[midPoint] Restrict role visibility

Radovan Semancik radovan.semancik at evolveum.com
Wed Aug 3 16:17:34 CEST 2016


Hi,

It is not only possible. It is something that midPoint was designed for. 
Just use the midPoint authorization system:

https://wiki.evolveum.com/display/midPoint/Authorization+Configuration

You can also find many examples for authorizations in our integration tests:

https://github.com/Evolveum/midpoint/tree/master/model/model-intest/src/test/resources/security

E.g. this is how you restrict which roles are assignable:

https://github.com/Evolveum/midpoint/blob/master/model/model-intest/src/test/resources/security/role-assign-application-roles.xml

MidPoint orgs also act as roles. So if you want to allow members of some 
org to request some set of roles just put that authorization directly 
into the org.

-- 
Radovan Semancik
Software Architect
evolveum.com




On 08/03/2016 03:06 PM, Grzegorz Lechowicz wrote:
> Hi everyone,
>
> I'm just testing MidPoint IDM 3.4 and I'm trying to do some basic tests 
> to see if it fits our company requirements.
> One of the requirements is to prevent users from seeing all the 
> roles available in the organization. For example, 'role 01' should only 
> be available to request in organization 'org 01', and role 'role 02' 
> should only be visible in organization 'org 02'.
>
> So just to clarify: a user that belongs to 'org 01' should only see role 
> 'role 01' and not 'role 02'.
>
> Is it possible?
>
> regards
> theGrzeniek
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
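
The following is an added illustration of the approach the reply describes, written for this page; it is not the linked test file and not an object shipped with midPoint. It puts the authorizations directly into the org, as suggested. Assumed (not from the thread): the org name 'org 01', its OID, and a naming convention in which every role that members of this org may request carries the property roleType with the value "org01" (so 'role 01' would be defined with `<roleType>org01</roleType>` and `<requestable>true</requestable>`). The `roleType` property and the authorization-model-3 action URIs are the ones the referenced integration test uses.

```xml
<!-- Added example (not midPoint's own object). Assumptions: org name, OID,
     and the roleType value "org01" marking roles requestable from this org. -->
<org oid="11111111-2222-3333-4444-555555550001"
     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>org 01</name>

    <!-- Request phase: a member may assign to himself/herself only roles
         whose roleType is "org01". Any other role is simply not assignable. -->
    <authorization>
        <name>assign-org01-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <phase>request</phase>
        <object>
            <special>self</special>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>roleType</q:path>
                    <q:value>org01</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Read access to the same set of roles, so they appear in role lists
         while roles of other orgs stay invisible. This only works as a
         restriction if no broader #read on RoleType is granted by another
         role or org the user holds (assumption about the rest of the deployment). -->
    <authorization>
        <name>read-org01-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>roleType</q:path>
                    <q:value>org01</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>

    <!-- Execution phase: a role request ends up as a modification of the
         user's own "assignment" container, so that change must be allowed
         as well, otherwise the request is authorized but cannot be executed. -->
    <authorization>
        <name>self-modify-assignments</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <special>self</special>
        </object>
        <item>assignment</item>
    </authorization>
</org>
```

A second org ('org 02') would carry the same three authorizations with the filter value changed to its own roleType value. Two points worth checking when testing this: midPoint evaluates authorizations cumulatively across everything assigned to the user, so a generic end-user role that grants #read on all roles would make 'role 02' visible again to members of 'org 01'; and the request-phase #assign authorization needs the execution-phase #modify on the user's own assignments alongside it, or the request is allowed but the resulting change is refused.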
