I think I found the solution.
In the exclusion rule:
if (entity instanceof Identity) {
Identity identity = (Identity) entity;
Iterator it = items.iterator();
while(it.hasNext()) {
Object item = it.next();
Certifiable certifiable = (Certifiable) item;
if(certifiable instanceof Bundle) {
Bundle bundle = (Bundle) certifiable;
// get detected roles from identity and if account is inactive exclude the bundle
List roleDetections = identity.getRoleDetections();
for(RoleDetection roleDetection : roleDetections) {
if (bundle.getId().equals(roleDetection.getRoleId())) {
List roleTargets = roleDetection.getTargets();
for (RoleTarget roleTarget : roleTargets) {
Link link = context.getUniqueObject(Link.class, Filter.and(Filter.eq("nativeIdentity",roleTarget.getNativeIdentity()),Filter.eq("application.id", roleTarget.getApplicationId())));
if (link != null) {
if (link.isDisabled()) {
itemsToExclude.add(bundle);
it.remove();
explanation.append("Exclude \"" + bundle.getName() + "\" from certification. Account is inactive.\n");
}
}
}
}
}
}
}
}
– Remold