Extending policy rule and collection schema.

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -2152,7 +2152,7 @@ private void addCollectionsMenuItems(List<MenuItem> menu, QName type, Class<? ex
             return;
         }
         objectViews.forEach(objectView -> {
-        	CollectionSpecificationType collection = objectView.getCollection();
+        	CollectionRefSpecificationType collection = objectView.getCollection();
         	if (collection == null) {
         		return;
         	}

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -15142,7 +15142,7 @@
 					        </xsd:documentation>
 					    </xsd:annotation>
 		            </xsd:element>
-		            <xsd:element name="baseCollection" type="tns:CollectionSpecificationType" minOccurs="0" maxOccurs="1">
+		            <xsd:element name="baseCollection" type="tns:CollectionRefSpecificationType" minOccurs="0" maxOccurs="1">
 					    <xsd:annotation>
 					        <xsd:documentation>
 					        	<p>
@@ -15162,10 +15162,29 @@
 							</xsd:appinfo>
 					    </xsd:annotation>
 		            </xsd:element>
+		            <xsd:element name="domain" type="tns:CollectionRefSpecificationType" minOccurs="0" maxOccurs="1">
+					    <xsd:annotation>
+					        <xsd:documentation>
+					        	<p>
+						        	Domain for this collection. Domain is a set of object that is "all the things" for this collection.
+						        	For example collection of "active employees" will have a domain "all employees". Collection
+						        	"failed resources" will have domain collection "all resources" and so on.
+					        	</p>
+					        	<p>
+					        		The purpose of domain is mostly to evaluate percentages. E.g. what percentage of employees are active.
+					        		Domain does not affect the collection itself. E.g. it has no meaning when collection is used in authorizations.
+					        		Domain just adds some kind of perspective when collection is presented to the user.
+					        		The domain may also be important for policy rules. E.g. policy rules that trigger a notificaiton when percentage of
+					        		active employees gets too low.
+					        	</p>
+					        </xsd:documentation>
+						    <xsd:appinfo>
+								<a:since>4.0</a:since>
+							</xsd:appinfo>
+					    </xsd:annotation>
+		            </xsd:element>
 		            <!-- Note: collection references such as domanin or baseCollection may point to collection or archetype. Maybe even to org or role. -->
 
-		            <!-- TODO: domain (filter or reference to another collection) -->
-		            <!-- TODO: tresholds (actions should be performed by policy rules) -->
 		            <!-- TODO(maybe): default view specification, e.g. default set of columns, search, etc. -->
 
 		            <xsd:element name="stats" type="tns:CollectionStatsType" minOccurs="0" maxOccurs="1">
@@ -15185,26 +15204,15 @@
     <xsd:complexType name="CollectionSpecificationType">
         <xsd:annotation>
         	<xsd:documentation>
-        		Specification of an explicit or implicit object collection.
+        		Specification of an explicit or implicit object collection, withough reference to the collection.
+        		This data structure expects that the collection is referenced implicitly (e.g. from policy rules).
         	</xsd:documentation>
             <xsd:appinfo>
                 <a:container/>
                 <a:since>4.0</a:since>
             </xsd:appinfo>
         </xsd:annotation>
 		<xsd:sequence>
-			<xsd:element name="collectionRef" type="tns:ObjectReferenceType" minOccurs="1" maxOccurs="1">
-				<xsd:annotation>
-					<xsd:documentation>
-						Referrence to an object that defines the base of implicit or explicit collection.
-						This may be ObjectCollectionType or any subclass of AbstractRoleType.
-					</xsd:documentation>
-					<xsd:appinfo>
-						<a:since>4.0</a:since>
-						<a:displayName>CollectionSpecificationType.collectionRef</a:displayName>
-					</xsd:appinfo>
-				</xsd:annotation>
-			</xsd:element>
 			<xsd:element name="interpretation" type="tns:CollectionSpecificationInterpretationType" minOccurs="0" maxOccurs="1">
 				<xsd:annotation>
 					<xsd:documentation>
@@ -15252,6 +15260,36 @@
 		</xsd:sequence>
     </xsd:complexType>
 
+    <xsd:complexType name="CollectionRefSpecificationType">
+        <xsd:annotation>
+        	<xsd:documentation>
+        		Specification of an explicit or implicit object collection (including reference to the collection).
+        	</xsd:documentation>
+            <xsd:appinfo>
+                <a:container/>
+                <a:since>4.0</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:complexContent>
+        	<xsd:extension base="tns:CollectionSpecificationType">
+				<xsd:sequence>
+					<xsd:element name="collectionRef" type="tns:ObjectReferenceType" minOccurs="1" maxOccurs="1">
+						<xsd:annotation>
+							<xsd:documentation>
+								Referrence to an object that defines the base of implicit or explicit collection.
+								This may be ObjectCollectionType or any subclass of AbstractRoleType.
+							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>4.0</a:since>
+								<a:displayName>CollectionSpecificationType.collectionRef</a:displayName>
+							</xsd:appinfo>
+						</xsd:annotation>
+					</xsd:element>
+				</xsd:sequence>
+        	</xsd:extension>
+        </xsd:complexContent>
+    </xsd:complexType>
+
     <xsd:simpleType name="CollectionSpecificationInterpretationType">
 		<xsd:annotation>
 			<xsd:documentation>
@@ -21168,7 +21206,7 @@
 							</xsd:appinfo>
 	       				</xsd:annotation>
 	       			</xsd:element>
-	       			<xsd:element name="collection" type="tns:CollectionSpecificationType" minOccurs="0" maxOccurs="1">
+	       			<xsd:element name="collection" type="tns:CollectionRefSpecificationType" minOccurs="0" maxOccurs="1">
 	       				<xsd:annotation>
 	       					<xsd:documentation>
 	       						Specification of an explicit or implicit object collection that will be used to select objects in this view.

infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd

@@ -235,6 +235,28 @@
 							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
+					<xsd:element name="collectionStats" type="tns:CollectionStatsPolicyConstraintType" minOccurs="0" maxOccurs="unbounded">
+						<xsd:annotation>
+							<xsd:documentation>
+								<p>
+									Constraints for collection stats (statistics). Can be used to trigger policy
+									rules on the number of objects in collection, percentage and so on.
+								</p>
+								<p>
+									Policy rules with this constraint are ignored during normal processing.
+									Evaluation of such policy rules require special handling (e.g. scanner task).
+								</p>
+							</xsd:documentation>
+							<xsd:appinfo>
+								<xsd:appinfo>
+									<a:displayName>PolicyConstraintsType.collectionStats</a:displayName>
+									<a:help>PolicyConstraintsType.collectionStats.help</a:help>
+									<a:since>4.0</a:since>
+									<a:experimental>true</a:experimental>
+								</xsd:appinfo>
+							</xsd:appinfo>
+						</xsd:annotation>
+					</xsd:element>
 					<xsd:element name="and" type="tns:PolicyConstraintsType" minOccurs="0" maxOccurs="unbounded">
 						<xsd:annotation>
 							<xsd:documentation>
@@ -1126,6 +1148,47 @@
     </xsd:complexType>
     <xsd:element name="situationPolicyConstraint" type="tns:PolicySituationPolicyConstraintType" substitutionGroup="tns:abstractPolicyConstraint" />
 
+	<xsd:complexType name="CollectionStatsPolicyConstraintType">
+        <xsd:annotation>
+            <xsd:documentation>
+				<p>
+					Constraints for collection stats (statistics). Can be used to trigger policy
+					rules on the number of objects in collection, percentage and so on.
+				</p>
+				<p>
+					Policy rules with this constraint are ignored during normal processing.
+					Evaluation of such policy rules require special handling (e.g. scanner task).
+				</p>
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container/>
+                <a:since>4.0</a:since>
+                <a:experimental>true</a:experimental>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:complexContent>
+            <xsd:extension base="tns:AbstractPolicyConstraintType">
+                <xsd:sequence>
+                    <xsd:element name="collection" type="tns:CollectionSpecificationType"  minOccurs="0" maxOccurs="unbounded">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                Refers to "itself" as a collection. This means that it interprets the object
+                                to which the rule applies as a collection. And this element specifies the 
+                                details how the collection should be interpreted. E.g. whether we mean
+                                the list of objects that ObjectCollectionType refers to by filter. Or
+                                whether we mean assignees (owners/approvers) of that object.
+                            </xsd:documentation>
+							<xsd:appinfo>
+								<a:displayName>CollectionStatsPolicyConstraintType.collection</a:displayName>
+							</xsd:appinfo>
+                        </xsd:annotation>
+                    </xsd:element>
+                </xsd:sequence>
+            </xsd:extension>
+        </xsd:complexContent>
+    </xsd:complexType>
+
+
     <xsd:complexType name="TransitionPolicyConstraintType">
         <xsd:annotation>
             <xsd:documentation>

model/model-api/src/main/java/com/evolveum/midpoint/model/api/authentication/CompiledObjectCollectionView.java

@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2018 Evolveum
+ * Copyright (c) 2018-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,7 +28,7 @@
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.annotation.Experimental;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionSpecificationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionRefSpecificationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DisplayType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DistinctSearchOptionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.GuiActionType;
@@ -48,7 +48,7 @@ public class CompiledObjectCollectionView implements DebugDumpable, Serializable
 	private final String viewIdentifier;
 
 	private List<GuiActionType> actions = new ArrayList<>();
-	private CollectionSpecificationType collection;
+	private CollectionRefSpecificationType collection;
 	private List<GuiObjectColumnType> columns = new ArrayList<>();
 	private DisplayType display;
 	private GuiObjectListViewAdditionalPanelsType additionalPanels;
@@ -83,11 +83,11 @@ public List<GuiActionType> getActions() {
 		return actions;
 	}
 
-	public CollectionSpecificationType getCollection() {
+	public CollectionRefSpecificationType getCollection() {
 		return collection;
 	}
 
-	public void setCollection(CollectionSpecificationType collection) {
+	public void setCollection(CollectionRefSpecificationType collection) {
 		this.collection = collection;
 	}
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileCompiler.java

@@ -85,6 +85,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionRefSpecificationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionSpecificationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DashboardWidgetType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.DisplayType;
@@ -426,7 +427,7 @@ private String determineViewIdentifier(GuiObjectListViewType objectListViewType)
 			// legacy, deprecated
 			return viewName;
 		}
-		CollectionSpecificationType collection = objectListViewType.getCollection();
+		CollectionRefSpecificationType collection = objectListViewType.getCollection();
 		if (collection == null) {
 			return objectListViewType.getType().getLocalPart();
 		}
@@ -467,14 +468,14 @@ private void compileAdditionalPanels(CompiledObjectCollectionView existingView,
 	}
 
 	private void compileCollection(CompiledObjectCollectionView existingView, GuiObjectListViewType objectListViewType, Task task, OperationResult result) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
-		CollectionSpecificationType collectionSpec = objectListViewType.getCollection();
+		CollectionRefSpecificationType collectionSpec = objectListViewType.getCollection();
 		if (collectionSpec == null) {
 			ObjectReferenceType collectionRef = objectListViewType.getCollectionRef();
 			if (collectionRef == null) {
 				return;
 			}
 			// Legacy, deprecated
-			collectionSpec = new CollectionSpecificationType();
+			collectionSpec = new CollectionRefSpecificationType();
 			collectionSpec.setCollectionRef(collectionRef.clone());
 		}
 		if (existingView.getCollection() != null) {
@@ -485,7 +486,7 @@ private void compileCollection(CompiledObjectCollectionView existingView, GuiObj
 		compileCollection(existingView, collectionSpec, task, result);
 	}
 
-	private void compileCollection(CompiledObjectCollectionView existingView, CollectionSpecificationType collectionSpec, Task task, OperationResult result) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+	private void compileCollection(CompiledObjectCollectionView existingView, CollectionRefSpecificationType collectionSpec, Task task, OperationResult result) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 		ObjectReferenceType collectionRef = collectionSpec.getCollectionRef();
 
 		QName targetObjectType = existingView.getObjectType();
@@ -541,7 +542,7 @@ private void compileCollection(CompiledObjectCollectionView existingView, Collec
 			if (collectionFilterType != null) {
 				collectionFilter = prismContext.getQueryConverter().parseFilter(collectionFilterType, targetTypeClass);
 			}
-			CollectionSpecificationType baseCollectionSpec = objectCollectionType.getBaseCollection();
+			CollectionRefSpecificationType baseCollectionSpec = objectCollectionType.getBaseCollection();
 			if (baseCollectionSpec == null) {
 				existingView.setFilter(collectionFilter);
 			} else {

samples/experimental/collection-resources-up.xml

@@ -46,7 +46,9 @@
     			     The <collection> constraint means, the the rule should not look at the collection definition.
     			     The rule should look at the collected objects. -->
     			<collectionStats> <!-- or just <collectionStats/> should be enough. Default interpretation for ObjectCollectionType should be "explicit". -->
-    				<collectionInterpretation>explicit</collectionInterpretation>
+    				<collection>
+    					<interpretation>explicit</interpretation>
+    				</collection>
     			</collectionStats>
     		</policyConstraints>
     		<policyThreshold>