[midPoint] authorization for role requests
Ivan Noris
ivan.noris at evolveum.com
Mon Jun 1 08:52:24 CEST 2015
Hi Petr,
I was experimenting some time ago with this. A user can request only roles
with "requestable == true". Modify as you need.
There seem to be missing read permissions on Resource (which I guess is
by default permitted) and Shadows (which is not); I'll try to find more
examples. In general, you need to see the Resource objects, Shadows for
accounts and Shadows for entitlements (associations). And assigned roles,
of course.
<role oid="00000000-dc00-dc00-0004-000000000043"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>ASK ROLES FOR HIMSELF</name>
  <description>Rola allowing to ask roles for self-service</description>
  <!-- GUI -->
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
  </authorization>
  <!-- Model -->
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
      <special>self</special>
    </object>
  </authorization>
  <!-- Authorization to read roles (to display assigned roles). GUI
       authorization limits the usage on pages. -->
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
      <type>RoleType</type>
      <!-- Only requestable=true roles, to avoid meta-roles etc. being assigned
           by support (which assigned THIS role) -->
      <filter>
        <q:equal>
          <q:path>requestable</q:path>
          <q:value>true</q:value>
        </q:equal>
      </filter>
    </object>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <phase>request</phase>
    <target>
      <type>RoleType</type>
      <filter>
        <q:equal>
          <q:path>requestable</q:path>
          <q:value>true</q:value>
        </q:equal>
      </filter>
    </target>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
  </authorization>
</role>
Best regards,
Ivan
On 05/29/2015 05:39 PM, Petr Gašparík wrote:
> Hi,
> I do basic approval scheme.
> It works well in requesting (end user) and approval (his manager), but
> then, the workflow is suspended.
>
> Error is:
> User 'demo.user' not authorized for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
>
> My guess is that I need to add some authorization to End User role,
> but it is unclear for me for what.
> identity self? shadow account? something else?
>
> thank you in advance
>
> best regards
> --
> Petr Gašparík
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
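The exchange above turns on two things a self-service role looks like in midPoint: the request-phase assign/unassign authorization restricted to requestable roles, and the execution-phase add/modify authorization whose absence produced Petr's "not authorized for operation ...#modify" error. The following script, added here as an example and not part of the thread or of midPoint, parses a role definition with the standard library and reports which of those authorizations are missing or unrestricted. The role XML it checks is a constructed sample modelled on Ivan's role; the checker's rule that an authorization without a phase element applies to both phases, and the names check_self_service_role and parse_authorizations, are this example's own assumptions.

```python
"""Lint a midPoint role definition for the authorizations a self-service
role-request flow needs.  Added example, not code from the thread or from
midPoint; the role XML below is a constructed sample."""
import xml.etree.ElementTree as ET

NS_C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS_Q = "http://prism.evolveum.com/xml/ns/public/query-3"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"


def _c(tag):
    return "{%s}%s" % (NS_C, tag)


def parse_authorizations(xml_text):
    """Return one dict per <authorization>: actions, phase and target filter."""
    root = ET.fromstring(xml_text)
    auths = []
    for auth in root.findall(_c("authorization")):
        actions = {a.text.strip() for a in auth.findall(_c("action")) if a.text}
        phase_el = auth.find(_c("phase"))
        # Assumption of this example: no <phase> means the authorization
        # applies to both the request and the execution phase.
        phase = phase_el.text.strip() if phase_el is not None else "both"
        target_filter = None
        target = auth.find(_c("target"))
        if target is not None:
            eq = target.find(".//{%s}equal" % NS_Q)
            if eq is not None:
                path = eq.find("{%s}path" % NS_Q)
                value = eq.find("{%s}value" % NS_Q)
                if path is not None and value is not None:
                    target_filter = (path.text.strip(), value.text.strip())
        auths.append({"actions": actions, "phase": phase,
                      "target_filter": target_filter})
    return auths


def _covers(auth, phase):
    return auth["phase"] in (phase, "both")


def check_self_service_role(xml_text):
    """Return a list of findings; an empty list means the role looks complete."""
    auths = parse_authorizations(xml_text)
    findings = []
    # Request phase: the user may assign roles, but only requestable ones.
    assign = [a for a in auths
              if MODEL + "assign" in a["actions"] and _covers(a, "request")]
    if not assign:
        findings.append("no request-phase authorization for model#assign")
    for a in assign:
        if a["target_filter"] != ("requestable", "true"):
            findings.append("model#assign is not limited to requestable=true roles")
    # Execution phase: the resulting change to the user object must be allowed,
    # otherwise the workflow stops with "not authorized for ...#modify".
    for op in ("add", "modify"):
        if not any(MODEL + op in a["actions"] and _covers(a, "execution")
                   for a in auths):
            findings.append("no execution-phase authorization for model#%s" % op)
    return findings


EXECUTION_AUTH = """
  <authorization>
    <action>%sadd</action>
    <action>%smodify</action>
    <phase>execution</phase>
  </authorization>""" % (MODEL, MODEL)


def sample_role(with_execution_auth):
    """Constructed sample role, with or without the execution-phase block."""
    return """<role xmlns="%s" xmlns:q="%s">
  <name>constructed sample</name>
  <authorization>
    <action>%sassign</action>
    <action>%sunassign</action>
    <phase>request</phase>
    <target>
      <type>RoleType</type>
      <filter>
        <q:equal>
          <q:path>requestable</q:path>
          <q:value>true</q:value>
        </q:equal>
      </filter>
    </target>
  </authorization>%s
</role>""" % (NS_C, NS_Q, MODEL, MODEL, EXECUTION_AUTH if with_execution_auth else "")


if __name__ == "__main__":
    for complete in (False, True):
        print("execution block present:", complete,
              "->", check_self_service_role(sample_role(complete)) or "ok")
```

Run it against an exported role XML instead of the sample by reading the file and passing its text to check_self_service_role; the two findings it prints for the incomplete sample are exactly what was missing in the original question.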