[midPoint] End User vs Approver vs Owner

Florin. Stingaciu fstingaciu at mirantis.com
Wed Nov 9 21:32:58 CET 2016


Hey guys,

I've been trying to mess around with the authorization model to basically
achieve the following system roles:

1. End User: has access to login, review his details and be able to request
a role
2. Approver: the same rights as the End User + access to Work Items and
being allowed to approve/reject requests for roles that list them as an
approver
3. Owner: the same rights as Approver + access to the Roles UI and access
to ONLY the roles he is owner for (Read/Modify/Assign/etc)

The first two are simple to configure and basically come out of the box.
However, the third is much more complicated.

In order for an End User to be able to request a role, he has to have the
following authorization:

   <authorization>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
      <object>
         <type>RoleType</type>
      </object>
   </authorization>

Which he needs for two reasons:
1. To be able to list the roles when requesting a role
2. To be able to see the "My Assignments" box on the Self Page

This authorization also works in the same way for the approver, who only
has extra access to work items.

However, for the owner, if I enable the List Roles and Role Details UI
authorizations, because of the Read on RoleType coming from the End User
role assignment, the Owner will see all the roles. And, yes, he only has
access to modify the ones he actually owns, however there is no easy
indication of which ones he owns. We have over 1000 roles...

I'm wondering if there is a way of setting up the authorization model so
that an owner can still request a role (and thus read all roles), but for
the List Roles UI page, only be able to list the ones he actually owns.

Thanks,
-F