Reworked ProvisioningPolicy into ObjectOperationPolicy

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -506,6 +506,37 @@
                 </xsd:annotation>
             </xsd:element>
 
+            <xsd:element name="effectiveMarkRef" type="tns:ObjectReferenceType" minOccurs="0" maxOccurs="unbounded">
+                <xsd:annotation>
+                    <xsd:documentation>
+                       Tags and Shadow marks assigned to the shadow.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <a:objectReferenceTargetType>tns:MarkType</a:objectReferenceTargetType>
+                        <a:experimental />
+                    </xsd:appinfo>
+                </xsd:annotation>
+             </xsd:element>
+           <xsd:element name="policyStatement" type="tns:PolicyStatementType" minOccurs="0" maxOccurs="unbounded">
+               <xsd:annotation>
+                   <xsd:documentation>
+                      Policy statements to manually add or exclude effective marks of shadow.
+                   </xsd:documentation>
+                   <xsd:appinfo>
+                       <a:experimental>true</a:experimental>
+                   </xsd:appinfo>
+               </xsd:annotation>
+            </xsd:element>
+            <xsd:element name="effectiveOperationPolicy" type="tns:ObjectOperationPolicyType" minOccurs="0">
+               <xsd:annotation>
+                 <xsd:documentation>
+                    Effective provisioning policy derived from Shadow marks and resource configuration.
+                 </xsd:documentation>
+                 <xsd:appinfo>
+                     <a:experimental>true</a:experimental>
+                 </xsd:appinfo>
+               </xsd:annotation>
+           </xsd:element>
         </xsd:sequence>
 
         <xsd:attribute name="oid" type="xsd:string">
@@ -808,7 +839,7 @@
                             </xsd:appinfo>
                         </xsd:annotation>
                     </xsd:element>
-                    <xsd:element name="provisioningPolicy" type="tns:ShadowProvisioningPolicyType" minOccurs="0">
+                    <xsd:element name="objectOperationPolicy" type="tns:ObjectOperationPolicyType" minOccurs="0">
                        <xsd:annotation>
                             <xsd:documentation>
                                 Provisioning policy, which is applied to shadows, which have this tag assigned.
@@ -15611,6 +15642,13 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000702">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ARCHETYPE_SHADOW_MARK"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
             <!-- Do we want also these tags? -->
             <xsd:enumeration value="00000000-0000-0000-0000-000000000710">
                 <xsd:annotation>
@@ -19764,4 +19802,47 @@
             <xsd:element name="selector" type="q:SearchFilterType" minOccurs="0" />
         </xsd:sequence>
     </xsd:complexType>
+
+    <xsd:complexType name="OperationPolicyConfigurationType">
+        <xsd:sequence>
+            <xsd:element name="enabled" minOccurs="0" type="xsd:boolean" default="true" />
+            <xsd:element name="severity" minOccurs="0" type="tns:ValidationIssueSeverityType" />
+        </xsd:sequence>
+    </xsd:complexType>
+
+
+    <xsd:complexType name="SynchronizeOperationPolicyConfigurationType">
+        <xsd:sequence>
+            <xsd:element name="inbound" type="tns:OperationPolicyConfigurationType" minOccurs="0" />
+            <xsd:element name="outbound" type="tns:OperationPolicyConfigurationType" minOccurs="0" />
+        </xsd:sequence>
+    </xsd:complexType>
+
+    <xsd:complexType name="ObjectOperationPolicyType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Shadow specific provisioning policy. This policy is applied to concrete shadows using TagType.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container>true</a:container>
+                <a:since>4.7</a:since>
+                <a:experimental>true</a:experimental>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+            <!-- 
+                 If false: (like protected)
+                 Inbound / outbound mapping changes are disabled 
+                 do not run clockwork (SynchronizationServiceImpl)
+                 do not run inbounds
+                 do not run outbounds
+            -->
+
+            <xsd:element name="synchronize" type="tns:SynchronizeOperationPolicyConfigurationType" minOccurs="0" />
+            <xsd:element name="add" type="tns:OperationPolicyConfigurationType" minOccurs="0" />
+            <xsd:element name="modify" type="tns:OperationPolicyConfigurationType" minOccurs="0" />
+            <xsd:element name="delete" type="tns:OperationPolicyConfigurationType" minOccurs="0" />
+        </xsd:sequence>
+    </xsd:complexType>
+
 </xsd:schema>

infra/schema/src/main/resources/xml/ns/public/common/common-provisioning-3.xsd

@@ -4295,26 +4295,6 @@
                             </xsd:documentation>
                         </xsd:annotation>
                     </xsd:element>
-                    <xsd:element name="policyStatement" type="tns:PolicyStatementType" minOccurs="0" maxOccurs="unbounded">
-                        <xsd:annotation>
-                            <xsd:documentation>
-                               Policy statements to manually add or exclude effective marks of shadow.
-                            </xsd:documentation>
-                            <xsd:appinfo>
-                                <a:experimental>true</a:experimental>
-                            </xsd:appinfo>
-                        </xsd:annotation>
-                     </xsd:element>
-                     <xsd:element name="effectiveProvisioningPolicy" type="tns:EffectiveShadowProvisioningPolicyType" minOccurs="0">
-                        <xsd:annotation>
-                          <xsd:documentation>
-                             Effective provisioning policy derived from Shadow marks and resource configuration.
-                          </xsd:documentation>
-                          <xsd:appinfo>
-                              <a:experimental>true</a:experimental>
-                          </xsd:appinfo>
-                        </xsd:annotation>
-                    </xsd:element>
                 </xsd:sequence>
             </xsd:extension>
         </xsd:complexContent>
@@ -5584,56 +5564,4 @@
             <!-- inheritance options may be included later -->
         </xsd:sequence>
     </xsd:complexType>
-
-    <xsd:complexType name="ShadowProvisioningPolicyType">
-        <xsd:annotation>
-            <xsd:documentation>
-                Shadow specific provisioning policy. This policy is applied to concrete shadows using TagType.
-            </xsd:documentation>
-            <xsd:appinfo>
-                <a:container>true</a:container>
-                <a:since>4.7</a:since>
-                <a:experimental>true</a:experimental>
-            </xsd:appinfo>
-        </xsd:annotation>
-        <xsd:sequence>
-            <xsd:element name="protected" type="xsd:boolean" minOccurs="0" default="false">
-                <xsd:annotation>
-                    <xsd:documentation>
-                        Protected shadows cannot be changed. They are out of IDM control.
-                        This is only informational property. Changing it will have no effect on
-                        whether object is protected or not. Object protection is a strict policy that
-                        cannot be easily overridden.
-                    </xsd:documentation>
-                </xsd:annotation>
-            </xsd:element>
-            <xsd:element name="readOnly" type="xsd:boolean" minOccurs="0" default="false" />
-        </xsd:sequence>
-    </xsd:complexType>
-
-    <xsd:complexType name="EffectiveShadowProvisioningPolicyType">
-        <xsd:annotation>
-            <xsd:documentation>
-                Shadow specific provisioning policy. This policy is applied to concrete shadows using TagType.
-            </xsd:documentation>
-            <xsd:appinfo>
-                <a:container>true</a:container>
-                <a:since>4.7</a:since>
-                <a:experimental>true</a:experimental>
-            </xsd:appinfo>
-        </xsd:annotation>
-        <xsd:sequence>
-            <xsd:element name="protected" type="xsd:boolean" minOccurs="1" default="false">
-                <xsd:annotation>
-                    <xsd:documentation>
-                        Protected shadows cannot be changed. They are out of IDM control.
-                        This is only informational property. Changing it will have no effect on
-                        whether object is protected or not. Object protection is a strict policy that
-                        cannot be easily overridden.
-                    </xsd:documentation>
-                </xsd:annotation>
-            </xsd:element>
-            <xsd:element name="readOnly" type="xsd:boolean" minOccurs="1" default="false" />
-        </xsd:sequence>
-    </xsd:complexType>
 </xsd:schema>

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java

@@ -50,6 +50,7 @@
 
 import com.evolveum.midpoint.common.crypto.CryptoUtil;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
+import com.evolveum.midpoint.repo.common.ShadowMarkManager;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
 
@@ -1903,6 +1904,7 @@ public boolean isAdministrativeStatusSupported() throws SchemaException, Configu
     }
 
     public boolean isMarkedReadOnly() {
-                return Boolean.TRUE.equals(getObjectCurrentOrOld().asObjectable().getEffectiveProvisioningPolicy().isReadOnly());
+        var policy = ShadowMarkManager.get().computeEffectivePolicy(getObjectCurrentOrOld().asObjectable(), new OperationResult("markReadOnly"));
+        return !policy.getAdd().isEnabled() && !policy.getModify().isEnabled() && !policy.getDelete().isEnabled();
     }
 }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationContext.java

@@ -193,6 +193,10 @@ boolean isSynchronizationEnabled() {
                 && synchronizationPolicy.isSynchronizationEnabled();
     }
 
+    public boolean isMarkedSkipSynchronization() {
+        return !shadowedResourceObject.getEffectiveOperationPolicy().getSynchronize().getInbound().isEnabled();
+    }
+
     public boolean isProtected() {
         return BooleanUtils.isTrue(shadowedResourceObject.isProtectedObject());
     }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java

@@ -230,6 +230,19 @@ private boolean shouldSkipSynchronization(SynchronizationContext<?> syncCtx, Ope
             return true;
         }
 
+        if (syncCtx.isMarkedSkipSynchronization()) {
+            String message = String.format(
+                    "SYNCHRONIZATION is skipped for marked shadow %s, ignoring change from channel %s", shadow, channel);
+            LOGGER.debug(message);
+            syncCtx.getUpdater()
+                    .updateBothSyncTimestamps() // TODO should we really record this as full synchronization?
+                    .updateCoordinatesIfMissing();
+            result.recordNotApplicable(message);
+            syncCtx.recordSyncExclusionInTask(PROTECTED);
+            return true;
+        }
+
+
         if (syncCtx.isProtected()) {
             String message = String.format(
                     "SYNCHRONIZATION is skipped for protected shadow %s, ignoring change from channel %s", shadow, channel);