}
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/json/user-darthadder.json b/testing/rest/src/test/resources/repo/json/user-darthadder.json
index 174cbfb0057..f0aa30de9ec 100644
--- a/testing/rest/src/test/resources/repo/json/user-darthadder.json
+++ b/testing/rest/src/test/resources/repo/json/user-darthadder.json
@@ -23,6 +23,9 @@
     "activation" : {
       "administrativeStatus" : "enabled"
     },
+    "employeeType" : ["user", "123user", "employeE"],
+    "employeeNumber" : "123456",
+    "organization" : ["Org1", "Org2", "Org3"],
     "fullName" : "Darth Adder",
     "givenName" : "Darth",
     "familyName" : "Adder",
diff --git a/testing/rest/src/test/resources/repo/system-configuration.xml b/testing/rest/src/test/resources/repo/system-configuration.xml
index 7ba4751822c..4b618321f9a 100644
--- a/testing/rest/src/test/resources/repo/system-configuration.xml
+++ b/testing/rest/src/test/resources/repo/system-configuration.xml
@@ -52,4 +52,5 @@
 		<rootLoggerAppender>IDM_LOG</rootLoggerAppender>
 		<rootLoggerLevel>INFO</rootLoggerLevel>
 	</logging>
+	<globalPasswordPolicyRef oid="81818181-76e0-59e2-8888-3d4f02d3fffb" type="ValuePolicyType"/>
 </systemConfiguration>
diff --git a/testing/rest/src/test/resources/repo/value-policy-general.xml b/testing/rest/src/test/resources/repo/value-policy-general.xml
new file mode 100644
index 00000000000..cf9745686b6
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/value-policy-general.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2013 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<valuePolicy oid="81818181-76e0-59e2-8888-3d4f02d3fffb" xsi:type="c:ValuePolicyType" version="0" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<name>Policy General</name>
+	<description>Complex Password policy requires at least one lowercase letter, at least one uppercase letter, at least one digit
+and at least on special character in the password. The password must start
+with a lowercase letter and must be at least 6 characters long.</description>
+	<lifetime>
+		<expiration>999</expiration>
+		<warnBeforeExpiration>9</warnBeforeExpiration>
+		<lockAfterExpiration>0</lockAfterExpiration>
+		<minPasswordAge>0</minPasswordAge>
+		<passwordHistoryLength>0</passwordHistoryLength>
+	</lifetime>
+	<stringPolicy>
+		<description>String validation policy</description>
+		<limitations>
+			<minLength>4</minLength>
+			<maxLength>32</maxLength>
+			<minUniqueChars>3</minUniqueChars>
+			<!-- not implemented yet
+			 <checkAgainstDictionary>true</checkAgainstDictionary>
+			 -->
+			<checkPattern />
+			<limit>
+				<description>Lowercase alphanumeric characters</description>
+				<minOccurs>1</minOccurs>
+				<mustBeFirst>false</mustBeFirst>
+				<characterClass>
+					<value>abcdefghijklmnopqrstuvwxyz</value>
+				</characterClass>
+			</limit>
+			<limit>
+				<description>Uppercase alphanumeric characters</description>
+				<minOccurs>1</minOccurs>
+				<mustBeFirst>true</mustBeFirst>
+				<characterClass>
+					<value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
+				</characterClass>
+			</limit>
+			<limit>
+				<description>Numeric characters</description>
+				<minOccurs>1</minOccurs>
+				<mustBeFirst>false</mustBeFirst>
+				<characterClass>
+					<value>1234567890</value>
+				</characterClass>
+			</limit>
+			<limit>
+				<description>Special characters</description>
+				<mustBeFirst>false</mustBeFirst>
+				<characterClass>
+					<value> !"#$%&amp;'()*+,-.:;&lt;&gt;?@[]^_`{|}~</value>
+				</characterClass>
+			</limit>
+		</limitations>
+	</stringPolicy>
+</valuePolicy>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/value-policy-numeric.xml b/testing/rest/src/test/resources/repo/value-policy-numeric.xml
new file mode 100644
index 00000000000..6e3e1240109
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/value-policy-numeric.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2013 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<valuePolicy oid="00000000-0000-0000-1111-000000000003" xsi:type="c:ValuePolicyType" version="0" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<name>Numeric Policy</name>
+	<description>A policy useful for generating PIN.</description>
+	<lifetime>
+		<expiration>999</expiration>
+		<warnBeforeExpiration>9</warnBeforeExpiration>
+		<lockAfterExpiration>0</lockAfterExpiration>
+		<minPasswordAge>0</minPasswordAge>
+		<passwordHistoryLength>0</passwordHistoryLength>
+	</lifetime>
+	<stringPolicy>
+		<description>String validation policy</description>
+		<limitations>
+			<minLength>4</minLength>
+			<maxLength>15</maxLength>
+			<minUniqueChars>2</minUniqueChars>
+			<!-- not implemented yet
+			 <checkAgainstDictionary>false</checkAgainstDictionary>
+			 -->
+			<checkPattern />
+			<limit>
+				<description>Numeric characters</description>
+				<!--<minOccurs>1</minOccurs>
+				<mustBeFirst>false</mustBeFirst>-->
+				<characterClass>
+					<value>1234567890</value>
+				</characterClass>
+			</limit>
+		</limitations>
+	</stringPolicy>
+</valuePolicy>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml b/testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml
new file mode 100644
index 00000000000..409f46b497f
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-generate-bad-path.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>parentOrgRef</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml b/testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml
new file mode 100644
index 00000000000..a8bd3395a0a
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-generate-execute.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>phoneNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+		<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<execute>true</execute>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	<policyItemDefinition>
+		<c:target>
+			<t:path>costCenter</t:path>
+		</c:target>
+	</policyItemDefinition>
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-generate.xml b/testing/rest/src/test/resources/repo/xml/policy-generate.xml
new file mode 100644
index 00000000000..747fd76dfa4
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-generate.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>phoneNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	<policyItemDefinition>
+		<c:target>
+			<t:path>costCenter</t:path>
+		</c:target>
+	</policyItemDefinition>
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml
new file mode 100644
index 00000000000..68ae1972a92
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit-conflict.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+		<c:value>asdfg</c:value>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml
new file mode 100644
index 00000000000..5a1c7c6942b
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-explicit.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+		<c:value>123456</c:value>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml
new file mode 100644
index 00000000000..80fb916579c
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi-conflict.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeType</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml
new file mode 100644
index 00000000000..cbe9b192170
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-multi.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>organization</t:path>
+		</c:target>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml
new file mode 100644
index 00000000000..ea186c0ccf2
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/xml/policy-validate-implicit-single.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+	<policyItemDefinition>
+		<c:target>
+			<t:path>employeeNumber</t:path>
+		</c:target>
+		<c:valuePolicyRef oid="00000000-0000-0000-1111-000000000003" type="c:ValuePolicyType"/>
+	</policyItemDefinition>
+	
+</policyItemsDefinition>
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/xml/user-darthadder.xml b/testing/rest/src/test/resources/repo/xml/user-darthadder.xml
index 49af1b5ef31..f507d800c06 100644
--- a/testing/rest/src/test/resources/repo/xml/user-darthadder.xml
+++ b/testing/rest/src/test/resources/repo/xml/user-darthadder.xml
@@ -35,6 +35,13 @@
 	<c:fullName>Darth Adder</c:fullName>
 	<c:givenName>Darth</c:givenName>
 	<c:familyName>Adder</c:familyName>
+	<c:employeeType>user</c:employeeType>
+	<c:employeeType>123user</c:employeeType>
+	<c:employeeType>employeE</c:employeeType>
+	<c:employeeNumber>123456</c:employeeNumber>
+	<c:organization>Org1</c:organization>
+	<c:organization>Org2</c:organization>
+	<c:organization>Org3</c:organization>
 	<c:credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 		<c:password>
 			<c:value xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml b/testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml
new file mode 100644
index 00000000000..b752336713d
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-generate-bad-path.yml
@@ -0,0 +1,9 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "parentOrgRef"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml b/testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml
new file mode 100644
index 00000000000..ce8bc99531f
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-generate-execute.yml
@@ -0,0 +1,18 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "phoneNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+    execute: true
+  - target:
+      path: "costCenter"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-generate.yml b/testing/rest/src/test/resources/repo/yaml/policy-generate.yml
new file mode 100644
index 00000000000..f9c705d5555
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-generate.yml
@@ -0,0 +1,11 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "phoneNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+  - target :
+      path: "costCenter"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml
new file mode 100644
index 00000000000..b4fbabb9729
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit-conflict.yml
@@ -0,0 +1,10 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+    value: "asdfg"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml
new file mode 100644
index 00000000000..524e698560c
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-explicit.yml
@@ -0,0 +1,10 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
+    value: "123456"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml
new file mode 100644
index 00000000000..a2b54549d0f
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi-conflict.yml
@@ -0,0 +1,9 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeType"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml
new file mode 100644
index 00000000000..44b3f66a402
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-multi.yml
@@ -0,0 +1,5 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "organization"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml
new file mode 100644
index 00000000000..1ae2fead4be
--- /dev/null
+++ b/testing/rest/src/test/resources/repo/yaml/policy-validate-implicit-single.yml
@@ -0,0 +1,9 @@
+'@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+policyItemsDefinition:
+  policyItemDefinition:
+  - target:
+      path: "employeeNumber"
+    valuePolicyRef:
+      '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      type: "http://midpoint.evolveum.com/xml/ns/public/common/common-3#ValuePolicyType"
+      oid: "00000000-0000-0000-1111-000000000003"
\ No newline at end of file
diff --git a/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml b/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml
index 96884cd1ac7..f9f7ef8596d 100644
--- a/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml
+++ b/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml
@@ -40,6 +40,15 @@ user:
   fullName: "Darth Adder"
   givenName: "Darth"
   familyName: "Adder"
+  employeeType : 
+  - "user"
+  - "123user"
+  - "employeE"
+  employeeNumber : "123456"
+  organization : 
+  - "Org1"
+  - "Org2"
+  - "Org3"
   credentials:
     password:
       value: