<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div><div>Hi Shelly,</div><div><br></div><div>what other roles has your user assigned? For example, "End User" role? This will give read access for all organizations.</div><div>In one of my setups, my user has assigned End User role and my own security role, in which I'm specifically denying access to unwanted organizations (based on orgType attribute).</div><div><br></div><div>I'd see two options:</div><div>1. if you have also End user role assigned, unassign it and add only needed permissions from it to your authorization role.</div><div>2. add a deny statement for all-other-than-your organization to your authorization role.</div><div><br></div><div>Example from my setup: deny read access for all organizations (OrgType) with orgType attribute equal to either value1, value2 or value3:</div><div><br></div><div> <authorization><br> <decision>deny</decision><br> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br> <object><br> <type>OrgType</type><br> <filter><br> <q:or><br> <q:equal><br> <q:path>orgType</q:path><br> <q:value>value1</q:value><br> </q:equal><br> <q:equal><br> <q:path>orgType</q:path><br> <q:value>value2</q:value><br> </q:equal><br> <q:equal><br> <q:path>orgType</q:path><br> <q:value>value3</q:value><br> </q:equal><br> </q:or><br> </filter><br> </object><br> </authorization><br><br></div><div>Regards,</div>Ivan</div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Shelly Piplani" <shelly.piplani@ilantus.com><br><b>To: </b>midpoint-dev@lists.evolveum.com<br><b>Sent: </b>Monday, October 6, 2014 11:32:01 PM<br><b>Subject: </b>[Midpoint-dev] Restrict user view to a particular Organisation Unit<br><div><br></div>
<style style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
<p>Hi ,</p>
<p><br>
</p>
<p><br>
</p>
<p>I am trying to restrict a user to view only one Organisation Unit to which he is a member of.<br>
</p>
<span style="color: black; font-family: Calibri,Arial,Helvetica,sans-serif; font-size: medium;" data-mce-style="color: black; font-family: Calibri,Arial,Helvetica,sans-serif; font-size: medium;" size="3" color="black" face="Calibri,Arial,Helvetica,sans-serif"><span style="font-size:12pt;background-color:white;" dir="ltr">
<div style="margin-top:0;margin-bottom:0;">I am able to get the full organisation tree for a user but not able to restrict the user to view one OU<br>
</div>
<div style="margin-top:0;margin-bottom:0;">I tried different permutations and combinations for restricting the view of a store user to one particular organisation unit.<br>
<br>
</div>
<div style="margin-top:0;margin-bottom:0;">Following is the script I tried to add in the role of that user:<br>
<br>
</div>
<div style="margin-top:0;margin-bottom:0;"><authorization id><br>
<decision>allow</decision><br>
<action>http://<span id="0.14537967770091398" class="currentHitHighlight">midpoint</span>.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action><br>
<action>http://<span id="0.7626521602031172" class="highlight">midpoint</span>.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action><br>
<object><br>
<orgRef xmlns:tns="http://<span id="0.9959391090158695" class="highlight">midpoint</span>.evolveum.com/xml/ns/public/common/common-3"<br>
oid="310f0079-4016-46e9-8a09-c9ed149a85a1"<br>
type="tns:OrgType"/><br>
</object><br>
</authorization><br>
<br>
Here oid=<span style="color: black; font-family: Calibri,Arial,Helvetica,sans-serif; font-size: medium;" data-mce-style="color: black; font-family: Calibri,Arial,Helvetica,sans-serif; font-size: medium;" size="3" color="black" face="Calibri,Arial,Helvetica,sans-serif"><span style="font-size:12pt;background-color:white;" dir="ltr">310f0079-4016-46e9-8a09-c9ed149a85a1</span></span> is the oid of the organisation Unit to which I want view for that
user.<br>
<br>
This script is not restricting the view to one Organisation Unit. However I am able to view the full Organisation tree for that user.<br>
<br>
Please provide your help and advice on this.<br>
<br>
Regards,<br>
Shelly<br>
</div>
</span></span>
<p><br>
</p>
This message contains information that may be privileged or confidential and is the property of ILANTUS Technologies. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain,
copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
<br>_______________________________________________<br>midPoint-dev mailing list<br>midPoint-dev@lists.evolveum.com<br>http://lists.evolveum.com/mailman/listinfo/midpoint-dev<br></blockquote><div><br><br></div><div><br></div><div>-- <br></div><div><span name="x"></span> Ing. Ivan Noris<br> Senior Identity Management Engineer<br> evolveum.com<br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span name="x"></span><br></div></div></body></html>