[midPoint] Filtering for ObjectForms

Radovan Semancik radovan.semancik at evolveum.com
Tue May 16 17:06:48 CEST 2017


Hi,

This is currently a limitation in midPoint. You cannot differentiate 
between users using adminGuiConfiguration. Authorizations are used to 
differentiate the users, but use of authorization to control the GUI 
behavior is very tricky. That is the reason that we have used 
adminGuiConfiguration instead.

Using object-level authorizations to automatically show or hide the tabs 
is the right solution. In that case the tabs will be shown or hidden 
according to the authorizations that the current user has over the 
object that he is looking at. This is the right way, but it is quite 
tricky and may be difficult to implement properly. So we thought about 
using GUI authorizations for that purpose. Each tab could have its own 
GUI authorization that might control whether to display it or not. But 
there is a problem: no authorizations means no access. Which is not 
really a problem if you add all the tab authorizations to a role. Which 
seems fine. But new tabs appear in almost any version of midPoint. And 
that would mean continually updating the authorizations after each 
upgrade to allow new tabs. And this approach is not really compatible 
with the "automatic" behavior of tabs that we would like to have later. 
What would the GUI authorization mean in that case? Always display the 
tab? Or display the tab only if object authorizations allow it? In the 
former case the automatic object authorizations would not really work 
with a pre-existing setup, and the setup would need to be modified after 
this functionality is introduced. This means (at least one) problematic 
upgrade. In the latter case, when we add object authorizations we would 
still need to add a new GUI authorization. Which means all upgrades will 
be slightly problematic. Neither method seems to be good. So, the 
decision was not to shoot ourselves in the foot. We have decided to 
provide a simpler mechanism based on adminGuiConfiguration, at least for 
now - until we can find the funding to correctly implement evaluation of 
object-level authorizations in the GUI tabs. And there may even be a 
justifiable need for this mechanism: sometimes we would like to hide a 
tab even if the user has an authorization for the operation. The reason 
may be that we want to keep the stock user detail pages simple for some 
users, while still allowing access to the operations, e.g. by using 
completely custom GUI tabs.

So, obviously you most likely cannot do what you want to do now (neither 
midPoint 3.5.1 nor midPoint 3.6). There are two options that we could 
consider for midPoint 3.7:

1) Implement the full support for object-level authorizations in GUI. 
This is obviously the right solution. But it may be difficult.

2) Add more options to adminGuiConfiguration, so you could fine-tune 
which objects the configuration is applicable to. This would be easier. 
Yes, it will partially duplicate the existing functionality of 
authorizations. But that may not be a big problem and in fact it may 
even be desirable, e.g. to hide tabs even if the user has the 
authorization.

One way or another, this means new development and therefore it will 
require some kind of funding.

(Sorry for the late answer. I've missed this one.)

-- 
Radovan Semancik
Software Architect
evolveum.com



On 04/25/2017 07:48 AM, Aivo Kuhlberg wrote:
>
> In MP 3.5.1 I can limit form visibility with the objectForms 
> adminGuiConfiguration setting. Unfortunately this setting seems to 
> influence all objects of the same type. For example, if I declare this 
> for end users:
>    <adminGuiConfiguration>
>       <objectForms>
>          <objectForm>
>             <type>c:UserType</type>
>             <formSpecification>
>                <panelUri>http://midpoint.evolveum.com/xml/ns/public/gui/component-3#focusTabBasic</panelUri>
>             </formSpecification>
>          </objectForm>
>       </objectForms>
>    </adminGuiConfiguration>
>
> then users see only the Basic tab for user information. But what about 
> the situation when I want to see all tabs when I view my own data and 
> limit tab visibility only when browsing other users' data? Can I 
> implement this feature in the current midPoint?
> Thanks,
> Aivo Kuhlberg

