[midPoint] End User vs Approver vs Owner
Radovan Semancik
radovan.semancik at evolveum.com
Thu Nov 10 09:59:50 CET 2016
Hi,
On 11/09/2016 09:32 PM, Florin. Stingaciu wrote:
> The first two are simple to configure and basically come out of the
> box. However the third is much more complicated.
Yes. And that's one of the reasons we are planning to slightly change
the role ownership in midPoint 3.6 (some changes may make it even to
3.5). But for now something like this should work:
<authorization>
    <name>role-owner</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <object>
        <type>RoleType</type>
        <owner>
            <special>self</special>
        </owner>
    </object>
</authorization>
See:
https://github.com/Evolveum/midpoint/blob/master/model/model-intest/src/test/resources/security/role-role-owner-full-control.xml
https://github.com/Evolveum/midpoint/blob/master/model/model-intest/src/test/resources/security/role-role-owner-assign.xml
> In order for an End User to be able to request a role, he has to have
> the following authorization:
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>         <type>RoleType</type>
>     </object>
> </authorization>
>
> Which he needs for two reasons:
> 1. To be able to list the roles when requesting a role
> 2. To be able to see the "My Assignments" box on the Self Page
Yes. Exactly. Of course, you may narrow the authorization only to
requestable roles and only to some properties. But the user needs access
to the roles to be able to browse them.
> This authorization also works in the same way for the approver which
> only has extra access to work items.
Yes. Similar reasons. The approver will see the role name on the approve/reject
screen, so he must have access at least to that.
> However, for the owner, if I enable the List Role and Role Details UI
> authorizations, because of the Read on Role Type coming from the End
> User role assignment, the Owner will see all the roles. And, yes, he
> only has access to modify the ones he actually owns, however there is
> no easy indication of which ones he owns. We have over 1000 roles...
Hmmm. I see. I do not think we have any efficient way to do this
now. The screens that list the roles are only concerned with
permissions to read the role (obviously). And you need permission to
read the roles to work normally. So this is kind of a chicken-and-egg problem.
Maybe you can place the roles in the organizational structure (create
some kind of role catalog) and that might help owners find their own roles?
I have another improvement in mind that can help with this: object
collections. I have just documented it here:
https://jira.evolveum.com/browse/MID-3517
In that case you would be able to define a collection "Roles that I
own". Then a link to this collection will appear in the main menu, which
will lead to a list of roles containing only those that the currently
logged-in user owns. I'm thinking about allowing any kind of filter for
the collection, including parametric filters very similar to those in
authorizations. In fact I plan to reuse the same concept.
But this is a new feature and it will need sponsoring to make it really
happen.
--
Radovan Semancik
Software Architect
evolveum.com
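As an added illustration of the narrowing Radovan mentions above (restricting the End User's read access to requestable roles and to a few properties), not part of the original post: this assumes the midPoint 3.x authorization schema, where an object selector may carry a `filter` and an authorization may list `item` paths, and uses the Prism query namespace for the filter.

```xml
<!-- Added example, not from the original thread. Read access for End Users,
     limited to roles flagged requestable=true and to three properties.
     Owners still get full control over their own roles from the separate
     role-owner authorization quoted in the reply above. -->
<authorization xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>end-user-read-requestable-roles</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>RoleType</type>
        <!-- Only roles marked as requestable are visible to the End User. -->
        <filter>
            <q:equal>
                <q:path>requestable</q:path>
                <q:value>true</q:value>
            </q:equal>
        </filter>
    </object>
    <!-- Only these properties are readable; everything else stays hidden. -->
    <item>name</item>
    <item>displayName</item>
    <item>description</item>
</authorization>
```

The End User can still browse and request roles (the two reasons listed in the question) while role internals such as inducements and assignment policies remain hidden from ordinary users.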