[Midpoint-dev] Restrict user view to a particular Organisation Unit

Ivan Noris Ivan.Noris at evolveum.com
Tue Oct 7 08:43:03 CEST 2014


Hi Shelly, 

What other roles does your user have assigned? For example, the "End User" role? This will give read access to all organizations. 
In one of my setups, my user has the End User role assigned and my own security role, in which I'm specifically denying access to unwanted organizations (based on the orgType attribute). 

I'd see two options: 
1. If you also have the End User role assigned, unassign it and add only the needed permissions from it to your authorization role. 
2. Add a deny statement for all organizations other than yours to your authorization role. 

Example from my setup: deny read access for all organizations (OrgType) whose orgType attribute is equal to value1, value2 or value3: 

<!-- The q: prefix is the midPoint query namespace; it is normally declared once on the
     enclosing role element, and is declared here only so the snippet is self-contained
     (namespace URI assumed from the query-3 schema). -->
<authorization xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <decision>deny</decision>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>OrgType</type>
        <!-- deny applies only to orgs matching this filter -->
        <filter>
            <q:or>
                <q:equal>
                    <q:path>orgType</q:path>
                    <q:value>value1</q:value>
                </q:equal>
                <q:equal>
                    <q:path>orgType</q:path>
                    <q:value>value2</q:value>
                </q:equal>
                <q:equal>
                    <q:path>orgType</q:path>
                    <q:value>value3</q:value>
                </q:equal>
            </q:or>
        </filter>
    </object>
</authorization>

Regards, 
Ivan 

----- Original Message -----

> From: "Shelly Piplani" <shelly.piplani at ilantus.com>
> To: midpoint-dev at lists.evolveum.com
> Sent: Monday, October 6, 2014 11:32:01 PM
> Subject: [Midpoint-dev] Restrict user view to a particular Organisation Unit

> Hi,

> I am trying to restrict a user to view only the one Organisation Unit of which he
> is a member.
> I am able to get the full organisation tree for a user but am not able to
> restrict the user to viewing one OU.
> I tried different permutations and combinations for restricting the view of a
> store user to one particular organisation unit.

> Following is the script I tried to add in the role of that user:

> <authorization id>
>     <decision>allow</decision>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
>     <object>
>         <orgRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                 oid="310f0079-4016-46e9-8a09-c9ed149a85a1"
>                 type="tns:OrgType"/>
>     </object>
> </authorization>

> Here oid=310f0079-4016-46e9-8a09-c9ed149a85a1 is the oid of the Organisation
> Unit which I want that user to be able to view.

> This script does not restrict the view to one Organisation Unit; instead, I
> am still able to view the full Organisation tree for that user.

> Please provide your help and advice on this.

> Regards,
> Shelly


-- 
Ing. Ivan Noris 
Senior Identity Management Engineer 
evolveum.com 
___________________________________________ 
"Idem per idem - semper idem Vix." 
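Added example (not from either post, and not midPoint engine code): a toy evaluator that parses the deny authorization from the reply above and shows how it cuts a broad "read all OrgType" allow, standing in for what the End User role grants, down to the remaining organizations. The allow authorization, the sample org objects and the "any applicable deny wins" combining rule are constructed for illustration; the q: namespace URI is assumed.

```python
# Added example, not from the post: evaluates midPoint-style authorizations
# (allow on all OrgType, plus the deny with a q:or/q:equal filter on orgType)
# against constructed org objects. The combining rule "any applicable deny
# wins" is an illustration of the described behaviour, not midPoint's code.
import xml.etree.ElementTree as ET

Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"  # assumed query-3 namespace
READ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read"
ROLE_XML = """<role xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
 <authorization><decision>allow</decision><action>%s</action>
  <object><type>OrgType</type></object></authorization>
 <authorization><decision>deny</decision><action>%s</action>
  <object><type>OrgType</type><filter><q:or>
   <q:equal><q:path>orgType</q:path><q:value>value1</q:value></q:equal>
   <q:equal><q:path>orgType</q:path><q:value>value2</q:value></q:equal>
   <q:equal><q:path>orgType</q:path><q:value>value3</q:value></q:equal>
  </q:or></filter></object></authorization></role>""" % (READ, READ)

def filter_matches(node, obj):
    """Evaluate a q:or / q:equal tree against a dict of object properties."""
    if node.tag == Q + "or":
        return any(filter_matches(c, obj) for c in node)
    if node.tag == Q + "equal":
        values = [v.text.strip() for v in node.findall(Q + "value")]
        return obj.get(node.findtext(Q + "path").strip()) in values
    raise ValueError("unsupported filter element " + node.tag)

def applies(auth, action, obj):
    """An authorization applies when action, object type and filter (if any) all match."""
    if action not in [a.text.strip() for a in auth.findall("action")]:
        return False
    sel = auth.find("object")
    if sel.findtext("type", default=obj["type"]).strip() != obj["type"]:
        return False
    flt = sel.find("filter")
    return flt is None or all(filter_matches(c, obj) for c in flt)

def decide(role_xml, action, obj):
    """Deny if any applicable deny exists; allow only if some allow applies."""
    auths = ET.fromstring(role_xml).findall("authorization")
    found = {a.findtext("decision").strip() for a in auths if applies(a, action, obj)}
    return "deny" if "deny" in found or "allow" not in found else "allow"

def visible_orgs(role_xml, orgs):
    return [o["name"] for o in orgs if decide(role_xml, READ, o) == "allow"]

# Constructed sample orgs: only the value4 org should remain visible.
ORGS = [{"type": "OrgType", "name": n, "orgType": t} for n, t in
        [("HQ", "value1"), ("Region", "value2"), ("Warehouse", "value3"), ("Store 42", "value4")]]
print(visible_orgs(ROLE_XML, ORGS))  # ['Store 42']
```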