package com.evolveum.midpoint.model.intest.security;

import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.api.ModelExecuteOptions;
import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
import com.evolveum.midpoint.model.intest.AbstractConfiguredModelIntegrationTest;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.path.ItemPathSegment;
import com.evolveum.midpoint.prism.path.NameItemPathSegment;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.TypeFilter;
import com.evolveum.midpoint.prism.util.PrismAsserts;
import com.evolveum.midpoint.prism.util.PrismTestUtil;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.test.IntegrationTestTools;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ConstructionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionPolicyConstraintType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyExceptionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyRuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceAttributeDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.io.File;
import java.io.IOException;
import java.util.List;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.ContextConfiguration;
import org.testng.AssertJUnit;
import org.testng.annotations.Test;

@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
/* loaded from: input_file:com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.class */
public class TestSecurityAdvanced extends AbstractSecurityTest {
    // Authorization action URI for the "my work items" UI page.
    private static final String AUTHORIZATION_ACTION_WORKITEMS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myWorkItems";
    // Free-form identifiers; NOTE(review): presumably used as policy-exception / policy-rule names by tests later in the class -- confirm.
    private static final String BIG_BADA_BOOM = "bigBadaBoom";
    private static final String HUGE_BADA_BOOM = "hugeBadaBoom";
    private static final String FIRST_RULE = "firstRule";

    // OIDs of the role fixtures defined by the XML files listed below. Each OID is
    // expected to match the oid attribute inside the corresponding file.
    protected static final String ROLE_LIMITED_ROLE_ADMINISTRATOR_OID = "ce67b472-e5a6-11e7-98c3-174355334559";
    protected static final String ROLE_LIMITED_READ_ROLE_ADMINISTRATOR_OID = "b9fcce10-050d-11e8-b668-eb75ab96577d";
    protected static final String ROLE_EXCLUSION_PIRATE_OID = "cf60ec66-e5a8-11e7-a997-ab32b7ec5fdb";
    protected static final String ROLE_MAXASSIGNEES_10_OID = "09dadf60-f6f1-11e7-8223-a72f04f867e7";
    protected static final String ROLE_MODIFY_POLICY_EXCEPTION_OID = "09e9acde-f787-11e7-987c-13212be79c7d";
    protected static final String ROLE_MODIFY_POLICY_EXCEPTION_SITUATION_OID = "45bee61c-f79f-11e7-a2a7-27ade881c9e0";
    protected static final String ROLE_MODIFY_DESCRIPTION_OID = "1a0616e4-f79a-11e7-80c9-d77b403e1a81";
    protected static final String ROLE_PROP_EXCEPT_ASSIGNMENT_OID = "bc0f3bfe-029f-11e8-995d-273b6606fd79";
    protected static final String ROLE_PROP_EXCEPT_ADMINISTRATIVE_STATUS_OID = "cc549256-02a5-11e8-994e-43c307e2a819";
    protected static final String ROLE_ASSIGN_ORG_OID = "be96f834-2dbb-11e8-b29d-7f5de07e7995";

    // Must equal the number of role files imported by initSystem(); getNumberOfRoles()
    // adds it to the inherited count, so a mismatch skews every role-count assertion.
    protected static final int NUMBER_OF_IMPORTED_ROLES = 9;

    // Role fixture files. TEST_DIR is not declared in this class (inherited).
    protected static final File ROLE_LIMITED_ROLE_ADMINISTRATOR_FILE = new File(TEST_DIR, "role-limited-role-administrator.xml");
    protected static final File ROLE_LIMITED_READ_ROLE_ADMINISTRATOR_FILE = new File(TEST_DIR, "role-limited-read-role-administrator.xml");
    // Not imported by initSystem(); NOTE(review): presumably added on demand by an individual test -- confirm.
    protected static final File ROLE_EXCLUSION_PIRATE_FILE = new File(TEST_DIR, "role-exclusion-pirate.xml");
    protected static final File ROLE_MAXASSIGNEES_10_FILE = new File(TEST_DIR, "role-maxassignees-10.xml");
    protected static final File ROLE_MODIFY_POLICY_EXCEPTION_FILE = new File(TEST_DIR, "role-modify-policy-exception.xml");
    protected static final File ROLE_MODIFY_POLICY_EXCEPTION_SITUATION_FILE = new File(TEST_DIR, "role-modify-policy-exception-situation.xml");
    protected static final File ROLE_MODIFY_DESCRIPTION_FILE = new File(TEST_DIR, "role-modify-description.xml");
    protected static final File ROLE_PROP_EXCEPT_ASSIGNMENT_FILE = new File(TEST_DIR, "role-prop-except-assignment.xml");
    protected static final File ROLE_PROP_EXCEPT_ADMINISTRATIVE_STATUS_FILE = new File(TEST_DIR, "role-prop-except-administrative-status.xml");
    protected static final File ROLE_ASSIGN_ORG_FILE = new File(TEST_DIR, "role-assign-org.xml");

    /**
     * Runs the inherited system initialization and then imports the additional role
     * fixtures used by the authorization tests in this class.
     *
     * <p>Nine files are imported here; {@code NUMBER_OF_IMPORTED_ROLES} has to stay in
     * step with that count. {@code ROLE_EXCLUSION_PIRATE_FILE} is deliberately absent
     * from the list below (it is not imported by this method).
     *
     * @param task            task passed through to the superclass initialization
     * @param operationResult result into which each repository import is recorded
     * @throws Exception if the superclass initialization or any import fails
     */
    @Override
    public void initSystem(Task task, OperationResult operationResult) throws Exception {
        super.initSystem(task, operationResult);

        // Same files, same order as before; only the repetition is folded into a loop.
        final File[] roleFixtures = {
            ROLE_LIMITED_ROLE_ADMINISTRATOR_FILE,
            ROLE_LIMITED_READ_ROLE_ADMINISTRATOR_FILE,
            ROLE_MAXASSIGNEES_10_FILE,
            ROLE_MODIFY_POLICY_EXCEPTION_FILE,
            ROLE_MODIFY_POLICY_EXCEPTION_SITUATION_FILE,
            ROLE_MODIFY_DESCRIPTION_FILE,
            ROLE_PROP_EXCEPT_ASSIGNMENT_FILE,
            ROLE_PROP_EXCEPT_ADMINISTRATIVE_STATUS_FILE,
            ROLE_ASSIGN_ORG_FILE,
        };
        for (File roleFixture : roleFixtures) {
            repoAddObjectFromFile(roleFixture, operationResult);
        }

        // NOTE(review): the literal is the OID of the object template made the default
        // for users; which template it is cannot be told from this class -- confirm.
        setDefaultObjectTemplate(UserType.COMPLEX_TYPE, "b3a8f244-565a-11e7-8802-7b2586c1ce99", operationResult);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the number of roles expected in the repository: the inherited count
     * plus the roles that {@code initSystem} of this class imports.
     *
     * @return inherited role count increased by {@code NUMBER_OF_IMPORTED_ROLES}
     */
    @Override
    public int getNumberOfRoles() {
        final int inheritedRoleCount = super.getNumberOfRoles();
        return inheritedRoleCount + NUMBER_OF_IMPORTED_ROLES;
    }

    /**
     * Checks that jack, holding a single role and starting with no password, is
     * allowed to set his own password, and that the stored credential carries
     * metadata attributing the change to him.
     *
     * <p>The metadata check matters for auditability: the timestamps must fall
     * between the two clock samples taken around the operation, and the recorded
     * actor and channel must be jack's OID and the GUI user channel.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test080AutzJackEndUserPassword() throws Exception {
        final String testName = "test080AutzJackEndUserPassword";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // Fixed fixture password, used only inside this test.
        final String fixturePassword = "nbusr123";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        // NOTE(review): presumably the end-user role, judging by the test name -- confirm.
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa0f");
        clearUserPassword(jackOid);

        // Precondition: one assignment, no linked accounts, no password.
        PrismObject userBefore = getUser(jackOid);
        display("User with cleared password", userBefore);
        assertAssignments(userBefore, 1);
        assertLinks(userBefore, 0);
        assertUserNoPassword(userBefore);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        XMLGregorianCalendar changeWindowStart = this.clock.currentTimeXMLGregorianCalendar();

        displayWhen(testName);
        assertAllow("set jack's password", (task, result) -> {
            modifyUserSetPassword(jackOid, fixturePassword, task, result);
        });

        displayThen(testName);
        XMLGregorianCalendar changeWindowEnd = this.clock.currentTimeXMLGregorianCalendar();
        PrismObject userAfter = getUser(jackOid);
        display("user after password change", userAfter);
        MetadataType passwordMetadata = assertUserPassword(userAfter, fixturePassword).getMetadata();
        AssertJUnit.assertNotNull("No password metadata", passwordMetadata);
        // NOTE(review): the meaning of the two boolean flags is defined by assertMetadata, not visible here.
        assertMetadata("password metadata", passwordMetadata, true, false, changeWindowStart, changeWindowEnd, jackOid, SchemaConstants.CHANNEL_GUI_USER_URI);
        assertGlobalStateUntouched();
    }

    /**
     * Checks the read scope jack gets from the role assigned below: he can read his
     * own user object and nothing else.
     *
     * <p>Asserted boundary: get on three other user OIDs is denied, a search over
     * users and over all objects returns exactly one result, a search over orgs
     * returns none, and add/modify/delete are denied.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test100AutzJackPersonaManagement() throws Exception {
        final String testName = "test100AutzJackPersonaManagement";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // Typed null keeps the same assertSearch overload as an explicit cast would.
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        // NOTE(review): presumably the persona-management role, judging by the test name -- confirm.
        assignRole(jackOid, "2f0246f8-30df-11e7-b35b-bbb92a001091");
        login("jack");

        displayWhen(testName);
        assertGetAllow(UserType.class, jackOid);

        // Users outside jack's scope must not be readable by OID.
        final String[] unreadableUserOids = {
            "c0c010c0-d34d-b33f-f00d-111111111116",
            "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2",
            "65e66ea2-30de-11e7-b852-4b46724fcdaa",
        };
        for (String unreadableOid : unreadableUserOids) {
            assertGetDeny(UserType.class, unreadableOid);
        }

        // Search must not leak objects that get denies.
        assertSearch(UserType.class, noQuery, 1);
        assertSearch(ObjectType.class, noQuery, 1);
        assertSearch(OrgType.class, noQuery, 0);

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Checks the read scope of user lechuck under the same role that
     * {@code test100AutzJackPersonaManagement} gives to jack.
     *
     * <p>Asserted boundary: lechuck can read two user objects (his own OID and one
     * more), cannot read jack or a further user, sees no orgs in search, and is
     * denied add/modify/delete.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test102AutzLechuckPersonaManagement() throws Exception {
        final String testName = "test102AutzLechuckPersonaManagement";
        final String lechuckOid = "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2";
        // NOTE(review): presumably lechuck's persona, since he may read it while jack may not -- confirm.
        final String secondReadableOid = "65e66ea2-30de-11e7-b852-4b46724fcdaa";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        // NOTE(review): the meaning of the second argument is defined by cleanupAutzTest, not visible here.
        cleanupAutzTest(lechuckOid, 1);
        assignRole(lechuckOid, "2f0246f8-30df-11e7-b35b-bbb92a001091");
        login("lechuck");

        displayWhen(testName);
        assertGetDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetAllow(UserType.class, lechuckOid);
        assertGetAllow(UserType.class, secondReadableOid);
        assertSearch(OrgType.class, noQuery, 0);

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Walks through the life cycle of a persona created for jack and checks that
     * his authorizations follow it.
     *
     * <p>Steps asserted: jack may assign himself an application role, after which
     * he has one persona link and may read that persona; other users stay
     * unreadable; a change of jack's givenName shows up on the persona as well;
     * unassigning the role removes the persona link and the persona object itself.
     * Generic add/modify/delete remain denied throughout.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test110AutzJackPersonaAdmin() throws Exception {
        // NOTE(review): the displayed title differs from the method name ("Add" is extra); kept as is.
        final String testTitle = "test110AutzJackAddPersonaAdmin";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String applicationRoleOid = "16813ae6-2c0a-11e7-91fc-8333c244329e";
        final ObjectQuery noQuery = null;

        displayTestTitle(testTitle);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "2f0246f8-30df-11e7-b35b-bbb92a001091");
        login("jack");

        displayWhen(testTitle);
        assertAllow("assign application role 1 to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });

        PrismObject jackWithPersona = assertGetAllow(UserType.class, jackOid);
        display("User jack after persona assign", jackWithPersona);
        // Gaining a persona must not widen what jack can read about other users.
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2");
        assertGetDeny(UserType.class, "65e66ea2-30de-11e7-b852-4b46724fcdaa");
        assertPersonaLinks(jackWithPersona, 1);

        String personaOid = ((ObjectReferenceType) jackWithPersona.asObjectable().getPersonaRef().get(0)).getOid();
        PrismObject persona = assertGetAllow(UserType.class, personaOid);
        display("Persona jack", persona);
        AssertJUnit.assertEquals("Wrong jack persona givenName before change", AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, persona.asObjectable().getGivenName().getOrig());
        assertSearch(OrgType.class, noQuery, 0);

        assertAllow("modify jack givenName", (task, result) -> {
            modifyUserReplace(jackOid, UserType.F_GIVEN_NAME, task, result, new Object[]{createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_ADDITIONAL_NAME)});
        });
        // Both objects are re-read through the authorized path, not from cached copies.
        AssertJUnit.assertEquals("Wrong jack givenName after change", AbstractConfiguredModelIntegrationTest.USER_JACK_ADDITIONAL_NAME, assertGetAllow(UserType.class, jackOid).asObjectable().getGivenName().getOrig());
        AssertJUnit.assertEquals("Wrong jack persona givenName after change", AbstractConfiguredModelIntegrationTest.USER_JACK_ADDITIONAL_NAME, assertGetAllow(UserType.class, personaOid).asObjectable().getGivenName().getOrig());

        assertAllow("unassign application role 1 to jack", (task, result) -> {
            unassignRole(jackOid, applicationRoleOid, task, result);
        });
        assertPersonaLinks(assertGetAllow(UserType.class, jackOid), 0);
        // The persona must be gone, not merely unlinked.
        assertNoObject(UserType.class, personaOid);

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Checks the direction and the lifetime of a deputy delegation between jack and
     * Barbossa.
     *
     * <p>Asserted boundary:
     * <ul>
     *   <li>jack may not assign himself a business role and may not make himself
     *       Barbossa's deputy; he may only delegate his own privileges to Barbossa;</li>
     *   <li>while the delegation exists, Barbossa gets the same read access as jack
     *       and still no add/modify/delete;</li>
     *   <li>once jack removes the delegation, Barbossa loses read access and cannot
     *       create a delegation in either direction himself.</li>
     * </ul>
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test120AutzJackDelagator() throws Exception {
        final String testName = "test120AutzJackDelagator";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String barbossaOid = "c0c010c0-d34d-b33f-f00d-111111111112";
        // NOTE(review): presumably the delegator role, judging by the test name -- confirm.
        final String delegatorRoleOid = "00000000-0000-0000-0000-00000000d001";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, delegatorRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        assertReadAllow(11);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject jackAtStart = getUser(jackOid);
        assertAssignments(jackAtStart, 1);
        assertAssignedRole(jackAtStart, delegatorRoleOid);
        assertNoAssignments(getUser(barbossaOid));

        // Self-service escalation attempts: both must be refused and leave no trace.
        assertDeny("assign business role to jack", (task, result) -> {
            assignRole(jackOid, "00000000-0000-0000-0000-00000000aab1", task, result);
        });
        assertAssignments(getUser(jackOid), 1);
        assertDeny("delegate from Barbossa to Jack", (task, result) -> {
            assignDeputy(jackOid, barbossaOid, task, result);
        });

        // The only permitted direction: jack hands his own privileges to Barbossa.
        assertAllow("delegate to Barbossa", (task, result) -> {
            assignDeputy(barbossaOid, jackOid, task, result);
        });

        PrismObject jackAsDelegator = getUser(jackOid);
        display("Jack delegator", jackAsDelegator);
        assertAssignments(jackAsDelegator, 1);
        PrismObject barbossaAsDeputy = getUser(barbossaOid);
        display("Barbossa delegate", barbossaAsDeputy);
        assertAssignments(barbossaAsDeputy, 1);
        assertAssignedDeputy(barbossaAsDeputy, jackOid);
        assertDeputySearchDelegatorRef(jackOid, barbossaOid);
        assertDeputySearchAssignmentTarget(jackOid, barbossaOid);

        // An unrelated user must not be touched by the delegation.
        PrismObject rumRogers = getUser(this.userRumRogersOid);
        display("User Rum Rogers", rumRogers);
        assertNoAssignments(rumRogers);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadAllow(11);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        login("jack");
        displayWhen(testName);
        display("Logged in as Jack");
        assertAllow("undelegate from Barbossa", (task, result) -> {
            unassignDeputy(barbossaOid, jackOid, task, result);
        });
        assertAssignments(getUser(jackOid), 1);
        assertNoAssignments(getUser(barbossaOid));
        assertGlobalStateUntouched();

        // Revocation check: the former deputy is back to having no access at all.
        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertDeny("delegate to Jack", (task, result) -> {
            assignDeputy(jackOid, barbossaOid, task, result);
        });
        assertDeny("delegate from Jack to Barbossa", (task, result) -> {
            assignDeputy(barbossaOid, jackOid, task, result);
        });
        assertGlobalStateUntouched();
    }

    /**
     * Checks that a deputy delegation limited by a validity window grants access
     * only inside that window.
     *
     * <p>The delegation from jack to Barbossa is created with validFrom two hours
     * and validTo one day after the current test-clock time. Barbossa's access is
     * asserted at three points: before validFrom (read denied), after the clock is
     * moved forward three hours (read allowed), and after it is moved a further day
     * (read denied again). After each clock move Barbossa is recomputed under the
     * administrator login. Add/modify/delete are denied to Barbossa at every point,
     * and after jack removes the delegation Barbossa cannot re-create it.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test122AutzJackDelagatorValidity() throws Exception {
        final String testName = "test122AutzJackDelagatorValidity";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String barbossaOid = "c0c010c0-d34d-b33f-f00d-111111111112";
        // NOTE(review): presumably the delegator role, judging by the test name -- confirm.
        final String delegatorRoleOid = "00000000-0000-0000-0000-00000000d001";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, delegatorRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        PrismObject jackAtStart = getUser(jackOid);
        assertAssignments(jackAtStart, 1);
        assertAssignedRole(jackAtStart, delegatorRoleOid);
        assertNoAssignments(getUser(barbossaOid));

        // Validity window: opens in 2 hours, closes in 1 day (both relative to "now").
        XMLGregorianCalendar delegationCreated = this.clock.currentTimeXMLGregorianCalendar();
        ActivationType validityWindow = new ActivationType();
        validityWindow.setValidFrom(XmlTypeConverter.addDuration(delegationCreated, "PT2H"));
        validityWindow.setValidTo(XmlTypeConverter.addDuration(delegationCreated, "P1D"));
        assertAllow("delegate to Barbossa", (task, result) -> {
            assignDeputy(barbossaOid, jackOid, deputyAssignment -> {
                deputyAssignment.setActivation(validityWindow);
            }, task, result);
        });

        // --- Before validFrom -------------------------------------------------
        PrismObject jackAsDelegator = getUser(jackOid);
        display("Jack delegator", jackAsDelegator);
        assertAssignments(jackAsDelegator, 1);
        PrismObject barbossaBeforeWindow = getUser(barbossaOid);
        display("Barbossa delegate", barbossaBeforeWindow);
        // As read by jack at this point, Barbossa shows no assignments.
        assertAssignments(barbossaBeforeWindow, 0);
        assertDeputySearchDelegatorRef(jackOid, new String[0]);
        assertDeputySearchAssignmentTarget(jackOid, barbossaOid);

        PrismObject rumRogers = getUser(this.userRumRogersOid);
        display("User Rum Rogers", rumRogers);
        assertNoAssignments(rumRogers);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // --- Inside the window (clock +3h) --------------------------------------
        clockForward("PT3H");
        login("administrator");
        recomputeUser(barbossaOid);

        login("jack");
        PrismObject barbossaInWindow = getUser(barbossaOid);
        display("Barbossa delegate", barbossaInWindow);
        assertAssignments(barbossaInWindow, 1);
        assertAssignedDeputy(barbossaInWindow, jackOid);
        assertDeputySearchDelegatorRef(jackOid, barbossaOid);
        assertDeputySearchAssignmentTarget(jackOid, barbossaOid);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadAllow(11);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // --- After validTo (clock +1 more day) ----------------------------------
        clockForward("P1D");
        login("administrator");
        recomputeUser(barbossaOid);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // --- Explicit revocation by the delegator -------------------------------
        login("jack");
        displayWhen(testName);
        display("Logged in as Jack");
        assertAllow("undelegate from Barbossa", (task, result) -> {
            unassignDeputy(barbossaOid, jackOid, deputyAssignment -> {
                deputyAssignment.setActivation(validityWindow);
            }, task, result);
        });
        assertAssignments(getUser(jackOid), 1);
        assertNoAssignments(getUser(barbossaOid));
        assertGlobalStateUntouched();

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertDeny("delegate to Jack", (task, result) -> {
            assignDeputy(jackOid, barbossaOid, task, result);
        });
        assertDeny("delegate from Jack to Barbossa", (task, result) -> {
            assignDeputy(barbossaOid, jackOid, task, result);
        });
        assertGlobalStateUntouched();
    }

    /**
     * Repeats the validity-window delegation scenario of
     * {@code test122AutzJackDelagatorValidity} with a different role assigned to
     * jack, and additionally checks what jack himself can see of the delegation at
     * each stage.
     *
     * <p>Barbossa's effective access is the same as in test122: read denied before
     * validFrom, allowed inside the window, denied after validTo, and no
     * add/modify/delete at any point. With the role used here, jack sees the deputy
     * assignment on Barbossa at every stage (one assignment), while the
     * delegatorRef-based search returns Barbossa only while the window is open.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test124AutzJackDelagatorPlusValidity() throws Exception {
        final String testName = "test124AutzJackDelagatorPlusValidity";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String barbossaOid = "c0c010c0-d34d-b33f-f00d-111111111112";
        // NOTE(review): presumably a "delegator plus" role, judging by the test name -- confirm.
        final String delegatorPlusRoleOid = "00000000-0000-0000-0000-00000000d101";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, delegatorPlusRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        PrismObject jackAtStart = getUser(jackOid);
        assertAssignments(jackAtStart, 1);
        assertAssignedRole(jackAtStart, delegatorPlusRoleOid);
        assertNoAssignments(getUser(barbossaOid));

        // Validity window: opens in 2 hours, closes in 1 day (both relative to "now").
        XMLGregorianCalendar delegationCreated = this.clock.currentTimeXMLGregorianCalendar();
        ActivationType validityWindow = new ActivationType();
        validityWindow.setValidFrom(XmlTypeConverter.addDuration(delegationCreated, "PT2H"));
        validityWindow.setValidTo(XmlTypeConverter.addDuration(delegationCreated, "P1D"));
        assertAllow("delegate to Barbossa", (task, result) -> {
            assignDeputy(barbossaOid, jackOid, deputyAssignment -> {
                deputyAssignment.setActivation(validityWindow);
            }, task, result);
        });

        // --- Before validFrom -------------------------------------------------
        PrismObject jackAsDelegator = getUser(jackOid);
        display("Jack delegator", jackAsDelegator);
        assertAssignments(jackAsDelegator, 1);
        PrismObject barbossaBeforeWindow = getUser(barbossaOid);
        display("Barbossa delegate", barbossaBeforeWindow);
        // Unlike test122, jack already sees the (not yet valid) deputy assignment here.
        assertAssignments(barbossaBeforeWindow, 1);
        assertAssignedDeputy(barbossaBeforeWindow, jackOid);
        assertDeputySearchDelegatorRef(jackOid, new String[0]);
        assertDeputySearchAssignmentTarget(jackOid, barbossaOid);

        PrismObject rumRogers = getUser(this.userRumRogersOid);
        display("User Rum Rogers", rumRogers);
        assertNoAssignments(rumRogers);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // --- Inside the window (clock +3h) --------------------------------------
        clockForward("PT3H");
        login("administrator");
        recomputeUser(barbossaOid);

        login("jack");
        PrismObject barbossaInWindow = getUser(barbossaOid);
        display("Barbossa delegate", barbossaInWindow);
        assertAssignments(barbossaInWindow, 1);
        assertAssignedDeputy(barbossaInWindow, jackOid);
        assertDeputySearchDelegatorRef(jackOid, barbossaOid);
        assertDeputySearchAssignmentTarget(jackOid, barbossaOid);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadAllow(11);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // --- After validTo (clock +1 more day) ----------------------------------
        clockForward("P1D");
        login("administrator");
        recomputeUser(barbossaOid);

        login("jack");
        PrismObject barbossaAfterWindow = getUser(barbossaOid);
        display("Barbossa delegate", barbossaAfterWindow);
        // The expired assignment is still present, but no longer yields a delegatorRef match.
        assertAssignments(barbossaAfterWindow, 1);
        assertAssignedDeputy(barbossaAfterWindow, jackOid);
        assertDeputySearchDelegatorRef(jackOid, new String[0]);
        assertDeputySearchAssignmentTarget(jackOid, barbossaOid);

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // --- Explicit revocation by the delegator -------------------------------
        login("jack");
        displayWhen(testName);
        display("Logged in as Jack");
        assertAllow("undelegate from Barbossa", (task, result) -> {
            unassignDeputy(barbossaOid, jackOid, deputyAssignment -> {
                deputyAssignment.setActivation(validityWindow);
            }, task, result);
        });
        assertAssignments(getUser(jackOid), 1);
        assertNoAssignments(getUser(barbossaOid));
        assertGlobalStateUntouched();

        login("barbossa");
        displayWhen(testName);
        display("Logged in as Barbossa");
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertDeny("delegate to Jack", (task, result) -> {
            assignDeputy(jackOid, barbossaOid, task, result);
        });
        assertDeny("delegate from Jack to Barbossa", (task, result) -> {
            assignDeputy(barbossaOid, jackOid, task, result);
        });
        assertGlobalStateUntouched();
    }

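    /**
     * Checks the read scope of jack when he is approver of one role and holds one
     * further role, without any general read authorization.
     *
     * <p>Asserted boundary: jack can get the role he is approver of and the two
     * users whose membership is checked below (Rum Rogers and cobb); he cannot get
     * the other two roles, his own user object, or two further users. Every search
     * without a filter returns nothing, as does a members query for the role he
     * holds directly. The shared assertions in {@code assert15xCommon} follow.
     *
     * <p>Change from the previous version: the "User Rum Rogers" diagnostic now
     * prints the user object that was fetched under jack's authorization instead of
     * only the OID string, so a failing roleMembershipRef assertion can be diagnosed
     * from the log.
     *
     * @throws Exception if any setup step or assertion fails
     */
    @Test
    public void test150AutzJackApproverUnassignRoles() throws Exception {
        final String testName = "test150AutzJackApproverUnassignRoles";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // Role assigned to jack directly (default relation).
        final String directlyHeldRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        // Role assigned to jack with the approver relation.
        final String approvedRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        // Typed null keeps the same assertSearch overload as an explicit cast would.
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, directlyHeldRoleOid);
        assignRole(jackOid, approvedRoleOid, SchemaConstants.ORG_APPROVER);

        // Baseline taken before switching to jack's identity.
        PrismObject cobbBefore = getUser(this.userCobbOid);
        IntegrationTestTools.display("User cobb before", cobbBefore);
        assertRoleMembershipRef(cobbBefore, new String[]{approvedRoleOid, "2264afee-3ae4-11e7-a63c-8b53efadd642", "00000000-8888-6666-0000-100000000006"});

        login("jack");
        displayWhen(testName);

        assertGetAllow(RoleType.class, approvedRoleOid);
        assertGetDeny(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertGetDeny(RoleType.class, directlyHeldRoleOid);

        PrismObject rumRogers = assertGetAllow(UserType.class, this.userRumRogersOid);
        // Show the object as jack sees it; the OID alone says nothing about what was readable.
        display("User Rum Rogers", rumRogers);
        assertRoleMembershipRef(rumRogers, new String[]{approvedRoleOid, "2264afee-3ae4-11e7-a63c-8b53efadd642", "00000000-8888-6666-0000-100000000004"});
        assertGetAllow(UserType.class, this.userCobbOid);

        assertGetDeny(UserType.class, jackOid);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2");

        // Search must not return anything, including the objects readable by OID above.
        assertSearch(OrgType.class, noQuery, 0);
        assertSearch(RoleType.class, noQuery, 0);
        assertSearch(UserType.class, noQuery, 0);
        assertSearch(UserType.class, createMembersQuery(UserType.class, directlyHeldRoleOid), 0);

        assert15xCommon();
    }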

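    /**
     * Same setup as test150 plus role {@code 519e8bf4-…}; with it every probed role and user is
     * readable and the unfiltered searches return the full counts.
     *
     * <p>Jack's own user object is readable here but is expected to carry no roleMembershipRef,
     * while Rum Rogers' membership references are expected to be visible. The unassign and
     * member-search checks are shared via {@code assert15xCommon()}.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test151AutzJackApproverUnassignRolesAndRead() throws Exception {
        final String testName = "test151AutzJackApproverUnassignRolesAndRead";
        // Role OIDs, named after the operation labels this class uses for them.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        // NOTE(review): presumably the read-granting role, judging by the test name; its
        // definition is not shown here.
        final String readRoleOid = "519e8bf4-3af3-11e7-bc89-cbcee62d4088";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, approverRoleOid);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, readRoleOid);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ordinaryRoleOid, SchemaConstants.ORG_APPROVER);

        login("jack");
        displayWhen(testName);

        assertGetAllow(RoleType.class, ordinaryRoleOid);
        assertGetAllow(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertGetAllow(RoleType.class, approverRoleOid);

        PrismObject rumRogers = assertGetAllow(UserType.class, this.userRumRogersOid);
        // Dump the fetched object; the original passed the OID string, which made the
        // diagnostic output useless when the membership assertion below fails.
        display("User Rum Rogers", rumRogers);
        assertRoleMembershipRef(rumRogers, new String[]{ordinaryRoleOid, uninterestingRoleOid, "00000000-8888-6666-0000-100000000004"});
        assertGetAllow(UserType.class, this.userCobbOid);
        // Readable, but the membership references must be filtered out for Jack himself.
        assertNoRoleMembershipRef(assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2");

        assertSearch(OrgType.class, noQuery, 11);
        assertSearch(RoleType.class, noQuery, getNumberOfRoles());
        assertSearch(UserType.class, noQuery, 11);

        assert15xCommon();
    }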

    /**
     * Jack holds role {@code 519e8bf4-…} and is approver of role {@code 7a7ad698-…}, but does not
     * hold role {@code 5d9cead8-…}.
     *
     * <p>Expected outcome: all probed objects are readable, roleMembershipRef is hidden, member
     * queries return nothing, member search is reported as not permitted, and every unassign,
     * add, modify and delete attempt is denied.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test154AutzJackApproverRead() throws Exception {
        final String testName = "test154AutzJackApproverRead";
        // Role OIDs, named after the operation labels used in the denial checks below.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        final String lechuckOid = "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "519e8bf4-3af3-11e7-bc89-cbcee62d4088");
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ordinaryRoleOid, SchemaConstants.ORG_APPROVER);

        login("jack");
        displayWhen(testName);

        // Read access is broad, but membership references must not leak.
        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, ordinaryRoleOid));
        assertGetAllow(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, approverRoleOid));
        assertNoRoleMembershipRef(assertGetAllow(UserType.class, this.userRumRogersOid));
        assertGetAllow(UserType.class, this.userCobbOid);
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetAllow(UserType.class, lechuckOid);

        assertSearch(OrgType.class, noQuery, 11);
        assertSearch(RoleType.class, noQuery, getNumberOfRoles());
        assertSearch(UserType.class, noQuery, 11);

        // Membership must not be discoverable through a filtered search either.
        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 0);
        assertSearch(UserType.class, createMembersQuery(UserType.class, approverRoleOid), 0);
        assertCanSearchRoleMemberUsers(ordinaryRoleOid, false);
        assertCanSearchRoleMembers(ordinaryRoleOid, false);
        assertCanSearchRoleMemberUsers(uninterestingRoleOid, false);
        assertCanSearchRoleMembers(uninterestingRoleOid, false);
        assertCanSearchRoleMemberUsers(approverRoleOid, false);
        // NOTE(review): this repeats the uninteresting-role check; assert15xCommon() pairs the
        // 5d9cead8-… member-users check with a members check on that same role. As written,
        // assertCanSearchRoleMembers is never exercised for 5d9cead8-… here. Confirm intent.
        assertCanSearchRoleMembers(uninterestingRoleOid, false);

        assertDeny("unassign ordinary role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, ordinaryRoleOid, denyTask, denyResult);
        });
        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 0);
        assertDeny("unassign uninteresting role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign uninteresting role from rum", (denyTask, denyResult) -> {
            unassignRole(this.userRumRogersOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign approver role from jack", (denyTask, denyResult) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, approverRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign ordinary role from lechuck", (denyTask, denyResult) -> {
            unassignRole(lechuckOid, ordinaryRoleOid, denyTask, denyResult);
        });

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code 00000000-0000-0000-0000-00000000aa03} and is approver of role
     * {@code 7a7ad698-…}.
     *
     * <p>Expected outcome: Jack can get and modify only his own user object. Every probed role
     * and every other user is denied, the unfiltered user search returns exactly one object,
     * member search is not permitted, and all unassign attempts are denied.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test155AutzJackApproverSelf() throws Exception {
        final String testName = "test155AutzJackApproverSelf";
        // Role OIDs, named after the operation labels this class uses for them.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String lechuckOid = "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa03");
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ordinaryRoleOid, SchemaConstants.ORG_APPROVER);

        login("jack");
        displayWhen(testName);

        // Being approver of a role does not by itself make that role readable.
        assertGetDeny(RoleType.class, ordinaryRoleOid);
        assertGetDeny(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertGetDeny(RoleType.class, approverRoleOid);

        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, this.userRumRogersOid);
        assertGetDeny(UserType.class, this.userCobbOid);
        assertGetDeny(UserType.class, otherUserOid);
        assertGetDeny(UserType.class, lechuckOid);

        assertSearch(OrgType.class, noQuery, 0);
        assertSearch(RoleType.class, noQuery, 0);
        // Exactly one user is visible to the search.
        assertSearch(UserType.class, noQuery, 1);

        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 0);
        assertSearch(UserType.class, createMembersQuery(UserType.class, approverRoleOid), 0);
        assertCanSearchRoleMemberUsers(ordinaryRoleOid, false);
        assertCanSearchRoleMembers(ordinaryRoleOid, false);
        assertCanSearchRoleMemberUsers(uninterestingRoleOid, false);
        assertCanSearchRoleMembers(uninterestingRoleOid, false);
        assertCanSearchRoleMemberUsers(approverRoleOid, false);
        // NOTE(review): this repeats the uninteresting-role check; assert15xCommon() pairs the
        // 5d9cead8-… member-users check with a members check on that same role. As written,
        // assertCanSearchRoleMembers is never exercised for 5d9cead8-… here. Confirm intent.
        assertCanSearchRoleMembers(uninterestingRoleOid, false);

        assertDeny("unassign ordinary role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, ordinaryRoleOid, denyTask, denyResult);
        });
        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 0);
        assertDeny("unassign uninteresting role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign uninteresting role from rum", (denyTask, denyResult) -> {
            unassignRole(this.userRumRogersOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign ordinary role from lechuck", (denyTask, denyResult) -> {
            unassignRole(lechuckOid, ordinaryRoleOid, denyTask, denyResult);
        });

        assertAddDeny();
        // Self-modification is allowed; the same change on another user is not.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, otherUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds only role {@code 40df00e8-…}.
     *
     * <p>Expected outcome: roles and users are readable, roleMembershipRef is visible on a user
     * (Rum Rogers) but not on the probed roles, the member query for role {@code 7a7ad698-…}
     * returns two users, member search is reported as permitted, and every unassign, add, modify
     * and delete attempt is denied. Reading membership must not imply changing it.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test157AutzJackReadRoleMembers() throws Exception {
        final String testName = "test157AutzJackReadRoleMembers";
        // Role OIDs, named after the operation labels used in the denial checks below.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "40df00e8-3efc-11e7-8d18-7b955ccb96a1");

        login("jack");
        displayWhen(testName);

        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, ordinaryRoleOid));
        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, approverRoleOid));
        assertGetAllow(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertRoleMembershipRef(assertGetAllow(UserType.class, this.userRumRogersOid), new String[]{ordinaryRoleOid, uninterestingRoleOid, "00000000-8888-6666-0000-100000000004"});
        assertGetAllow(UserType.class, this.userCobbOid);
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2");

        assertSearch(RoleType.class, noQuery, getNumberOfRoles());
        assertSearch(UserType.class, noQuery, 11);
        assertSearch(OrgType.class, noQuery, 0);

        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 2);
        assertSearch(UserType.class, createMembersQuery(UserType.class, approverRoleOid), 0);
        assertCanSearchRoleMemberUsers(ordinaryRoleOid, true);
        assertCanSearchRoleMembers(ordinaryRoleOid, true);
        assertCanSearchRoleMemberUsers(uninterestingRoleOid, true);
        assertCanSearchRoleMembers(uninterestingRoleOid, true);
        assertCanSearchRoleMemberUsers(approverRoleOid, true);
        // NOTE(review): this repeats the uninteresting-role check; assert15xCommon() pairs the
        // 5d9cead8-… member-users check with a members check on that same role. As written,
        // assertCanSearchRoleMembers is never exercised for 5d9cead8-… here. Confirm intent.
        assertCanSearchRoleMembers(uninterestingRoleOid, true);

        assertDeny("unassign ordinary role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, ordinaryRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign uninteresting role from rum", (denyTask, denyResult) -> {
            unassignRole(this.userRumRogersOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign approver role from jack", (denyTask, denyResult) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, approverRoleOid, denyTask, denyResult);
        });

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds only role {@code 8418e248-…}.
     *
     * <p>Expected outcome: objects are readable but roleMembershipRef is hidden and member
     * queries return nothing. {@code assertCanSearchRoleMemberUsers} is expected to report
     * {@code false} while {@code assertCanSearchRoleMembers} reports {@code true} for the same
     * roles. All unassign, add, modify and delete attempts are denied.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test158AutzJackReadRoleMembersWrong() throws Exception {
        final String testName = "test158AutzJackReadRoleMembersWrong";
        // Role OIDs, named after the operation labels used in the denial checks below.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "8418e248-3efc-11e7-a546-931a90cb8ee3");

        login("jack");
        displayWhen(testName);

        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, ordinaryRoleOid));
        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, approverRoleOid));
        assertGetAllow(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertNoRoleMembershipRef(assertGetAllow(UserType.class, this.userRumRogersOid));
        assertGetAllow(UserType.class, this.userCobbOid);
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2");

        assertSearch(RoleType.class, noQuery, getNumberOfRoles());
        assertSearch(UserType.class, noQuery, 11);
        assertSearch(OrgType.class, noQuery, 0);

        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 0);
        assertSearch(UserType.class, createMembersQuery(UserType.class, approverRoleOid), 0);
        // The two helpers are expected to disagree in this configuration.
        assertCanSearchRoleMemberUsers(ordinaryRoleOid, false);
        assertCanSearchRoleMembers(ordinaryRoleOid, true);
        assertCanSearchRoleMemberUsers(uninterestingRoleOid, false);
        assertCanSearchRoleMembers(uninterestingRoleOid, true);
        assertCanSearchRoleMemberUsers(approverRoleOid, false);
        // NOTE(review): this repeats the uninteresting-role check; assert15xCommon() pairs the
        // 5d9cead8-… member-users check with a members check on that same role. As written,
        // assertCanSearchRoleMembers is never exercised for 5d9cead8-… here. Confirm intent.
        assertCanSearchRoleMembers(uninterestingRoleOid, true);

        assertDeny("unassign ordinary role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, ordinaryRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign uninteresting role from rum", (denyTask, denyResult) -> {
            unassignRole(this.userRumRogersOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign approver role from jack", (denyTask, denyResult) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, approverRoleOid, denyTask, denyResult);
        });

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds only role {@code 9e93dfb2-…}.
     *
     * <p>Expected outcome: objects are readable, but roleMembershipRef is hidden, member queries
     * return nothing, both member-search helpers report {@code false}, and all unassign, add,
     * modify and delete attempts are denied.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test159AutzJackReadRoleMembersNone() throws Exception {
        final String testName = "test159AutzJackReadRoleMembersNone";
        // Role OIDs, named after the operation labels used in the denial checks below.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "9e93dfb2-3eff-11e7-b56b-1b0e35f837fc");

        login("jack");
        displayWhen(testName);

        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, ordinaryRoleOid));
        assertNoRoleMembershipRef(assertGetAllow(RoleType.class, approverRoleOid));
        assertGetAllow(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertNoRoleMembershipRef(assertGetAllow(UserType.class, this.userRumRogersOid));
        assertGetAllow(UserType.class, this.userCobbOid);
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2");

        assertSearch(RoleType.class, noQuery, getNumberOfRoles());
        assertSearch(UserType.class, noQuery, 11);
        assertSearch(OrgType.class, noQuery, 0);

        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 0);
        assertSearch(UserType.class, createMembersQuery(UserType.class, approverRoleOid), 0);
        assertCanSearchRoleMemberUsers(ordinaryRoleOid, false);
        assertCanSearchRoleMembers(ordinaryRoleOid, false);
        assertCanSearchRoleMemberUsers(uninterestingRoleOid, false);
        assertCanSearchRoleMembers(uninterestingRoleOid, false);
        assertCanSearchRoleMemberUsers(approverRoleOid, false);
        // NOTE(review): this repeats the uninteresting-role check; assert15xCommon() pairs the
        // 5d9cead8-… member-users check with a members check on that same role. As written,
        // assertCanSearchRoleMembers is never exercised for 5d9cead8-… here. Confirm intent.
        assertCanSearchRoleMembers(uninterestingRoleOid, false);

        assertDeny("unassign ordinary role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, ordinaryRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign uninteresting role from rum", (denyTask, denyResult) -> {
            unassignRole(this.userRumRogersOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign approver role from jack", (denyTask, denyResult) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, approverRoleOid, denyTask, denyResult);
        });

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Assertions shared by test150 and test151, run while logged in as Jack.
     *
     * <p>Verifies that members are searchable only for the role Jack approves
     * ({@code 7a7ad698-…}), that he can unassign that role from Cobb (the member count drops from
     * 2 to 1), and that every other unassign attempt is denied. The denied cases are other
     * roles, his own role, and the approved role on a user (lechuck) for whom the unassign is not
     * expected to be allowed. It finishes with the generic add/modify/delete denials.
     *
     * @throws Exception if any helper fails
     */
    private void assert15xCommon() throws Exception {
        // Role OIDs, named after the operation labels used below.
        final String ordinaryRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String uninterestingRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";
        final String approverRoleOid = "5d9cead8-3a2e-11e7-8609-f762a755b58e";

        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 2);
        assertSearch(FocusType.class, createMembersQuery(FocusType.class, ordinaryRoleOid), 2);
        assertSearch(UserType.class, createMembersQuery(UserType.class, approverRoleOid), 0);
        assertSearch(FocusType.class, createMembersQuery(FocusType.class, approverRoleOid), 0);

        assertCanSearchRoleMemberUsers(ordinaryRoleOid, true);
        assertCanSearchRoleMembers(ordinaryRoleOid, true);
        assertCanSearchRoleMemberUsers(uninterestingRoleOid, false);
        assertCanSearchRoleMembers(uninterestingRoleOid, false);
        assertCanSearchRoleMemberUsers(approverRoleOid, false);
        assertCanSearchRoleMembers(approverRoleOid, false);

        // The one permitted change: removing the approved role from one of its members.
        assertAllow("unassign ordinary role from cobb", (allowTask, allowResult) -> {
            unassignRole(this.userCobbOid, ordinaryRoleOid, allowTask, allowResult);
        });
        assertSearch(UserType.class, createMembersQuery(UserType.class, ordinaryRoleOid), 1);

        // Everything else must stay out of reach.
        assertDeny("unassign uninteresting role from cobb", (denyTask, denyResult) -> {
            unassignRole(this.userCobbOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign uninteresting role from rum", (denyTask, denyResult) -> {
            unassignRole(this.userRumRogersOid, uninterestingRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign approver role from jack", (denyTask, denyResult) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, approverRoleOid, denyTask, denyResult);
        });
        assertDeny("unassign ordinary role from lechuck", (denyTask, denyResult) -> {
            unassignRole("c0c010c0-d34d-b33f-f00d-1c1c11cc11c2", ordinaryRoleOid, denyTask, denyResult);
        });

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code 97cc13ac-…} under the RELATIVE assignment policy.
     *
     * <p>A direct org assignment is denied, yet modifying {@code organizationalUnit} on his own
     * user is allowed. Each such change is followed by an assignment-count check and an
     * assigned-org check, so the test pins down that the attribute change results in an org
     * assignment (F0006 → {@code …006}, F0004 → {@code …004}, cleared → back to one assignment).
     * NOTE(review): the mechanism that turns the attribute into an assignment is not visible in
     * this method; presumably a mapping or template configured elsewhere.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test200AutzJackModifyOrgunit() throws Exception {
        final String testName = "test200AutzJackModifyOrgunit";
        final String orgF0006Oid = "00000000-8888-6666-0000-100000000006";
        final String orgF0004Oid = "00000000-8888-6666-0000-100000000004";

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "97cc13ac-5660-11e7-8687-d76f3a88c78d");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Explicit assignment is refused and must leave the assignment count unchanged.
        assertDeny("assign org to jack", (denyTask, denyResult) -> {
            assignOrg(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, orgF0006Oid, denyTask, denyResult);
        });
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);

        // Set organizationalUnit to F0006: one more assignment, pointing at org …006.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_ORGANIZATIONAL_UNIT, createPolyString("F0006"));
        PrismObject jackWithF0006 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display("Jack in medias res", jackWithF0006);
        assertAssignments(jackWithF0006, 2);
        assertAssignedOrg(jackWithF0006, orgF0006Oid);

        // Switch to F0004: still two assignments, the org one now pointing at …004.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_ORGANIZATIONAL_UNIT, createPolyString("F0004"));
        PrismObject jackWithF0004 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display("Jack in medias res", jackWithF0004);
        assertAssignments(jackWithF0004, 2);
        assertAssignedOrg(jackWithF0004, orgF0004Oid);

        // Clear organizationalUnit: back to the single initial assignment.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_ORGANIZATIONAL_UNIT, new Object[0]);
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);

        assertGlobalStateUntouched();
    }

    /**
     * Jack holds roles {@code 97cc13ac-…} and {@code 00000000-0000-0000-0000-00000000ad0c} under
     * the RELATIVE assignment policy.
     *
     * <p>A direct org assignment is still denied. A single delta that both assigns role
     * {@code …aab1} and sets {@code organizationalUnit} is allowed and raises the assignment count
     * from 2 to 4. Later organizationalUnit changes move or remove the org assignment while the
     * role assignment stays, and Jack may finally unassign the role again.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test202AutzJackModifyOrgunitAndAssignRole() throws Exception {
        final String testName = "test202AutzJackModifyOrgunitAndAssignRole";
        final String orgF0006Oid = "00000000-8888-6666-0000-100000000006";
        final String orgF0004Oid = "00000000-8888-6666-0000-100000000004";
        // The role Jack assigns to himself and later removes.
        final String selfAssignedRoleOid = "00000000-0000-0000-0000-00000000aab1";

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "97cc13ac-5660-11e7-8687-d76f3a88c78d");
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000ad0c");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Explicit org assignment is refused; only the two setup roles are assigned.
        assertDeny("assign org to jack", (denyTask, denyResult) -> {
            assignOrg(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, orgF0006Oid, denyTask, denyResult);
        });
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 2);

        // One delta carrying both the role assignment and the organizationalUnit change.
        assertAllow("doing the thing", (allowTask, allowResult) -> {
            ObjectDelta delta = createAssignmentFocusDelta(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, selfAssignedRoleOid, RoleType.COMPLEX_TYPE, null, null, true);
            delta.addModificationReplaceProperty(UserType.F_ORGANIZATIONAL_UNIT, new PolyString[]{createPolyString("F0006")});
            this.modelService.executeChanges(MiscSchemaUtil.createCollection(new ObjectDelta[]{delta}), (ModelExecuteOptions) null, allowTask, allowResult);
        });
        PrismObject jackWithF0006 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display("Jack in medias res", jackWithF0006);
        assertAssignments(jackWithF0006, 4);
        assertAssignedOrg(jackWithF0006, orgF0006Oid);
        assertAssignedRole(jackWithF0006, selfAssignedRoleOid);

        // Switch to F0004: same count, org assignment moved, role kept.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_ORGANIZATIONAL_UNIT, createPolyString("F0004"));
        PrismObject jackWithF0004 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display("Jack in medias res", jackWithF0004);
        assertAssignments(jackWithF0004, 4);
        assertAssignedOrg(jackWithF0004, orgF0004Oid);
        assertAssignedRole(jackWithF0004, selfAssignedRoleOid);

        // Clear organizationalUnit: org assignment gone, role assignment untouched.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_ORGANIZATIONAL_UNIT, new Object[0]);
        PrismObject jackWithoutOrgunit = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(jackWithoutOrgunit, 3);
        assertAssignedRole(jackWithoutOrgunit, selfAssignedRoleOid);
        assertNotAssignedOrg(jackWithoutOrgunit, orgF0004Oid);

        assertAllow("unassign role from jack", (allowTask, allowResult) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, selfAssignedRoleOid, allowTask, allowResult);
        });
        PrismObject jackAfterUnassign = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(jackAfterUnassign, 2);
        assertNotAssignedRole(jackAfterUnassign, selfAssignedRoleOid);

        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code 27058fde-…} and the test does not set a cost center on him.
     *
     * <p>Expected outcome is a complete denial: no read/add/modify/delete, no get on any of the
     * probed roles (including the role he holds), and role searches are denied outright, both
     * unfiltered and filtered by {@code roleType}.
     * NOTE(review): judging by the test name the role's authorization depends on an expression
     * over the cost center; that definition is not shown here.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test220AutzJackRoleExpressionNoConstCenter() throws Exception {
        final String testName = "test220AutzJackRoleExpressionNoConstCenter";
        final String expressionRoleOid = "27058fde-b27e-11e7-b557-e7e43b583989";

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, expressionRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        displayWhen(testName);

        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-00000000aab1");
        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-00000000aab2");
        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-00000000aaa1");
        assertGetDeny(RoleType.class, expressionRoleOid);

        // Search is expected to be denied, which is a stronger outcome than an empty result.
        assertSearchDeny(RoleType.class, null, null);
        assertSearchDeny(RoleType.class, queryFor(RoleType.class).item(new QName[]{RoleType.F_ROLE_TYPE}).eq(new Object[]{"business"}).build(), null);
        assertSearchDeny(RoleType.class, queryFor(RoleType.class).item(new QName[]{RoleType.F_ROLE_TYPE}).eq(new Object[]{"application"}).build(), null);

        assertGlobalStateUntouched();
    }

    /**
     * Same role as test220, but Jack's {@code costCenter} is set to {@code "business"} before
     * login.
     *
     * <p>Expected outcome: the generic read/add/modify/delete checks are still denied, roles
     * {@code …aab1} and {@code …aab2} become readable, role {@code …aaa1} and the role Jack holds
     * stay denied, role search returns three objects (unfiltered and for
     * {@code roleType = business}), and the search for {@code roleType = application} is denied.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test222AutzJackRoleExpressionConstCenterBusiness() throws Exception {
        final String testName = "test222AutzJackRoleExpressionConstCenterBusiness";
        final String expressionRoleOid = "27058fde-b27e-11e7-b557-e7e43b583989";
        final ObjectQuery noQuery = null;

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, expressionRoleOid);

        // Setup step executed before login, i.e. not under Jack's authorizations.
        Task setupTask = createTask(testName);
        modifyUserReplace(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_COST_CENTER, setupTask, setupTask.getResult(), new Object[]{"business"});
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        displayWhen(testName);

        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aab1");
        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aab2");
        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-00000000aaa1");
        assertGetDeny(RoleType.class, expressionRoleOid);

        assertSearch(RoleType.class, noQuery, 3);
        assertSearch(RoleType.class, queryFor(RoleType.class).item(new QName[]{RoleType.F_ROLE_TYPE}).eq(new Object[]{"business"}).build(), 3);
        // A role type other than the one matching the cost center must be refused, not just empty.
        assertSearchDeny(RoleType.class, queryFor(RoleType.class).item(new QName[]{RoleType.F_ROLE_TYPE}).eq(new Object[]{"application"}).build(), null);

        assertGlobalStateUntouched();
    }

    /**
     * Power-of-attorney round trip: Jack (role {@code b27b9f3c-…}) assumes the identity of user
     * {@code …111111111112}, who holds role {@code 00000000-0000-0000-0000-00000000aa08}.
     *
     * <p>The test checks three phases. Before assuming, Jack has READ and ATTORNEY actions and
     * the donor filter matches Jack and the donor. While assumed, the logged-in OID is the
     * donor's, the security context records Jack as attorney, and the donor's actions apply.
     * After dropping, Jack's own identity and actions are back and add/modify/delete are denied
     * again. Finally, assuming power of attorney for two other users is denied and leaves the
     * security context unchanged.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test230AttorneyCaribbeanUnlimited() throws Exception {
        final String testName = "test230AttorneyCaribbeanUnlimited";
        // The user whose identity Jack assumes.
        final String donorOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "b27b9f3c-b962-11e7-9c89-03e5b32f525d");
        cleanupAutzTest(donorOid);
        assignRole(donorOid, "00000000-0000-0000-0000-00000000aa08");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        displayWhen(testName);

        // Phase 1: Jack acting as himself.
        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        Task task = createTask(testName);
        OperationResult result = task.getResult();
        ObjectFilter donorFilterAll = this.modelInteractionService.getDonorFilter(UserType.class, (ObjectFilter) null, (String) null, task, result);
        display("donorFilterAll", donorFilterAll);
        assertSearchFilter(UserType.class, donorFilterAll, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, donorOid);

        assertAuthenticated();
        assertLoggedInUsername("jack");
        assertLoggedInUserOid(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        // Phase 2: acting as the donor; the context must still record who the attorney is.
        assertPrincipalAttorneyOid(assumePowerOfAttorneyAllow(donorOid), AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAuthenticated();
        assertLoggedInUserOid(donorOid);
        assertSecurityContextPrincipalAttorneyOid(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        // NOTE(review): MODIFY is listed twice. This may be deliberate (e.g. two authorizations
        // each contributing MODIFY) or a slip for a different action; confirm against the
        // donor role's definition.
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{ModelAuthorizationAction.READ, ModelAuthorizationAction.MODIFY, ModelAuthorizationAction.MODIFY});
        assertReadSomeModifySome(1);

        // Phase 3: dropping must fully restore Jack's own, narrower context.
        assertPrincipalAttorneyOid(dropPowerOfAttorneyAllow(), null);
        assertAuthenticated();
        assertLoggedInUserOid(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});
        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Users outside the permitted donor set: refused, and no partial context switch.
        assumePowerOfAttorneyDeny(this.userRumRogersOid);
        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111116");
        assertAuthenticated();
        assertLoggedInUserOid(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertSecurityContextPrincipalAttorneyOid(null);

        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code 5cf5b6c8-…}; this test gives him no org assignment.
     *
     * <p>Expected outcome: both donor filters (unrestricted and restricted to
     * {@code AUTHORIZATION_ACTION_WORKITEMS}) match no users, every attempt to assume power of
     * attorney is denied, and the security context stays Jack's own with no attorney recorded.
     *
     * @throws Exception if any helper fails
     */
    @Test
    public void test232ManagerAttorneyNoOrg() throws Exception {
        final String testName = "test232ManagerAttorneyNoOrg";
        final String formerDonorOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "5cf5b6c8-b968-11e7-b77d-6b029450f900");
        // Remove role …aa08 from this user, the same pair test230 sets up with assignRole.
        cleanupUnassign(formerDonorOid, "00000000-0000-0000-0000-00000000aa08");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);

        login("jack");
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        Task task = createTask(testName);
        OperationResult opResult = task.getResult();

        ObjectFilter donorFilterAll = this.modelInteractionService.getDonorFilter(UserType.class, (ObjectFilter) null, (String) null, task, opResult);
        display("donorFilterAll", donorFilterAll);
        assertSearchFilter(UserType.class, donorFilterAll, 0);

        ObjectFilter donorFilterWorkitems = this.modelInteractionService.getDonorFilter(UserType.class, (ObjectFilter) null, AUTHORIZATION_ACTION_WORKITEMS, task, opResult);
        display("donorFilterWorkitems", donorFilterWorkitems);
        assertSearchFilter(UserType.class, donorFilterWorkitems, 0);

        assertLoggedInUserOid(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertSecurityContextPrincipalAttorneyOid(null);

        // No donors available: each attempt is refused and must not alter the context.
        assumePowerOfAttorneyDeny(formerDonorOid);
        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111116");
        assumePowerOfAttorneyDeny(this.userRumRogersOid);
        assertLoggedInUserOid(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertSecurityContextPrincipalAttorneyOid(null);

        assertGlobalStateUntouched();
    }

    /**
     * Jack is assigned the role below and is made manager (ORG_MANAGER relation) of the
     * org below. The donor filters then match four users. Assuming power of attorney is
     * denied for the first user and allowed for {@code userRumRogersOid}; while acting for
     * that donor the security context carries no authorization actions and read, add,
     * modify and delete are all denied, i.e. jack's own READ right does not carry over.
     * Dropping the power of attorney restores jack's READ/ATTORNEY context.
     */
    @Test
    public void test234ManagerAttorneyRum() throws Exception {
        final String testName = "test234ManagerAttorneyRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "5cf5b6c8-b968-11e7-b77d-6b029450f900");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        Task task = createTask(testName);
        OperationResult opResult = task.getResult();

        ObjectFilter allDonors = modelInteractionService.getDonorFilter(
                UserType.class, (ObjectFilter) null, (String) null, task, opResult);
        display("donorFilterAll", allDonors);
        assertSearchFilter(UserType.class, allDonors, 4);

        ObjectFilter workitemDonors = modelInteractionService.getDonorFilter(
                UserType.class, (ObjectFilter) null, AUTHORIZATION_ACTION_WORKITEMS, task, opResult);
        display("donorFilterWorkitems", workitemDonors);
        assertSearchFilter(UserType.class, workitemDonors, 4);

        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);

        // A denied attempt leaves jack's context exactly as it was.
        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111112");
        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        // Acting for the donor: principal is the donor, jack is recorded as attorney,
        // and no authorization action is available.
        assumePowerOfAttorneyAllow(userRumRogersOid);
        assertLoggedInUserOid(userRumRogersOid);
        assertSecurityContextPrincipalAttorneyOid(jackOid);
        assertSecurityContextNoAuthorizationActions();
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Back to jack.
        dropPowerOfAttorneyAllow();
        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111116");

        assertGlobalStateUntouched();
    }

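    /**
     * Same setup as the manager-attorney case, plus a role assigned to the donor
     * ({@code userRumRogersOid}). While jack acts for that donor the security context is
     * expected to carry exactly AUTHORIZATION_ACTION_WORKITEMS, and read, add, modify and
     * delete stay denied. Dropping the power of attorney restores jack's READ/ATTORNEY
     * context.
     *
     * <p>The title, "when" marker and task name use this test's own name. They previously
     * reused "test234ManagerAttorneyRum", so a failing authorization assertion here was
     * reported in the log under the wrong test.
     */
    @Test
    public void test235ManagerAttorneyRumRogersEntitled() throws Exception {
        final String testName = "test235ManagerAttorneyRumRogersEntitled";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "5cf5b6c8-b968-11e7-b77d-6b029450f900");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        // The donor's own role; it decides what jack may do while acting for the donor.
        assignRole(userRumRogersOid, "1d8d9bec-ba51-11e7-95dc-f3520461c08d");
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        Task task = createTask(testName);
        OperationResult opResult = task.getResult();

        ObjectFilter allDonors = modelInteractionService.getDonorFilter(
                UserType.class, (ObjectFilter) null, (String) null, task, opResult);
        display("donorFilterAll", allDonors);
        assertSearchFilter(UserType.class, allDonors, 4);

        ObjectFilter workitemDonors = modelInteractionService.getDonorFilter(
                UserType.class, (ObjectFilter) null, AUTHORIZATION_ACTION_WORKITEMS, task, opResult);
        display("donorFilterWorkitems", workitemDonors);
        assertSearchFilter(UserType.class, workitemDonors, 4);

        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);

        // A denied attempt leaves jack's context untouched.
        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111112");
        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        // Acting for the donor: only the work-items action is present.
        assumePowerOfAttorneyAllow(userRumRogersOid);
        assertLoggedInUserOid(userRumRogersOid);
        assertSecurityContextPrincipalAttorneyOid(jackOid);
        assertSecurityContextAuthorizationActions(new String[]{AUTHORIZATION_ACTION_WORKITEMS});
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Back to jack.
        dropPowerOfAttorneyAllow();
        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111116");

        assertGlobalStateUntouched();
    }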

    /**
     * Jack holds two roles plus the ORG_MANAGER relation to the org below, and two
     * potential donors each get a role of their own. The donor filters then match five
     * users. For each donor the test assumes power of attorney, checks that the security
     * context shows the donor as principal, jack as attorney and the expected action set,
     * then drops it and checks that jack's own context is back. The roles given to the
     * donors are unassigned again as administrator at the end.
     */
    @Test
    public void test236ManagerAttorneyCaribbeanRum() throws Exception {
        final String testName = "test236ManagerAttorneyCaribbeanRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String firstDonorOid = "c0c010c0-d34d-b33f-f00d-111111111112";
        final String firstDonorRoleOid = "00000000-0000-0000-0000-00000000aa08";
        final String rumRogersRoleOid = "1d8d9bec-ba51-11e7-95dc-f3520461c08d";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "b27b9f3c-b962-11e7-9c89-03e5b32f525d");
        assignRole(jackOid, "5cf5b6c8-b968-11e7-b77d-6b029450f900");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        assignRole(userRumRogersOid, rumRogersRoleOid);
        assignRole(firstDonorOid, firstDonorRoleOid);
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        Task task = createTask(testName);
        OperationResult opResult = task.getResult();

        ObjectFilter allDonors = modelInteractionService.getDonorFilter(
                UserType.class, (ObjectFilter) null, (String) null, task, opResult);
        display("donorFilterAll", allDonors);
        assertSearchFilter(UserType.class, allDonors, 5);

        ObjectFilter workitemDonors = modelInteractionService.getDonorFilter(
                UserType.class, (ObjectFilter) null, AUTHORIZATION_ACTION_WORKITEMS, task, opResult);
        display("donorFilterWorkitems", workitemDonors);
        assertSearchFilter(UserType.class, workitemDonors, 5);

        // First donor: jack acts with READ/MODIFY actions.
        // NOTE(review): MODIFY is listed twice in the expected set; presumably one entry
        // per authorization of the donor's role - confirm against the role definition.
        assumePowerOfAttorneyAllow(firstDonorOid);
        assertLoggedInUserOid(firstDonorOid);
        assertSecurityContextPrincipalAttorneyOid(jackOid);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.MODIFY, ModelAuthorizationAction.MODIFY});
        assertReadSomeModifySome(3);

        dropPowerOfAttorneyAllow();
        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY,
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        // Second donor: only the work-items action, all object operations denied.
        assumePowerOfAttorneyAllow(userRumRogersOid);
        assertLoggedInUserOid(userRumRogersOid);
        assertSecurityContextPrincipalAttorneyOid(jackOid);
        assertSecurityContextAuthorizationActions(new String[]{AUTHORIZATION_ACTION_WORKITEMS});
        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        dropPowerOfAttorneyAllow();
        assertLoggedInUserOid(jackOid);
        assertSecurityContextPrincipalAttorneyOid(null);
        assertSecurityContextAuthorizationActions(new ModelAuthorizationAction[]{
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY,
                ModelAuthorizationAction.READ, ModelAuthorizationAction.ATTORNEY});

        assumePowerOfAttorneyDeny("c0c010c0-d34d-b33f-f00d-111111111116");

        // Cleanup runs as administrator, not as jack.
        login("administrator");
        cleanupUnassign(userRumRogersOid, rumRogersRoleOid);
        cleanupUnassign(firstDonorOid, firstDonorRoleOid);

        assertGlobalStateUntouched();
    }

    /**
     * Jack is given the role assigned below and then tries a series of role assignments
     * and unassignments, each wrapped in assertAllow or assertDeny. At the end jack must
     * hold one assignment and the other user none.
     *
     * <p>NOTE(review): several messages mention "barbossa" while the call passes
     * USER_JACK_OID, and the role behind "...aab2" is called an application role in one
     * message and a business role in another. The messages are what a failing
     * authorization assertion reports, so they should be checked against the intended
     * subject and role.
     */
    @Test
    public void test250AssignRequestableSelfOtherApporver() throws Exception {
        final String testName = "test250AssignRequestableSelfOtherApporver";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";
        final String initialRoleOid = "d3e83cce-bb25-11e7-ae7c-b73d2208bf2a";
        final String roleAab1Oid = "00000000-0000-0000-0000-00000000aab1";
        final String roleAab2Oid = "00000000-0000-0000-0000-00000000aab2";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, initialRoleOid);
        cleanupUnassign(userRumRogersOid, "1d8d9bec-ba51-11e7-95dc-f3520461c08d");
        cleanupUnassign(otherUserOid, "00000000-0000-0000-0000-00000000aa08");
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject jackBefore = getUser(jackOid);
        assertAssignments(jackBefore, 1);
        assertAssignedRole(jackBefore, initialRoleOid);

        // Assigning to self with the default relation.
        assertAllow("assign business role to jack", (opTask, opResult) -> {
            assignRole(jackOid, roleAab1Oid, opTask, opResult);
        });

        PrismObject jackAfterAssign = getUser(jackOid);
        assertAssignments(jackAfterAssign, 2);
        assertAssignedRole(jackAfterAssign, roleAab1Oid);

        assertDeny("assign application role to jack", (opTask, opResult) -> {
            assignRole(jackOid, roleAab2Oid, opTask, opResult);
        });

        assertAllow("unassign business role from jack", (opTask, opResult) -> {
            unassignRole(jackOid, roleAab1Oid, opTask, opResult);
        });

        // The manager relation is denied even for a role that was allowed above.
        assertDeny("assign business role to jack (manager)", (opTask, opResult) -> {
            assignRole(jackOid, roleAab1Oid, SchemaConstants.ORG_MANAGER, opTask, opResult);
        });

        // Assigning to another user is denied.
        assertDeny("assign application role to barbossa", (opTask, opResult) -> {
            assignRole(otherUserOid, roleAab1Oid, opTask, opResult);
        });

        // Approver and owner relations are allowed (the calls target USER_JACK_OID).
        assertAllow("assign business role to barbossa (approver)", (opTask, opResult) -> {
            assignRole(jackOid, roleAab1Oid, SchemaConstants.ORG_APPROVER, opTask, opResult);
        });

        assertAllow("unassign business role to barbossa (approver)", (opTask, opResult) -> {
            unassignRole(jackOid, roleAab1Oid, SchemaConstants.ORG_APPROVER, opTask, opResult);
        });

        assertAllow("assign business role to barbossa (owner)", (opTask, opResult) -> {
            assignRole(jackOid, roleAab2Oid, SchemaConstants.ORG_OWNER, opTask, opResult);
        });

        assertAllow("unassign business role to barbossa (owner)", (opTask, opResult) -> {
            unassignRole(jackOid, roleAab2Oid, SchemaConstants.ORG_OWNER, opTask, opResult);
        });

        // THEN: everything that was allowed has been undone again.
        assertAssignments(getUser(jackOid), 1);
        assertAssignments(getUser(otherUserOid), 0);

        assertGlobalStateUntouched();
    }

    /**
     * Variant of the requestable-role assignment scenario in which two of the
     * unassignments go through deleteFocusAssignmentEmptyDelta, fed with a freshly read
     * user object, instead of unassignRole. The allow/deny expectations and the final
     * assignment counts are checked in the same way.
     *
     * <p>NOTE(review): several messages mention "barbossa" while the call passes
     * USER_JACK_OID; the messages are what a failing authorization assertion reports, so
     * they should be checked against the intended subject.
     */
    @Test
    public void test252AssignRequestableSelfOtherApporverEmptyDelta() throws Exception {
        final String testName = "test252AssignRequestableSelfOtherApporverEmptyDelta";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";
        final String initialRoleOid = "d3e83cce-bb25-11e7-ae7c-b73d2208bf2a";
        final String roleAab1Oid = "00000000-0000-0000-0000-00000000aab1";
        final String roleAab2Oid = "00000000-0000-0000-0000-00000000aab2";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, initialRoleOid);
        cleanupUnassign(userRumRogersOid, "1d8d9bec-ba51-11e7-95dc-f3520461c08d");
        cleanupUnassign(otherUserOid, "00000000-0000-0000-0000-00000000aa08");
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject jackBefore = getUser(jackOid);
        assertAssignments(jackBefore, 1);
        assertAssignedRole(jackBefore, initialRoleOid);

        assertAllow("assign business role to jack", (opTask, opResult) -> {
            assignRole(jackOid, roleAab1Oid, opTask, opResult);
        });

        // Snapshot taken after the assignment; it is the input of the delete below.
        PrismObject jackAfterAssign = getUser(jackOid);
        assertAssignments(jackAfterAssign, 2);
        assertAssignedRole(jackAfterAssign, roleAab1Oid);

        assertDeny("assign application role to jack", (opTask, opResult) -> {
            assignRole(jackOid, roleAab2Oid, opTask, opResult);
        });

        assertAllow("unassign business role from jack", (opTask, opResult) -> {
            deleteFocusAssignmentEmptyDelta(jackAfterAssign, roleAab1Oid, opTask, opResult);
        });

        assertDeny("assign business role to jack (manager)", (opTask, opResult) -> {
            assignRole(jackOid, roleAab1Oid, SchemaConstants.ORG_MANAGER, opTask, opResult);
        });

        assertDeny("assign application role to barbossa", (opTask, opResult) -> {
            assignRole(otherUserOid, roleAab1Oid, opTask, opResult);
        });

        assertAllow("assign business role to barbossa (approver)", (opTask, opResult) -> {
            assignRole(jackOid, roleAab1Oid, SchemaConstants.ORG_APPROVER, opTask, opResult);
        });

        assertAllow("unassign business role to barbossa (approver)", (opTask, opResult) -> {
            unassignRole(jackOid, roleAab1Oid, SchemaConstants.ORG_APPROVER, opTask, opResult);
        });

        assertAllow("assign business role to barbossa (owner)", (opTask, opResult) -> {
            assignRole(jackOid, roleAab2Oid, SchemaConstants.ORG_OWNER, opTask, opResult);
        });

        // Snapshot holding the owner-relation assignment that is deleted next.
        PrismObject jackWithOwnerAssignment = getUser(jackOid);
        assertAssignments(jackWithOwnerAssignment, 2);
        assertAssignedRole(jackWithOwnerAssignment, roleAab2Oid);

        assertAllow("unassign business role to barbossa (owner)", (opTask, opResult) -> {
            deleteFocusAssignmentEmptyDelta(jackWithOwnerAssignment, roleAab2Oid, SchemaConstants.ORG_OWNER, opTask, opResult);
        });

        // THEN
        assertAssignments(getUser(jackOid), 1);
        assertAssignments(getUser(otherUserOid), 0);

        assertGlobalStateUntouched();
    }

    /**
     * Jack starts with two roles. Unassigning the second one from himself must be
     * allowed, while unassigning the first one (named ROLE_UNASSIGN_SELF_REQUESTABLE in
     * the deny message) must be denied, so jack cannot strip the role that the test
     * assigned to him first.
     */
    @Test
    public void test254AssignUnassignRequestableSelf() throws Exception {
        final String testName = "test254AssignUnassignRequestableSelf";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String keptRoleOid = "7c903f28-04ed-11e8-bb7a-df31e8679d27";
        final String removableRoleOid = "00000000-0000-0000-0000-00000000aab1";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, keptRoleOid);
        assignRole(jackOid, removableRoleOid);
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject jackBefore = getUser(jackOid);
        assertAssignments(jackBefore, 2);
        assertAssignedRole(jackBefore, keptRoleOid);
        assertAssignedRole(jackBefore, removableRoleOid);

        assertAllow("unassign business role from jack", (opTask, opResult) -> {
            unassignRole(jackOid, removableRoleOid, opTask, opResult);
        });

        PrismObject jackAfter = getUser(jackOid);
        assertAssignments(jackAfter, 1);
        assertAssignedRole(jackAfter, keptRoleOid);

        assertDeny("unassign ROLE_UNASSIGN_SELF_REQUESTABLE role from jack", (opTask, opResult) -> {
            unassignRole(jackOid, keptRoleOid, opTask, opResult);
        });

        assertGlobalStateUntouched();
    }

    /**
     * Same expectations as the self-unassign scenario, but both unassignments go through
     * deleteFocusAssignmentEmptyDelta with a previously read user object: removing the
     * second role must be allowed and removing the first one (named
     * ROLE_UNASSIGN_SELF_REQUESTABLE in the deny message) must be denied.
     */
    @Test
    public void test256AssignUnassignRequestableSelfEmptyDelta() throws Exception {
        final String testName = "test256AssignUnassignRequestableSelfEmptyDelta";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String keptRoleOid = "7c903f28-04ed-11e8-bb7a-df31e8679d27";
        final String removableRoleOid = "00000000-0000-0000-0000-00000000aab1";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, keptRoleOid);
        assignRole(jackOid, removableRoleOid);
        login("jack");

        // WHEN
        displayWhen(testName);

        assertReadAllow();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject jackBefore = getUser(jackOid);
        assertAssignments(jackBefore, 2);
        assertAssignedRole(jackBefore, keptRoleOid);
        assertAssignedRole(jackBefore, removableRoleOid);

        assertAllow("unassign business role from jack", (opTask, opResult) -> {
            deleteFocusAssignmentEmptyDelta(jackBefore, removableRoleOid, opTask, opResult);
        });

        PrismObject jackAfter = getUser(jackOid);
        assertAssignments(jackAfter, 1);
        assertAssignedRole(jackAfter, keptRoleOid);

        // The alternative delete path must be refused exactly like unassignRole would be.
        assertDeny("unassign ROLE_UNASSIGN_SELF_REQUESTABLE role from jack", (opTask, opResult) -> {
            deleteFocusAssignmentEmptyDelta(jackAfter, keptRoleOid, opTask, opResult);
        });

        assertGlobalStateUntouched();
    }

    /**
     * Jack holds ROLE_LIMITED_ROLE_ADMINISTRATOR_OID. The test checks that:
     * <ul>
     *   <li>jack can get and find only himself through the normal path, and every get or
     *       search carrying the raw option is denied;</li>
     *   <li>the edit schema of the exclusion role exposes the listed items with the
     *       expected flags, assignment and inducement differing for construction,
     *       evaluationTarget and maxAssignees;</li>
     *   <li>adding and deleting an exclusion on the empty role is allowed, by value and
     *       by assignment id;</li>
     *   <li>min/max-assignee policy-rule changes and a plain role assignment to the
     *       empty role are denied.</li>
     * </ul>
     * NOTE(review): the three booleans passed to assertItemFlags are presumably the
     * read/add/modify expectations; confirm against the helper's signature.
     */
    @Test
    public void test260AutzJackLimitedRoleAdministrator() throws Exception {
        final String testName = "test260AutzJackLimitedRoleAdministrator";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";
        final String pirateRoleOid = "12345678-d34d-b33f-f00d-555555556666";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_LIMITED_ROLE_ADMINISTRATOR_OID);
        login("jack");

        // WHEN
        displayWhen(testName);

        // Normal reads are limited to jack himself; the raw option is always refused.
        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, jackOid,
                SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, otherUserOid);
        assertGetDeny(UserType.class, otherUserOid,
                SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertReadDenyRaw();

        assertSearch(UserType.class, (ObjectQuery) null, 1);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"),
                SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"),
                SelectorOptions.createCollection(GetOperationOptions.createRaw()));

        assertAddDeny();
        assertDeleteDeny();

        assertAddAllow(ROLE_EXCLUSION_PIRATE_FILE);

        PrismObject<RoleType> exclusionRole = assertGetAllow(RoleType.class, ROLE_EXCLUSION_PIRATE_OID);
        display("Exclusion role", exclusionRole);
        assertExclusion(exclusionRole, pirateRoleOid);

        PrismObjectDefinition editSchema = getEditObjectDefinition(exclusionRole);
        display("Exclusion role edit schema", editSchema);

        // Top-level role items.
        assertItemFlags(editSchema, RoleType.F_NAME, true, true, true);
        assertItemFlags(editSchema, RoleType.F_DESCRIPTION, true, true, true);
        assertItemFlags(editSchema, RoleType.F_ROLE_TYPE, true, true, true);
        assertItemFlags(editSchema, RoleType.F_LIFECYCLE_STATE, true, true, true);
        assertItemFlags(editSchema, RoleType.F_METADATA, false, false, false);

        // Assignment: only the exclusion policy-rule branch is open.
        assertItemFlags(editSchema, RoleType.F_ASSIGNMENT, true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION,
                        ExclusionPolicyConstraintType.F_TARGET_REF}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION,
                        ExclusionPolicyConstraintType.F_DESCRIPTION}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_CONSTRUCTION}),
                false, false, false);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_EVALUATION_TARGET}),
                false, false, false);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_MAX_ASSIGNEES}),
                false, false, false);

        // Inducement: every checked item is open, including the three closed above.
        assertItemFlags(editSchema, RoleType.F_INDUCEMENT, true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION,
                        ExclusionPolicyConstraintType.F_TARGET_REF}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION,
                        ExclusionPolicyConstraintType.F_DESCRIPTION}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_EVALUATION_TARGET}),
                true, true, true);
        assertItemFlags(editSchema,
                new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE,
                        PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_MAX_ASSIGNEES}),
                true, true, true);

        // Exclusion round trip 1: add, verify, delete by value.
        assertAllow("add exclusion (1)", (opTask, opResult) -> {
            modifyRoleAddExclusion(emptyRoleOid, pirateRoleOid, opTask, opResult);
        });

        PrismObject<RoleType> emptyRoleFirst = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with exclusion (1)", emptyRoleFirst);
        assertExclusion(emptyRoleFirst, pirateRoleOid);

        assertAllow("delete exclusion (1)", (opTask, opResult) -> {
            modifyRoleDeleteExclusion(emptyRoleOid, pirateRoleOid, opTask, opResult);
        });

        // Exclusion round trip 2: add, verify, delete by assignment id.
        assertAllow("add exclusion (2)", (opTask, opResult) -> {
            modifyRoleAddExclusion(emptyRoleOid, pirateRoleOid, opTask, opResult);
        });

        PrismObject<RoleType> emptyRoleSecond = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with exclusion (2)", emptyRoleSecond);
        AssignmentType exclusionAssignment = assertExclusion(emptyRoleSecond, pirateRoleOid);

        assertAllow("delete exclusion (2)", (opTask, opResult) -> {
            modifyRoleDeleteAssignment(emptyRoleOid,
                    createAssignmentIdOnly(exclusionAssignment.getId().longValue()), opTask, opResult);
        });

        // Policy rules other than exclusion stay out of reach, by value and by id.
        assertDeny("add minAssignee", (opTask, opResult) -> {
            modifyRolePolicyRule(emptyRoleOid, createMinAssigneePolicyRule(1), true, opTask, opResult);
        });

        assertDeny("delete maxAssignee 10 (by value)", (opTask, opResult) -> {
            modifyRolePolicyRule(ROLE_MAXASSIGNEES_10_OID, createMaxAssigneePolicyRule(10), false, opTask, opResult);
        });

        assertDeny("delete maxAssignee 10 (by id)", (opTask, opResult) -> {
            modifyRoleDeleteAssignment(ROLE_MAXASSIGNEES_10_OID, createAssignmentIdOnly(10L), opTask, opResult);
        });

        // A plain role assignment is not a policy rule and is denied as well.
        assertDeny("assign role pirate to empty role", (opTask, opResult) -> {
            assignRole(RoleType.class, emptyRoleOid, pirateRoleOid, opTask, opResult);
        });

        // THEN: the empty role ends with no assignment at all.
        PrismObject emptyRoleFinal = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role without exclusion", emptyRoleFinal);
        assertAssignments(emptyRoleFinal, 0);

        assertGlobalStateUntouched();
    }

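    /**
     * Authorization test: jack holds the limited role administrator role plus the role
     * {@code 00000000-0000-0000-0000-00000000aa0c}.
     *
     * <p>The test asserts which operations are allowed and which are denied for that combination:
     * assigning and unassigning an application role on jack himself is allowed, assigning a
     * business role is denied, exclusion assignments on roles may be added and deleted, while
     * min/max assignee policy rules and a plain role-to-role assignment are denied. The closing
     * part checks the ADD authorization in the REQUEST phase against an empty role and against
     * a role carrying a {@code riskLevel}.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test262AutzJackLimitedRoleAdministratorAndAssignApplicationRoles() throws Exception {
        // The title and "when" marker were copied from test260, so the log output of this test
        // could not be told apart from that test. Use this method's own name.
        final String testName = "test262AutzJackLimitedRoleAdministratorAndAssignApplicationRoles";
        displayTestTitle(testName);
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ROLE_LIMITED_ROLE_ADMINISTRATOR_OID);
        // NOTE(review): presumably the role that lets jack assign application roles - confirm the OID.
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa0c");
        login("jack");
        displayWhen(testName);
        assertReadAllow();
        assertReadDenyRaw();
        assertAddDeny();
        assertDeleteDeny();

        // Application role: assignment to jack is allowed ...
        assertAllow("assign application role to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task, operationResult);
        });
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        // Two roles from the setup above plus the application role just assigned.
        assertAssignments(user, 3);
        assertAssignedRole(user, "00000000-0000-0000-0000-00000000aaa1");
        // ... but a business role is outside what jack may assign.
        assertDeny("assign business role to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task2, operationResult2);
        });
        assertAllow("unassign application role from jack", (task3, operationResult3) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task3, operationResult3);
        });

        // Adding a role that already contains an exclusion is allowed.
        assertAddAllow(ROLE_EXCLUSION_PIRATE_FILE);
        PrismObject<RoleType> assertGetAllow = assertGetAllow(RoleType.class, ROLE_EXCLUSION_PIRATE_OID);
        display("Exclusion role", assertGetAllow);
        assertExclusion(assertGetAllow, "12345678-d34d-b33f-f00d-555555556666");

        // Exclusion on the empty role: add, then delete through modifyRoleDeleteExclusion.
        assertAllow("add exclusion (1)", (task4, operationResult4) -> {
            modifyRoleAddExclusion("12345111-1111-2222-1111-121212111112", "12345678-d34d-b33f-f00d-555555556666", task4, operationResult4);
        });
        PrismObject<RoleType> assertGetAllow2 = assertGetAllow(RoleType.class, "12345111-1111-2222-1111-121212111112");
        display("Empty role with exclusion (1)", assertGetAllow2);
        assertExclusion(assertGetAllow2, "12345678-d34d-b33f-f00d-555555556666");
        assertAllow("delete exclusion (1)", (task5, operationResult5) -> {
            modifyRoleDeleteExclusion("12345111-1111-2222-1111-121212111112", "12345678-d34d-b33f-f00d-555555556666", task5, operationResult5);
        });

        // Same again, but this time the delete names the assignment by its container id only.
        assertAllow("add exclusion (2)", (task6, operationResult6) -> {
            modifyRoleAddExclusion("12345111-1111-2222-1111-121212111112", "12345678-d34d-b33f-f00d-555555556666", task6, operationResult6);
        });
        PrismObject<RoleType> assertGetAllow3 = assertGetAllow(RoleType.class, "12345111-1111-2222-1111-121212111112");
        display("Empty role with exclusion (2)", assertGetAllow3);
        AssignmentType assertExclusion = assertExclusion(assertGetAllow3, "12345678-d34d-b33f-f00d-555555556666");
        display("TTTA1");
        assertAllow("delete exclusion (2)", (task7, operationResult7) -> {
            modifyRoleDeleteAssignment("12345111-1111-2222-1111-121212111112", createAssignmentIdOnly(assertExclusion.getId().longValue()), task7, operationResult7);
        });

        // Policy rules other than exclusions must stay out of reach, whether the delete is
        // expressed by value or by container id.
        assertDeny("add minAssignee", (task8, operationResult8) -> {
            modifyRolePolicyRule("12345111-1111-2222-1111-121212111112", createMinAssigneePolicyRule(1), true, task8, operationResult8);
        });
        assertDeny("delete maxAssignee 10 (by value)", (task9, operationResult9) -> {
            modifyRolePolicyRule(ROLE_MAXASSIGNEES_10_OID, createMaxAssigneePolicyRule(10), false, task9, operationResult9);
        });
        display("TTTA2");
        assertDeny("delete maxAssignee 10 (by id)", (task10, operationResult10) -> {
            modifyRoleDeleteAssignment(ROLE_MAXASSIGNEES_10_OID, createAssignmentIdOnly(10L), task10, operationResult10);
        });
        assertDeny("assign role pirate to empty role", (task11, operationResult11) -> {
            assignRole(RoleType.class, "12345111-1111-2222-1111-121212111112", "12345678-d34d-b33f-f00d-555555556666", task11, operationResult11);
        });
        PrismObject assertGetAllow4 = assertGetAllow(RoleType.class, "12345111-1111-2222-1111-121212111112");
        display("Empty role without exclusion", assertGetAllow4);
        // None of the denied operations may have left an assignment behind.
        assertAssignments(assertGetAllow4, 0);

        // Re-create the empty role as jack; the administrator removes it before and after.
        asAdministrator((task12, operationResult12) -> {
            deleteObject(RoleType.class, "12345111-1111-2222-1111-121212111112");
        });
        assertAddAllow(ROLE_EMPTY_FILE);
        asAdministrator((task13, operationResult13) -> {
            deleteObject(RoleType.class, "12345111-1111-2222-1111-121212111112");
        });

        // Adding the empty role together with an application role assignment is allowed.
        // Typed as PrismObject<RoleType>: through a raw PrismObject, asObjectable() does not
        // expose getAssignment().
        PrismObject<RoleType> parseObject = parseObject(ROLE_EMPTY_FILE);
        AssignmentType assignmentType = new AssignmentType();
        ObjectReferenceType objectReferenceType = new ObjectReferenceType();
        objectReferenceType.setOid("00000000-0000-0000-0000-00000000aaa1");
        objectReferenceType.setType(RoleType.COMPLEX_TYPE);
        assignmentType.setTargetRef(objectReferenceType);
        parseObject.asObjectable().getAssignment().add(assignmentType);
        assertAllow("Add empty role with application role assignment", (task14, operationResult14) -> {
            addObject(parseObject);
        });

        // REQUEST-phase ADD authorization: granted for an empty role object, refused as soon
        // as the object carries a riskLevel value.
        PrismObject<RoleType> instantiate = this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(RoleType.class).instantiate();
        AssertJUnit.assertTrue(instantiate.isEmpty());
        assertIsAuthorized(ModelAuthorizationAction.ADD.getUrl(), AuthorizationPhaseType.REQUEST, AuthorizationParameters.Builder.buildObject(instantiate), null);
        instantiate.asObjectable().setRiskLevel("hazardous");
        AssertJUnit.assertFalse(instantiate.isEmpty());
        assertIsNotAuthorized(ModelAuthorizationAction.ADD.getUrl(), AuthorizationPhaseType.REQUEST, AuthorizationParameters.Builder.buildObject(instantiate), null);
        assertGlobalStateUntouched();
    }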

    /**
     * Authorization test: jack holds only the limited-read role administrator role.
     *
     * <p>Expectations encoded below: jack can get and search himself through the normal path,
     * every raw get/search is denied, another user is neither readable nor found, and add and
     * delete are denied. The second half pins the per-item flags of the edit schema computed
     * for the empty role.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test264AutzJackLimitedReadRoleAdministrator() throws Exception {
        final String testName = "test264AutzJackLimitedReadRoleAdministrator";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // NOTE(review): presumably guybrush's OID - confirm against the test fixtures.
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_LIMITED_READ_ROLE_ADMINISTRATOR_OID);
        login("jack");
        displayWhen(testName);

        // Own object: readable normally, never with the raw option.
        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        // Another user: denied on both paths.
        assertGetDeny(UserType.class, otherUserOid);
        assertGetDeny(UserType.class, otherUserOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertReadDenyRaw();

        // Searches return only jack; raw searches are rejected outright.
        assertSearch(UserType.class, (ObjectQuery) null, 1);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertAddDeny();
        assertDeleteDeny();

        PrismObject emptyRole = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role", emptyRole);
        PrismObjectDefinition editSchema = getEditObjectDefinition(emptyRole);
        display("Exclusion role edit schema", editSchema);

        // The three booleans go straight to assertItemFlags.
        // NOTE(review): presumably (read, add, modify) - confirm against the helper.
        assertItemFlags(editSchema, RoleType.F_NAME, true, true, true);
        assertItemFlags(editSchema, RoleType.F_DESCRIPTION, true, true, true);
        assertItemFlags(editSchema, RoleType.F_ROLE_TYPE, true, true, true);
        assertItemFlags(editSchema, RoleType.F_LIFECYCLE_STATE, true, true, true);
        assertItemFlags(editSchema, RoleType.F_METADATA, false, false, false);

        // Assignment subtree: only the first flag is set.
        assertItemFlags(editSchema, RoleType.F_ASSIGNMENT, true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE, PolicyRuleType.F_POLICY_CONSTRAINTS}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE, PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_EXCLUSION}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_CONSTRUCTION}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE, PolicyRuleType.F_EVALUATION_TARGET}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_ASSIGNMENT, AssignmentType.F_POLICY_RULE, PolicyRuleType.F_POLICY_CONSTRAINTS, PolicyConstraintsType.F_MAX_ASSIGNEES}), true, false, false);

        // Inducement subtree: all flags set, except that intent, the outbound mapping
        // description and the matching rule have the first flag cleared.
        assertItemFlags(editSchema, RoleType.F_INDUCEMENT, true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION}), true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_STRENGTH}), true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_RESOURCE_REF}), true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_INTENT}), false, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_ATTRIBUTE}), true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_ATTRIBUTE, ResourceAttributeDefinitionType.F_OUTBOUND}), true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_ATTRIBUTE, ResourceAttributeDefinitionType.F_OUTBOUND, MappingType.F_STRENGTH}), true, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_ATTRIBUTE, ResourceAttributeDefinitionType.F_OUTBOUND, MappingType.F_DESCRIPTION}), false, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_ATTRIBUTE, ResourceAttributeDefinitionType.F_MATCHING_RULE}), false, true, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{RoleType.F_INDUCEMENT, AssignmentType.F_CONSTRUCTION, ConstructionType.F_STRENGTH}), true, true, true);
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: jack holds the modify-policy-exception role.
     *
     * <p>Adding and deleting a policy exception on the empty role is allowed, both when the
     * delete is given by value and when it is given by container id. Everything else tried on
     * the role (a minAssignee rule, a role assignment, an exclusion) is denied, and the role
     * must end up without assignments.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test270AutzJackModifyPolicyException() throws Exception {
        final String testName = "test270AutzJackModifyPolicyException";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";
        final String pirateRoleOid = "12345678-d34d-b33f-f00d-555555556666";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_MODIFY_POLICY_EXCEPTION_OID);
        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, jackOid);
        assertReadDenyRaw();
        assertAddDeny();
        assertDeleteDeny();
        PrismObject<RoleType> roleAtStart = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role", roleAtStart);

        // Round 1: add, then delete by value.
        assertAllow("add policyException (1)", (task, result) -> {
            modifyRoleAddPolicyException(emptyRoleOid, createPolicyException(null, BIG_BADA_BOOM), task, result);
        });
        PrismObject<RoleType> roleAfterFirstAdd = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with policyException (1)", roleAfterFirstAdd);
        assertPolicyException(roleAfterFirstAdd, null, BIG_BADA_BOOM);
        assertAllow("delete policyException (1)", (task, result) -> {
            modifyRoleDeletePolicyException(emptyRoleOid, createPolicyException(null, BIG_BADA_BOOM), task, result);
        });

        // Round 2: add, then delete with a value that carries only the container id.
        assertAllow("add policyException (2)", (task, result) -> {
            modifyRoleAddPolicyException(emptyRoleOid, createPolicyException(null, BIG_BADA_BOOM), task, result);
        });
        PrismObject<RoleType> roleAfterSecondAdd = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with policyException (2)", roleAfterSecondAdd);
        PolicyExceptionType storedException = assertPolicyException(roleAfterSecondAdd, null, BIG_BADA_BOOM);
        PolicyExceptionType idOnlyException = new PolicyExceptionType();
        idOnlyException.asPrismContainerValue().setId(storedException.asPrismContainerValue().getId());
        assertAllow("delete policyException (2)", (task, result) -> {
            modifyRoleDeletePolicyException(emptyRoleOid, idOnlyException, task, result);
        });

        // The role grants nothing beyond policy exceptions.
        assertDeny("add minAssignee", (task, result) -> {
            modifyRolePolicyRule(emptyRoleOid, createMinAssigneePolicyRule(1), true, task, result);
        });
        assertDeny("assign role pirate to empty role", (task, result) -> {
            assignRole(RoleType.class, emptyRoleOid, pirateRoleOid, task, result);
        });
        assertDeny("add exclusion", (task, result) -> {
            modifyRoleAddExclusion(emptyRoleOid, pirateRoleOid, task, result);
        });
        PrismObject roleAtEnd = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role without exclusion", roleAtEnd);
        assertAssignments(roleAtEnd, 0);
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: a policy exception created under one role must not be removable
     * after jack is switched to the narrower "situation" role.
     *
     * <p>jack first adds an exception for {@code FIRST_RULE} while holding the
     * modify-policy-exception role. The administrator then swaps that role for the
     * modify-policy-exception-situation role. Afterwards every attempt to remove or replace
     * the exception is expected to be denied: delete by id, delete by value, delete by id
     * bundled with a description change in the same delta, and replace.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test272AutzJackModifyPolicyExceptionFirstRule() throws Exception {
        final String testName = "test272AutzJackModifyPolicyExceptionFirstRule";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_MODIFY_POLICY_EXCEPTION_OID);
        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, jackOid);
        assertReadDenyRaw();
        assertAddDeny();
        assertDeleteDeny();
        PrismObject<RoleType> roleAtStart = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role", roleAtStart);

        assertAllow("add policyException (1)", (task, result) -> {
            modifyRoleAddPolicyException(emptyRoleOid, createPolicyException(FIRST_RULE, BIG_BADA_BOOM), task, result);
        });
        PrismObject<RoleType> roleWithException = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with policyException (1)", roleWithException);
        PolicyExceptionType storedException = assertPolicyException(roleWithException, FIRST_RULE, BIG_BADA_BOOM);
        PolicyExceptionType idOnlyException = new PolicyExceptionType();
        idOnlyException.asPrismContainerValue().setId(storedException.asPrismContainerValue().getId());

        // Privilege change performed by the administrator, then back to jack.
        login("administrator");
        unassignRole(jackOid, ROLE_MODIFY_POLICY_EXCEPTION_OID);
        assignRole(jackOid, ROLE_MODIFY_POLICY_EXCEPTION_SITUATION_OID);
        login("jack");

        // By container id only.
        assertDeny("delete policyException (1)", (task, result) -> {
            modifyRoleDeletePolicyException(emptyRoleOid, idOnlyException, task, result);
        });
        // By full value.
        assertDeny("delete policyException (2)", (task, result) -> {
            modifyRoleDeletePolicyException(emptyRoleOid, createPolicyException(FIRST_RULE, BIG_BADA_BOOM), task, result);
        });
        // By container id, in one delta together with a replace of the description. The
        // whole request has to be refused, not only the part touching the exception.
        PolicyExceptionType idOnlyExceptionForDelta = new PolicyExceptionType();
        idOnlyExceptionForDelta.asPrismContainerValue().setId(storedException.asPrismContainerValue().getId());
        assertDeny("delete policyException (3)", (task, result) -> {
            ItemPath policyExceptionPath = new ItemPath(new ItemPathSegment[]{new NameItemPathSegment(RoleType.F_POLICY_EXCEPTION)});
            ObjectDelta combinedDelta = ObjectDelta.createModificationDeleteContainer(RoleType.class, emptyRoleOid, policyExceptionPath, this.prismContext, new PolicyExceptionType[]{idOnlyExceptionForDelta});
            combinedDelta.addModificationReplaceProperty(RoleType.F_DESCRIPTION, new String[]{"whatever"});
            this.modelService.executeChanges(MiscSchemaUtil.createCollection(new ObjectDelta[]{combinedDelta}), (ModelExecuteOptions) null, task, result);
        });
        // Replacing the container would drop the existing exception as well.
        assertDeny("replace policyException (1)", (task, result) -> {
            modifyRoleReplacePolicyException(emptyRoleOid, createPolicyException(null, HUGE_BADA_BOOM), task, result);
        });
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: jack holds the modify-policy-exception-situation role.
     *
     * <p>With that role an exception naming {@code FIRST_RULE} cannot be added, while an
     * exception without a rule name can be added and replaced. After the administrator swaps
     * the role for the modify-description role, deleting the stored exception by id is denied.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test274AutzJackModifyPolicyExceptionSituation() throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";

        displayTestTitle("test274AutzJackModifyPolicyExceptionSituation");
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_MODIFY_POLICY_EXCEPTION_SITUATION_OID);
        login("jack");

        // Exception with a rule name: denied.
        assertDeny("add policyException (1)", (task, result) -> {
            modifyRoleAddPolicyException(emptyRoleOid, createPolicyException(FIRST_RULE, BIG_BADA_BOOM), task, result);
        });
        // Exception without a rule name: add and replace are allowed.
        assertAllow("add policyException (3)", (task, result) -> {
            modifyRoleAddPolicyException(emptyRoleOid, createPolicyException(null, BIG_BADA_BOOM), task, result);
        });
        assertAllow("replace policyException", (task, result) -> {
            modifyRoleReplacePolicyException(emptyRoleOid, createPolicyException(null, HUGE_BADA_BOOM), task, result);
        });
        PrismObject<RoleType> roleWithException = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with policyException (3)", roleWithException);
        PolicyExceptionType storedException = assertPolicyException(roleWithException, null, HUGE_BADA_BOOM);
        PolicyExceptionType idOnlyException = new PolicyExceptionType();
        idOnlyException.asPrismContainerValue().setId(storedException.asPrismContainerValue().getId());

        // Privilege change performed by the administrator, then back to jack.
        login("administrator");
        unassignRole(jackOid, ROLE_MODIFY_POLICY_EXCEPTION_SITUATION_OID);
        assignRole(jackOid, ROLE_MODIFY_DESCRIPTION_OID);
        login("jack");

        assertDeny("delete policyException (3)", (task, result) -> {
            modifyRoleDeletePolicyException(emptyRoleOid, idOnlyException, task, result);
        });
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: with both the limited role administrator role and the assign-org
     * role, one request that adds an exclusion and assigns an org to the empty role is allowed.
     *
     * <p>The role is expected to carry two assignments afterwards. The companion test
     * {@code test282...} runs the same request without the assign-org role.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test280AutzJackModifyPolicyExceptionAndAssignOrg() throws Exception {
        final String testName = "test280AutzJackModifyPolicyExceptionAndAssignOrg";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";
        final String pirateRoleOid = "12345678-d34d-b33f-f00d-555555556666";
        final String orgOid = "00000000-8888-6666-0000-100000000004";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_LIMITED_ROLE_ADMINISTRATOR_OID);
        assignRole(jackOid, ROLE_ASSIGN_ORG_OID);
        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, jackOid);
        assertReadDenyRaw();
        assertAddDeny();
        assertDeleteDeny();
        PrismObject<RoleType> roleBefore = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role", roleBefore);

        // Both halves of the request are covered by one of the two roles.
        assertAllow("add exclusion & assign org (1)", (task, result) -> {
            modifyRoleAddExclusionAndAssignOrg(emptyRoleOid, pirateRoleOid, orgOid, task, result);
        });
        PrismObject roleAfter = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role with exclusion and org", roleAfter);
        assertAssignments(roleAfter, 2);
        assertGlobalStateUntouched();
    }

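    /**
     * Authorization test: with only the limited role administrator role, one request that
     * adds an exclusion and assigns an org to the empty role is denied as a whole.
     *
     * <p>The role must have no assignments afterwards, so the exclusion part of the request
     * must not have been applied on its own either.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test282AutzJackModifyPolicyExceptionAndAssignOrgDeny() throws Exception {
        displayTestTitle("test282AutzJackModifyPolicyExceptionAndAssignOrgDeny");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ROLE_LIMITED_ROLE_ADMINISTRATOR_OID);
        login("jack");
        displayWhen("test282AutzJackModifyPolicyExceptionAndAssignOrgDeny");
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertReadDenyRaw();
        assertAddDeny();
        assertDeleteDeny();
        display("Empty role", assertGetAllow(RoleType.class, "12345111-1111-2222-1111-121212111112"));
        // The label used to say "add policyException", but the request adds an exclusion and
        // assigns an org, exactly as in test280. Keep the two labels aligned so a failure
        // report names the operation that was actually attempted.
        assertDeny("add exclusion & assign org (1)", (task, operationResult) -> {
            modifyRoleAddExclusionAndAssignOrg("12345111-1111-2222-1111-121212111112", "12345678-d34d-b33f-f00d-555555556666", "00000000-8888-6666-0000-100000000004", task, operationResult);
        });
        PrismObject assertGetAllow = assertGetAllow(RoleType.class, "12345111-1111-2222-1111-121212111112");
        display("Empty role ", assertGetAllow);
        // A denied request must leave nothing behind, not even the exclusion half.
        assertAssignments(assertGetAllow, 0);
        assertGlobalStateUntouched();
    }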

    /**
     * Authorization test: with only the assign-org role, jack may assign an org to the empty
     * role, which then carries exactly one assignment.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test283AutzJackModifyPolicyAssignOrg() throws Exception {
        final String testName = "test283AutzJackModifyPolicyAssignOrg";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String emptyRoleOid = "12345111-1111-2222-1111-121212111112";
        final String orgOid = "00000000-8888-6666-0000-100000000004";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_ASSIGN_ORG_OID);
        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, jackOid);
        assertReadDenyRaw();
        assertAddDeny();
        assertDeleteDeny();
        PrismObject<RoleType> roleBefore = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role", roleBefore);

        assertAllow("assign org (1)", (task, result) -> {
            assignOrg(RoleType.class, emptyRoleOid, orgOid, task, result);
        });
        PrismObject roleAfter = assertGetAllow(RoleType.class, emptyRoleOid);
        display("Empty role ", roleAfter);
        assertAssignments(roleAfter, 1);
        assertGlobalStateUntouched();
    }

    /**
     * Executes a single delta on a role that assigns an org and also adds an assignment
     * carrying an exclusion policy rule.
     *
     * <p>Both changes travel in the same delta, so the authorization tests that call this
     * helper see them as one request.
     *
     * @param str OID of the role being modified
     * @param str2 argument for {@code createExclusionPolicyRule}; callers in this file pass a role OID
     * @param str3 OID of the org to assign
     * @param task task the changes are executed in
     * @param operationResult operation result handed to {@code executeChanges}
     */
    protected void modifyRoleAddExclusionAndAssignOrg(String str, String str2, String str3, Task task, OperationResult operationResult) throws SchemaException, ObjectAlreadyExistsException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
        // NOTE(review): the trailing 'true' presumably selects "add" rather than "delete" - confirm.
        ObjectDelta roleDelta = createAssignmentFocusDelta(RoleType.class, str, str3, OrgType.COMPLEX_TYPE, null, null, null, true);

        // The exclusion lives in its own assignment, next to the org assignment above.
        AssignmentType exclusionAssignment = new AssignmentType();
        exclusionAssignment.setPolicyRule(createExclusionPolicyRule(str2));
        ItemPath assignmentPath = new ItemPath(new QName[]{RoleType.F_ASSIGNMENT});
        roleDelta.addModificationAddContainer(assignmentPath, new AssignmentType[]{exclusionAssignment});

        executeChanges(roleDelta, null, task, operationResult);
    }

    /**
     * Authorization test: jack holds the "prop except assignment" role.
     *
     * <p>Three things are pinned: what jack sees of his own user object (no administrative
     * status, no validTo, no assignments), the per-item flags of his edit schema, and which
     * modifications go through. Assigning a business role to himself must be denied.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test300AutzJackExceptAssignment() throws Exception {
        final String testName = "test300AutzJackExceptAssignment";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // NOTE(review): the two other users are presumably guybrush and barbossa - confirm the OIDs.
        final String pirateWannabeOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String mutinierOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_PROP_EXCEPT_ASSIGNMENT_OID);
        modifyJackValidTo();
        login("jack");
        displayWhen(testName);

        // What jack can read of himself.
        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        PrismAsserts.assertPropertyValue(jack, UserType.F_NAME, new PolyString[]{createPolyString("jack")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString("Jack Sparrow")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_GIVEN_NAME, new PolyString[]{createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME)});
        PrismAsserts.assertNoItem(jack, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS);
        PrismAsserts.assertPropertyValue(jack, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, new ActivationStatusType[]{ActivationStatusType.ENABLED});
        PrismAsserts.assertNoItem(jack, SchemaConstants.PATH_ACTIVATION_VALID_TO);
        // The role assigned above is not visible to jack.
        assertAssignments(jack, 0);

        // Edit schema. The three booleans go straight to assertItemFlags.
        // NOTE(review): presumably (read, add, modify) - confirm against the helper.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jack);
        display("Jack's edit schema", editSchema);
        assertItemFlags(editSchema, UserType.F_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_FULL_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_DESCRIPTION, true, false, true);
        assertItemFlags(editSchema, UserType.F_GIVEN_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_FAMILY_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_ADDITIONAL_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_METADATA, true, false, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        // The assignment container and everything below it has all flags cleared.
        assertItemFlags(editSchema, UserType.F_ASSIGNMENT, false, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA}), false, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), false, false, false);
        assertItemFlags(editSchema, UserType.F_ACTIVATION, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, false, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_FROM, true, false, false);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_TO, false, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, true, false, true);

        // Modifications: validFrom is the only property change expected to be refused.
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
        assertModifyDeny(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_FROM, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_TO, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, pirateWannabeOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
        assertModifyAllow(UserType.class, pirateWannabeOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Pirate"));
        assertModifyAllow(UserType.class, mutinierOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Mutinier"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyAllow(UserType.class, jackOid, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));

        // Assignments are the excluded item, so self-assignment of a role must fail.
        assertDeny("assign business role to jack", (task, result) -> {
            assignRole(jackOid, "00000000-0000-0000-0000-00000000aab1", task, result);
        });
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: jack holds the "prop except administrative status" role.
     *
     * <p>Counterpart of {@code test300...}: here the administrative status is the hidden and
     * unmodifiable item, while validTo and the assignment are visible and assigning a
     * business role to himself is allowed.
     *
     * @throws Exception if any helper fails or an allow/deny expectation is not met
     */
    @Test
    public void test302AutzJackExceptAdministrativeStatus() throws Exception {
        final String testName = "test302AutzJackExceptAdministrativeStatus";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // NOTE(review): the two other users are presumably guybrush and barbossa - confirm the OIDs.
        final String pirateWannabeOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String mutinierOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_PROP_EXCEPT_ADMINISTRATIVE_STATUS_OID);
        modifyJackValidTo();
        login("jack");
        displayWhen(testName);

        // What jack can read of himself.
        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        PrismAsserts.assertPropertyValue(jack, UserType.F_NAME, new PolyString[]{createPolyString("jack")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString("Jack Sparrow")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_GIVEN_NAME, new PolyString[]{createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME)});
        PrismAsserts.assertNoItem(jack, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS);
        PrismAsserts.assertPropertyValue(jack, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, new ActivationStatusType[]{ActivationStatusType.ENABLED});
        PrismAsserts.assertPropertyValue(jack, SchemaConstants.PATH_ACTIVATION_VALID_TO, new XMLGregorianCalendar[]{JACK_VALID_TO_LONG_AGEAD});
        // The role assigned above is visible this time.
        assertAssignments(jack, 1);

        // Edit schema. The three booleans go straight to assertItemFlags.
        // NOTE(review): presumably (read, add, modify) - confirm against the helper.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jack);
        display("Jack's edit schema", editSchema);
        assertItemFlags(editSchema, UserType.F_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_FULL_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_DESCRIPTION, true, false, true);
        assertItemFlags(editSchema, UserType.F_GIVEN_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_FAMILY_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_ADDITIONAL_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_METADATA, true, false, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        assertItemFlags(editSchema, UserType.F_ASSIGNMENT, true, false, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA}), true, false, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        assertItemFlags(editSchema, UserType.F_ACTIVATION, true, false, true);
        // Administrative status is the one item with every flag cleared.
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, false, false, false);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_FROM, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_TO, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, true, false, true);

        // Modifications: every property change attempted here is expected to pass.
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_FROM, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_TO, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, pirateWannabeOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
        assertModifyAllow(UserType.class, pirateWannabeOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Pirate"));
        assertModifyAllow(UserType.class, mutinierOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Mutinier"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyAllow(UserType.class, jackOid, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));

        // Assignments are not excluded by this role, so self-assignment is expected to pass.
        assertAllow("assign business role to jack", (task, result) -> {
            assignRole(jackOid, "00000000-0000-0000-0000-00000000aab1", task, result);
        });
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Authorization check for jack holding two roles at once: the role with the inlined OID
     * {@code 00000000-0000-0000-0000-00000000ae08} and {@code ROLE_PROP_EXCEPT_ASSIGNMENT_OID}.
     *
     * <p>Expectations pinned by this test: jack's own record is returned with
     * administrativeStatus ENABLED but without activation/validTo, add and delete are denied,
     * and a fixed list of property modifications is allowed.
     *
     * <p>NOTE(review): the three booleans passed to {@code assertItemFlags} look like
     * (read, add, modify), since validTo is asserted absent from the read result and carries
     * {@code false} in the first position. Confirm against the helper's definition.
     *
     * @throws Exception if any setup step or assertion helper fails
     */
    @Test
    public void test304AutzJackPropExceptAssignmentReadSomeModifySomeUser() throws Exception {
        final String testName = "test304AutzJackPropExceptAssignmentReadSomeModifySomeUser";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // Inlined user OID (decompiler output); presumably a user other than jack, TODO confirm.
        final String inlinedUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";

        // Given: clean authorization state, both roles assigned, validTo populated.
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        // NOTE(review): inlined role OID; the test name suggests a "read some, modify some user" role.
        assignRole(jackOid, "00000000-0000-0000-0000-00000000ae08");
        assignRole(jackOid, ROLE_PROP_EXCEPT_ASSIGNMENT_OID);
        modifyJackValidTo();
        login("jack");

        // When / then: what jack can read about himself.
        displayWhen(testName);
        PrismObject<UserType> jack = assertAlmostFullJackRead(2);
        PrismAsserts.assertPropertyValue(jack, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, new ActivationStatusType[]{ActivationStatusType.ENABLED});
        // validTo was set by modifyJackValidTo() above, so its absence here is the access-control effect under test.
        PrismAsserts.assertNoItem(jack, SchemaConstants.PATH_ACTIVATION_VALID_TO);

        // Edit schema: per-item flags as the model presents them to jack.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jack);
        display("Jack's edit schema", editSchema);
        for (QName item : new QName[]{UserType.F_NAME, UserType.F_FULL_NAME, UserType.F_DESCRIPTION, UserType.F_GIVEN_NAME, UserType.F_FAMILY_NAME, UserType.F_ADDITIONAL_NAME, UserType.F_METADATA}) {
            assertItemFlags(editSchema, item, true, false, true);
        }
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        // Assignment and everything under it: third flag is false.
        // NOTE(review): no assign attempt is exercised in this test to back that flag with an assertDeny.
        assertItemFlags(editSchema, UserType.F_ASSIGNMENT, true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, false);
        assertItemFlags(editSchema, UserType.F_ACTIVATION, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_FROM, true, false, true);
        // validTo: first flag false, matching the assertNoItem above.
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_TO, false, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, true, false, true);

        // Operation-level decisions. The modifications run in this order and change repository state.
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_FROM, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, inlinedUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyAllow(UserType.class, jackOid, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Authorization check for jack holding {@code ROLE_PROP_EXCEPT_ADMINISTRATIVE_STATUS_OID}
     * together with {@code ROLE_PROP_EXCEPT_ASSIGNMENT_OID}.
     *
     * <p>Expectations pinned by this test: activation/administrativeStatus is absent from the
     * read result while activation/validTo is returned, the edit schema flags assignment and
     * its sub-items as {@code (true, false, true)}, add and delete are denied, and a fixed
     * list of property modifications is allowed.
     *
     * <p>NOTE(review): the three booleans passed to {@code assertItemFlags} look like
     * (read, add, modify), since administrativeStatus is asserted absent from the read result
     * and carries {@code false} in the first position. Confirm against the helper's definition.
     * If so, administrativeStatus is expected to be modifiable without being readable here.
     *
     * @throws Exception if any setup step or assertion helper fails
     */
    @Test
    public void test306AutzJackPropExceptAssignmentExceptAdministrativeStatus() throws Exception {
        final String testName = "test306AutzJackPropExceptAssignmentExceptAdministrativeStatus";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // Inlined user OID (decompiler output); presumably a user other than jack, TODO confirm.
        final String inlinedUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";

        // Given: clean authorization state, both "except" roles assigned, validTo populated.
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, ROLE_PROP_EXCEPT_ADMINISTRATIVE_STATUS_OID);
        assignRole(jackOid, ROLE_PROP_EXCEPT_ASSIGNMENT_OID);
        modifyJackValidTo();
        login("jack");

        // When / then: what jack can read about himself.
        displayWhen(testName);
        PrismObject<UserType> jack = assertAlmostFullJackRead(2);
        PrismAsserts.assertNoItem(jack, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS);
        PrismAsserts.assertPropertyValue(jack, SchemaConstants.PATH_ACTIVATION_VALID_TO, new XMLGregorianCalendar[]{JACK_VALID_TO_LONG_AGEAD});

        // Edit schema: per-item flags as the model presents them to jack.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jack);
        display("Jack's edit schema", editSchema);
        for (QName item : new QName[]{UserType.F_NAME, UserType.F_FULL_NAME, UserType.F_DESCRIPTION, UserType.F_GIVEN_NAME, UserType.F_FAMILY_NAME, UserType.F_ADDITIONAL_NAME, UserType.F_METADATA}) {
            assertItemFlags(editSchema, item, true, false, true);
        }
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        // With this role pair the assignment items carry true in the third position.
        assertItemFlags(editSchema, UserType.F_ASSIGNMENT, true, false, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA}), true, false, true);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        assertItemFlags(editSchema, UserType.F_ACTIVATION, true, false, true);
        // administrativeStatus: first flag false, matching the assertNoItem above.
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, false, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_FROM, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_TO, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, true, false, true);

        // Operation-level decisions. The modifications run in this order and change repository state.
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_FROM, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, inlinedUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyAllow(UserType.class, jackOid, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Authorization check for jack holding the role with the inlined OID
     * {@code 00000000-0000-0000-0000-00000000aa0c} together with
     * {@code ROLE_PROP_EXCEPT_ASSIGNMENT_OID}.
     *
     * <p>Besides the read and edit-schema expectations, this test pairs every allowed
     * assignment operation with a denied one: assigning the roles labelled "business 1" and
     * "business 2" must be denied, while assigning and unassigning "application 1" must be
     * allowed. The assignment counts checked in between show that a denied request left no
     * assignment behind. Modification of activation/validFrom is expected to be denied,
     * matching the {@code (true, false, false)} flags asserted for that item.
     *
     * <p>NOTE(review): the three booleans passed to {@code assertItemFlags} look like
     * (read, add, modify), given that validFrom carries {@code false} in the third position
     * and its modification is asserted denied. Confirm against the helper's definition.
     *
     * @throws Exception if any setup step or assertion helper fails
     */
    @Test
    public void test308AutzJackPropExceptAssignmentAssignApplicationRoles() throws Exception {
        final String testName = "test308AutzJackPropExceptAssignmentAssignApplicationRoles";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // Role OIDs inlined by the decompiler; labels taken from the operation messages below.
        final String businessRole1Oid = "00000000-0000-0000-0000-00000000aab1";
        final String businessRole2Oid = "00000000-0000-0000-0000-00000000aab2";
        final String applicationRole1Oid = "00000000-0000-0000-0000-00000000aaa1";
        // Inlined user OIDs; presumably users other than jack, TODO confirm.
        final String inlinedUserOidA = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String inlinedUserOidB = "c0c010c0-d34d-b33f-f00d-111111111112";

        // Given: clean authorization state, both roles assigned, validTo populated.
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        // NOTE(review): inlined role OID; the test name suggests an "assign application roles" role.
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa0c");
        assignRole(jackOid, ROLE_PROP_EXCEPT_ASSIGNMENT_OID);
        modifyJackValidTo();
        login("jack");

        // When / then: what jack can read about himself.
        displayWhen(testName);
        PrismObject jackBefore = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jackBefore);
        PrismAsserts.assertPropertyValue(jackBefore, UserType.F_NAME, new PolyString[]{createPolyString("jack")});
        PrismAsserts.assertPropertyValue(jackBefore, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString("Jack Sparrow")});
        PrismAsserts.assertPropertyValue(jackBefore, UserType.F_GIVEN_NAME, new PolyString[]{createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME)});
        PrismAsserts.assertPropertyValue(jackBefore, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, new ActivationStatusType[]{ActivationStatusType.ENABLED});
        PrismAsserts.assertPropertyValue(jackBefore, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, new ActivationStatusType[]{ActivationStatusType.ENABLED});
        PrismAsserts.assertPropertyValue(jackBefore, SchemaConstants.PATH_ACTIVATION_VALID_TO, new XMLGregorianCalendar[]{JACK_VALID_TO_LONG_AGEAD});
        assertAssignments(jackBefore, 2);

        // Edit schema: per-item flags as the model presents them to jack.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jackBefore);
        display("Jack's edit schema", editSchema);
        for (QName item : new QName[]{UserType.F_NAME, UserType.F_FULL_NAME, UserType.F_DESCRIPTION, UserType.F_GIVEN_NAME, UserType.F_FAMILY_NAME, UserType.F_ADDITIONAL_NAME, UserType.F_METADATA}) {
            assertItemFlags(editSchema, item, true, false, true);
        }
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, true);
        // Assignment items carry false in the third position even though application roles
        // can be assigned below; the assign path is checked through assertAllow/assertDeny instead.
        assertItemFlags(editSchema, UserType.F_ASSIGNMENT, true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, false);
        assertItemFlags(editSchema, UserType.F_ACTIVATION, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_FROM, true, false, false);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_VALID_TO, true, false, true);
        assertItemFlags(editSchema, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS, true, false, true);

        // Operation-level decisions. The modifications run in this order and change repository state.
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
        // Negative control for the validFrom flags asserted above.
        assertModifyDeny(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_FROM, JACK_VALID_FROM_LONG_AGO);
        // NOTE(review): validTo is written with the constant named JACK_VALID_FROM_LONG_AGO; confirm this is intended.
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_TO, JACK_VALID_FROM_LONG_AGO);
        assertModifyAllow(UserType.class, inlinedUserOidA, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
        assertModifyAllow(UserType.class, inlinedUserOidA, UserType.F_HONORIFIC_PREFIX, createPolyString("Pirate"));
        assertModifyAllow(UserType.class, inlinedUserOidB, UserType.F_HONORIFIC_PREFIX, createPolyString("Mutinier"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyAllow(UserType.class, jackOid, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));

        // Assignment decisions: business roles denied, application role allowed.
        assertDeny("assign business 1 role to jack", (task, result) -> {
            assignRole(jackOid, businessRole1Oid, task, result);
        });
        assertAllow("assign application 1 role to jack", (task, result) -> {
            assignRole(jackOid, applicationRole1Oid, task, result);
        });
        // 2 initial assignments + the application role; the denied business role must not appear.
        PrismObject jackAfterAssign = getUser(jackOid);
        assertAssignments(jackAfterAssign, 3);
        assertAssignedRole(jackAfterAssign, applicationRole1Oid);
        assertDeny("assign business 2 role to jack", (task, result) -> {
            assignRole(jackOid, businessRole2Oid, task, result);
        });
        assertAllow("unassign application 1 role from jack", (task, result) -> {
            unassignRole(jackOid, applicationRole1Oid, task, result);
        });
        assertAssignments(getUser(jackOid), 2);

        // The assignable-role specification advertised to jack must agree with the decisions above.
        RoleSelectionSpecification assignableRoles = getAssignableRoleSpecification(getUser(jackOid));
        assertRoleTypes(assignableRoles, new String[]{"application", "nonexistent"});
        assertFilter(assignableRoles.getFilter(), TypeFilter.class);
        assertAllowRequestAssignmentItems(jackOid, applicationRole1Oid, new ItemPath[]{SchemaConstants.PATH_ASSIGNMENT_TARGET_REF, SchemaConstants.PATH_ASSIGNMENT_ACTIVATION_VALID_FROM, SchemaConstants.PATH_ASSIGNMENT_ACTIVATION_VALID_TO});
        assertGlobalStateUntouched();
    }

    /**
     * Replaces jack's activation/validTo with {@code JACK_VALID_TO_LONG_AGEAD} and asserts that
     * the operation result is a success.
     *
     * <p>The tests call this before {@code login("jack")}, so the value is in place when read
     * access to validTo is checked.
     */
    private void modifyJackValidTo() throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
        Task task = createTask("modifyJackValidTo");
        OperationResult opResult = task.getResult();
        modifyUserReplace(
                AbstractConfiguredModelIntegrationTest.USER_JACK_OID,
                SchemaConstants.PATH_ACTIVATION_VALID_TO,
                task,
                opResult,
                new Object[]{JACK_VALID_TO_LONG_AGEAD});
        assertSuccess(opResult);
    }

    /**
     * Fetches jack as the currently logged-in principal and asserts the baseline of what must
     * be readable: name, fullName, givenName, effectiveStatus ENABLED and the expected number
     * of assignments with targets.
     *
     * <p>Items whose visibility differs between role combinations (administrativeStatus,
     * validTo) are deliberately not checked here; callers assert those on the returned object.
     *
     * @param i expected count passed to {@code assertAssignmentsWithTargets}
     * @return the user object as retrieved, for further assertions by the caller
     * @throws Exception if retrieval or any assertion helper fails
     */
    private PrismObject<UserType> assertAlmostFullJackRead(int i) throws Exception {
        PrismObject<UserType> jack = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);

        PrismAsserts.assertPropertyValue(jack, UserType.F_NAME,
                new PolyString[]{PrismTestUtil.createPolyString("jack")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FULL_NAME,
                new PolyString[]{PrismTestUtil.createPolyString("Jack Sparrow")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_GIVEN_NAME,
                new PolyString[]{createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME)});
        PrismAsserts.assertPropertyValue(jack, SchemaConstants.PATH_ACTIVATION_EFFECTIVE_STATUS,
                new ActivationStatusType[]{ActivationStatusType.ENABLED});

        assertAssignmentsWithTargets(jack, i);
        return jack;
    }

    /**
     * Asserts that the role carries exactly one policy exception and that its rule name and
     * policy situation match the expected values.
     *
     * @param prismObject role to inspect
     * @param str expected rule name
     * @param str2 expected policy situation
     * @return the single policy exception found on the role
     */
    private PolicyExceptionType assertPolicyException(PrismObject<RoleType> prismObject, String str, String str2) {
        // Raw List and the cast below come from the decompiled form of this file.
        List exceptions = prismObject.asObjectable().getPolicyException();
        // Exactly one entry: a missing or an extra exception both fail the test.
        AssertJUnit.assertEquals("Wrong size of policyException container in " + prismObject, 1, exceptions.size());

        PolicyExceptionType onlyException = (PolicyExceptionType) exceptions.get(0);
        AssertJUnit.assertEquals("Wrong rule name in " + prismObject, str, onlyException.getRuleName());
        AssertJUnit.assertEquals("Wrong situation in " + prismObject, str2, onlyException.getPolicySituation());
        return onlyException;
    }

    /**
     * Asserts that the role has exactly one assignment, that this assignment holds a policy
     * rule with exactly one exclusion constraint, and that the constraint's targetRef points
     * to the expected OID.
     *
     * <p>Each level is null-checked with its own message so a failure names the first missing
     * element of the chain.
     *
     * @param prismObject role to inspect
     * @param str expected OID of the exclusion constraint's targetRef
     * @return the single assignment that carries the exclusion policy rule
     */
    private AssignmentType assertExclusion(PrismObject<RoleType> prismObject, String str) {
        // Level 1: the assignment container and its single value.
        PrismContainer assignments = prismObject.findContainer(RoleType.F_ASSIGNMENT);
        AssertJUnit.assertNotNull("No assignment container in " + prismObject, assignments);
        AssertJUnit.assertEquals("Wrong size of assignment container in " + prismObject, 1, assignments.size());
        AssignmentType assignment = assignments.getValue().asContainerable();

        // Level 2: policy rule and its constraints.
        PolicyRuleType rule = assignment.getPolicyRule();
        AssertJUnit.assertNotNull("No policy rule in " + prismObject, rule);
        PolicyConstraintsType constraints = rule.getPolicyConstraints();
        AssertJUnit.assertNotNull("No policy rule constraints in " + prismObject, constraints);

        // Level 3: exactly one exclusion constraint (raw List and cast come from the decompiled form).
        List exclusions = constraints.getExclusion();
        AssertJUnit.assertEquals("Wrong size of exclusion policy constraints in " + prismObject, 1, exclusions.size());
        ExclusionPolicyConstraintType exclusionConstraint = (ExclusionPolicyConstraintType) exclusions.get(0);
        AssertJUnit.assertNotNull("No exclusion policy constraint in " + prismObject, exclusionConstraint);

        // Level 4: the excluded target.
        ObjectReferenceType excludedTarget = exclusionConstraint.getTargetRef();
        AssertJUnit.assertNotNull("No targetRef in exclusion policy constraint in " + prismObject, excludedTarget);
        AssertJUnit.assertEquals("Wrong OID targetRef in exclusion policy constraint in " + prismObject, str, excludedTarget.getOid());
        return assignment;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs the superclass cleanup and then re-assigns two fixed roles to the users referenced
     * by {@code userRumRogersOid} and {@code userCobbOid}, so each authorization test starts
     * from the same role baseline for those two users.
     *
     * <p>The operation result is not asserted here; a failed re-assignment would surface only
     * if {@code assignRole} throws.
     *
     * @param str passed through to the superclass cleanup
     * @param i passed through to the superclass cleanup
     */
    @Override // com.evolveum.midpoint.model.intest.security.AbstractSecurityTest
    public void cleanupAutzTest(String str, int i) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
        super.cleanupAutzTest(str, i);

        // Role OIDs inlined by the decompiler; the symbolic names are not visible in this file section.
        final String roleOidA = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String roleOidB = "2264afee-3ae4-11e7-a63c-8b53efadd642";

        Task task = this.taskManager.createTaskInstance(TestSecurityAdvanced.class.getName() + ".cleanupAutzTest");
        OperationResult opResult = task.getResult();

        assignRole(this.userRumRogersOid, roleOidA, task, opResult);
        assignRole(this.userRumRogersOid, roleOidB, task, opResult);
        assignRole(this.userCobbOid, roleOidA, task, opResult);
        assignRole(this.userCobbOid, roleOidB, task, opResult);
    }

    /**
     * Searches for users whose {@code delegatedRef} points to the given OID with the deputy
     * relation and asserts the result through {@code assertSearch}.
     *
     * @param str OID of the referenced user (the reference uses {@code UserType.COMPLEX_TYPE})
     * @param strArr values handed to {@code assertSearch} as the expected result;
     *               presumably OIDs, confirm against that helper
     * @throws Exception if the search or the assertion fails
     */
    private void assertDeputySearchDelegatorRef(String str, String... strArr) throws Exception {
        PrismReferenceValue deputyRef = new PrismReferenceValue(str, UserType.COMPLEX_TYPE);
        // The relation is part of the reference value used in the ref filter.
        deputyRef.setRelation(SchemaConstants.ORG_DEPUTY);
        assertSearch(
                UserType.class,
                queryFor(UserType.class)
                        .item(new QName[]{UserType.F_DELEGATED_REF})
                        .ref(new PrismReferenceValue[]{deputyRef})
                        .build(),
                strArr);
    }

    /**
     * Searches for users that have an assignment whose {@code targetRef} points to the given
     * OID with the deputy relation and asserts the result through {@code assertSearch}.
     *
     * <p>This is the assignment-based counterpart of the {@code delegatedRef} search: the same
     * reference value is matched against {@code assignment/targetRef} instead.
     *
     * @param str OID of the referenced user (the reference uses {@code UserType.COMPLEX_TYPE})
     * @param strArr values handed to {@code assertSearch} as the expected result;
     *               presumably OIDs, confirm against that helper
     * @throws Exception if the search or the assertion fails
     */
    private void assertDeputySearchAssignmentTarget(String str, String... strArr) throws Exception {
        PrismReferenceValue deputyRef = new PrismReferenceValue(str, UserType.COMPLEX_TYPE);
        // The relation is part of the reference value used in the ref filter.
        deputyRef.setRelation(SchemaConstants.ORG_DEPUTY);
        assertSearch(
                UserType.class,
                queryFor(UserType.class)
                        .item(new ItemPath(new QName[]{UserType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF}))
                        .ref(new PrismReferenceValue[]{deputyRef})
                        .build(),
                strArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs the superclass cleanup and then removes the role identified by
     * {@code ROLE_EXCLUSION_PIRATE_OID} through {@code cleanupDelete}, so a role left behind by
     * one test cannot influence the authorization decisions of the next.
     *
     * @param str passed through to the superclass cleanup
     */
    @Override // com.evolveum.midpoint.model.intest.security.AbstractSecurityTest
    public void cleanupAutzTest(String str) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
        super.cleanupAutzTest(str);

        Task task = this.taskManager.createTaskInstance(TestSecurityAdvanced.class.getName() + ".cleanupAutzTest");
        OperationResult opResult = task.getResult();
        cleanupDelete(RoleType.class, ROLE_EXCLUSION_PIRATE_OID, task, opResult);
    }
}
