[midPoint] Object templates

Aivo Kuhlberg aivo.kuhlberg at rmit.ee
Wed Sep 21 15:27:56 CEST 2016


Hi Pavol,
I am actually not sure whether it should be user template selection or the GUI itself which needs improvements. My aim was actually to limit somehow user creation attributes, like when an organization X user creates a new user then s/he can create new users only for organization X (or some list of organizations if the user has more rights). That means the created user should have the organization attribute set to value X.

I actually tried to implement this with authorization roles and succeeded to create role with following authorizations:
   <authorization>
      <description>Allows adding users - request phase</description>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <phase>request</phase>
      <object>
         <type>UserType</type>
      </object>
   </authorization>
   <authorization>
      <description>Allows adding users - execution phase</description>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <phase>execution</phase>
      <object>
         <type>UserType</type>
         <filter>
            <q:equal>
               <q:path>organization</q:path>
               <q:value>X</q:value>
            </q:equal>
         </filter>
      </object>
   </authorization>

This seems to work. If I want to widen it to other organizations then I just have to create different authorization roles for each organization which would not be a problem.
What I don't like here is that when user "accountmanagerorgX" who has role with these authorizations creates new user "newtestuser" and forgets to fill in the organization field then midPoint just reports error message:

User ''accountmanagerorgX'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add on user:null(newtestuser)

There is no information for the creator that s/he did not fill in the organization field. So my point is that there should be some kind of policy or GUI check which controls the user creation form and either pre-fills the required organization value (and makes it read-only) or informs the creator while filling in the user form that the organization field value is missing or wrong or is not in the accepted range.


Regards,

Aivo Kuhlberg
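To illustrate why the error above gives no hint about the missing field, here is a small Python model (added for this post, not midPoint code) of the two-phase check: the request-phase authorization has no filter, so only the execution-phase filter rejects a user without an organization. `precheck_add` is a hypothetical form-side check that names the missing or out-of-range property before the add is submitted; the role and user objects are constructed sample data.

```python
from dataclasses import dataclass, field

# midPoint action URI quoted in the mail above
ADD = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"

@dataclass
class Authorization:
    action: str
    phase: str                  # "request" or "execution"
    object_type: str            # e.g. "UserType"
    # <filter> reduced to q:equal clauses: property name -> required value
    equal: dict = field(default_factory=dict)

# Constructed role mirroring the two authorizations in the mail: the request
# phase has no filter, the execution phase requires organization = X.
ACCOUNT_MANAGER_ORG_X = [
    Authorization(ADD, "request", "UserType"),
    Authorization(ADD, "execution", "UserType", {"organization": "X"}),
]

def allows(auth, action, phase, obj):
    """True when one authorization covers this action/phase on this object."""
    if (auth.action, auth.phase, auth.object_type) != (action, phase, obj["type"]):
        return False
    return all(obj.get(prop) == value for prop, value in auth.equal.items())

def authorized(auths, action, phase, obj):
    return any(allows(a, action, phase, obj) for a in auths)

def precheck_add(auths, obj):
    """Problems a form check could report before the add is submitted.

    The request phase passes without the filtered property, so the engine only
    discovers the missing organization at execution time; this check explains
    which filtered property is absent or outside the values the role allows.
    """
    if not authorized(auths, ADD, "request", obj):
        return [f"not authorized to add {obj['type']}"]
    if authorized(auths, ADD, "execution", obj):
        return []
    exec_auths = [a for a in auths
                  if (a.action, a.phase, a.object_type) == (ADD, "execution", obj["type"])]
    problems = []
    for prop in sorted({p for a in exec_auths for p in a.equal}):
        allowed = sorted({a.equal[prop] for a in exec_auths if prop in a.equal})
        actual = obj.get(prop)
        if actual is None:
            problems.append(f"{prop} is missing; allowed values: {allowed}")
        elif actual not in allowed:
            problems.append(f"{prop} {actual!r} is not an allowed value: {allowed}")
    return problems
```

Adding a second role with `{"organization": "Y"}` in its execution-phase authorization widens the allowed list the check reports, matching the per-organization roles described above.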

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pavol Mederly <mederly at evolveum.com>
Sent: 21 September 2016 11:40
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Object templates


Hello Aivo,


I'm afraid we can select user templates based on the employeeType attribute only. (I don't have experience with property constraints. Having looked at the code, it is used to set the OID for newly created objects based on a value of the selected property. Looks like it is of no use for you in your scenario.)


But I think your requirement is very reasonable; maybe you could implement it yourself by changing ModelUtils.determineObjectPolicyConfiguration methods (beware, there are more of them) or you could log a JIRA for this.


Best regards,

Pavol Mederly
Software developer
evolveum.com


On 20.09.2016 16:29, Aivo Kuhlberg wrote:

When I set defaultObjectPolicyConfiguration for UserType in midPoint 3.4.1 then it is set for all users. Is it possible somehow to make it more flexible, e.g. to use several user templates depending on some user parameter? I wanted to test if I can configure different user attribute limitations when creating users in different organizations.


I noticed also that there is a parameter "Property constraint" in the "Edit Object Policy" dialog but I did not find much information on what it is used for.


Thanks,

Aivo Kuhlberg

________________________________
This e-mail may contain information which is classified for official use.




