
Example 51 with IdmConceptRoleRequestDto

use of eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto in project CzechIdMng by bcvsolutions.

the class ChangeIdentityPermissionTest method addSuperAdminRoleWithSubprocessSecurityTest.

/**
 * Requests the admin role for TEST_USER_1 with the security approval switched on and
 * drives the request through six consecutive approval tasks, expecting it to finish
 * in {@link RoleRequestState#EXECUTED} with a workflow process id on both the request
 * and the concept.
 *
 * <p>The applicant must never see an approval task for their own request: right after
 * the workflow starts, the task list of the logged-in user is expected to be empty.
 */
@Test
@Transactional
public void addSuperAdminRoleWithSubprocessSecurityTest() {
    loginAsAdmin(InitTestData.TEST_USER_2);
    final IdmIdentityDto applicant = identityService.getByUsername(InitTestData.TEST_USER_1);
    final IdmIdentityDto guarantor = identityService.getByUsername(InitTestData.TEST_USER_2);

    // TEST_USER_2 becomes a guarantee of the admin role; roles of this priority are
    // routed to the approval definition stored under APPROVE_ROLE_BY_SECURITY_KEY.
    final int rolePriority = 500;
    IdmRoleDto privilegedRole = roleService.getByCode(InitTestData.TEST_ADMIN_ROLE);
    privilegedRole.setPriority(rolePriority);
    final IdmRoleGuaranteeDto roleGuarantee = new IdmRoleGuaranteeDto();
    roleGuarantee.setRole(privilegedRole.getId());
    roleGuarantee.setGuarantee(guarantor.getId());
    privilegedRole.getGuarantees().add(roleGuarantee);
    privilegedRole = roleService.save(privilegedRole);
    configurationService.setValue(IdmRoleService.WF_BY_ROLE_PRIORITY_PREFIX + rolePriority, APPROVE_ROLE_BY_SECURITY_KEY);
    configurationService.setValue("idm.sec.core.wf.approval.security.enabled", "true");

    // File the request and start the workflow.
    final IdmIdentityContractDto primeContract = identityContractService.getPrimeContract(applicant.getId());
    IdmRoleRequestDto request = roleRequestService.save(createRoleRequest(applicant));
    IdmConceptRoleRequestDto concept = conceptRoleRequestService.save(createRoleConcept(privilegedRole, primeContract, request));
    roleRequestService.startRequestInternal(request.getId(), true);
    request = roleRequestService.get(request.getId());
    assertEquals(RoleRequestState.IN_PROGRESS, request.getState());

    // Nothing may be waiting for the user who is logged in at this point.
    final WorkflowFilterDto taskFilter = new WorkflowFilterDto();
    taskFilter.setCandidateOrAssigned(securityService.getCurrentUsername());
    assertEquals(0, workflowTaskInstanceService.find(taskFilter, null).getContent().size());

    // Approver of each stage, in order: Help Desk, Manager, User Manager,
    // Role Guarantee (subprocess), Security (subprocess), Security.
    final String[] approvers = {
        InitTestData.TEST_ADMIN_USERNAME,
        InitTestData.TEST_USER_2,
        InitTestData.TEST_ADMIN_USERNAME,
        InitTestData.TEST_USER_2,
        InitTestData.TEST_ADMIN_USERNAME,
        InitTestData.TEST_ADMIN_USERNAME
    };
    for (String approver : approvers) {
        request = roleRequestService.get(request.getId());
        loginAsAdmin(approver);
        taskFilter.setCandidateOrAssigned(approver);
        checkAndCompleteOneTask(taskFilter, InitTestData.TEST_USER_1, "approve");
    }

    // Every stage approved: the request is executed and linked to its workflow process.
    request = roleRequestService.get(request.getId());
    assertEquals(RoleRequestState.EXECUTED, request.getState());
    assertNotNull(request.getWfProcessId());
    concept = conceptRoleRequestService.get(concept.getId());
    assertNotNull(concept.getWfProcessId());
}
Also used : IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto) IdmRoleGuaranteeDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleGuaranteeDto) WorkflowFilterDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowFilterDto) WorkflowTaskInstanceDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowTaskInstanceDto) IdmConceptRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto) IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto) IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto) IdmRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleRequestDto) AbstractCoreWorkflowIntegrationTest(eu.bcvsolutions.idm.core.AbstractCoreWorkflowIntegrationTest) Test(org.junit.Test) Transactional(org.springframework.transaction.annotation.Transactional)

Example 52 with IdmConceptRoleRequestDto

use of eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto in project CzechIdMng by bcvsolutions.

the class ChangeIdentityPermissionTest method testGetTaskByAnotherUser.

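/**
 * Access-control test for workflow approval tasks: with only the help desk approval
 * enabled, a task created for the help desk identity must be readable by that
 * candidate and by a workflow administrator, must not be returned to the requester or
 * to an unrelated user, and listing another user's tasks must be rejected with
 * {@code FORBIDDEN}.
 *
 * <p>NOTE(review): {@code loginWithout(user, permissions...)} is presumably a login
 * that withholds the listed permissions; confirm against the test base class.
 */
@Test
@Transactional
public void testGetTaskByAnotherUser() {
    // Only the help desk stage takes part in the approval.
    configurationService.setValue(APPROVE_BY_SECURITY_ENABLE, "false");
    configurationService.setValue(APPROVE_BY_MANAGER_ENABLE, "false");
    configurationService.setValue(APPROVE_BY_HELPDESK_ENABLE, "true");
    configurationService.setValue(APPROVE_BY_USERMANAGER_ENABLE, "false");
    //
    loginAsAdmin(InitTestData.TEST_ADMIN_USERNAME);
    IdmIdentityDto test1 = helper.createIdentity();
    IdmIdentityDto anotherUser = helper.createIdentity();
    IdmRoleDto role = helper.createRole();
    // helpdesk role and identity
    IdmRoleDto helpdeskRole = helper.createRole();
    IdmIdentityDto helpdeskIdentity = helper.createIdentity();
    // add role directly
    helper.createIdentityRole(helpdeskIdentity, helpdeskRole);
    configurationService.setValue(APPROVE_BY_HELPDESK_ROLE, helpdeskRole.getCode());
    IdmIdentityContractDto contract = helper.getPrimeContract(test1.getId());
    // The requester files the request and must not receive a task for it.
    loginAsAdmin(test1.getUsername());
    IdmRoleRequestDto request = createRoleRequest(test1);
    request = roleRequestService.save(request);
    IdmConceptRoleRequestDto concept = createRoleConcept(role, contract, request);
    concept = conceptRoleRequestService.save(concept);
    roleRequestService.startRequestInternal(request.getId(), true);
    request = roleRequestService.get(request.getId());
    assertEquals(RoleRequestState.IN_PROGRESS, request.getState());
    WorkflowFilterDto taskFilter = new WorkflowFilterDto();
    taskFilter.setCandidateOrAssigned(securityService.getCurrentUsername());
    List<WorkflowTaskInstanceDto> tasks = workflowTaskInstanceService.find(taskFilter, null).getContent();
    assertEquals(0, tasks.size());
    // HELPDESK login: exactly one task is waiting, and it can be loaded by id.
    loginAsAdmin(helpdeskIdentity.getUsername());
    taskFilter.setCandidateOrAssigned(helpdeskIdentity.getUsername());
    tasks = workflowTaskInstanceService.find(taskFilter, null).getContent();
    assertEquals(1, tasks.size());
    WorkflowTaskInstanceDto taskInstanceDto = tasks.get(0);
    String id = taskInstanceDto.getId();
    WorkflowTaskInstanceDto workflowTaskInstanceDto = workflowTaskInstanceService.get(id);
    assertNotNull(workflowTaskInstanceDto);
    // Get by id as the requester and as an unrelated user: the task must stay hidden.
    loginWithout(test1.getUsername(), IdmGroupPermission.APP_ADMIN, CoreGroupPermission.WORKFLOW_TASK_ADMIN);
    workflowTaskInstanceDto = workflowTaskInstanceService.get(id);
    assertNull(workflowTaskInstanceDto);
    loginWithout(anotherUser.getUsername(), IdmGroupPermission.APP_ADMIN, CoreGroupPermission.WORKFLOW_TASK_ADMIN);
    workflowTaskInstanceDto = workflowTaskInstanceService.get(id);
    assertNull(workflowTaskInstanceDto);
    // candidate
    loginWithout(helpdeskIdentity.getUsername(), IdmGroupPermission.APP_ADMIN, CoreGroupPermission.WORKFLOW_TASK_ADMIN);
    workflowTaskInstanceDto = workflowTaskInstanceService.get(id);
    assertNotNull(workflowTaskInstanceDto);
    // WF admin
    loginWithout(InitTestData.TEST_ADMIN_USERNAME, IdmGroupPermission.APP_ADMIN);
    workflowTaskInstanceDto = workflowTaskInstanceService.get(id);
    assertNotNull(workflowTaskInstanceDto);
    // Attacker: an unrelated user filters on the help desk identity's tasks.
    loginWithout(anotherUser.getUsername(), IdmGroupPermission.APP_ADMIN, CoreGroupPermission.WORKFLOW_TASK_ADMIN);
    taskFilter.setCandidateOrAssigned(helpdeskIdentity.getUsername());
    try {
        tasks = workflowTaskInstanceService.find(taskFilter, null).getContent();
        // Reaching this line means the listing was served instead of being refused.
        fail("User " + anotherUser.getUsername() + " listed tasks of " + helpdeskIdentity.getUsername()
                + " without being rejected.");
    } catch (ResultCodeException ex) {
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatus());
    } catch (Exception e) {
        // Any other exception is a test failure; keep it as the cause so the report shows it.
        throw new AssertionError("Expected ResultCodeException with FORBIDDEN, got: " + e, e);
    }
}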
Also used : IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto) WorkflowFilterDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowFilterDto) WorkflowTaskInstanceDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowTaskInstanceDto) ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException) IdmConceptRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto) IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto) IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto) IdmRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleRequestDto) ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException) AbstractCoreWorkflowIntegrationTest(eu.bcvsolutions.idm.core.AbstractCoreWorkflowIntegrationTest) Test(org.junit.Test) Transactional(org.springframework.transaction.annotation.Transactional)

Example 53 with IdmConceptRoleRequestDto

use of eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto in project CzechIdMng by bcvsolutions.

the class ChangeIdentityPermissionTest method testCompleteTaskByPreviosApprover.

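/**
 * Checks that an approval task can only be completed by the user it is meant for.
 * The request passes a help desk stage and then a role-guarantee stage; at each stage
 * the requester and the approver of the other stage are expected to be refused with
 * {@code FORBIDDEN}, while the approver of the current stage succeeds.
 *
 * <p>NOTE(review): {@code completeTasksFromUsers(username, decision)} presumably
 * completes the tasks waiting for {@code username} while acting as the currently
 * logged-in user; confirm against its definition.
 */
@Test
public void testCompleteTaskByPreviosApprover() {
    // approve only by help desk
    configurationService.setValue(APPROVE_BY_SECURITY_ENABLE, "false");
    configurationService.setValue(APPROVE_BY_MANAGER_ENABLE, "false");
    configurationService.setValue(APPROVE_BY_HELPDESK_ENABLE, "true");
    configurationService.setValue(APPROVE_BY_USERMANAGER_ENABLE, "false");
    //
    loginAsAdmin(InitTestData.TEST_ADMIN_USERNAME);
    IdmIdentityDto test1 = helper.createIdentity();
    IdmIdentityDto guarantee = helper.createIdentity();
    // Guarantee
    int priority = 500;
    IdmRoleDto role = helper.createRole();
    role.setPriority(priority);
    IdmRoleGuaranteeDto roleGuarantee = new IdmRoleGuaranteeDto();
    roleGuarantee.setRole(role.getId());
    roleGuarantee.setGuarantee(guarantee.getId());
    role.getGuarantees().add(roleGuarantee);
    role = roleService.save(role);
    // set approve by guarantee
    configurationService.setValue(IdmRoleService.WF_BY_ROLE_PRIORITY_PREFIX + priority, APPROVE_ROLE_BY_GUARANTEE_KEY);
    //
    // helpdesk role and identity
    IdmRoleDto helpdeskRole = helper.createRole();
    IdmIdentityDto helpdeskIdentity = helper.createIdentity();
    // add role directly
    helper.createIdentityRole(helpdeskIdentity, helpdeskRole);
    configurationService.setValue(APPROVE_BY_HELPDESK_ROLE, helpdeskRole.getCode());
    IdmIdentityContractDto contract = helper.getPrimeContract(test1.getId());
    loginAsNoAdmin(test1.getUsername());
    IdmRoleRequestDto request = createRoleRequest(test1);
    request = roleRequestService.save(request);
    IdmConceptRoleRequestDto concept = createRoleConcept(role, contract, request);
    concept = conceptRoleRequestService.save(concept);
    roleRequestService.startRequestInternal(request.getId(), true);
    request = roleRequestService.get(request.getId());
    assertEquals(RoleRequestState.IN_PROGRESS, request.getState());
    // Help desk stage, attempted by the requester: must be refused.
    try {
        completeTasksFromUsers(helpdeskIdentity.getUsername(), "approve");
        fail("This user: " + test1.getUsername() + " can't approve task.");
    } catch (ResultCodeException ex) {
        // assertEquals reports the actual status when the refusal is not FORBIDDEN.
        assertEquals(CoreResultCode.FORBIDDEN.name(), ex.getError().getError().getStatusEnum());
    } catch (Exception e) {
        throw new AssertionError("Some problem: " + e.getLocalizedMessage(), e);
    }
    // Help desk stage, attempted by the help desk identity: must succeed.
    loginAsNoAdmin(helpdeskIdentity.getUsername());
    try {
        completeTasksFromUsers(helpdeskIdentity.getUsername(), "approve");
    } catch (ResultCodeException ex) {
        throw new AssertionError("User has permission to approve task. Error message: " + ex.getLocalizedMessage(), ex);
    } catch (Exception e) {
        throw new AssertionError("Some problem: " + e.getLocalizedMessage(), e);
    }
    // Guarantee stage, attempted by the previous approver (help desk): must be refused.
    loginAsNoAdmin(helpdeskIdentity.getUsername());
    try {
        completeTasksFromUsers(guarantee.getUsername(), "approve");
        fail("This user: " + helpdeskIdentity.getUsername() + " can't approve task.");
    } catch (ResultCodeException ex) {
        assertEquals(CoreResultCode.FORBIDDEN.name(), ex.getError().getError().getStatusEnum());
    } catch (Exception e) {
        throw new AssertionError("Some problem: " + e.getLocalizedMessage(), e);
    }
    // Guarantee stage, attempted by the requester: must be refused.
    loginAsNoAdmin(test1.getUsername());
    try {
        completeTasksFromUsers(guarantee.getUsername(), "approve");
        fail("This user: " + test1.getUsername() + " can't approve task.");
    } catch (ResultCodeException ex) {
        assertEquals(CoreResultCode.FORBIDDEN.name(), ex.getError().getError().getStatusEnum());
    } catch (Exception e) {
        throw new AssertionError("Some problem: " + e.getLocalizedMessage(), e);
    }
    // Guarantee stage, attempted by the role guarantee: must succeed.
    loginAsNoAdmin(guarantee.getUsername());
    try {
        completeTasksFromUsers(guarantee.getUsername(), "approve");
    } catch (ResultCodeException ex) {
        throw new AssertionError("User has permission to approve task. Error message: " + ex.getLocalizedMessage(), ex);
    } catch (Exception e) {
        throw new AssertionError("Some problem: " + e.getLocalizedMessage(), e);
    }
}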
Also used : IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto) IdmRoleGuaranteeDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleGuaranteeDto) ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException) IdmConceptRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto) IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto) IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto) IdmRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleRequestDto) ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException) AbstractCoreWorkflowIntegrationTest(eu.bcvsolutions.idm.core.AbstractCoreWorkflowIntegrationTest) Test(org.junit.Test)

Example 54 with IdmConceptRoleRequestDto

use of eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto in project CzechIdMng by bcvsolutions.

the class ChangeIdentityPermissionTest method addSuperAdminRoleWithSubprocessDisapproveTest.

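/**
 * Requests the admin role for TEST_USER_1 and has the role guarantee disapprove it in
 * the subprocess. The request itself is still expected to reach
 * {@link RoleRequestState#EXECUTED}, but no role may end up assigned to the applicant.
 */
@Test
@Transactional
public void addSuperAdminRoleWithSubprocessDisapproveTest() {
    loginAsAdmin(InitTestData.TEST_ADMIN_USERNAME);
    IdmIdentityDto test1 = identityService.getByUsername(InitTestData.TEST_USER_1);
    IdmIdentityDto test2 = identityService.getByUsername(InitTestData.TEST_USER_2);
    // Guarantee: TEST_USER_2 guarantees the admin role, and roles of this priority
    // are routed to the approval stored under APPROVE_ROLE_BY_GUARANTEE_KEY.
    int priority = 500;
    IdmRoleDto adminRole = roleService.getByCode(InitTestData.TEST_ADMIN_ROLE);
    adminRole.setPriority(priority);
    IdmRoleGuaranteeDto guarantee = new IdmRoleGuaranteeDto();
    guarantee.setRole(adminRole.getId());
    guarantee.setGuarantee(test2.getId());
    adminRole.getGuarantees().add(guarantee);
    adminRole = roleService.save(adminRole);
    configurationService.setValue(IdmRoleService.WF_BY_ROLE_PRIORITY_PREFIX + priority, APPROVE_ROLE_BY_GUARANTEE_KEY);
    IdmIdentityContractDto contract = identityContractService.getPrimeContract(test1.getId());
    IdmRoleRequestDto request = createRoleRequest(test1);
    request = roleRequestService.save(request);
    IdmConceptRoleRequestDto concept = createRoleConcept(adminRole, contract, request);
    concept = conceptRoleRequestService.save(concept);
    roleRequestService.startRequestInternal(request.getId(), true);
    request = roleRequestService.get(request.getId());
    assertEquals(RoleRequestState.IN_PROGRESS, request.getState());
    // The logged-in user must have no task waiting right after the start.
    WorkflowFilterDto taskFilter = new WorkflowFilterDto();
    taskFilter.setCandidateOrAssigned(securityService.getCurrentUsername());
    List<WorkflowTaskInstanceDto> tasks = workflowTaskInstanceService.find(taskFilter, null).getContent();
    assertEquals(0, tasks.size());
    // HELPDESK - must be skipped
    // MANAGER
    loginAsAdmin(InitTestData.TEST_USER_2);
    taskFilter.setCandidateOrAssigned(InitTestData.TEST_USER_2);
    checkAndCompleteOneTask(taskFilter, InitTestData.TEST_USER_1, "approve");
    // USER MANAGER
    loginAsAdmin(InitTestData.TEST_ADMIN_USERNAME);
    taskFilter.setCandidateOrAssigned(InitTestData.TEST_ADMIN_USERNAME);
    checkAndCompleteOneTask(taskFilter, InitTestData.TEST_USER_1, "approve");
    // Subprocess - the GUARANTEE decides, and here the decision is "disapprove"
    loginAsAdmin(InitTestData.TEST_USER_2);
    taskFilter.setCandidateOrAssigned(InitTestData.TEST_USER_2);
    checkAndCompleteOneTask(taskFilter, InitTestData.TEST_USER_1, "disapprove");
    // SECURITY
    request = roleRequestService.get(request.getId());
    loginAsAdmin(InitTestData.TEST_ADMIN_USERNAME);
    taskFilter.setCandidateOrAssigned(InitTestData.TEST_ADMIN_USERNAME);
    checkAndCompleteOneTask(taskFilter, InitTestData.TEST_USER_1, "approve");
    request = roleRequestService.get(request.getId());
    assertEquals(RoleRequestState.EXECUTED, request.getState());
    assertNotNull(request.getWfProcessId());
    concept = conceptRoleRequestService.get(concept.getId());
    assertNotNull(concept.getWfProcessId());
    // The disapproved role must not have been granted.
    IdmIdentityRoleFilter filter = new IdmIdentityRoleFilter();
    filter.setIdentityId(test1.getId());
    Page<IdmIdentityRoleDto> page = identityRoleService.find(filter, null);
    // Count the rows that were found. Page.getSize() is the size of the page, not the
    // number of matches, so asserting on it does not show whether a role was granted
    // (assuming Page is Spring Data's Page; confirm against the file's imports).
    assertEquals(0, page.getTotalElements());
}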
Also used : IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto) WorkflowTaskInstanceDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowTaskInstanceDto) IdmIdentityRoleFilter(eu.bcvsolutions.idm.core.api.dto.filter.IdmIdentityRoleFilter) IdmRoleGuaranteeDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleGuaranteeDto) WorkflowFilterDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowFilterDto) IdmConceptRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto) IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto) IdmIdentityRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityRoleDto) IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto) IdmRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleRequestDto) AbstractCoreWorkflowIntegrationTest(eu.bcvsolutions.idm.core.AbstractCoreWorkflowIntegrationTest) Test(org.junit.Test) Transactional(org.springframework.transaction.annotation.Transactional)

Example 55 with IdmConceptRoleRequestDto

use of eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto in project CzechIdMng by bcvsolutions.

the class ChangeIdentityPermissionTest method createRoleConcept.

/**
 * Builds an unsaved concept that asks to ADD the given role on the given contract as
 * part of the given role request.
 *
 * @param adminRole role to be assigned
 * @param contract  contract the role is requested for
 * @param request   role request the concept belongs to
 * @return the populated concept; the caller is responsible for saving it
 */
private IdmConceptRoleRequestDto createRoleConcept(IdmRoleDto adminRole, IdmIdentityContractDto contract, IdmRoleRequestDto request) {
    final IdmConceptRoleRequestDto addConcept = new IdmConceptRoleRequestDto();
    // Link to the parent request first, then describe what is being asked for.
    addConcept.setRoleRequest(request.getId());
    addConcept.setOperation(ConceptRoleRequestOperation.ADD);
    addConcept.setRole(adminRole.getId());
    addConcept.setIdentityContract(contract.getId());
    return addConcept;
}
Also used : IdmConceptRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto)
