[midPoint] authorization for role requests

Ivan Noris ivan.noris at evolveum.com
Mon Jun 1 09:02:01 CEST 2015


Hi Petr,

this one could be even better.

The interesting part is roleType filtering. I wanted the users to be
able to request any role with requestable==true, but e.g. End User seems
not to have this and I wanted the Dashboard to also display this one if
it is assigned. I also "created" roleType==provisioning. These roles are
also displayed in Dashboard if they are assigned.

<role oid="00000000-dc00-dc00-0004-000000000043"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Self-service - ask roles</name>
    <description>Role allowing to ask roles for self-service</description>

    <!-- GUI -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
    </authorization>

    <!-- Model -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <special>self</special>
        </object>
    </authorization>
    <!--
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <special>self</special>
        </object>
    </authorization>
    -->
    <!--
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    </authorization>
    -->

    <!-- Authorization to read roles (to display assigned roles). GUI
         authorization limits the usage on pages. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>RoleType</type>
            <!-- Only requestable=true roles, to avoid meta-roles etc. being assigned
                 by support (which is assigned THIS role) -->
            <filter>
                <q:equal>
                    <q:path>requestable</q:path>
                    <q:value>true</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>

    <!-- Authorization to read entitlement and generic shadows -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ShadowType</type>
            <filter>
                <q:or>
                    <q:equal>
                        <q:path>kind</q:path>
                        <q:value>entitlement</q:value>
                    </q:equal>
                    <q:equal>
                        <q:path>kind</q:path>
                        <q:value>generic</q:value>
                    </q:equal>
                </q:or>
            </filter>
        </object>
    </authorization>

    <!-- Deny reading of all other roles: anything that is not End User,
         not requestable and not a provisioning role. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <decision>deny</decision>
        <object>
            <type>RoleType</type>
            <filter>
                <q:and>
                    <q:not>
                        <q:equal>
                            <q:path>name</q:path>
                            <q:value>End User</q:value>
                        </q:equal>
                    </q:not>
                    <q:not>
                        <q:equal>
                            <q:path>requestable</q:path>
                            <q:value>true</q:value>
                        </q:equal>
                    </q:not>
                    <q:not>
                        <q:equal>
                            <q:path>roleType</q:path>
                            <q:value>provisioning</q:value>
                        </q:equal>
                    </q:not>
                </q:and>
            </filter>
        </object>
    </authorization>

    <!-- Requesting: only requestable roles may be assigned/unassigned -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <phase>request</phase>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>requestable</q:path>
                    <q:value>true</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
    </authorization>

    <roleType>provisioning</roleType>
</role>

Ivan

On 05/29/2015 05:39 PM, Petr Gašparík wrote:
> Hi,
> I do basic approval scheme.
> It works well in requesting (end user) and approval (his manager), but
> then, the workflow is suspended.
>
> Error is:
> User 'demo.user' not authorized for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify 
>
> My guess is that I need to add some authorization to End User role,
> but it is unclear for me for what. 
> identity self? shadow account? something else?
>
> thank you in advance
>
> best regards
> --
> Petr Gašparík
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
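As an added example (not from this thread and not midPoint's own code), the script below re-implements the q:equal / q:and / q:or / q:not filter logic in plain Python and reports, for a few constructed sample roles, which of the two RoleType read authorizations from the role above (the requestable=true allow and the three-way deny) cover each one. The role XML it parses is a cut-down copy of those two authorizations; the sample roles and their attributes are constructed for the demonstration.

```python
"""Check which RoleType read authorizations (allow or deny) of a midPoint role
cover a given set of roles. Simplified stand-alone re-implementation of the
q: filter elements used above; not midPoint's own evaluator."""
import xml.etree.ElementTree as ET

NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "q": "http://prism.evolveum.com/xml/ns/public/query-3",
}
Q = "{%s}" % NS["q"]

# Constructed sample: the two RoleType read authorizations from the role above.
ROLE_XML = """\
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <name>Self-service - ask roles</name>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
      <type>RoleType</type>
      <filter>
        <q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal>
      </filter>
    </object>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <decision>deny</decision>
    <object>
      <type>RoleType</type>
      <filter>
        <q:and>
          <q:not><q:equal><q:path>name</q:path><q:value>End User</q:value></q:equal></q:not>
          <q:not><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></q:not>
          <q:not><q:equal><q:path>roleType</q:path><q:value>provisioning</q:value></q:equal></q:not>
        </q:and>
      </filter>
    </object>
  </authorization>
</role>
"""

# Constructed sample roles, reduced to the properties the filters look at.
SAMPLE_ROLES = [
    {"name": "End User", "requestable": False},
    {"name": "Business Analyst", "requestable": True},
    {"name": "AD Account", "requestable": False, "roleType": "provisioning"},
    {"name": "Meta role", "requestable": False},
]


def eval_filter(node, obj):
    """Recursively evaluate one q:equal/q:and/q:or/q:not subtree against a dict."""
    if node.tag == Q + "equal":
        path = node.findtext("q:path", namespaces=NS)
        value = node.findtext("q:value", namespaces=NS)
        actual = obj.get(path)
        if isinstance(actual, bool):          # XML booleans are "true"/"false"
            actual = str(actual).lower()
        return actual is not None and str(actual) == value
    if node.tag == Q + "and":
        return all(eval_filter(child, obj) for child in node)
    if node.tag == Q + "or":
        return any(eval_filter(child, obj) for child in node)
    if node.tag == Q + "not":
        return not eval_filter(node[0], obj)
    raise ValueError("unsupported filter element: %s" % node.tag)


def role_type_read_authorizations(root):
    """Yield (decision, filter-element-or-None) for every model #read
    authorization whose object type is RoleType. No <decision> means allow."""
    found = []
    for auth in root.findall("c:authorization", NS):
        actions = [a.text or "" for a in auth.findall("c:action", NS)]
        if not any(a.endswith("#read") for a in actions):
            continue
        obj = auth.find("c:object", NS)
        if obj is None or obj.findtext("c:type", namespaces=NS) != "RoleType":
            continue
        decision = auth.findtext("c:decision", default="allow", namespaces=NS)
        found.append((decision, obj.find("c:filter", NS)))
    return found


def coverage(role_xml, roles):
    """Map each sample role name to which clauses (allow/deny) its attributes match."""
    auths = role_type_read_authorizations(ET.fromstring(role_xml))
    result = {}
    for role in roles:
        hit = {"allow": False, "deny": False}
        for decision, flt in auths:
            # An absent or empty <filter> matches every object of the type.
            matched = flt is None or all(eval_filter(child, role) for child in flt)
            if matched:
                hit[decision] = True
        result[role["name"]] = hit
    return result


if __name__ == "__main__":
    for name, hit in coverage(ROLE_XML, SAMPLE_ROLES).items():
        print("%-18s allow=%-5s deny=%s" % (name, hit["allow"], hit["deny"]))
```

The script only reports filter coverage; turning allow and deny hits into a final decision is the job of midPoint's authorization evaluator. What the output makes visible is a role such as the constructed "End User" sample, which matches neither the allow (it is not requestable) nor the deny (it is excluded by name), so whether it can be read then rests entirely on the other authorizations in the role; that is the kind of gap a review of a self-service role should surface before it is assigned to every user.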
