package com.evolveum.midpoint.model.intest.security;

import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.model.api.ModelExecuteOptions;
import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
import com.evolveum.midpoint.model.api.context.ModelContext;
import com.evolveum.midpoint.model.api.context.ModelElementContext;
import com.evolveum.midpoint.model.intest.AbstractConfiguredModelIntegrationTest;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismReference;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.ReferenceDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.NoneFilter;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.RefFilter;
import com.evolveum.midpoint.prism.query.TypeFilter;
import com.evolveum.midpoint.prism.util.PrismAsserts;
import com.evolveum.midpoint.prism.util.PrismTestUtil;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.test.util.TestUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyExceptionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyRuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.lang.invoke.SerializedLambda;
import java.util.ArrayList;
import java.util.Collection;
import javax.xml.namespace.QName;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.ContextConfiguration;
import org.testng.AssertJUnit;
import org.testng.annotations.Test;

@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
/* loaded from: input_file:com/evolveum/midpoint/model/intest/security/TestSecurityBasic.class */
public class TestSecurityBasic extends AbstractSecurityTest {
    /**
     * Delegates system initialisation to the parent test class without adding anything.
     *
     * @param task task passed through to the parent initialisation
     * @param operationResult operation result passed through to the parent initialisation
     * @throws Exception whatever the parent initialisation throws
     */
    @Override // com.evolveum.midpoint.model.intest.security.AbstractSecurityTest, com.evolveum.midpoint.model.intest.AbstractInitializedModelIntegrationTest, com.evolveum.midpoint.model.intest.AbstractConfiguredModelIntegrationTest
    public void initSystem(Task task, OperationResult operationResult) throws Exception {
        // No extra objects or roles are set up here; the override only forwards to the parent.
        super.initSystem(task, operationResult);
    }

    /**
     * Baseline: no role is assigned in this test, and after logging in as "jack" the helper
     * {@code assertNoAccess} is expected to pass for Jack's own user object.
     */
    @Test
    public void test200AutzJackNoRole() throws Exception {
        final String testName = "test200AutzJackNoRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        // The user object is fetched before login("jack"), i.e. before the principal is switched.
        PrismObject jack = getUser(jackOid);
        login("jack");
        assertNoAccess(jack);
        assertGlobalStateUntouched();
    }

    /**
     * Assigns role {@code ...000000000004} to Jack (the superuser role, going by the test name),
     * logs in as "jack" and expects {@code assertSuperuserAccess} to pass.
     */
    @Test
    public void test201AutzJackSuperuserRole() throws Exception {
        final String testName = "test201AutzJackSuperuserRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-000000000004";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");
        // NOTE(review): 11 is presumably an expected object count; confirm against assertSuperuserAccess.
        assertSuperuserAccess(11);
        assertGlobalStateUntouched();
    }

    /**
     * Read-only role {@code ...aa01}: normal reads and certification-case reads are expected to
     * be allowed, while raw reads, add, modify, delete and audit reads are expected to be denied.
     */
    @Test
    public void test202AutzJackReadonlyRole() throws Exception {
        final String testName = "test202AutzJackReadonlyRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000aa01";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");

        assertReadAllow();
        // Raw access must stay closed even though the non-raw read above is allowed.
        assertReadDenyRaw();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertReadCertCasesAllow();
        assertGlobalStateUntouched();
        assertAuditReadDeny();
    }

    /**
     * Role {@code ...ab01} (the "request"-only variant of the read-only role, going by the test
     * name): read, add, modify, delete and audit read are all expected to be denied.
     */
    @Test
    public void test202rAutzJackReadonlyReqRole() throws Exception {
        final String testName = "test202rAutzJackReadonlyReqRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000ab01";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");

        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
        assertAuditReadDeny();
    }

    /**
     * Role {@code ...ae01} (the "execution"-only variant of the read-only role, going by the test
     * name): read, add, modify, delete and audit read are all expected to be denied.
     */
    @Test
    public void test202eAutzJackReadonlyExecRole() throws Exception {
        final String testName = "test202eAutzJackReadonlyExecRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000ae01";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");

        assertReadDeny();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
        assertAuditReadDeny();
    }

    /**
     * Expects normal reads to be allowed and raw reads, add, modify, delete and audit reads to be
     * denied after assigning role {@code ...aa01}.
     *
     * <p>NOTE(review): the role OID assigned here is the same one used by
     * {@code test202AutzJackReadonlyRole}; if a separate request+execution role was intended,
     * this test does not exercise it. Confirm against the role definitions.
     */
    @Test
    public void test202reAutzJackReadonlyReqExecRole() throws Exception {
        final String testName = "test202reAutzJackReadonlyReqExecRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000aa01";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");

        assertReadAllow();
        assertReadDenyRaw();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
        assertAuditReadDeny();
    }

    /**
     * Role {@code ...aa02} ("readonly deep", going by the test name): normal reads are expected
     * to be allowed; raw reads, add, modify, delete and audit reads are expected to be denied.
     */
    @Test
    public void test203AutzJackReadonlyDeepRole() throws Exception {
        final String testName = "test203AutzJackReadonlyDeepRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000aa02";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");

        assertReadAllow();
        assertReadDenyRaw();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
        assertAuditReadDeny();
    }

    /**
     * Expects normal reads to be allowed and raw reads, add, modify and delete to be denied after
     * assigning role {@code ...aa02}.
     *
     * <p>NOTE(review): the role OID is the same one used by
     * {@code test203AutzJackReadonlyDeepRole}, and unlike that test no audit-read denial is
     * asserted here. Confirm whether a separate "exec" role and the audit check were intended.
     */
    @Test
    public void test203eAutzJackReadonlyDeepExecRole() throws Exception {
        final String testName = "test203eAutzJackReadonlyDeepExecRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000aa02";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");

        assertReadAllow();
        assertReadDenyRaw();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Self-scoped authorization: with roles {@code ...aa03} and {@code ...00000001aa00} assigned,
     * Jack is expected to get and modify only his own user object. Another user, roles, orgs,
     * role-member searches, raw access, add and delete (including deleting himself) are all
     * expected to be denied or to return nothing.
     */
    @Test
    public void test204AutzJackSelfRole() throws Exception {
        final String testName = "test204AutzJackSelfRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String probedRoleOid = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
        final String secondProbedRoleOid = "2264afee-3ae4-11e7-a63c-8b53efadd642";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa03");
        assignRole(jackOid, "00000000-0000-0000-0000-00000001aa00");
        login("jack");
        displayWhen(testName);

        // Read side: own object only, never raw.
        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, secondUserOid);
        assertReadDenyRaw();
        assertVisibleUsers(1);
        assertSearch(OrgType.class, null, 0);
        assertSearch(RoleType.class, null, 0);
        assertSearch(ObjectType.class, null, 2);

        // Roles and their membership must not be discoverable through get or member queries.
        assertGetDeny(RoleType.class, probedRoleOid);
        assertGetDeny(RoleType.class, "16813ae6-2c0a-11e7-91fc-8333c244329e");
        assertSearch(UserType.class, createMembersQuery(UserType.class, probedRoleOid), 0);
        assertSearch(UserType.class, createMembersQuery(UserType.class, "5d9cead8-3a2e-11e7-8609-f762a755b58e"), 0);
        assertCanSearchRoleMemberUsers(probedRoleOid, false);
        assertCanSearchRoleMembers(probedRoleOid, false);
        assertCanSearchRoleMemberUsers(secondProbedRoleOid, false);
        assertCanSearchRoleMembers(secondProbedRoleOid, false);

        // Write side: only a non-raw modification of Jack's own object is allowed.
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyDenyRaw();
        assertDeleteDeny();
        assertDeleteDeny(UserType.class, jackOid);

        assertReadCertCases(2);
        assertGlobalStateUntouched();
    }

    /**
     * Object-filtered modify authorization (role {@code ...aa04}): reads are allowed, raw reads,
     * add and delete are denied, and modification is expected to succeed for Jack and user
     * {@code ...112} but to be denied for user {@code ...116}.
     */
    @Test
    public void test205AutzJackObjectFilterModifyCaribbeanfRole() throws Exception {
        final String testName = "test205AutzJackObjectFilterModifyCaribbeanfRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa04");
        login("jack");
        displayWhen(testName);

        assertReadAllow();
        assertReadDenyRaw();
        assertAddDeny();
        // Same item, three targets: the allow/deny outcome depends only on which user is modified.
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyAllow(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Object-filtered read and modify authorization (role {@code ...aa07}): Jack and user
     * {@code ...112} are in scope, user {@code ...116} is not. Every raw get, search and modify
     * is expected to be denied, including for objects the non-raw operation may access.
     *
     * <p>NOTE(review): the displayed title string ends in "CaribbeanfRole" while the method name
     * ends in "CaribbeanRole"; log output will not match the method name.
     */
    @Test
    public void test207AutzJackObjectFilterCaribbeanRole() throws Exception {
        final String displayedName = "test207AutzJackObjectFilterCaribbeanfRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(displayedName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa07");
        login("jack");
        displayWhen(displayedName);

        // Get: non-raw allowed for Jack only; raw denied for both users.
        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, secondUserOid);
        assertGetDeny(UserType.class, secondUserOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertReadDenyRaw();

        // Search: out-of-scope objects yield empty results, raw searches are rejected outright.
        assertSearch(UserType.class, null, 2);
        assertSearch(ObjectType.class, null, 2);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(ObjectType.class, createNameQuery("jack"), 1);
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(ObjectType.class, createNameQuery("guybrush"), 0);

        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyAllow(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertModifyDenyRaw();
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Raw-enabled counterpart of the object-filter test (role {@code ...a0000000aa07}): raw get,
     * search and modify are expected to be allowed for in-scope objects (Jack, user
     * {@code ...112}) and still denied or empty for user {@code ...116}. Add and delete stay denied.
     */
    @Test
    public void test207rAutzJackObjectFilterCaribbeanRole() throws Exception {
        final String testName = "test207rAutzJackObjectFilterCaribbeanRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-a0000000aa07");
        login("jack");
        displayWhen(testName);

        // Get: the raw option must not widen the scope beyond what the object filter permits.
        assertGetAllow(UserType.class, jackOid);
        assertGetAllow(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, secondUserOid);
        assertGetDeny(UserType.class, secondUserOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));

        // Search: raw and non-raw queries are expected to return the same counts.
        assertSearch(UserType.class, null, 2);
        assertSearchRaw(UserType.class, null, 2);
        assertSearch(ObjectType.class, null, 2);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearch(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 1);
        assertSearch(ObjectType.class, createNameQuery("jack"), 1);
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearch(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 0);
        assertSearch(ObjectType.class, createNameQuery("guybrush"), 0);

        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyAllowOptions(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, ModelExecuteOptions.createRaw(), PrismTestUtil.createPolyString("Raw Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyAllow(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertModifyAllowOptions(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, ModelExecuteOptions.createRaw(), PrismTestUtil.createPolyString("Raw Mutinier"));
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Role {@code 7b4a3880-...}: the generic read/add/modify/delete helpers all expect denial and
     * no users are visible, yet a role search returns five roles. Five specific role OIDs are
     * readable by get, while three other roles (including {@code ...0004}) are not.
     */
    @Test
    public void test208AutzJackReadSomeRoles() throws Exception {
        final String testName = "test208AutzJackReadSomeRoles";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "7b4a3880-e167-11e6-b38b-2b6a550a03e7");
        login("jack");
        displayWhen(testName);

        assertReadDeny();
        assertReadDenyRaw();
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        assertSearch(UserType.class, null, 0);
        assertSearch(RoleType.class, null, 5);

        // Users are out of scope entirely, including Jack's own object.
        assertGetDeny(UserType.class, jackOid);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");

        // Roles outside the readable subset.
        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-000000000004");
        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-00000000aa03");
        assertGetDeny(RoleType.class, "00000000-0000-0000-0000-00000000aa0c");

        // The five readable roles; the count matches the role search above.
        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aaa1");
        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aaa2");
        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aab1");
        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aab2");
        assertGetAllow(RoleType.class, "00000000-0000-0000-0000-00000000aab3");
        assertGlobalStateUntouched();
    }

    /**
     * Item-level modify authorization (role {@code ...aa05}): all reads are allowed, but only
     * {@code fullName} and {@code description} modifications are expected to succeed.
     * {@code honorificPrefix} changes, raw modifications, add and delete are expected to be
     * denied. The edit schema for Jack is then checked item by item.
     */
    @Test
    public void test210AutzJackPropReadAllModifySome() throws Exception {
        final String testName = "test210AutzJackPropReadAllModifySome";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa05");
        login("jack");
        displayWhen(testName);

        assertReadAllow();
        assertReadDenyRaw();
        assertAddDeny();

        // Items covered by the modify authorization.
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");

        // An item outside it is refused regardless of the target user.
        assertModifyDeny(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyDeny(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertModifyDenyRaw();
        assertDeleteDeny();

        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        assertJackEditSchemaReadAllModifySome(jack);
        assertGlobalStateUntouched();
    }

    /**
     * Item-level modify authorization limited to Jack's own object (role {@code ...ae05}): only
     * Jack is visible, only a regular {@code fullName} modification of Jack succeeds, and the
     * raw and "partial" variants of that modification are expected to be denied. Every raw get
     * and search is denied.
     */
    @Test
    public void test211AutzJackPropReadAllModifySomeUser() throws Exception {
        final String testName = "test211AutzJackPropReadAllModifySomeUser";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000ae05");
        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, secondUserOid);
        assertGetDeny(UserType.class, secondUserOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertReadDenyRaw();

        assertSearch(UserType.class, null, 1);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));

        assertAddDeny();

        // Jack's fullName: regular execution allowed, raw and partial execution denied.
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
        assertModifyDenyRaw(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Raw Captain Jack Sparrow"));
        assertModifyDenyPartial(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Partial Captain Jack Sparrow"));

        // The second user's description: denied in all three execution modes.
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyDenyRaw(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Raw Pirate wannabe");
        // NOTE(review): the partial case reuses the "Raw ..." value; harmless for a deny check but looks like a copy-paste.
        assertModifyDenyPartial(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Raw Pirate wannabe");

        assertModifyDeny(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyDeny(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertDeleteDeny();

        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        assertJackEditSchemaReadAllModifySome(jack);
        assertGlobalStateUntouched();
    }

    /**
     * Same scenario as the own-object item-level test, but with role {@code ...b0000000ae05}:
     * the "partial" {@code fullName} modification of Jack is expected to be allowed, while the
     * raw variant and every modification of other users stay denied.
     */
    @Test
    public void test212AutzJackPropReadAllModifySomeUserPartial() throws Exception {
        final String testName = "test212AutzJackPropReadAllModifySomeUserPartial";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-b0000000ae05");
        login("jack");
        displayWhen(testName);

        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, secondUserOid);
        assertGetDeny(UserType.class, secondUserOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertReadDenyRaw();

        assertSearch(UserType.class, null, 1);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));

        assertAddDeny();

        // Jack's fullName: regular and partial execution allowed, raw execution still denied.
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
        assertModifyDenyRaw(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Raw Captain Jack Sparrow"));
        assertModifyAllowPartial(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Partial Captain Jack Sparrow"));

        // The second user's description: denied in all three execution modes.
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyDenyRaw(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Raw Pirate wannabe");
        // NOTE(review): the partial case reuses the "Raw ..." value; harmless for a deny check but looks like a copy-paste.
        assertModifyDenyPartial(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Raw Pirate wannabe");

        assertModifyDeny(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyDeny(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertDeleteDeny();

        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        assertJackEditSchemaReadAllModifySome(jack);
        assertGlobalStateUntouched();
    }

    /**
     * Checks the edit schema computed for the given user under a "read all, modify some" role.
     * Only {@code fullName} and {@code description} carry {@code true} in the last flag; every
     * other checked item is {@code (true, false, false)}.
     *
     * <p>NOTE(review): the three booleans are presumably (read, add, modify); confirm against
     * {@code assertItemFlags}.
     *
     * @param prismObject user whose edit object definition is inspected
     */
    private void assertJackEditSchemaReadAllModifySome(PrismObject<UserType> prismObject) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        PrismObjectDefinition editDef = getEditObjectDefinition(prismObject);
        display("Jack's edit schema", editDef);

        // Top-level name items.
        assertItemFlags(editDef, UserType.F_NAME, true, false, false);
        assertItemFlags(editDef, UserType.F_FULL_NAME, true, false, true);
        assertItemFlags(editDef, UserType.F_DESCRIPTION, true, false, true);
        assertItemFlags(editDef, UserType.F_GIVEN_NAME, true, false, false);
        assertItemFlags(editDef, UserType.F_FAMILY_NAME, true, false, false);
        assertItemFlags(editDef, UserType.F_ADDITIONAL_NAME, true, false, false);

        // Object metadata.
        assertItemFlags(editDef, UserType.F_METADATA, true, false, false);
        ItemPath metadataCreated = new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP});
        assertItemFlags(editDef, metadataCreated, true, false, false);

        // Assignments and their metadata.
        assertItemFlags(editDef, UserType.F_ASSIGNMENT, true, false, false);
        ItemPath assignmentMetadata = new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA});
        assertItemFlags(editDef, assignmentMetadata, true, false, false);
        ItemPath assignmentCreated = new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP});
        assertItemFlags(editDef, assignmentCreated, true, false, false);

        // Activation status items.
        ItemPath administrativeStatus = new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS});
        assertItemFlags(editDef, administrativeStatus, true, false, false);
        ItemPath effectiveStatus = new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS});
        assertItemFlags(editDef, effectiveStatus, true, false, false);
    }

    /**
     * Runs the shared "read some, modify some" scenario with role {@code ...aa08}.
     */
    @Test
    public void test215AutzJackPropReadSomeModifySome() throws Exception {
        final String testName = "test215AutzJackPropReadSomeModifySome";
        final String roleOid = "00000000-0000-0000-0000-00000000aa08";
        testAutzJackPropReadSomeModifySome(testName, roleOid);
    }

    /**
     * Runs the shared "read some, modify some" scenario with role {@code ...ac08} (the
     * request+execution variant, going by the test name).
     */
    @Test
    public void test215reAutzJackPropReadSomeModifySomeReqExec() throws Exception {
        final String testName = "test215reAutzJackPropReadSomeModifySomeReqExec";
        final String roleOid = "00000000-0000-0000-0000-00000000ac08";
        testAutzJackPropReadSomeModifySome(testName, roleOid);
    }

    /**
     * Assigns role {@code ...ae08} to Jack, logs in as "jack" and runs the shared own-object
     * "read some, modify some" checks.
     */
    @Test
    public void test216AutzJackPropReadSomeModifySomeUser() throws Exception {
        final String testName = "test216AutzJackPropReadSomeModifySomeUser";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "00000000-0000-0000-0000-00000000ae08";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");
        doReadSomeModifySomeUser(testName);
    }

    /**
     * Assigns role {@code e0f81542-...} to Jack, logs in as "jack" and runs the same shared
     * own-object checks as the "read some, modify some user" test; the expected outcome is
     * therefore identical for both roles.
     */
    @Test
    public void test217AutzJackPropGetSearchSomeModifySomeUser() throws Exception {
        final String testName = "test217AutzJackPropGetSearchSomeModifySomeUser";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String roleOid = "e0f81542-af58-11e8-8537-87b51775fc04";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, roleOid);
        login("jack");
        doReadSomeModifySomeUser(testName);
    }

    /**
     * Shared assertions for roles that let Jack read and modify only some items of his own user
     * object. Expects that user "guybrush" cannot be found at all, that {@code fullName} and the
     * activation valid-from item of Jack can be modified, and that every other attempted
     * modification, add and delete is denied.
     *
     * @param str test name, passed to {@code displayWhen}
     */
    private void doReadSomeModifySomeUser(String str) throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String secondUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayWhen(str);
        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        assertUserJackReadSomeModifySome(jack, 1);
        assertJackEditSchemaReadSomeModifySome(jack);

        // An out-of-scope user must be invisible (null result), not merely unreadable.
        PrismObject guybrush = findUserByUsername("guybrush");
        display("Guybrush", guybrush);
        AssertJUnit.assertNull("Unexpected Guybrush", guybrush);

        assertAddDeny();

        // Items of Jack's own object that the role lets him change.
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, jackOid, SchemaConstants.PATH_ACTIVATION_VALID_FROM, JACK_VALID_FROM_LONG_AGO);

        // Other users, and other items of Jack himself, stay read-only.
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyDeny(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
        assertModifyDeny(UserType.class, secondUserOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Pirate"));
        assertModifyDeny(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, createPolyString("Mutinier"));
        assertModifyDeny(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyDeny(UserType.class, jackOid, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));

        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

    /**
     * Shared driver for the "read some, modify some" tests: assigns the given role to Jack, logs
     * in as "jack" and runs {@code assertReadSomeModifySome(1)}.
     *
     * <p>NOTE(review): this method is public and named {@code test...} but carries no
     * {@code @Test} annotation and takes parameters; confirm the test runner does not try to
     * pick it up as a test of its own.
     *
     * @param str test name used for the displayed title and "when" marker
     * @param str2 OID of the role to assign to Jack
     */
    public void testAutzJackPropReadSomeModifySome(String str, String str2) throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(str);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, str2);
        login("jack");

        displayWhen(str);
        assertReadSomeModifySome(1);
        assertGlobalStateUntouched();
    }

    /**
     * Item-level authorization check for Jack holding role
     * {@code 00000000-0000-0000-0000-00000000ad08}.
     *
     * <p>Asserts, in order: which items come back when Jack reads his own record and the user
     * "guybrush", the per-item flags of Jack's edit schema, and which modifications are accepted
     * or rejected. additionalName is modified successfully and then asserted absent from the
     * read result, so the test pins down that a write grant does not imply a read grant.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test218AutzJackPropReadSomeModifySomeExecAll() throws Exception {
        final String testName = "test218AutzJackPropReadSomeModifySomeExecAll";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // OID literals of two other users, kept exactly as in the original calls.
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000ad08");
        login("jack");
        displayWhen(testName);

        assertReadAllow();
        // The write succeeds here, yet additionalName is asserted unreadable further down.
        assertModifyAllow(UserType.class, jackOid, UserType.F_ADDITIONAL_NAME, PrismTestUtil.createPolyString("Captain"));

        // --- Jack's own record as returned to Jack ---
        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        PrismAsserts.assertPropertyValue(jack, UserType.F_NAME, new PolyString[]{PrismTestUtil.createPolyString("jack")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString("Jack Sparrow")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FAMILY_NAME, new PolyString[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_FAMILY_NAME)});
        PrismAsserts.assertPropertyValue(jack, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS}), new ActivationStatusType[]{ActivationStatusType.ENABLED});
        // Items outside the read grant must be missing from the object itself.
        PrismAsserts.assertNoItem(jack, UserType.F_GIVEN_NAME);
        PrismAsserts.assertNoItem(jack, UserType.F_ADDITIONAL_NAME);
        PrismAsserts.assertNoItem(jack, UserType.F_DESCRIPTION);
        PrismAsserts.assertNoItem(jack, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS}));
        assertAssignmentsWithTargets(jack, 1);

        // --- Edit schema ---
        // NOTE(review): the three booleans are presumably (read, add, modify); confirm against assertItemFlags.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jack);
        display("Jack's edit schema", editSchema);
        assertItemFlags(editSchema, UserType.F_NAME, true, false, false);
        assertItemFlags(editSchema, UserType.F_FULL_NAME, true, false, true);
        assertItemFlags(editSchema, UserType.F_DESCRIPTION, false, false, true);
        assertItemFlags(editSchema, UserType.F_GIVEN_NAME, false, false, false);
        assertItemFlags(editSchema, UserType.F_FAMILY_NAME, true, false, false);
        assertItemFlags(editSchema, UserType.F_ADDITIONAL_NAME, false, false, true);
        assertItemFlags(editSchema, UserType.F_METADATA, false, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), false, false, false);
        assertItemFlags(editSchema, UserType.F_ASSIGNMENT, true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS}), true, false, false);
        assertItemFlags(editSchema, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS}), false, false, false);

        // --- Another user's record gets the same item filtering ---
        PrismObject guybrush = findUserByUsername("guybrush");
        display("Guybrush", guybrush);
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_NAME, new PolyString[]{PrismTestUtil.createPolyString("guybrush")});
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.ACCOUNT_GUYBRUSH_DUMMY_FULLNAME)});
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_FAMILY_NAME, new PolyString[]{PrismTestUtil.createPolyString("Threepwood")});
        PrismAsserts.assertPropertyValue(guybrush, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS}), new ActivationStatusType[]{ActivationStatusType.ENABLED});
        PrismAsserts.assertNoItem(guybrush, UserType.F_GIVEN_NAME);
        PrismAsserts.assertNoItem(guybrush, UserType.F_ADDITIONAL_NAME);
        PrismAsserts.assertNoItem(guybrush, UserType.F_DESCRIPTION);
        PrismAsserts.assertNoItem(guybrush, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS}));
        assertAssignmentsWithTargets(guybrush, 1);

        // --- Write side: permitted items first, then the ones that must be refused ---
        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, otherUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyDeny(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, otherUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyDeny(UserType.class, thirdUserOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertModifyDeny(UserType.class, jackOid, UserType.F_ORGANIZATION, PrismTestUtil.createPolyString("Brethren of the Coast"));
        assertDeleteDeny();
        assertGlobalStateUntouched();
    }

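    /**
     * Item-level authorization check for Jack holding role
     * {@code f9e8a432-af7e-11e9-b338-9336f46ab95d} while object template
     * {@code b3a8f244-565a-11e7-8802-7b2586c1ce99} is the default template for users.
     *
     * <p>Asserts which items Jack can read on his own record, then previews a givenName change
     * and requires the focus secondary delta to be a modify delta with zero modifications.
     *
     * <p>The default user template is shared state. It is reset in a {@code finally} block so
     * that a failing assertion cannot leave the template active for the authorization tests
     * that run afterwards.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test219AutzJackPropReadSomeModifySomeFullName() throws Exception {
        final String testName = "test219AutzJackPropReadSomeModifySomeFullName";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        Task createTask = createTask(testName);
        OperationResult result = createTask.getResult();
        setDefaultObjectTemplate(UserType.COMPLEX_TYPE, "b3a8f244-565a-11e7-8802-7b2586c1ce99", result);
        try {
            assignRole(jackOid, "f9e8a432-af7e-11e9-b338-9336f46ab95d");
            login("jack");
            displayWhen(testName);

            assertReadAllow();
            // The write succeeds here, yet additionalName is asserted unreadable below.
            assertModifyAllow(UserType.class, jackOid, UserType.F_ADDITIONAL_NAME, PrismTestUtil.createPolyString("Captain"));

            PrismObject user = getUser(jackOid);
            display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, user);
            PrismAsserts.assertPropertyValue(user, UserType.F_NAME, new PolyString[]{PrismTestUtil.createPolyString("jack")});
            PrismAsserts.assertPropertyValue(user, UserType.F_GIVEN_NAME, new PolyString[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME)});
            PrismAsserts.assertPropertyValue(user, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS}), new ActivationStatusType[]{ActivationStatusType.ENABLED});
            // Items outside the read grant must be missing from the returned object.
            PrismAsserts.assertNoItem(user, UserType.F_FULL_NAME);
            PrismAsserts.assertNoItem(user, UserType.F_FAMILY_NAME);
            PrismAsserts.assertNoItem(user, UserType.F_ADDITIONAL_NAME);
            PrismAsserts.assertNoItem(user, UserType.F_DESCRIPTION);
            PrismAsserts.assertNoItem(user, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS}));
            assertAssignmentsWithTargets(user, 1);

            // Preview a givenName change; the preview context must not carry any secondary
            // modifications (fullName, asserted unreadable above, is the likely candidate
            // given the test name - TODO confirm against the template).
            ModelContext previewChanges = this.modelInteractionService.previewChanges(MiscSchemaUtil.createCollection(new ObjectDelta[]{createModifyUserReplaceDelta(jackOid, UserType.F_GIVEN_NAME, new Object[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_ADDITIONAL_NAME)})}), (ModelExecuteOptions) null, createTask, result);
            display("Preview context", previewChanges);
            ModelElementContext focusContext = previewChanges.getFocusContext();
            AssertJUnit.assertNotNull("Null model focus context", focusContext);
            ObjectDelta secondaryDelta = focusContext.getSecondaryDelta();
            AssertJUnit.assertTrue("Focus secondary delta not modify", secondaryDelta.isModify());
            AssertJUnit.assertEquals("Unexpected modifications in focus secondary delta", 0, secondaryDelta.getModifications().size());

            assertDeleteDeny();
        } finally {
            // Always restore the default: no user template.
            setDefaultObjectTemplate(UserType.COMPLEX_TYPE, null, result);
        }
        assertGlobalStateUntouched();
    }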

    /**
     * Deny-style item authorization check for Jack holding role
     * {@code d867ca80-b18a-11e6-826e-1b0f95ef9125}.
     *
     * <p>Most operations are allowed (add, raw add, delete, several modifications); the test
     * pins down the exceptions: additionalName and description are not returned on read, and
     * modifying givenName or description is refused. The default user object template is
     * cleared first, so the result does not depend on what an earlier test left behind.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test220AutzJackPropDenyModifySome() throws Exception {
        final String testName = "test220AutzJackPropDenyModifySome";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        // OID literals of two other users, kept exactly as in the original calls.
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String thirdUserOid = "c0c010c0-d34d-b33f-f00d-111111111112";

        displayTestTitle(testName);
        Task templateTask = createTask(testName);
        OperationResult templateResult = templateTask.getResult();
        setDefaultObjectTemplate(UserType.COMPLEX_TYPE, null, templateResult);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "d867ca80-b18a-11e6-826e-1b0f95ef9125");
        login("jack");
        displayWhen(testName);

        assertReadAllow();

        // --- Jack's own record as returned to Jack ---
        PrismObject jack = getUser(jackOid);
        display(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, jack);
        PrismAsserts.assertPropertyValue(jack, UserType.F_NAME, new PolyString[]{PrismTestUtil.createPolyString("jack")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString("Jack Sparrow")});
        PrismAsserts.assertPropertyValue(jack, UserType.F_GIVEN_NAME, new PolyString[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME)});
        PrismAsserts.assertPropertyValue(jack, UserType.F_FAMILY_NAME, new PolyString[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_FAMILY_NAME)});
        PrismAsserts.assertPropertyValue(jack, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS}), new ActivationStatusType[]{ActivationStatusType.ENABLED});
        // The two items excluded from reading must be missing from the object itself.
        PrismAsserts.assertNoItem(jack, UserType.F_ADDITIONAL_NAME);
        PrismAsserts.assertNoItem(jack, UserType.F_DESCRIPTION);
        assertAssignmentsWithTargets(jack, 1);

        // --- Edit schema ---
        // NOTE(review): the three booleans are presumably (read, add, modify); confirm against assertItemFlags.
        PrismObjectDefinition editSchema = getEditObjectDefinition(jack);
        display("Jack's edit schema", editSchema);
        assertItemFlags(editSchema, UserType.F_NAME, true, true, true);
        assertItemFlags(editSchema, UserType.F_FULL_NAME, true, true, true);
        assertItemFlags(editSchema, UserType.F_DESCRIPTION, false, true, false);
        assertItemFlags(editSchema, UserType.F_GIVEN_NAME, true, true, false);
        assertItemFlags(editSchema, UserType.F_FAMILY_NAME, true, true, true);
        assertItemFlags(editSchema, UserType.F_ADDITIONAL_NAME, false, true, true);

        // --- Another user's record gets the same item filtering ---
        PrismObject guybrush = findUserByUsername("guybrush");
        display("Guybrush", guybrush);
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_NAME, new PolyString[]{PrismTestUtil.createPolyString("guybrush")});
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_FULL_NAME, new PolyString[]{PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.ACCOUNT_GUYBRUSH_DUMMY_FULLNAME)});
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_GIVEN_NAME, new PolyString[]{PrismTestUtil.createPolyString("Guybrush")});
        PrismAsserts.assertPropertyValue(guybrush, UserType.F_FAMILY_NAME, new PolyString[]{PrismTestUtil.createPolyString("Threepwood")});
        PrismAsserts.assertPropertyValue(guybrush, new ItemPath(new QName[]{UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS}), new ActivationStatusType[]{ActivationStatusType.ENABLED});
        PrismAsserts.assertNoItem(guybrush, UserType.F_ADDITIONAL_NAME);
        PrismAsserts.assertNoItem(guybrush, UserType.F_DESCRIPTION);
        assertAssignmentsWithTargets(guybrush, 1);

        // --- Write side: broad allow, with givenName and description carved out ---
        assertAddAllow();
        assertAddAllowRaw();
        assertModifyAllow(UserType.class, jackOid, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_ADDITIONAL_NAME, PrismTestUtil.createPolyString("Captain"));
        assertModifyAllow(UserType.class, jackOid, UserType.F_COST_CENTER, "V3RYC0STLY");
        assertModifyAllow(UserType.class, jackOid, UserType.F_ORGANIZATION, PrismTestUtil.createPolyString("Brethren of the Coast"));
        assertModifyDeny(UserType.class, jackOid, UserType.F_GIVEN_NAME, PrismTestUtil.createPolyString(AbstractConfiguredModelIntegrationTest.USER_JACK_ADDITIONAL_NAME));
        assertModifyDeny(UserType.class, otherUserOid, UserType.F_DESCRIPTION, "Pirate wannabe");
        assertModifyDeny(UserType.class, otherUserOid, UserType.F_GIVEN_NAME, PrismTestUtil.createPolyString("Brushie"));
        assertModifyDeny(UserType.class, thirdUserOid, UserType.F_GIVEN_NAME, PrismTestUtil.createPolyString("Hectie"));
        assertDeleteAllow();
        assertGlobalStateUntouched();
    }

    /**
     * Scoped-authorization check for Jack holding role
     * {@code 00000000-0000-0000-0000-00000000aa06}.
     *
     * <p>The generic add/modify/delete helpers must be refused, while get and modify on the
     * users referenced by {@code userRumRogersOid} and {@code userCobbOid} are allowed. Adding
     * {@code USER_MANCOMB_FILE} is allowed only in non-raw mode; the raw add is refused.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test230AutzJackMasterMinistryOfRum() throws Exception {
        final String testName = "test230AutzJackMasterMinistryOfRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa06");
        login("jack");
        displayWhen(testName);

        // Generic checks.
        // NOTE(review): the argument 3 is presumably the expected number of visible users; confirm against assertReadDeny.
        assertReadDeny(3);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Users for which the role does grant access.
        assertGetAllow(UserType.class, userRumRogersOid);
        assertModifyAllow(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
        assertGetAllow(UserType.class, userCobbOid);

        // The raw add is attempted first and must be refused; the regular add then succeeds.
        assertAddDenyRaw(USER_MANCOMB_FILE);
        assertAddAllow(USER_MANCOMB_FILE);
        assertVisibleUsers(4);

        assertDeleteAllow(UserType.class, "00000000-0000-0000-0000-110000000012");
        assertVisibleUsers(3);
        assertGlobalStateUntouched();
    }

    /**
     * Read-only org authorization check for Jack holding role
     * {@code 00000000-0000-0000-0000-00000000aa0d}.
     *
     * <p>Exactly one object is expected from an unfiltered search, both as {@code OrgType} and
     * as {@code ObjectType}; every user operation (get, modify, add) must be refused.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test232AutzJackReadOrgMinistryOfRum() throws Exception {
        final String testName = "test232AutzJackReadOrgMinistryOfRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "00000000-0000-0000-0000-00000000aa0d");
        login("jack");
        displayWhen(testName);

        assertReadDeny(0);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Searching the common supertype returns the same single object: no other type is exposed.
        assertSearch(OrgType.class, null, 1);
        assertSearch(ObjectType.class, null, 1);

        // Users stay out of reach for every operation.
        assertGetDeny(UserType.class, userRumRogersOid);
        assertModifyDeny(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
        assertAddDeny(USER_MANCOMB_FILE);
        assertGlobalStateUntouched();
    }

    /**
     * Negative baseline for role {@code e2c88fea-db21-11e5-80ba-d7b2f1155264}: Jack holds the
     * role and an account on resource {@code 10000000-0000-0000-0000-000000000004}, but no org
     * is assigned to him in this test.
     *
     * <p>Every get, search, add, modify and delete on users, orgs and shadows must be refused
     * or return nothing, including the get on Jack's own linked shadow.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test240AutzJackManagerFullControlNoOrg() throws Exception {
        final String testName = "test240AutzJackManagerFullControlNoOrg";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String resourceOid = "10000000-0000-0000-0000-000000000004";
        final String orgOid = "00000000-8888-6666-0000-100000000004";
        final String otherOrgOid = "00000000-8888-6666-0000-100000000006";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "e2c88fea-db21-11e5-80ba-d7b2f1155264");
        assignAccountToUser(jackOid, resourceOid, null);
        // Resolved before login("jack"), i.e. before the restricted identity is in effect.
        String jackShadowOid = getSingleLinkOid(getUser(jackOid));
        login("jack");
        displayWhen(testName);

        assertReadDeny(0);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Users
        assertGetDeny(UserType.class, userRumRogersOid);
        assertModifyDeny(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
        assertGetDeny(UserType.class, userCobbOid);
        assertAddDeny(USER_MANCOMB_FILE);
        assertVisibleUsers(0);

        // Orgs
        assertGetDeny(OrgType.class, orgOid);
        assertSearch(OrgType.class, null, 0);
        assertModifyDeny(OrgType.class, orgOid, OrgType.F_DESCRIPTION, "blababla");
        assertModifyDeny(OrgType.class, otherOrgOid, OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
        assertDeleteDeny(UserType.class, "00000000-0000-0000-0000-110000000012");

        // Shadows: neither Jack's own nor Elaine's may be fetched, and the account search is empty.
        assertGetDeny(ShadowType.class, jackShadowOid);
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        ObjectQuery accountQuery = ObjectQuery.createObjectQuery(
                ObjectQueryUtil.createResourceAndObjectClassFilter(
                        resourceOid,
                        new QName("http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004", "AccountObjectClass"),
                        this.prismContext));
        assertSearch(ShadowType.class, accountQuery, 0);
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code e2c88fea-db21-11e5-80ba-d7b2f1155264} and is assigned to org
     * {@code 00000000-8888-6666-0000-100000000004} with a {@code null} relation (the manager
     * variants pass {@code SchemaConstants.ORG_MANAGER} instead).
     *
     * <p>The expectations live in {@code assertJack24xMember}, which requires everything to
     * be refused.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test241AutzJackManagerFullControlMemberMinistryOfRum() throws Exception {
        final String testName = "test241AutzJackManagerFullControlMemberMinistryOfRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "e2c88fea-db21-11e5-80ba-d7b2f1155264");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", null);
        assignAccountToUser(jackOid, "10000000-0000-0000-0000-000000000004", null);
        // Resolved before login("jack"), i.e. before the restricted identity is in effect.
        String jackShadowOid = getSingleLinkOid(getUser(jackOid));
        login("jack");

        displayWhen(testName);
        assertJack24xMember(jackShadowOid, true);
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code e2c88fea-db21-11e5-80ba-d7b2f1155264} and is assigned to org
     * {@code 00000000-8888-6666-0000-100000000004} with relation
     * {@code SchemaConstants.ORG_MANAGER}.
     *
     * <p>Elaine's shadow is fetched and checked for existence before the login, so the later
     * deny on that shadow inside {@code assertJack24xManager} cannot pass merely because the
     * object is missing.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test242AutzJackManagerFullControlManagerMinistryOfRum() throws Exception {
        final String testName = "test242AutzJackManagerFullControlManagerMinistryOfRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "e2c88fea-db21-11e5-80ba-d7b2f1155264");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        assignAccountToUser(jackOid, "10000000-0000-0000-0000-000000000004", null);

        PrismObject elaineShadow = getObject(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        AssertJUnit.assertNotNull(elaineShadow);
        display("Elaine's shadow", elaineShadow);

        login("jack");
        displayWhen(testName);
        assertJack24xManager(testName, true);
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code e2c88fea-db21-11e5-80ba-d7b2f1155264} and is assigned with
     * relation {@code SchemaConstants.ORG_MANAGER} to two orgs:
     * {@code 00000000-8888-6666-0000-100000000004} and
     * {@code 00000000-8888-6666-0000-100000000002}.
     *
     * <p>The expectations live in {@code assertJack24xManagerDefense}. Elaine's shadow is
     * fetched and checked for existence before the login.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test243AutzJackManagerFullControlManagerMinistryOfRumAndDefense() throws Exception {
        final String testName = "test243AutzJackManagerFullControlManagerMinistryOfRumAndDefense";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "e2c88fea-db21-11e5-80ba-d7b2f1155264");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000002", SchemaConstants.ORG_MANAGER);
        assignAccountToUser(jackOid, "10000000-0000-0000-0000-000000000004", null);
        dumpOrgTreeAndUsers();

        PrismObject elaineShadow = getObject(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        AssertJUnit.assertNotNull(elaineShadow);
        display("Elaine's shadow", elaineShadow);

        login("jack");
        displayWhen(testName);
        assertJack24xManagerDefense(testName, true);
        assertGlobalStateUntouched();
    }

    /**
     * Same setup as the org-member scenario of test241, but with role
     * {@code c545323c-5d68-11e7-acba-2b32ef514121}: Jack is assigned to org
     * {@code 00000000-8888-6666-0000-100000000004} with a {@code null} relation.
     *
     * <p>The expectations live in {@code assertJack24xMember}, which requires everything to
     * be refused.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test245AutzJackManagerUserAdminMemberMinistryOfRum() throws Exception {
        final String testName = "test245AutzJackManagerUserAdminMemberMinistryOfRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "c545323c-5d68-11e7-acba-2b32ef514121");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", null);
        assignAccountToUser(jackOid, "10000000-0000-0000-0000-000000000004", null);
        // Resolved before login("jack"), i.e. before the restricted identity is in effect.
        String jackShadowOid = getSingleLinkOid(getUser(jackOid));
        login("jack");

        displayWhen(testName);
        assertJack24xMember(jackShadowOid, false);
        assertGlobalStateUntouched();
    }

    /**
     * Jack holds role {@code c545323c-5d68-11e7-acba-2b32ef514121} and is assigned to org
     * {@code 00000000-8888-6666-0000-100000000004} with relation
     * {@code SchemaConstants.ORG_MANAGER}.
     *
     * <p>Delegates to {@code assertJack24xManager} with {@code false}, which switches the
     * modification of org {@code 00000000-8888-6666-0000-100000000006} from allowed to denied.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test246AutzJackManagerUserAdminManagerMinistryOfRum() throws Exception {
        final String testName = "test246AutzJackManagerUserAdminManagerMinistryOfRum";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "c545323c-5d68-11e7-acba-2b32ef514121");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        assignAccountToUser(jackOid, "10000000-0000-0000-0000-000000000004", null);

        // Existence check done before the login, so the later deny is not a false positive.
        PrismObject elaineShadow = getObject(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        AssertJUnit.assertNotNull(elaineShadow);
        display("Elaine's shadow", elaineShadow);

        login("jack");
        displayWhen(testName);
        assertJack24xManager(testName, false);
        assertGlobalStateUntouched();
    }

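    /**
     * Jack holds role {@code c545323c-5d68-11e7-acba-2b32ef514121} and is assigned with
     * relation {@code SchemaConstants.ORG_MANAGER} to two orgs:
     * {@code 00000000-8888-6666-0000-100000000004} and
     * {@code 00000000-8888-6666-0000-100000000002}.
     *
     * <p>Delegates to {@code assertJack24xManagerDefense} with {@code false}, which switches
     * the modification of org {@code 00000000-8888-6666-0000-100000000006} from allowed to
     * denied.
     *
     * <p>The title, "when" marker and task name previously carried the test243 name, so a
     * failure here was reported under the wrong scenario; they now use this test's own name.
     *
     * @throws Exception if any helper or assertion fails
     */
    @Test
    public void test247AutzJackManagerUserAdminManagerMinistryOfRumAndDefense() throws Exception {
        final String testName = "test247AutzJackManagerUserAdminManagerMinistryOfRumAndDefense";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "c545323c-5d68-11e7-acba-2b32ef514121");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", SchemaConstants.ORG_MANAGER);
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000002", SchemaConstants.ORG_MANAGER);
        assignAccountToUser(jackOid, "10000000-0000-0000-0000-000000000004", null);

        // Existence check done before the login, so the later deny is not a false positive.
        PrismObject elaineShadow = getObject(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        AssertJUnit.assertNotNull(elaineShadow);
        display("Elaine's shadow", elaineShadow);

        login("jack");
        displayWhen(testName);
        assertJack24xManagerDefense(testName, false);
        assertGlobalStateUntouched();
    }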

    /**
     * Shared expectations for the org-member scenarios (test241, test245): every get, search,
     * add, modify and delete on users, orgs and shadows is refused or returns nothing.
     *
     * @param str OID of the shadow linked to Jack; getting it must be denied
     * @param z   not read by this method; both callers' expectations are identical
     * @throws Exception if any helper or assertion fails
     */
    private void assertJack24xMember(String str, boolean z) throws Exception {
        final String resourceOid = "10000000-0000-0000-0000-000000000004";
        final String orgOid = "00000000-8888-6666-0000-100000000004";
        final String otherOrgOid = "00000000-8888-6666-0000-100000000006";

        assertReadDeny(0);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Users
        assertGetDeny(UserType.class, userRumRogersOid);
        assertModifyDeny(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
        assertGetDeny(UserType.class, userCobbOid);
        assertAddDeny(USER_MANCOMB_FILE);
        assertVisibleUsers(0);

        // Orgs
        assertGetDeny(OrgType.class, orgOid);
        assertSearch(OrgType.class, null, 0);
        assertModifyDeny(OrgType.class, orgOid, OrgType.F_DESCRIPTION, "blababla");
        assertModifyDeny(OrgType.class, otherOrgOid, OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
        assertDeleteDeny(UserType.class, "00000000-0000-0000-0000-110000000012");

        // Shadows: neither the caller-supplied one nor Elaine's may be fetched, and the account search is empty.
        assertGetDeny(ShadowType.class, str);
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        ObjectQuery accountQuery = ObjectQuery.createObjectQuery(
                ObjectQueryUtil.createResourceAndObjectClassFilter(
                        resourceOid,
                        new QName("http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004", "AccountObjectClass"),
                        this.prismContext));
        assertSearch(ShadowType.class, accountQuery, 0);
    }

    /**
     * Shared expectations for the single-org manager scenarios (test242, test246).
     *
     * <p>Regular get/search/modify on Jack and on the users referenced by
     * {@code userRumRogersOid} and {@code userCobbOid} is allowed; the same operations with the
     * raw option are denied, as is any access to user
     * {@code c0c010c0-d34d-b33f-f00d-111111111116}. Adding {@code ORG_CHEATERS_FILE} must fail
     * with {@code PolicyViolationException}, and a shadow search by resource and object class
     * must fail with {@code SchemaException}.
     *
     * @param str test name, appended to the class name to form the task instance names
     * @param z   when {@code true}, modifying org {@code 00000000-8888-6666-0000-100000000006}
     *            is expected to be allowed; when {@code false}, denied
     * @throws Exception if any helper or assertion fails
     */
    private void assertJack24xManager(String str, boolean z) throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String outsiderOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String removableUserOid = "00000000-0000-0000-0000-110000000012";
        final String resourceOid = "10000000-0000-0000-0000-000000000004";
        final String orgOid = "00000000-8888-6666-0000-100000000004";
        final String otherOrgOid = "00000000-8888-6666-0000-100000000006";

        // --- Users: regular access vs. raw access ---
        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, outsiderOid);
        assertGetDeny(UserType.class, outsiderOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, null, 4);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));

        assertAddDeny();
        assertModifyAllow(UserType.class, jackOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        // Same object, but through the raw path: must be refused.
        assertModifyDenyRaw(UserType.class, jackOid, UserType.F_HONORIFIC_SUFFIX, PrismTestUtil.createPolyString("CSc"));
        assertModifyDeny(UserType.class, outsiderOid, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();

        assertGetAllow(UserType.class, userRumRogersOid);
        assertModifyAllow(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
        assertGetAllow(UserType.class, userCobbOid);
        assertAddDenyRaw(USER_MANCOMB_FILE);
        assertAddAllow(USER_MANCOMB_FILE);

        // --- Adding the org file must be rejected as a policy violation ---
        Task addOrgTask = this.taskManager.createTaskInstance(TestSecurityBasic.class.getName() + "." + str);
        OperationResult addOrgResult = addOrgTask.getResult();
        try {
            addObject(ORG_CHEATERS_FILE, addOrgTask, addOrgResult);
            assertNotReached();
        } catch (PolicyViolationException expected) {
            display("Expected exception", expected);
            assertFailure(addOrgResult);
        }

        // --- Shadows: Jack's own is readable, Elaine's is not ---
        String jackShadowOid = getSingleLinkOid(getUser(jackOid));
        assertGetAllow(ShadowType.class, jackShadowOid);
        display("Jack's shadow", getObject(ShadowType.class, jackShadowOid));
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        assertVisibleUsers(5);

        // --- Orgs ---
        assertGetAllow(OrgType.class, orgOid);
        assertSearch(OrgType.class, null, 2);
        assertModifyDeny(OrgType.class, orgOid, OrgType.F_DESCRIPTION, "blababla");
        if (!z) {
            assertModifyDeny(OrgType.class, otherOrgOid, OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
        } else {
            assertModifyAllow(OrgType.class, otherOrgOid, OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
        }

        // --- A second user's account on the same resource ---
        assignAccountToUser(removableUserOid, resourceOid, null);
        String secondShadowOid = getSingleLinkOid(getUser(removableUserOid));
        assertGetAllow(ShadowType.class, secondShadowOid);
        display("Estevan shadow", getObject(ShadowType.class, secondShadowOid));

        // --- The resource/object-class shadow search is expected to fail with SchemaException ---
        Task searchTask = this.taskManager.createTaskInstance(TestSecurityBasic.class.getName() + "." + str);
        OperationResult searchResult = searchTask.getResult();
        try {
            ObjectQuery accountQuery = ObjectQuery.createObjectQuery(
                    ObjectQueryUtil.createResourceAndObjectClassFilter(
                            resourceOid,
                            new QName("http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004", "AccountObjectClass"),
                            this.prismContext));
            this.modelService.searchObjects(ShadowType.class, accountQuery, (Collection) null, searchTask, searchResult);
            AssertJUnit.fail("unexpected success");
        } catch (SchemaException expected) {
            display("Expected exception", expected);
        }
        searchResult.computeStatus();
        TestUtil.assertFailure(searchResult);

        assertDeleteAllow(UserType.class, removableUserOid);
        assertVisibleUsers(4);
    }

    /**
     * Shared authorization assertions for the "24x manager" scenarios.
     *
     * <p>No login happens in this method, so the caller is expected to have set up the session
     * and role assignments beforehand (confirm against the callers, which are outside this view).
     * The steps mutate repository state (users are modified, added and deleted), so their order matters.
     *
     * @param str test name; only used to build the name of the task that runs the shadow search
     * @param z   {@code true} if modifying the description of org {@code ...100000000006} must be
     *            allowed, {@code false} if it must be denied
     * @throws Exception propagated from any of the helper assertions
     */
    private void assertJack24xManagerDefense(String str, boolean z) throws Exception {
        // Own user object: a normal read is allowed, the same read with the raw option must be denied.
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        // Another user (presumably guybrush, judging by the name queries below): denied both ways.
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        // Searches: non-raw searches return only the expected number of objects; raw searches are denied outright.
        assertSearch(UserType.class, null, 4);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertAddDeny();
        // Modify: allowed on the own object through the normal path, denied when executed raw, denied on the other user.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDenyRaw(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_SUFFIX, PrismTestUtil.createPolyString("CSc"));
        assertModifyDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();
        // Two further users must be readable; the first one must also be modifiable.
        assertGetAllow(UserType.class, this.userRumRogersOid);
        assertModifyAllow(UserType.class, this.userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
        assertGetAllow(UserType.class, this.userCobbOid);
        // Adding the user from USER_MANCOMB_FILE must be allowed; this raises the visible-user count checked below.
        assertAddAllow(USER_MANCOMB_FILE);
        // Shadows: the account linked to jack is readable, Elaine's account is not.
        String singleLinkOid = getSingleLinkOid(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        assertGetAllow(ShadowType.class, singleLinkOid);
        display("Jack's shadow", getObject(ShadowType.class, singleLinkOid));
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        assertVisibleUsers(5);
        // Orgs: read and search are allowed, modification of org ...0004 is denied.
        assertGetAllow(OrgType.class, "00000000-8888-6666-0000-100000000004");
        assertSearch(OrgType.class, null, 3);
        assertModifyDeny(OrgType.class, "00000000-8888-6666-0000-100000000004", OrgType.F_DESCRIPTION, "blababla");
        // The only scenario-specific expectation: whether org ...0006 may be modified.
        if (z) {
            assertModifyAllow(OrgType.class, "00000000-8888-6666-0000-100000000006", OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
        } else {
            assertModifyDeny(OrgType.class, "00000000-8888-6666-0000-100000000006", OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
        }
        // Assign an account on resource ...0004 to user ...0012 (presumably Estevan, per the display label)
        // and check that the resulting shadow is readable.
        assignAccountToUser("00000000-0000-0000-0000-110000000012", "10000000-0000-0000-0000-000000000004", null);
        String singleLinkOid2 = getSingleLinkOid(getUser("00000000-0000-0000-0000-110000000012"));
        assertGetAllow(ShadowType.class, singleLinkOid2);
        display("Estevan shadow", getObject(ShadowType.class, singleLinkOid2));
        Task createTaskInstance = this.taskManager.createTaskInstance(TestSecurityBasic.class.getName() + "." + str);
        OperationResult result = createTaskInstance.getResult();
        // A shadow search by resource and object class must not succeed; fail() is reached only if it does.
        // NOTE(review): the expected failure is a SchemaException rather than an explicit authorization
        // denial. Confirm this is the intended failure mode, otherwise an unrelated schema problem
        // would satisfy this check just as well.
        try {
            this.modelService.searchObjects(ShadowType.class, ObjectQuery.createObjectQuery(ObjectQueryUtil.createResourceAndObjectClassFilter("10000000-0000-0000-0000-000000000004", new QName("http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004", "AccountObjectClass"), this.prismContext)), (Collection) null, createTaskInstance, result);
            AssertJUnit.fail("unexpected success");
        } catch (SchemaException e) {
            display("Expected exception", e);
        }
        assertFailure(result);
        // Add and delete are checked through the visible-user count: 5 -> 6 after the add, then back to 4 after two deletes.
        assertSearch(UserType.class, null, 5);
        assertAddAllow(USER_CAPSIZE_FILE);
        assertSearch(UserType.class, null, 6);
        assertDeleteAllow(UserType.class, "00000000-0000-0000-0000-110000000012");
        assertSearch(UserType.class, null, 5);
        // presumably the OID of one of the users added above; verify against the user files
        assertDeleteAllow(UserType.class, "bab2c6a8-5f2a-11e8-97d2-4fc12ba39043");
        assertSearch(UserType.class, null, 4);
        assertVisibleUsers(4);
    }

    /**
     * Verifies the authorizations jack has with role {@code ...aa09} assigned (presumably a
     * "self accounts: read only" role, judging by the test name; confirm against the role definition).
     *
     * <p>Asserted boundary: jack can read and modify his own user and read his own account shadow,
     * but cannot read other users or other shadows, and cannot add, link or delete any account.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test250AutzJackSelfAccountsRead() throws Exception {
        displayTestTitle("test250AutzJackSelfAccountsRead");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        // Sanity check, done before login("jack"): Elaine's shadow must exist so that the later deny is meaningful.
        PrismObject object = getObject(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        AssertJUnit.assertNotNull(object);
        display("Elaine's shadow", object);
        // Role and account are assigned under RELATIVE enforcement; the policy is switched to NONE before login.
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa09");
        assignAccountToUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "10000000-0000-0000-0000-000000000004", null);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
        login("jack");
        displayWhen("test250AutzJackSelfAccountsRead");
        // User objects: own object is readable and modifiable, the other user is not; no add, no delete.
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertAddDeny();
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();
        assertDeleteDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        // Shadows: only the account linked to jack is readable.
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        String singleLinkOid = getSingleLinkOid(user);
        assertGetAllow(ShadowType.class, singleLinkOid);
        PrismObject object2 = getObject(ShadowType.class, singleLinkOid);
        display("Jack's shadow", object2);
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        // Every write path to accounts must be closed: direct add, add via linkRef on either user, and delete.
        assertAddDeny(ACCOUNT_JACK_DUMMY_RED_FILE);
        assertAddDeny(ACCOUNT_GUYBRUSH_DUMMY_FILE);
        assertDeny("add jack's account to jack", (task, operationResult) -> {
            modifyUserAddAccount(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ACCOUNT_JACK_DUMMY_RED_FILE, task, operationResult);
        });
        // Cross-user case: linking jack's account file to the other user (label spelling is as in the original).
        assertDeny("add jack's account to gyubrush", (task2, operationResult2) -> {
            modifyUserAddAccount("c0c010c0-d34d-b33f-f00d-111111111116", ACCOUNT_JACK_DUMMY_RED_FILE, task2, operationResult2);
        });
        assertDeleteDeny(ShadowType.class, singleLinkOid);
        assertDeleteDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        // Return values are discarded: these two calls only check that computing the edit
        // definitions as jack completes without throwing.
        getEditObjectDefinition(user);
        getEditObjectDefinition(object2);
        assertGlobalStateUntouched();
    }

    /**
     * Verifies the authorizations jack has with role {@code ...aa0a} assigned (presumably a
     * "self accounts: read and write" role, judging by the test name; confirm against the role definition).
     *
     * <p>Asserted boundary: jack may link a new account to himself and delete it again, while
     * accounts of other users stay unreadable, cannot be linked and cannot be deleted.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test255AutzJackSelfAccountsReadWrite() throws Exception {
        displayTestTitle("test255AutzJackSelfAccountsReadWrite");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa0a");
        assignAccountToUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "10000000-0000-0000-0000-000000000004", null);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
        login("jack");
        displayWhen("test255AutzJackSelfAccountsReadWrite");
        // User objects: same boundary as in the read-only test (own object only, no add, no delete).
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertAddDeny();
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();
        assertDeleteDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        String singleLinkOid = getSingleLinkOid(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        assertGetAllow(ShadowType.class, singleLinkOid);
        PrismObject object = getObject(ShadowType.class, singleLinkOid);
        display("Jack's shadow", object);
        Task createTask = createTask("test255AutzJackSelfAccountsReadWrite");
        // Edit definition of jack's own account as seen by jack; no authorization phase is passed (null).
        RefinedObjectClassDefinition editObjectClassDefinition = this.modelInteractionService.getEditObjectClassDefinition(object, getDummyResourceObject(), (AuthorizationPhaseType) null, createTask, createTask.getResult());
        display("Refined objectclass def", editObjectClassDefinition);
        // The three booleans are presumably (read, add, modify); confirm against assertAttributeFlags.
        assertAttributeFlags(editObjectClassDefinition, SchemaConstants.ICFS_UID, true, false, false);
        assertAttributeFlags(editObjectClassDefinition, SchemaConstants.ICFS_NAME, true, true, true);
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        // Adding a shadow directly stays denied; only the add through jack's own linkRef below is allowed.
        assertAddDeny(ACCOUNT_JACK_DUMMY_RED_FILE);
        assertAddDeny(ACCOUNT_GUYBRUSH_DUMMY_FILE);
        assertAllow("add jack's account to jack", (task, operationResult) -> {
            modifyUserAddAccount(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ACCOUNT_JACK_DUMMY_RED_FILE, task, operationResult);
        });
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display("Jack after red account link", user);
        // Look up the link to the account on resource ...0104 (presumably the "red" dummy resource).
        String linkRefOid = getLinkRefOid(user, "10000000-0000-0000-0000-000000000104");
        AssertJUnit.assertNotNull("Strange, red account not linked to jack", linkRefOid);
        // NOTE(review): the label mentions guybrush, but the target OID ends in ...118 (the other user
        // in this method is ...116) and the file constant is ACCOUNT_HERMAN_DUMMY_FILE. Confirm which
        // user this cross-user deny is meant to cover.
        assertDeny("add gyubrush's account", (task2, operationResult2) -> {
            modifyUserAddAccount("c0c010c0-d34d-b33f-f00d-111111111118", ACCOUNT_HERMAN_DUMMY_FILE, task2, operationResult2);
        });
        // Deleting the account jack just linked is allowed; deleting Elaine's account is not.
        assertDeleteAllow(ShadowType.class, linkRefOid);
        assertDeleteDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        assertGlobalStateUntouched();
    }

    /**
     * Verifies item-level authorizations jack has with role {@code ...aa0b} assigned (presumably
     * a "partial control" role, judging by the test name; confirm against the role definition).
     *
     * <p>Asserted boundary: on his own user jack may change {@code nickName} but not
     * {@code honorificPrefix}; on his own account only the {@code location} attribute has all
     * three flags set; password changes are denied for himself and for the other user.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test256AutzJackSelfAccountsPartialControl() throws Exception {
        displayTestTitle("test256AutzJackSelfAccountsPartialControl");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa0b");
        assignAccountToUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "10000000-0000-0000-0000-000000000004", null);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
        login("jack");
        displayWhen("test256AutzJackSelfAccountsPartialControl");
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertAddDeny();
        // Item-level control on the own user: nickName may be modified, honorificPrefix may not.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_NICK_NAME, PrismTestUtil.createPolyString("jackie"));
        assertModifyDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();
        assertDeleteDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        String singleLinkOid = getSingleLinkOid(user);
        assertGetAllow(ShadowType.class, singleLinkOid);
        PrismObject object = getObject(ShadowType.class, singleLinkOid);
        display("Jack's shadow", object);
        Task createTask = createTask("test256AutzJackSelfAccountsPartialControl");
        OperationResult result = createTask.getResult();
        RefinedObjectClassDefinition editObjectClassDefinition = this.modelInteractionService.getEditObjectClassDefinition(object, getDummyResourceObject(), (AuthorizationPhaseType) null, createTask, result);
        display("Refined objectclass def", editObjectClassDefinition);
        // The three booleans are presumably (read, add, modify); confirm against assertAttributeFlags.
        // Only "location" has all three set; UID, name and "weapon" have only the first.
        assertAttributeFlags(editObjectClassDefinition, SchemaConstants.ICFS_UID, true, false, false);
        assertAttributeFlags(editObjectClassDefinition, SchemaConstants.ICFS_NAME, true, false, false);
        assertAttributeFlags(editObjectClassDefinition, new QName("location"), true, true, true);
        assertAttributeFlags(editObjectClassDefinition, new QName("weapon"), true, false, false);
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        assertAddDeny(ACCOUNT_JACK_DUMMY_RED_FILE);
        assertAddDeny(ACCOUNT_GUYBRUSH_DUMMY_FILE);
        // Password change is denied for jack himself and for the other user ("nbusr123" is a test fixture value).
        assertPasswordChangeDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "nbusr123");
        assertPasswordChangeDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", "nbusr123");
        // The REQUEST-phase edit definition must agree with the deny above: PASSWORD_PATH has only the first flag set.
        assertItemFlags(this.modelInteractionService.getEditObjectDefinition(user, AuthorizationPhaseType.REQUEST, createTask, result), PASSWORD_PATH, true, false, false);
        assertGlobalStateUntouched();
    }

    /**
     * Variant of the partial-control scenario using role {@code ...ab0b}. The asserted difference is
     * that jack may change his own password, while changing the other user's password stays denied.
     *
     * <p>All other expectations (own-user item control, account attribute flags, denied account
     * adds) repeat those asserted for role {@code ...aa0b} in test256.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test258AutzJackSelfAccountsPartialControlPassword() throws Exception {
        displayTestTitle("test258AutzJackSelfAccountsPartialControlPassword");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000ab0b");
        assignAccountToUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "10000000-0000-0000-0000-000000000004", null);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
        login("jack");
        displayWhen("test258AutzJackSelfAccountsPartialControlPassword");
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertAddDeny();
        // Item-level control on the own user: nickName may be modified, honorificPrefix may not.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_NICK_NAME, PrismTestUtil.createPolyString("jackie"));
        assertModifyDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertDeleteDeny();
        assertDeleteDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        String singleLinkOid = getSingleLinkOid(user);
        assertGetAllow(ShadowType.class, singleLinkOid);
        PrismObject object = getObject(ShadowType.class, singleLinkOid);
        display("Jack's shadow", object);
        Task createTask = createTask("test258AutzJackSelfAccountsPartialControlPassword");
        OperationResult result = createTask.getResult();
        RefinedObjectClassDefinition editObjectClassDefinition = this.modelInteractionService.getEditObjectClassDefinition(object, getDummyResourceObject(), (AuthorizationPhaseType) null, createTask, result);
        display("Refined objectclass def", editObjectClassDefinition);
        // The three booleans are presumably (read, add, modify); confirm against assertAttributeFlags.
        assertAttributeFlags(editObjectClassDefinition, SchemaConstants.ICFS_UID, true, false, false);
        assertAttributeFlags(editObjectClassDefinition, SchemaConstants.ICFS_NAME, true, false, false);
        assertAttributeFlags(editObjectClassDefinition, new QName("location"), true, true, true);
        assertAttributeFlags(editObjectClassDefinition, new QName("weapon"), true, false, false);
        assertGetDeny(ShadowType.class, AbstractConfiguredModelIntegrationTest.ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
        assertAddDeny(ACCOUNT_JACK_DUMMY_RED_FILE);
        assertAddDeny(ACCOUNT_GUYBRUSH_DUMMY_FILE);
        // The point of this test: own password change is allowed, the other user's is still denied
        // ("nbusr123" is a test fixture value).
        assertPasswordChangeAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "nbusr123");
        assertPasswordChangeDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", "nbusr123");
        // NOTE(review): the REQUEST-phase flags for PASSWORD_PATH are the same (true, false, false) as
        // in test256, where the password change is denied. Presumably the allowing authorization does
        // not apply to the REQUEST phase; confirm against the role definition.
        assertItemFlags(this.modelInteractionService.getEditObjectDefinition(user, AuthorizationPhaseType.REQUEST, createTask, result), PASSWORD_PATH, true, false, false);
        assertGlobalStateUntouched();
    }

    /**
     * Verifies the authorizations jack has with role {@code ...aa0e} assigned (presumably an
     * object-filter based role covering users by location plus shadows, judging by the test name;
     * confirm against the role definition).
     *
     * <p>Asserted boundary: raw get and raw search are denied even for objects jack may otherwise
     * read; users outside the filter are invisible to search (0 results) and cannot be modified.
     * The test ends with an administrator cleanup that unlinks the account added during the test.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test260AutzJackObjectFilterLocationShadowRole() throws Exception {
        displayTestTitle("test260AutzJackObjectFilterLocationShadowRole");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa0e");
        login("jack");
        // NOTE(review): unlike the self-accounts tests, the policy switch runs after login("jack").
        // Confirm that assumeAssignmentPolicy does not depend on the caller's authorizations.
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
        displayWhen("test260AutzJackObjectFilterLocationShadowRole");
        // Get: own object allowed only without the raw option; the other user is denied both ways.
        assertGetAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertGetDeny(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        // Search: result counts reflect the filter, and the same counts must hold when searching
        // through the ObjectType supertype. Raw searches are denied outright.
        assertSearch(UserType.class, null, 2);
        assertSearch(ObjectType.class, null, 8);
        assertSearch(OrgType.class, null, 6);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(ObjectType.class, createNameQuery("jack"), 1);
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(ObjectType.class, createNameQuery("guybrush"), 0);
        assertAddDeny();
        // Modify: allowed for jack and for user ...112 (presumably matching the location filter), denied for ...116.
        assertModifyAllow(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
        assertModifyDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
        assertModifyAllow(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111112", UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
        assertDeleteDeny();
        // Linking a new account to jack is allowed, and the resulting shadow must be readable by jack.
        assertAllow("add jack's account to jack", (task, operationResult) -> {
            modifyUserAddAccount(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ACCOUNT_JACK_DUMMY_RED_FILE, task, operationResult);
        });
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        display("Jack after red account link", user);
        String linkRefOid = getLinkRefOid(user, "10000000-0000-0000-0000-000000000104");
        AssertJUnit.assertNotNull("Strange, red account not linked to jack", linkRefOid);
        assertGetAllow(ShadowType.class, linkRefOid);
        assertGlobalStateUntouched();
        // Cleanup as administrator: delete the linkRef added above so that jack ends with no links.
        displayCleanup("test260AutzJackObjectFilterLocationShadowRole");
        login("administrator");
        Task createTask = createTask("test260AutzJackObjectFilterLocationShadowRole");
        PrismObject parseObject = PrismTestUtil.parseObject(ACCOUNT_JACK_DUMMY_RED_FILE);
        // The parsed account gets the OID of the linked shadow so the delete delta targets that link.
        parseObject.setOid(linkRefOid);
        ObjectDelta createEmptyModifyDelta = ObjectDelta.createEmptyModifyDelta(UserType.class, AbstractConfiguredModelIntegrationTest.USER_JACK_OID, this.prismContext);
        createEmptyModifyDelta.addModification(ReferenceDelta.createModificationDelete(UserType.F_LINK_REF, getUserDefinition(), parseObject));
        executeChanges(createEmptyModifyDelta, null, createTask, createTask.getResult());
        assertLinks(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 0);
    }

    /**
     * Verifies that jack, with role {@code ...aa0h} assigned, is allowed to add the user from
     * {@code USER_ANGELICA_FILE}, and that the created user ends up with role {@code ...aad1}
     * assigned and an account on resource {@code ...0004}.
     *
     * <p>NOTE(review): the method name says "Angelica" while the title strings passed to the
     * display helpers say "Jack"; the user file constant says ANGELICA while the username looked
     * up is "angelika". No removal of the created user is visible in this method; confirm that a
     * later cleanup covers it.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test261AutzAngelicaObjectFilterLocationCreateUserShadowRole() throws Exception {
        displayTestTitle("test261AutzJackObjectFilterLocationCreateUserShadowRole");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa0h");
        login("jack");
        // The policy switch runs after login("jack"), i.e. while jack is the logged-in user.
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        displayWhen("test261AutzJackObjectFilterLocationCreateUserShadowRole");
        // The operation under test: adding a user while logged in as jack.
        assertAllow("add user angelica", (task, operationResult) -> {
            addObject(USER_ANGELICA_FILE, task, operationResult);
        });
        TestUtil.displayThen("test261AutzJackObjectFilterLocationCreateUserShadowRole");
        // Verification is done as administrator, so it does not depend on what jack is allowed to read.
        login("administrator");
        PrismObject findUserByUsername = findUserByUsername("angelika");
        display("angelica", findUserByUsername);
        assertUser(findUserByUsername, null, "angelika", "angelika", "angelika", "angelika");
        assertAssignedRole(findUserByUsername, "00000000-0000-0000-0000-00000000aad1");
        assertAccount(findUserByUsername, "10000000-0000-0000-0000-000000000004");
        assertGlobalStateUntouched();
    }

    /**
     * Verifies assignment authorizations jack has with role {@code ...aa0c} assigned (presumably
     * "may assign application roles", judging by the test name; confirm against the role definition).
     *
     * <p>Asserted boundary: jack may assign and unassign role {@code ...aaa1} to himself, while
     * assigning role {@code ...aab1} is denied. The assignable-role specification must list the
     * role types "application" and "nonexistent" and carry a {@code TypeFilter}.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test270AutzJackAssignApplicationRoles() throws Exception {
        displayTestTitle("test270AutzJackAssignApplicationRoles");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aa0c");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");
        displayWhen("test270AutzJackAssignApplicationRoles");
        // Baseline: reading is allowed (argument presumably an expected object count; confirm),
        // while the generic add, modify and delete checks are denied.
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user, 1);
        assertAssignedRole(user, "00000000-0000-0000-0000-00000000aa0c");
        assertAllow("assign application role to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task, operationResult);
        });
        PrismObject user2 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user2, 2);
        assertAssignedRole(user2, "00000000-0000-0000-0000-00000000aaa1");
        // The negative case: a role outside the allowed kind must not be assignable.
        assertDeny("assign business role to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task2, operationResult2);
        });
        assertAllow("unassign application role from jack", (task3, operationResult3) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task3, operationResult3);
        });
        // Back to the single authorization role: the denied assignment left nothing behind.
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);
        RoleSelectionSpecification assignableRoleSpecification = getAssignableRoleSpecification(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        assertRoleTypes(assignableRoleSpecification, new String[]{"application", "nonexistent"});
        assertFilter(assignableRoleSpecification.getFilter(), TypeFilter.class);
        // Assignment items jack may set when requesting role ...aaa1: targetRef and the activation validFrom/validTo.
        assertAllowRequestAssignmentItems(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", new ItemPath[]{SchemaConstants.PATH_ASSIGNMENT_TARGET_REF, SchemaConstants.PATH_ASSIGNMENT_ACTIVATION_VALID_FROM, SchemaConstants.PATH_ASSIGNMENT_ACTIVATION_VALID_TO});
        assertGlobalStateUntouched();
    }

    /**
     * Verifies assignment authorizations jack has with role {@code ...ab0c} assigned (presumably
     * "may assign any role", judging by the test name; confirm against the role definition).
     *
     * <p>Asserted boundary: both role {@code ...aaa1} and role {@code ...aab1} may be assigned,
     * the assignable-role specification lists no role types, and the generic add, modify and
     * delete checks are still denied.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test272AutzJackAssignAnyRoles() throws Exception {
        displayTestTitle("test272AutzJackAssignAnyRoles");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000ab0c");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");
        displayWhen("test272AutzJackAssignAnyRoles");
        // Baseline: the broad assignment right must not widen the generic add, modify and delete checks.
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user, 1);
        assertAssignedRole(user, "00000000-0000-0000-0000-00000000ab0c");
        assertAllow("assign application role to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task, operationResult);
        });
        PrismObject user2 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user2, 2);
        assertAssignedRole(user2, "00000000-0000-0000-0000-00000000aaa1");
        // Unlike test270, assigning role ...aab1 is expected to succeed here.
        assertAllow("assign business role to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task2, operationResult2);
        });
        assertAllow("unassign application role from jack", (task3, operationResult3) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task3, operationResult3);
        });
        // Two assignments remain: the authorization role and role ...aab1, which this method never unassigns.
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 2);
        RoleSelectionSpecification assignableRoleSpecification = getAssignableRoleSpecification(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        // An empty role-type list is expected here, in contrast to the two types listed in test270.
        assertRoleTypes(assignableRoleSpecification, new String[0]);
        assertFilter(assignableRoleSpecification.getFilter(), TypeFilter.class);
        // Compared with test270, the assignment description is additionally among the requestable items.
        assertAllowRequestAssignmentItems(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", new ItemPath[]{SchemaConstants.PATH_ASSIGNMENT_DESCRIPTION, SchemaConstants.PATH_ASSIGNMENT_TARGET_REF, SchemaConstants.PATH_ASSIGNMENT_ACTIVATION_VALID_FROM, SchemaConstants.PATH_ASSIGNMENT_ACTIVATION_VALID_TO});
        assertGlobalStateUntouched();
    }

    /**
     * Verifies that the assignment right given by role {@code ...ab0c} does not extend to
     * assignments that carry a policy exception or a policy rule.
     *
     * <p>Role {@code ...ab0c} is the one for which test272 asserts that plain assignments of
     * {@code ...aaa1} and {@code ...aab1} are allowed. Here the same targets are assigned with an
     * extra {@code PolicyExceptionType} or {@code PolicyRuleType} set on the assignment, and both
     * attempts must be denied, so a requester cannot attach their own exceptions or rules.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test273AutzJackRedyAssignmentExceptionRules() throws Exception {
        displayTestTitle("test273AutzJackRedyAssignmentExceptionRules");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000ab0c");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");
        displayWhen("test273AutzJackRedyAssignmentExceptionRules");
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user, 1);
        assertAssignedRole(user, "00000000-0000-0000-0000-00000000ab0c");
        // Case 1: assignment of ...aaa1 with a policy exception added by the requester must be denied.
        assertDeny("assign application role to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", null, assignmentType -> {
                PolicyExceptionType policyExceptionType = new PolicyExceptionType();
                policyExceptionType.setRuleName("whatever");
                assignmentType.getPolicyException().add(policyExceptionType);
            }, task, operationResult);
        });
        // The denied operation must not have left an assignment behind.
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);
        // Case 2: assignment of ...aab1 with a policy rule set by the requester must be denied.
        // NOTE(review): the label repeats "application role", but ...aab1 is labelled a business
        // role in the neighbouring tests; the label looks copied from case 1.
        assertDeny("assign application role to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", null, assignmentType -> {
                PolicyRuleType policyRuleType = new PolicyRuleType();
                policyRuleType.setName("whatever");
                assignmentType.setPolicyRule(policyRuleType);
            }, task2, operationResult2);
        });
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);
        assertGlobalStateUntouched();
    }

    /**
     * Verifies assignment authorizations jack has with role {@code ...ac0c} assigned (presumably
     * "may assign anything except application roles", judging by the test name; confirm against
     * the role definition).
     *
     * <p>Asserted boundary, the mirror image of test270: role {@code ...aab1} may be assigned and
     * unassigned, while assigning role {@code ...aaa1} is denied.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test274AutzJackAssignNonApplicationRoles() throws Exception {
        displayTestTitle("test274AutzJackAssignNonApplicationRoles");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000ac0c");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");
        displayWhen("test274AutzJackAssignNonApplicationRoles");
        // Baseline: reading is allowed; the generic add, modify and delete checks are denied.
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user, 1);
        assertAssignedRole(user, "00000000-0000-0000-0000-00000000ac0c");
        assertAllow("assign business role to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task, operationResult);
        });
        PrismObject user2 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user2, 2);
        assertAssignedRole(user2, "00000000-0000-0000-0000-00000000aab1");
        // The negative case: the excluded kind of role must not be assignable.
        assertDeny("assign application role to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task2, operationResult2);
        });
        assertAllow("unassign business role from jack", (task3, operationResult3) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task3, operationResult3);
        });
        // Only the authorization role remains after the unassign.
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);
        RoleSelectionSpecification assignableRoleSpecification = getAssignableRoleSpecification(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        assertRoleTypes(assignableRoleSpecification, new String[0]);
        assertFilter(assignableRoleSpecification.getFilter(), TypeFilter.class);
        assertGlobalStateUntouched();
    }

    /**
     * Verifies assignment authorizations jack has with role {@code ...ad0c} assigned (presumably
     * "may assign requestable roles", judging by the test name; confirm against the role definition).
     *
     * <p>Asserted boundary: role {@code ...aab1} may be assigned and unassigned, role
     * {@code ...aab2} may not. The assignable-role specification for the user carries a
     * {@code TypeFilter}, while the one computed for the role object {@code ...ad0c} carries a
     * {@code NoneFilter}.
     *
     * @throws Exception propagated from any of the helper assertions
     */
    @Test
    public void test275aAutzJackAssignRequestableRoles() throws Exception {
        displayTestTitle("test275aAutzJackAssignRequestableRoles");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000ad0c");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");
        displayWhen("test275aAutzJackAssignRequestableRoles");
        // Baseline: reading is allowed; the generic add, modify and delete checks are denied.
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user, 1);
        assertAssignedRole(user, "00000000-0000-0000-0000-00000000ad0c");
        assertAllow("assign business role to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task, operationResult);
        });
        PrismObject user2 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user2, 2);
        assertAssignedRole(user2, "00000000-0000-0000-0000-00000000aab1");
        // NOTE(review): the label says "application role", but the OID (...aab2) differs from the
        // ...aaa1 used under that label in the neighbouring tests. Presumably this is a second,
        // non-requestable business role; confirm against the role files.
        assertDeny("assign application role to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab2", task2, operationResult2);
        });
        assertAllow("unassign business role from jack", (task3, operationResult3) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aab1", task3, operationResult3);
        });
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);
        // Specification with the user as focus; the trailing int argument is 0 here and 1 below
        // (presumably an assignment/inducement order; confirm against getAssignableRoleSpecification).
        RoleSelectionSpecification assignableRoleSpecification = getAssignableRoleSpecification(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 0);
        assertRoleTypes(assignableRoleSpecification, new String[0]);
        assertFilter(assignableRoleSpecification.getFilter(), TypeFilter.class);
        // Specification with the role ...ad0c as focus: a NoneFilter is expected, i.e. nothing is selectable there.
        RoleSelectionSpecification assignableRoleSpecification2 = getAssignableRoleSpecification(getRole("00000000-0000-0000-0000-00000000ad0c"), RoleType.class, 1);
        display("Induceable role spec", assignableRoleSpecification2);
        assertRoleTypes(assignableRoleSpecification2, new String[0]);
        assertFilter(assignableRoleSpecification2.getFilter(), NoneFilter.class);
        assertGlobalStateUntouched();
    }

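    /**
     * Authorization test: with role {@code 9434bf5b-c088-456f-9286-84a1e5a0223c} as jack's only
     * assignment, jack must be allowed to assign org {@code 8f2bd344-a46c-4c0b-aa34-db08b7d7f7f2}
     * to himself and to unassign it again.
     *
     * <p>The filter from jack's assignable-role specification is also run as a search over
     * {@code AbstractRoleType}; the expected count of 9 pins the size of the assignable set, so a
     * change that widens or narrows it fails here.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test275bAutzJackAssignRequestableOrgs() throws Exception {
        final String testName = "test275bAutzJackAssignRequestableOrgs";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String grantedRoleOid = "9434bf5b-c088-456f-9286-84a1e5a0223c";
        final String requestableOrgOid = "8f2bd344-a46c-4c0b-aa34-db08b7d7f7f2";

        // Setup runs before login("jack"), i.e. not under jack's authorizations.
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, grantedRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        PrismObject userBefore = getUser(jackOid);
        assertAssignments(userBefore, 1);
        assertAssignedRole(userBefore, grantedRoleOid);

        assertAllow("assign requestable org to jack", (task, result) -> {
            assignOrg(jackOid, requestableOrgOid, task, result);
        });
        assertAssignments(getUser(jackOid), OrgType.class, 1);

        // Search with the filter the model hands out for "what may jack assign".
        RoleSelectionSpecification assignableSpec = getAssignableRoleSpecification(getUser(jackOid));
        assertRoleTypes(assignableSpec, new String[0]);
        ObjectQuery assignableQuery = new ObjectQuery();
        assignableQuery.addFilter(assignableSpec.getFilter());
        assertSearch(AbstractRoleType.class, assignableQuery, 9);

        // Label corrected: this step unassigns the org, not a business role.
        assertAllow("unassign requestable org from jack", (task, result) -> {
            unassignOrg(jackOid, requestableOrgOid, task, result);
        });
        assertAssignments(getUser(jackOid), OrgType.class, 0);
        assertGlobalStateUntouched();
    }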

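    /**
     * Authorization test: jack holds roles {@code ...ad0c} and
     * {@code a1265d34-f4b3-11e8-8bfe-c3482dfbb7fe} and then requests roles for himself.
     *
     * <p>Expected: reads allowed, add/modify/delete denied; assigning and unassigning role
     * {@code ...aab1} (labelled "business role") is allowed, assigning role {@code ...aab2}
     * (labelled "application role") is denied. The assignable-role filter for jack is a
     * {@link TypeFilter}. The specification requested for role {@code ...ad0c} at order 1 is
     * checked with an expected filter class of {@code null} — presumably "no restriction",
     * in contrast to the {@link NoneFilter} expected in test275a; confirm against
     * {@code assertFilter}.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test275cAutzJackAssignRequestableRolesAndInduceAnyRole() throws Exception {
        // Title now matches the method name so log sections can be correlated with the test.
        final String testName = "test275cAutzJackAssignRequestableRolesAndInduceAnyRole";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String requestRoleOid = "00000000-0000-0000-0000-00000000ad0c";
        final String induceRoleOid = "a1265d34-f4b3-11e8-8bfe-c3482dfbb7fe";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, requestRoleOid);
        assignRole(jackOid, induceRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject userBefore = getUser(jackOid);
        assertAssignments(userBefore, 2);
        assertAssignedRole(userBefore, requestRoleOid);

        assertAllow("assign business role to jack", (task, result) -> {
            assignRole(jackOid, businessRoleOid, task, result);
        });
        PrismObject userAfterAssign = getUser(jackOid);
        assertAssignments(userAfterAssign, 3);
        assertAssignedRole(userAfterAssign, businessRoleOid);

        // Negative case: a role outside the requestable set must stay out of reach.
        assertDeny("assign application role to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });

        assertAllow("unassign business role from jack", (task, result) -> {
            unassignRole(jackOid, businessRoleOid, task, result);
        });
        assertAssignments(getUser(jackOid), 2);

        RoleSelectionSpecification assignableSpec = getAssignableRoleSpecification(getUser(jackOid), 0);
        assertRoleTypes(assignableSpec, new String[0]);
        assertFilter(assignableSpec.getFilter(), TypeFilter.class);

        RoleSelectionSpecification induceableSpec = getAssignableRoleSpecification(getRole(requestRoleOid), RoleType.class, 1);
        display("Induceable role spec", induceableSpec);
        assertRoleTypes(induceableSpec, new String[0]);
        // NOTE(review): null expected class — presumably "no filter at all"; verify in assertFilter.
        assertFilter(induceableSpec.getFilter(), null);
        assertGlobalStateUntouched();
    }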

    /**
     * Authorization test for a role request that carries an org reference.
     *
     * <p>With role {@code ...ad0c} as his only assignment, jack may assign role {@code ...aab1}
     * (labelled "business role") parametrised with org {@code ...100000000004}, may not assign
     * role {@code ...aab2} (labelled "application role"), and may remove the parametric
     * assignment again. General add/modify/delete stay denied throughout.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test276AutzJackAssignRequestableRolesWithOrgRef() throws Exception {
        final String testName = "test276AutzJackAssignRequestableRolesWithOrgRef";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String grantedRoleOid = "00000000-0000-0000-0000-00000000ad0c";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";
        final String orgOid = "00000000-8888-6666-0000-100000000004";

        // Given: jack holds only the role under test, then the session switches to jack.
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, grantedRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        // When / then: baseline permissions.
        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject initialUser = getUser(jackOid);
        assertAssignments(initialUser, 1);
        assertAssignedRole(initialUser, grantedRoleOid);

        assertAllow("assign business role to jack", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, orgOid, null, task, result);
        });
        PrismObject userWithBusinessRole = getUser(jackOid);
        assertAssignments(userWithBusinessRole, 2);
        assertAssignedRole(userWithBusinessRole, businessRoleOid);

        // Negative case: the application role must not be self-assignable.
        assertDeny("assign application role to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });

        assertAllow("unassign business role from jack", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, orgOid, null, task, result);
        });
        PrismObject finalUser = getUser(jackOid);
        display("user after (expected 1 assignments)", finalUser);
        assertAssignments(finalUser, 1);

        RoleSelectionSpecification assignableSpec = getAssignableRoleSpecification(getUser(jackOid));
        assertRoleTypes(assignableSpec, new String[0]);
        assertFilter(assignableSpec.getFilter(), TypeFilter.class);
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: the same role requested several times with different parameters.
     *
     * <p>Jack (holding only role {@code ...ad0c}) assigns role {@code ...aab1} three times —
     * without parameters, with org {@code ...100000000004} ("MoR") and with org
     * {@code ...100000000006} ("Scumm") — and then removes the assignments one by one. The
     * assignment count is checked after every step, so each allowed operation must add or
     * remove exactly one assignment. Assigning role {@code ...aab2} stays denied in between.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test277AutzJackAssignRequestableRolesWithOrgRefSecondTime() throws Exception {
        final String testName = "test277AutzJackAssignRequestableRolesWithOrgRefSecondTime";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String grantedRoleOid = "00000000-0000-0000-0000-00000000ad0c";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";
        final String orgMorOid = "00000000-8888-6666-0000-100000000004";
        final String orgScummOid = "00000000-8888-6666-0000-100000000006";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, grantedRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject initialUser = getUser(jackOid);
        assertAssignments(initialUser, 1);
        assertAssignedRole(initialUser, grantedRoleOid);

        // Step 1: plain assignment, no org and no tenant.
        assertAllow("assign business role to jack (no param)", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, null, null, task, result);
        });
        PrismObject afterPlainAssign = getUser(jackOid);
        assertAssignments(afterPlainAssign, 2);
        assertAssignedRole(afterPlainAssign, businessRoleOid);

        // Step 2: same role, org MoR.
        assertAllow("assign business role to jack (org MoR)", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, orgMorOid, null, task, result);
        });
        PrismObject afterMorAssign = getUser(jackOid);
        assertAssignments(afterMorAssign, 3);
        display("user after (expected 3 assignments)", afterMorAssign);
        assertAssignedRole(afterMorAssign, businessRoleOid);

        // Step 3: same role, org Scumm.
        assertAllow("assign business role to jack (org Scumm)", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, orgScummOid, null, task, result);
        });
        PrismObject afterScummAssign = getUser(jackOid);
        assertAssignments(afterScummAssign, 4);
        display("user after (expected 4 assignments)", afterScummAssign);
        assertAssignedRole(afterScummAssign, businessRoleOid);

        // Step 4: remove only the Scumm-scoped assignment.
        assertAllow("unassign business role from jack (org Scumm)", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, orgScummOid, null, task, result);
        });
        PrismObject afterScummUnassign = getUser(jackOid);
        assertAssignments(afterScummUnassign, 3);
        display("user after (expected 3 assignments)", afterScummUnassign);
        assertAssignedRole(afterScummUnassign, businessRoleOid);

        // Negative case in the middle of the sequence.
        assertDeny("assign application role to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });

        // Step 5: remove the parameterless assignment.
        assertAllow("unassign business role from jack (no param)", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, null, null, task, result);
        });
        PrismObject afterPlainUnassign = getUser(jackOid);
        display("user after (expected 2 assignments)", afterPlainUnassign);
        assertAssignments(afterPlainUnassign, 2);

        // Step 6: remove the MoR-scoped assignment; only the granted role remains.
        assertAllow("unassign business role from jack (org MoR)", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, orgMorOid, null, task, result);
        });
        PrismObject finalUser = getUser(jackOid);
        display("user after (expected 1 assignments)", finalUser);
        assertAssignments(finalUser, 1);

        RoleSelectionSpecification assignableSpec = getAssignableRoleSpecification(getUser(jackOid));
        assertRoleTypes(assignableSpec, new String[0]);
        assertFilter(assignableSpec.getFilter(), TypeFilter.class);
        assertGlobalStateUntouched();
    }

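    /**
     * Authorization test: a hand-built assignment delta must be denied just like the helper call.
     *
     * <p>Jack (holding only role {@code ...ad0c}) first assigns role {@code ...aab1} with org
     * {@code ...100000000004}, which is allowed. The denied step does not go through
     * {@code assignRole}: it builds the assignment container value itself, sets the target
     * reference to role {@code ...aab2} with a {@code null} relation, gives the value an explicit
     * container id (123) and submits the delta directly to {@code modelService.executeChanges}.
     * The authorization decision therefore has to hold for a delta whose shape differs from what
     * the test helpers produce.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test278AutzJackAssignRequestableRolesWithOrgRefTweakedDelta() throws Exception {
        final String testName = "test278AutzJackAssignRequestableRolesWithOrgRefTweakedDelta";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String grantedRoleOid = "00000000-0000-0000-0000-00000000ad0c";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";
        final String orgOid = "00000000-8888-6666-0000-100000000004";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, grantedRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject userBefore = getUser(jackOid);
        assertAssignments(userBefore, 1);
        assertAssignedRole(userBefore, grantedRoleOid);

        assertAllow("assign business role to jack", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, orgOid, null, task, result);
        });
        PrismObject userAfterAssign = getUser(jackOid);
        assertAssignments(userAfterAssign, 2);
        assertAssignedRole(userAfterAssign, businessRoleOid);

        assertDeny("assign application role to jack", (task, result) -> {
            ArrayList modifications = new ArrayList();
            ContainerDelta assignmentDelta = ContainerDelta.createDelta(UserType.F_ASSIGNMENT, getUserDefinition());
            PrismContainerValue assignmentValue = new PrismContainerValue(this.prismContext);
            assignmentDelta.addValueToAdd(assignmentValue);
            PrismReference targetRef = assignmentValue.findOrCreateReference(AssignmentType.F_TARGET_REF);
            targetRef.getValue().setOid(applicationRoleOid);
            targetRef.getValue().setTargetType(RoleType.COMPLEX_TYPE);
            targetRef.getValue().setRelation((QName) null);
            // The explicit container id is the "tweak": the client, not the server, picks it.
            assignmentValue.setId(123L);
            modifications.add(assignmentDelta);
            ObjectDelta userDelta = ObjectDelta.createModifyDelta(jackOid, modifications, UserType.class, this.prismContext);
            this.modelService.executeChanges(MiscSchemaUtil.createCollection(new ObjectDelta[]{userDelta}), (ModelExecuteOptions) null, task, result);
        });

        assertAllow("unassign business role from jack", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, orgOid, null, task, result);
        });
        PrismObject userAfterUnassign = getUser(jackOid);
        // Message corrected to agree with the assertion below (1 assignment, not 2).
        display("user after (expected 1 assignments)", userAfterUnassign);
        assertAssignments(userAfterUnassign, 1);

        RoleSelectionSpecification assignableSpec = getAssignableRoleSpecification(getUser(jackOid));
        assertRoleTypes(assignableSpec, new String[0]);
        assertFilter(assignableSpec.getFilter(), TypeFilter.class);
        assertGlobalStateUntouched();
    }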

    /**
     * Authorization test for a role request that carries a tenant reference.
     *
     * <p>Mirrors the org-reference case: jack (holding only role {@code ...ad0c}) may assign and
     * unassign role {@code ...aab1} parametrised with tenant {@code ...100000000001}; assigning
     * role {@code ...aab2} is denied; add/modify/delete stay denied.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test279AutzJackAssignRequestableRolesWithTenantRef() throws Exception {
        final String testName = "test279AutzJackAssignRequestableRolesWithTenantRef";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String grantedRoleOid = "00000000-0000-0000-0000-00000000ad0c";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";
        final String tenantOid = "00000000-8888-6666-0000-100000000001";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, grantedRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        PrismObject initialUser = getUser(jackOid);
        assertAssignments(initialUser, 1);
        assertAssignedRole(initialUser, grantedRoleOid);

        // Org argument stays null; only the tenant reference is supplied.
        assertAllow("assign business role to jack", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, null, tenantOid, task, result);
        });
        PrismObject userWithBusinessRole = getUser(jackOid);
        assertAssignments(userWithBusinessRole, 2);
        assertAssignedRole(userWithBusinessRole, businessRoleOid);

        assertDeny("assign application role to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });

        assertAllow("unassign business role from jack", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, null, tenantOid, task, result);
        });
        PrismObject finalUser = getUser(jackOid);
        display("user after (expected 1 assignments)", finalUser);
        assertAssignments(finalUser, 1);

        RoleSelectionSpecification assignableSpec = getAssignableRoleSpecification(getUser(jackOid));
        assertRoleTypes(assignableSpec, new String[0]);
        assertFilter(assignableSpec.getFilter(), TypeFilter.class);
        assertGlobalStateUntouched();
    }

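    /**
     * Authorization test for role {@code ...aa0f} (the "end user" case, going by the test name).
     *
     * <p>What is pinned down, as jack:
     * <ul>
     *   <li>raw reads of user objects are denied, including jack's own object;</li>
     *   <li>user {@code c0c010c0-d34d-b33f-f00d-111111111116} is not readable, and a user search
     *       returns only jack;</li>
     *   <li>add, modify, delete and metadata modification are denied;</li>
     *   <li>jack may change his own password and the password on his own linked shadow, but not
     *       the other user's password;</li>
     *   <li>jack may assign role {@code ...aab1} (with a tenant reference) and role
     *       {@code ...aad1}, may not assign role {@code ...aab2}, and may not unassign either of
     *       the roles he requested.</li>
     * </ul>
     * Finishes by checking the credentials policy resolved for jack.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test280AutzJackEndUser() throws Exception {
        final String testName = "test280AutzJackEndUser";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";
        final String endUserRoleOid = "00000000-0000-0000-0000-00000000aa0f";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";
        final String basicRoleOid = "00000000-0000-0000-0000-00000000aad1";
        final String tenantOid = "00000000-8888-6666-0000-100000000001";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, endUserRoleOid);
        PrismObject userBeforeLogin = getUser(jackOid);
        assertAssignments(userBeforeLogin, 1);
        assertLinks(userBeforeLogin, 0);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);

        // Read side: the raw option must not open a path around the read authorization.
        assertGetDeny(UserType.class, jackOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertGetDeny(UserType.class, otherUserOid);
        assertGetDeny(UserType.class, otherUserOid, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, null, 1);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearchDeny(UserType.class, createNameQuery("jack"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);
        assertSearchDeny(UserType.class, createNameQuery("guybrush"), SelectorOptions.createCollection(GetOperationOptions.createRaw()));

        // Write side: nothing beyond own password and role requests.
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertModifyMetadataDeny(UserType.class, jackOid);
        assertModifyMetadataDeny(UserType.class, otherUserOid);
        assertPasswordChangeAllow(UserType.class, jackOid, "nbusr123");
        assertPasswordChangeDeny(UserType.class, otherUserOid, "nbusr123");

        assertAllow("assign business role to jack", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, null, tenantOid, task, result);
        });
        PrismObject userAfterBusinessRole = getUser(jackOid);
        assertAssignments(userAfterBusinessRole, 2);
        assertAssignedRole(userAfterBusinessRole, businessRoleOid);

        assertDeny("assign application role to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });
        // Requesting is allowed, giving the role back is not.
        assertDeny("unassign business role from jack", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, null, tenantOid, task, result);
        });
        PrismObject userAfterDeniedUnassign = getUser(jackOid);
        // Message corrected to agree with the assertion below (2 assignments, not 3).
        display("user after (expected 2 assignments)", userAfterDeniedUnassign);
        assertAssignments(userAfterDeniedUnassign, 2);

        assertAllow("assign basic role to jack", (task, result) -> {
            assignRole(jackOid, basicRoleOid, task, result);
        });
        PrismObject userAfterBasicRole = getUser(jackOid);
        display("user after (expected 3 assignments)", userAfterBasicRole);
        assertAssignments(userAfterBasicRole, 3);

        // After the basic role is assigned jack has exactly one linked shadow, readable by him.
        String shadowOid = getSingleLinkOid(userAfterBasicRole);
        display("account shadow", assertGetAllow(ShadowType.class, shadowOid));
        assertPasswordChangeAllow(UserType.class, jackOid, "nbusr321");
        assertPasswordChangeDeny(UserType.class, otherUserOid, "nbusr321");
        assertPasswordChangeAllow(ShadowType.class, shadowOid, "nbusr231");

        assertDeny("unassign basic role from jack", (task, result) -> {
            unassignRole(jackOid, basicRoleOid, task, result);
        });
        PrismObject userAtEnd = getUser(jackOid);
        display("user after (expected 3 assignments)", userAtEnd);
        assertAssignments(userAtEnd, 3);
        assertGlobalStateUntouched();
        assertCredentialsPolicy(userAtEnd);
    }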

    /**
     * Authorization test: role {@code ...aa0f} with the same role requested twice.
     *
     * <p>Jack assigns role {@code ...aab1} once without parameters and once with tenant
     * {@code ...100000000001}; both are allowed. Assigning role {@code ...aab2} and unassigning
     * the tenant-scoped {@code ...aab1} assignment are denied, so the count stays at 3. Finishes
     * by checking the credentials policy resolved for jack.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test281AutzJackEndUserSecondTime() throws Exception {
        final String testName = "test281AutzJackEndUserSecondTime";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String endUserRoleOid = "00000000-0000-0000-0000-00000000aa0f";
        final String businessRoleOid = "00000000-0000-0000-0000-00000000aab1";
        final String applicationRoleOid = "00000000-0000-0000-0000-00000000aab2";
        final String tenantOid = "00000000-8888-6666-0000-100000000001";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, endUserRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        PrismObject initialUser = getUser(jackOid);
        assertAssignments(initialUser, 1);
        // Second read whose result is unused; kept so the sequence of model calls is unchanged.
        getUser(jackOid);

        assertAllow("assign business role to jack (no param)", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, null, null, task, result);
        });
        PrismObject afterPlainAssign = getUser(jackOid);
        assertAssignments(afterPlainAssign, 2);
        assertAssignedRole(afterPlainAssign, businessRoleOid);

        assertAllow("assign business role to jack (org governor)", (task, result) -> {
            assignParametricRole(jackOid, businessRoleOid, null, tenantOid, task, result);
        });
        PrismObject afterTenantAssign = getUser(jackOid);
        assertAssignments(afterTenantAssign, 3);
        assertAssignedRole(afterTenantAssign, businessRoleOid);

        // Both negative cases must leave the assignment list untouched.
        assertDeny("assign application role to jack", (task, result) -> {
            assignRole(jackOid, applicationRoleOid, task, result);
        });
        assertDeny("unassign business role from jack", (task, result) -> {
            unassignParametricRole(jackOid, businessRoleOid, null, tenantOid, task, result);
        });

        PrismObject finalUser = getUser(jackOid);
        display("user after (expected 3 assignments)", finalUser);
        assertAssignments(finalUser, 3);
        assertGlobalStateUntouched();
        assertCredentialsPolicy(finalUser);
    }

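    /**
     * Asserts that the model resolves a credentials policy for the given user and that the policy
     * defines exactly two security questions.
     *
     * <p>The lookup runs with a {@code null} task and a fresh {@link OperationResult}, which must
     * end in success. The security-questions section is checked for presence first, so a policy
     * without that section fails with a readable assertion message instead of a
     * {@code NullPointerException}.
     *
     * @param prismObject the user whose effective credentials policy is checked
     * @throws ObjectNotFoundException declared by the model call
     * @throws SchemaException declared by the model call
     * @throws CommunicationException declared by the model call
     * @throws ConfigurationException declared by the model call
     * @throws SecurityViolationException declared by the model call
     * @throws ExpressionEvaluationException declared by the model call
     */
    private void assertCredentialsPolicy(PrismObject<UserType> prismObject) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult result = new OperationResult("assertCredentialsPolicy");
        CredentialsPolicyType credentialsPolicy = this.modelInteractionService.getCredentialsPolicy(prismObject, (Task) null, result);
        result.computeStatus();
        TestUtil.assertSuccess(result);
        AssertJUnit.assertNotNull("No credentials policy for " + prismObject, credentialsPolicy);
        AssertJUnit.assertNotNull("No security questions in credentials policy for " + prismObject, credentialsPolicy.getSecurityQuestions());
        // Typo in the original message ("Unexepected") corrected.
        AssertJUnit.assertEquals("Unexpected number of security questions for " + prismObject, 2, credentialsPolicy.getSecurityQuestions().getQuestion().size());
    }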

    /**
     * Authorization test: role {@code ...aa0f} assigned first, role {@code ...aa0g} second.
     *
     * <p>With both roles jack can read and modify (add and delete stay denied), and replacing
     * his own {@code familyName} succeeds. Its sibling test assigns the same two roles in the
     * opposite order, so the pair checks that the outcome does not depend on assignment order.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test282AutzJackEndUserAndModify() throws Exception {
        final String testName = "test282AutzJackEndUserAndModify";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String firstRoleOid = "00000000-0000-0000-0000-00000000aa0f";
        final String secondRoleOid = "00000000-0000-0000-0000-00000000aa0g";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, firstRoleOid);
        assignRole(jackOid, secondRoleOid);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyAllow();
        assertDeleteDeny();

        PrismObject userBefore = getUser(jackOid);
        assertAssignments(userBefore, 2);

        assertAllow("modify jack's familyName", (task, result) -> {
            modifyObjectReplaceProperty(UserType.class, jackOid, new ItemPath(new QName[]{UserType.F_FAMILY_NAME}), task, result, new Object[]{PrismTestUtil.createPolyString("changed")});
        });

        // Everything except the family name must still carry the original values.
        PrismObject userAfter = getUser(jackOid);
        assertUser(userAfter, jackOid, "jack", "Jack Sparrow", AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, "changed");
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test: role {@code ...aa0g} assigned first, role {@code ...aa0f} second.
     *
     * <p>Same expectations as the sibling test that assigns the two roles the other way round:
     * read and modify allowed, add and delete denied, and jack can replace his own
     * {@code familyName}.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test283AutzJackModifyAndEndUser() throws Exception {
        final String testName = "test283AutzJackModifyAndEndUser";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // Given: the two roles, in the reverse of the sibling test's order.
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        for (String roleOid : new String[]{"00000000-0000-0000-0000-00000000aa0g", "00000000-0000-0000-0000-00000000aa0f"}) {
            assignRole(jackOid, roleOid);
        }
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        // When / then
        displayWhen(testName);
        assertReadAllow(12);
        assertAddDeny();
        assertModifyAllow();
        assertDeleteDeny();
        assertAssignments(getUser(jackOid), 2);

        assertAllow("modify jack's familyName", (task, result) -> {
            modifyObjectReplaceProperty(UserType.class, jackOid, new ItemPath(new QName[]{UserType.F_FAMILY_NAME}), task, result, new Object[]{PrismTestUtil.createPolyString("changed")});
        });

        PrismObject modifiedUser = getUser(jackOid);
        assertUser(modifiedUser, jackOid, "jack", "Jack Sparrow", AbstractConfiguredModelIntegrationTest.USER_JACK_GIVEN_NAME, "changed");
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test for role {@code 91b9e546-ded6-11e5-9e87-171d047c57d1} (the "role owner
     * assign" case, going by the test name).
     *
     * <p>As jack: reads are allowed and add/modify/delete denied; assigning and unassigning role
     * {@code ...aaa1} is allowed while assigning role {@code ...aaa2} is denied. The
     * assignable-role specification must be a {@link TypeFilter} for {@code RoleType} wrapping a
     * {@link RefFilter} with exactly one value whose OID is jack's own OID — presumably a match
     * on the role's owner reference; the filter path is not asserted here.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test290AutzJackRoleOwnerAssign() throws Exception {
        displayTestTitle("test290AutzJackRoleOwnerAssign");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "91b9e546-ded6-11e5-9e87-171d047c57d1");
        // Remove the account assignment so jack starts with one assignment and no links.
        unassignAccountFromUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "10000000-0000-0000-0000-000000000004", null);
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user, 1);
        assertLinks(user, 0);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        // Everything below runs as jack.
        login("jack");
        displayWhen("test290AutzJackRoleOwnerAssign");
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        PrismObject user2 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user2, 1);
        assertAssignedRole(user2, "91b9e546-ded6-11e5-9e87-171d047c57d1");
        // Positive case: role ...aaa1 is assignable by jack.
        assertAllow("assign application role 1 to jack", (task, operationResult) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task, operationResult);
        });
        PrismObject user3 = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        assertAssignments(user3, 2);
        assertAssignedRole(user3, "00000000-0000-0000-0000-00000000aaa1");
        // Negative case: role ...aaa2 is not (presumably jack is not its owner — verify in the test data).
        assertDeny("assign application role 2 to jack", (task2, operationResult2) -> {
            assignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa2", task2, operationResult2);
        });
        assertAllow("unassign application role 1 from jack", (task3, operationResult3) -> {
            unassignRole(AbstractConfiguredModelIntegrationTest.USER_JACK_OID, "00000000-0000-0000-0000-00000000aaa1", task3, operationResult3);
        });
        assertAssignments(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID), 1);
        // The filter handed out for role selection must be scoped to jack, not open-ended.
        RoleSelectionSpecification assignableRoleSpecification = getAssignableRoleSpecification(getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID));
        assertRoleTypes(assignableRoleSpecification, new String[0]);
        assertFilter(assignableRoleSpecification.getFilter(), TypeFilter.class);
        AssertJUnit.assertEquals("Wrong type filter type", RoleType.COMPLEX_TYPE, assignableRoleSpecification.getFilter().getType());
        // Inner filter of the type filter: a reference filter with a single value.
        RefFilter filter = assignableRoleSpecification.getFilter().getFilter();
        assertFilter(filter, RefFilter.class);
        AssertJUnit.assertEquals(1, filter.getValues().size());
        AssertJUnit.assertEquals("Wrong OID in ref filter", AbstractConfiguredModelIntegrationTest.USER_JACK_OID, ((PrismReferenceValue) filter.getValues().get(0)).getOid());
        assertGlobalStateUntouched();
    }

    /**
     * Authorization test for role {@code 9c6e597e-dbd7-11e5-a538-97834c1cd5ba} (the "role owner
     * full control" case, going by the test name).
     *
     * <p>As jack: his own user object is readable, user
     * {@code c0c010c0-d34d-b33f-f00d-111111111116} is not, a user search returns only jack, the
     * generic add/modify/delete checks are denied, and a role search returns exactly 2 roles.
     *
     * @throws Exception if a setup step or an assertion helper fails
     */
    @Test
    public void test292AutzJackRoleOwnerFullControl() throws Exception {
        final String testName = "test292AutzJackRoleOwnerFullControl";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";

        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "9c6e597e-dbd7-11e5-a538-97834c1cd5ba");
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        login("jack");

        displayWhen(testName);

        // User visibility: self only.
        assertGetAllow(UserType.class, jackOid);
        assertGetDeny(UserType.class, otherUserOid);
        assertSearch(UserType.class, null, 1);
        assertSearch(UserType.class, createNameQuery("jack"), 1);
        assertSearch(UserType.class, createNameQuery("guybrush"), 0);

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        // Role visibility: the count pins how many roles jack can see with this role.
        assertSearch(RoleType.class, null, 2);
        assertGlobalStateUntouched();
    }

    /**
     * Checks which roles jack may assign when he holds role
     * {@code 5856eb42-319f-11e7-8e26-a7c6d1a855fc} and an assignment to org
     * {@code 00000000-8888-6666-0000-100000000004}.
     *
     * <p>The assignable-role specification is computed for two target users (jack himself and the
     * user behind {@code userRumRogersOid}); in both cases the filter must select exactly the
     * object with OID {@code 00000000-0000-0000-0000-00000000aab3}.
     */
    @Test
    public void test295AutzJackAssignOrgRelation() throws Exception {
        final String testName = "test295AutzJackAssignOrgRelation";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "5856eb42-319f-11e7-8e26-a7c6d1a855fc");
        assignOrg(jackOid, "00000000-8888-6666-0000-100000000004", null);
        login("jack");

        // WHEN
        displayWhen(testName);

        // THEN: specification for jack as the assignment target
        RoleSelectionSpecification jackSpec = getAssignableRoleSpecification(getUser(jackOid));
        display("Spec (jack)", jackSpec);
        assertRoleTypes(jackSpec, new String[0]);

        // The same task instance (and its result) is reused for both searches below.
        Task searchTask = this.taskManager.createTaskInstance();
        SearchResultList jackAssignable = this.modelService.searchObjects(
                AbstractRoleType.class,
                ObjectQuery.createObjectQuery(jackSpec.getFilter()),
                (Collection) null,
                searchTask,
                searchTask.getResult());
        display("Assignable roles", jackAssignable);
        assertObjectOids("Wrong assignable roles (jack)", jackAssignable, new String[]{"00000000-0000-0000-0000-00000000aab3"});

        // THEN: specification for the second target user
        RoleSelectionSpecification rumSpec = getAssignableRoleSpecification(getUser(this.userRumRogersOid));
        display("Spec (rum)", rumSpec);
        assertRoleTypes(rumSpec, new String[0]);

        SearchResultList rumAssignable = this.modelService.searchObjects(
                AbstractRoleType.class,
                ObjectQuery.createObjectQuery(rumSpec.getFilter()),
                (Collection) null,
                searchTask,
                searchTask.getResult());
        display("Assignable roles", rumAssignable);
        assertObjectOids("Wrong assignable roles (rum)", rumAssignable, new String[]{"00000000-0000-0000-0000-00000000aab3"});

        assertGlobalStateUntouched();
    }

    /**
     * Checks that an anonymous login has no access.
     *
     * <p>Jack's user object is loaded before the anonymous login and handed to
     * {@code assertNoAccess} as the object the denied operations are tried against.
     */
    @Test
    public void test300AutzAnonymous() throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // GIVEN
        displayTestTitle("test300AutzAnonymous");
        cleanupAutzTest(jackOid);
        // Fetched before switching identity, so the read itself is not subject to the anonymous login.
        PrismObject jackBeforeLogin = getUser(jackOid);

        // WHEN
        loginAnonymous();

        // THEN
        assertNoAccess(jackBeforeLogin);
        assertGlobalStateUntouched();
    }

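    /**
     * Checks privilege elevation for jack without any role: no access before the privileged block,
     * superuser-level access inside it, and no access again afterwards.
     *
     * <p>The final {@code assertNoAccess} is the security-relevant part: it verifies that the
     * elevation done by {@code runPrivileged} does not outlive the block.
     */
    @Test
    public void test310AutzJackNoRolePrivileged() throws Exception {
        displayTestTitle("test310AutzJackNoRolePrivileged");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        // Loaded before login("jack"), so this read does not depend on jack's (empty) authorizations.
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        login("jack");

        // Baseline: without roles jack must not be able to do anything.
        assertNoAccess(user);

        runPrivileged(() -> {
            try {
                assertSuperuserAccess(12);
                return null;
            } catch (Exception e) {
                // The exception has to be thrown, not just constructed. Otherwise any Exception
                // raised by the superuser checks inside the privileged block is silently dropped
                // and the test passes even though the elevated access did not work.
                throw new RuntimeException(e.getMessage(), e);
            }
        });

        // Elevation must be gone once the privileged block has finished.
        assertNoAccess(user);
        assertGlobalStateUntouched();
    }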

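    /**
     * Checks privilege elevation for an anonymous login: no access before the privileged block,
     * superuser-level access inside it, and no access again afterwards.
     *
     * <p>The final {@code assertNoAccess} verifies that the elevation done by
     * {@code runPrivileged} does not outlive the block.
     */
    @Test
    public void test312AutzAnonymousPrivileged() throws Exception {
        displayTestTitle("test312AutzAnonymousPrivileged");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        // Loaded before the anonymous login, so this read is not subject to it.
        PrismObject user = getUser(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        loginAnonymous();

        // Baseline: anonymous must not be able to do anything.
        assertNoAccess(user);

        runPrivileged(() -> {
            try {
                assertSuperuserAccess(12);
                return null;
            } catch (Exception e) {
                // The exception has to be thrown, not just constructed. Otherwise any Exception
                // raised by the superuser checks inside the privileged block is silently dropped
                // and the test passes even though the elevated access did not work.
                throw new RuntimeException(e.getMessage(), e);
            }
        });

        // Elevation must be gone once the privileged block has finished.
        assertNoAccess(user);
        assertGlobalStateUntouched();
    }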

    /**
     * Checks that running an empty privileged block under an anonymous login leaves the session
     * without access afterwards, i.e. the pre-block authorization state is restored.
     */
    @Test
    public void test313AutzAnonymousPrivilegedRestore() throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // GIVEN
        displayTestTitle("test313AutzAnonymousPrivilegedRestore");
        cleanupAutzTest(jackOid);
        PrismObject jackBeforeLogin = getUser(jackOid);
        loginAnonymous();

        // WHEN: a privileged block that does nothing
        runPrivileged(() -> null);

        // THEN: still no access once the block has returned
        assertNoAccess(jackBeforeLogin);
        assertGlobalStateUntouched();
    }

    /**
     * Authorization check for jack holding role {@code 475e37e8-b178-11e6-8339-83e2fa7b9828}.
     *
     * <p>Expected outcome as asserted below: read access is allowed (with an expected count of 12),
     * add/modify/delete are denied, and certification cases and audit records can be read.
     */
    @Test
    public void test360AutzJackAuditorRole() throws Exception {
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;

        // GIVEN
        displayTestTitle("test360AutzJackAuditorRole");
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "475e37e8-b178-11e6-8339-83e2fa7b9828");
        login("jack");

        // THEN: read-only access
        assertReadAllow(12);
        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();
        assertReadCertCasesAllow();

        assertGlobalStateUntouched();

        // The audit read check runs after the global-state check, as in the original ordering.
        assertAuditReadAllow();
    }

    /**
     * Authorization check for jack holding role {@code 66ee3a78-1b8a-11e7-aac6-5f43a0a86116}.
     *
     * <p>Expected outcome as asserted below: jack can read both his own and another user object,
     * searches return 12 users (and 12 objects overall) but no orgs, adding the user from
     * {@code USER_HERMAN_FILE} is allowed, and the generic modify/delete checks are denied.
     */
    @Test
    public void test370AutzJackLimitedUserAdmin() throws Exception {
        final String testName = "test370AutzJackLimitedUserAdmin";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String otherUserOid = "c0c010c0-d34d-b33f-f00d-111111111116";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "66ee3a78-1b8a-11e7-aac6-5f43a0a86116");
        login("jack");

        // WHEN / THEN
        displayWhen(testName);

        // Users are readable, both directly and through search.
        assertGetAllow(UserType.class, jackOid);
        assertGetAllow(UserType.class, otherUserOid);
        assertSearch(UserType.class, null, 12);
        assertSearch(ObjectType.class, null, 12);

        // Object types outside the role's scope must stay invisible.
        assertSearch(OrgType.class, null, 0);

        // Add is allowed, modify and delete are not.
        assertAddAllow(USER_HERMAN_FILE);
        assertModifyDeny();
        assertDeleteDeny();

        assertGlobalStateUntouched();
    }

    /**
     * Authorization check for jack holding role {@code 455edc40-30c6-11e7-937f-df84f38dd402}.
     *
     * <p>Expected outcome as asserted below: users are neither readable nor searchable; exactly one
     * task is visible; a new task can be added only with jack as owner and the "useless" handler
     * URI. Adding is denied when the handler URI differs, when the owner is a different OID, or
     * when no owner is set.
     */
    @Test
    public void test380AutzJackSelfTaskOwner() throws Exception {
        final String testName = "test380AutzJackSelfTaskOwner";
        final String jackOid = AbstractConfiguredModelIntegrationTest.USER_JACK_OID;
        final String uselessHandlerUri = "http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/useless/handler-3";

        // GIVEN
        displayTestTitle(testName);
        cleanupAutzTest(jackOid);
        assignRole(jackOid, "455edc40-30c6-11e7-937f-df84f38dd402");
        login("jack");

        // WHEN / THEN
        displayWhen(testName);

        // No read access to users, not even to jack's own object.
        assertGetDeny(UserType.class, jackOid);
        assertGetDeny(UserType.class, "c0c010c0-d34d-b33f-f00d-111111111116");

        // Only one of the two probed tasks is readable.
        assertGetDeny(TaskType.class, "daa36dba-30c7-11e7-bd7d-6311953a3ecd");
        assertGetAllow(TaskType.class, "642d8174-30c8-11e7-b338-c3cf3a6c548a");

        assertSearch(UserType.class, null, 0);
        assertSearch(ObjectType.class, null, 0);
        assertSearch(OrgType.class, null, 0);
        assertSearch(TaskType.class, null, 1);

        // Allowed: owner is jack and the handler is the expected one.
        assertTaskAddAllow("a46459b8-30e4-11e7-bd37-7bba86e91983", "t1", jackOid, uselessHandlerUri);
        // Denied: owner is jack but the handler URI is a different value.
        assertTaskAddDeny("a4ab296a-30e4-11e7-a3fd-7f34286d17fa", "t2", jackOid, "nonsense");
        // Denied: expected handler, but the owner is an OID other than jack's.
        assertTaskAddDeny("a4cfec28-30e4-11e7-946f-07f8d55b4498", "t3", "00000000-0000-0000-0000-000000000002", uselessHandlerUri);
        assertTaskAddDeny("a4ed0312-30e4-11e7-aaff-c3f6264d4bd1", "t4", "c0c010c0-d34d-b33f-f00d-1c1c11cc11c2", uselessHandlerUri);
        // Denied: expected handler, but no owner reference at all.
        assertTaskAddDeny("a507e1c8-30e4-11e7-a739-538d921aa79e", "t5", null, uselessHandlerUri);

        assertAddDeny();
        assertModifyDeny();
        assertDeleteDeny();

        assertGlobalStateUntouched();
    }

    /**
     * Runs {@code addTask} through {@code assertAllow}, i.e. expects the task to be added.
     *
     * @param str  OID of the new task
     * @param str2 task name; also part of the operation description passed to {@code assertAllow}
     * @param str3 owner OID, or {@code null} to leave the owner reference unset
     * @param str4 handler URI of the new task
     */
    private void assertTaskAddAllow(String str, String str2, String str3, String str4) throws Exception {
        final String operationDesc = "add task " + str2;
        assertAllow(operationDesc, (opTask, opResult) -> addTask(str, str2, str3, str4, opTask, opResult));
    }

    /**
     * Runs {@code addTask} through {@code assertDeny}, i.e. expects the add to be refused.
     *
     * @param str  OID of the new task
     * @param str2 task name; also part of the operation description passed to {@code assertDeny}
     * @param str3 owner OID, or {@code null} to leave the owner reference unset
     * @param str4 handler URI of the new task
     */
    private void assertTaskAddDeny(String str, String str2, String str3, String str4) throws Exception {
        final String operationDesc = "add task " + str2;
        assertDeny(operationDesc, (opTask, opResult) -> addTask(str, str2, str3, str4, opTask, opResult));
    }

    /**
     * Builds a new task object and submits it to the model service as a single ADD delta.
     *
     * @param str             OID to set on the new task
     * @param str2            task name
     * @param str3            owner OID; when {@code null} no owner reference is set
     * @param str4            handler URI
     * @param task            task under which the change is executed
     * @param operationResult result passed to {@code executeChanges}
     */
    private void addTask(String str, String str2, String str3, String str4, Task task, OperationResult operationResult) throws SchemaException, ObjectAlreadyExistsException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
        // Instantiate an empty task from its schema definition.
        PrismObject newTask = this.prismContext.getSchemaRegistry()
                .findObjectDefinitionByCompileTimeClass(TaskType.class)
                .instantiate();
        newTask.setOid(str);

        TaskType taskBean = newTask.asObjectable();
        taskBean.setName(createPolyStringType(str2));

        // The owner is optional so that callers can also probe the "task without owner" case.
        if (str3 != null) {
            ObjectReferenceType ownerRef = new ObjectReferenceType();
            ownerRef.setOid(str3);
            taskBean.setOwnerRef(ownerRef);
        }

        taskBean.setHandlerUri(str4);

        // Going through the model service (null options) is what applies the caller's authorizations.
        ObjectDelta addDelta = newTask.createAddDelta();
        this.modelService.executeChanges(
                MiscSchemaUtil.createCollection(new ObjectDelta[]{addDelta}),
                (ModelExecuteOptions) null,
                task,
                operationResult);
    }

    /**
     * Rebuilds one of this class's serializable lambdas from its serialized form.
     *
     * <p>The method is marked synthetic. It dispatches on the implementation method name recorded
     * in the {@code SerializedLambda} and, before returning a lambda, checks that the method kind,
     * functional interface class/method/signature, implementing class and implementation signature
     * all match the expected values. Anything that does not match ends in
     * {@link IllegalArgumentException}, so only the three known lambdas can be reconstructed.
     *
     * <p>NOTE(review): as written this is not valid Java source. {@code z} is declared
     * {@code boolean} but is assigned {@code -1} and {@code 2}, and {@code case true} appears
     * twice. It looks like decompiler output for an int selector (0, 1, 2) - confirm against the
     * original sources before relying on it.
     *
     * @param serializedLambda serialized form of the lambda to restore
     * @return the reconstructed lambda
     * @throws IllegalArgumentException if the serialized form matches none of the known lambdas
     */
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        // First stage: map the implementation method name to a selector. The hash is only a
        // shortcut; the equals() check guards against hash collisions.
        switch (implMethodName.hashCode()) {
            case 816356738:
                if (implMethodName.equals("lambda$test312AutzAnonymousPrivileged$7c8253c1$1")) {
                    z = true;
                    break;
                }
                break;
            case 1170051037:
                if (implMethodName.equals("lambda$test310AutzJackNoRolePrivileged$7c8253c1$1")) {
                    z = false;
                    break;
                }
                break;
            case 1601895573:
                if (implMethodName.equals("lambda$test313AutzAnonymousPrivilegedRestore$7c8253c1$1")) {
                    z = 2;
                    break;
                }
                break;
        }
        // Second stage: verify the remaining metadata and rebuild the matching lambda.
        switch (z) {
            case false:
                // Lambda of test310AutzJackNoRolePrivileged. Method kind 7 together with the captured
                // argument suggests an instance lambda (presumably REF_invokeSpecial - confirm).
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("com/evolveum/midpoint/util/Producer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/evolveum/midpoint/model/intest/security/TestSecurityBasic") && serializedLambda.getImplMethodSignature().equals("()Ljava/lang/Object;")) {
                    TestSecurityBasic testSecurityBasic = (TestSecurityBasic) serializedLambda.getCapturedArg(0);
                    return () -> {
                        try {
                            assertSuperuserAccess(12);
                            return null;
                        } catch (Exception e) {
                            // NOTE(review): the exception is constructed but never thrown, so a
                            // failure inside the privileged block is dropped here.
                            new RuntimeException(e.getMessage(), e);
                            return null;
                        }
                    };
                }
                break;
            case true:
                // Lambda of test312AutzAnonymousPrivileged; same checks and body as the case above.
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("com/evolveum/midpoint/util/Producer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/evolveum/midpoint/model/intest/security/TestSecurityBasic") && serializedLambda.getImplMethodSignature().equals("()Ljava/lang/Object;")) {
                    TestSecurityBasic testSecurityBasic2 = (TestSecurityBasic) serializedLambda.getCapturedArg(0);
                    return () -> {
                        try {
                            assertSuperuserAccess(12);
                            return null;
                        } catch (Exception e) {
                            // NOTE(review): constructed but never thrown, as in the case above.
                            new RuntimeException(e.getMessage(), e);
                            return null;
                        }
                    };
                }
                break;
            case true:
                // Lambda of test313AutzAnonymousPrivilegedRestore: method kind 6 and no captured
                // argument (presumably a static lambda, REF_invokeStatic - confirm).
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("com/evolveum/midpoint/util/Producer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/evolveum/midpoint/model/intest/security/TestSecurityBasic") && serializedLambda.getImplMethodSignature().equals("()Ljava/lang/Object;")) {
                    return () -> {
                        return null;
                    };
                }
                break;
        }
        // Unknown method name or mismatching metadata: refuse to build anything.
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
