[midPoint] Authorization role to allow read own managers

Yakov Revyakin yrevyakin at gmail.com
Fri May 12 15:35:06 CEST 2023


Hi Pavol, thanks to your answer I took a step forward in understanding the
concept. But I still don't have a final solution.

So, to limit the list of available users during role shopping we limit the
"search" authorization. For example, to limit this list always to self and
"test" we need to add one extra authorization in addition to the End-User
role, which provides the following authorization: #read (#search + #get) for
self, #get for any user.

<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
    <object>
        <type>UserType</type>
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <expression>
                    <value>test</value>
                </expression>
            </q:equal>
        </filter>
    </object>
</authorization>

The user list shows 2 available users - very nice.

I don't understand how this can help to get a non-empty list from
"midpoint.getManagersOidsExceptUser(object)".
To get it I must add #search for the "manager" user. This, in its turn, adds an
additional user to the list, and this is not what I expect.

What did I miss again?

On Wed, 10 May 2023 at 09:24, Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello Yakov,
>
> please check the docs. There's a nice explanation of various flavors of
> "read" authorization, covering exactly your use case.
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 09/05/2023 18:13, Yakov Revyakin via midPoint wrote:
> > Hi all,
> > I'm looking for a way to authorize a user to read their own managers.
> >
> > In case of a role request for self (with assigned built-in End-User
> > role) we can see in UI, clicking on button "Requesting for", that
> > users' list is limited by self.
> > In metarole I have definition:
> >
> >                             <approverExpression>
> >                                 <script>
> >                                     <code>
> >                                         return
> > midpoint.getManagersOidsExceptUser(object)
> >                                     </code>
> >                                 </script>
> >                             </approverExpression>
> > <evaluationStrategy>firstDecides</evaluationStrategy>
> > <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
> >
> > If the user requests a role, getManagersOidsExceptUser() can't return
> > managers because it is not authorized. This results in automatic
> > rejection of the request.
> > If I'm adding something like this:
> >
> >     <authorization>
> >         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
> >         <object>
> >             <type>UserType</type>
> >         </object>
> >     </authorization>
> >
> > getManagersOidsExceptUser() returns managers correctly. But, clicking
> > on the button "Requesting for" I can see all existing users. But I
> > still want to see only myself in the list.
> >
> > How to get the user authorized to read own managers? And, at the same
> > time, not to break user list under the "Requesting for" button with
> > extra users?
> >
> > Thanks,
> > Yakov
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://lists.evolveum.com/mailman/listinfo/midpoint
>
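The decomposition Yakov describes above (#read being #search plus #get, with #search restricted to a filtered set and #get granted for any user) is easier to see with the two flavors side by side. The following role fragment is an added illustration written for this page, not a snippet from the thread or from the midPoint project; the role and authorization names are made up, the "test" filter mirrors the one posted above, and `<special>self</special>` is the authorization object form midPoint uses to mean "the subject's own user object". It only shows the split itself; it does not by itself change what getManagersOidsExceptUser() is allowed to see.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Illustration: split read authorizations</name>

    <!-- #get for any UserType: a lookup of a known user (e.g. by OID)
         succeeds, but this grants no ability to enumerate users. -->
    <authorization>
        <name>get-any-user</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>

    <!-- #search only for self: the set returned by listings such as the
         "Requesting for" dialog is limited to the subject's own object. -->
    <authorization>
        <name>search-self</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
        <object>
            <type>UserType</type>
            <special>self</special>
        </object>
    </authorization>

    <!-- #search additionally for the user named "test" (the filter from the
         message above). Every extra #search authorization widens what the
         listing shows, which is the trade-off the thread is about. -->
    <authorization>
        <name>search-test-user</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
        <object>
            <type>UserType</type>
            <filter>
                <q:equal>
                    <q:path>name</q:path>
                    <expression>
                        <value>test</value>
                    </expression>
                </q:equal>
            </filter>
        </object>
    </authorization>
</role>
```

Read together, the three authorizations make the point of the thread concrete: the listing is governed solely by the union of the #search object specifications, so any user added to make a lookup possible through #search will also appear in the "Requesting for" list.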