[midPoint] Members of role in org as authorization object

Sven Feyerabend Sven.Feyerabend at stuvus.uni-stuttgart.de
Tue Jan 30 18:19:26 CET 2024


Hello everyone,

I currently have a system where privileged users can manage users and 
roles in their org.

Now I have a situation where two departments share a role, so their 
admins are able to assign this shared role to users in their org.
This leads to a situation where an admin cannot see users that have the 
role assigned but are not part of their own org.

Is there a way to select these users as objects in an authorization?
Basically, I need to select users that have a role assigned, which 
belongs to an org the actor is a manager of, without them being members 
of said org.
Simple roleRelation rules are not sufficient in this case, as the actor 
does not necessarily have a direct relation to the role.
Similarly, orgRelation is insufficient since the subject does not have a 
relation to the org of the admin.

I could use per-case authorizations which hard-code the names of the 
roles I am dealing with, but I would like to avoid that, as it makes 
dealing with this scenario less flexible.

Kind regards,

Sven

-- 
Sven Feyerabend
IT Support Officer
stuvus – Studierendenvertretung Universität Stuttgart
Pfaffenwaldring 5c
70569 Stuttgart
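As an added illustration (not part of the original post, and not an answer from the midPoint project), this is what the per-case fallback mentioned above looks like: a read authorization on UserType whose object selector filters on the assignment target reference of one specific shared role. The role OID is a placeholder, and the action URI and query namespace are the standard midPoint ones; everything else is assumed for the sake of the example.

```xml
<!-- Added example: one authorization per shared role, with the role OID hard-coded.
     Assumed placeholder OID; replace with the OID of the shared role in question. -->
<authorization>
    <name>read-holders-of-shared-role</name>
    <description>
        Lets the admin see any user who holds the shared role, regardless of org
        membership. This is the inflexible variant: a new shared role means a new
        authorization clause (or a new value in the ref filter).
    </description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
        <filter xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
            <q:ref>
                <q:path>assignment/targetRef</q:path>
                <!-- PLACEHOLDER-SHARED-ROLE-OID: the OID of the role both departments share -->
                <q:value oid="PLACEHOLDER-SHARED-ROLE-OID" type="RoleType"/>
            </q:ref>
        </filter>
    </object>
    <!-- Scope the grant to the attributes the admin actually needs to see. -->
    <item>name</item>
    <item>fullName</item>
    <item>assignment</item>
</authorization>
```

The filter keys on the user's assignments rather than on org membership, which is why it reaches users outside the admin's own org; the price is that the role set is fixed in the authorization, so each additional shared role needs its own clause. A sibling authorization built on roleRelation or orgRelation can stay in place for the in-org case.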