[midPoint] Non-Requestable Role

Ivan Noris ivan.noris at evolveum.com
Fri Feb 13 16:49:34 CET 2015


Hi Anand,

you can do this using security authorizations, to allow users to see
(and assign) only roles with requestable=true (or any other condition).

For example, a role:

<role oid="00000000-dc00-dc00-0004-000000000067"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>End User Role Restriction</name>
    <authorization>
        <decision>deny</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>RoleType</type>
            <!-- matches roles that are neither "End user" nor requestable=true -->
            <filter>
                <q:and>
                    <q:not>
                        <q:equal>
                            <q:path>name</q:path>
                            <q:value>End user</q:value>
                        </q:equal>
                    </q:not>
                    <q:not>
                        <q:equal>
                            <q:path>requestable</q:path>
                            <q:value>true</q:value>
                        </q:equal>
                    </q:not>
                </q:and>
            </filter>
        </object>
    </authorization>
</role>

When this role is assigned to your users together with e.g. the "End user"
role (the user must have both), although the End user role will allow
displaying all roles, the other role will deny displaying any
non-requestable user (except the End user role itself).

This is a fragment from my working setup; I haven't tried this alone, but
it should work.

The security roles apply to the model, so it should restrict the roles
also for webservice access.

Regards,
Ivan

On 02/13/2015 10:13 AM, Anand Kothekar wrote:
> Hi,
>
> I have a situation where I want role to be "Non-Requestable" so that
> no user will be able to assign that particular role.
>
> I tried to make <requestable>false</requestable> but the user is
> still able to assign role.
>
> I even tried to disable that particular role but still it is allowed
> to be assigned.
>
>
> Can you please suggest me how a role could be Non-Requestable.
>
>
>
> Thanks,
> Anand
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
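To see what the deny filter above actually hides, here is an added Python evaluator (not midPoint code and not part of the original message) that parses the q:and/q:not/q:equal filter from the role and applies it to a constructed role catalogue. It assumes deny takes precedence over the End user allow, and that a role with no requestable value at all does not equal "true" and is therefore hidden as well.

```python
import xml.etree.ElementTree as ET

Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"

# Constructed copy of the deny authorization's filter from the message above.
DENY_FILTER = """
<q:and xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <q:not><q:equal><q:path>name</q:path><q:value>End user</q:value></q:equal></q:not>
  <q:not><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></q:not>
</q:and>
"""

def matches(node, obj):
    """Evaluate a q:and / q:not / q:equal filter tree against a dict of role properties."""
    tag = node.tag
    if tag == Q + "and":
        return all(matches(child, obj) for child in node)
    if tag == Q + "not":
        return not matches(node[0], obj)
    if tag == Q + "equal":
        path = node.find(Q + "path").text.strip()
        value = node.find(Q + "value").text.strip()
        # Assumption: a property that is not set never equals the filter value.
        return str(obj.get(path, "")).lower() == value.lower()
    raise ValueError(f"unsupported filter element {tag}")

def denied(role, deny_filter_xml=DENY_FILTER):
    """True when the deny authorization's filter selects this role."""
    return matches(ET.fromstring(deny_filter_xml), role)

def visible_roles(roles, deny_filter_xml=DENY_FILTER):
    """Roles readable by a user holding both the all-allowing 'End user' role and
    the deny role: deny wins, so only roles the filter does not select remain."""
    return [r["name"] for r in roles if not denied(r, deny_filter_xml)]

# Constructed sample role catalogue.
ROLES = [
    {"name": "End user", "requestable": "false"},
    {"name": "VPN access", "requestable": "true"},
    {"name": "Domain admin", "requestable": "false"},
    {"name": "Legacy app"},  # requestable not set at all
]

if __name__ == "__main__":
    print(visible_roles(ROLES))  # ['End user', 'VPN access']
```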
