[Midpoint-dev] Restrict user view to a particular Organisation Unit

Shelly Piplani shelly.piplani at ilantus.com
Mon Oct 6 23:32:01 CEST 2014


Hi,

I am trying to restrict a user to viewing only the one Organisation Unit of which he is a member.

I am able to get the full organisation tree for a user, but I am not able to restrict the user to viewing one OU.
I tried different permutations and combinations for restricting the view of a store user to one particular organisation unit.

Following is the script I tried to add to the role of that user:

   <authorization>
      <decision>allow</decision>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
      <object>
         <orgRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="310f0079-4016-46e9-8a09-c9ed149a85a1"
                 type="tns:OrgType"/>
      </object>
   </authorization>

Here oid=310f0079-4016-46e9-8a09-c9ed149a85a1 is the oid of the Organisation Unit which I want that user to be able to view.

This script is not restricting the view to one Organisation Unit. However, I am still able to view the full Organisation tree for that user.

Please provide your help and advice on this.

Regards,
Shelly
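The following role fragment is an added illustrative example and is not part of the original message or of the midPoint project. It shows the shape of an org-scoped read grant as documented in midPoint's authorization reference: a model-level read action with an orgRef object selector, plus the GUI page authorization. The exact action URIs (authorization-model-3#read, authorization-ui-3#orgStruct) and the precise matching semantics of the orgRef selector are assumptions that must be checked against the midPoint version in use; the oid is the one from the message above.

```xml
<!-- Added example, not from the original post. Action URIs and orgRef selector
     semantics are assumptions; verify against your midPoint version. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Store user: read own org unit only</name>

    <!-- Model-level read, limited to objects that are members of the org unit
         identified by oid 310f0079-4016-46e9-8a09-c9ed149a85a1 (from the message). -->
    <authorization>
        <name>read-objects-in-own-org</name>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <orgRef oid="310f0079-4016-46e9-8a09-c9ed149a85a1" type="OrgType"/>
        </object>
    </authorization>

    <!-- GUI page authorization (assumed URI): allows the org structure page
         to be opened at all. What appears on it is governed by the
         model-level read grants, not by this action. -->
    <authorization>
        <name>ui-org-structure-page</name>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgStruct</action>
    </authorization>
</role>
```

Two checks are worth doing before concluding that such a grant "does not work". First, midPoint authorizations are additive: a narrower allow never takes anything away, so if the same user still holds another role (for example one granting `#read` on all objects, or a superuser-style `#all`), the full tree remains visible and the broader grant has to be removed rather than a narrower one added. Second, the GUI (`authorization-ui-3`) actions only open pages; the set of org objects actually listed is decided by the model-level read authorizations, so a page-only grant with no object selector will still show whatever the model layer permits.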

