[midPoint] Services - GUI Authorization

Pavol Mederly mederly at evolveum.com
Mon Feb 5 18:03:43 CET 2018


Hello Brad,

looking at the source code I would say that correct URIs for services are

  * ...#servicesAll
  * ...#services
  * ...#service

(analogous to #rolesAll, #roles, #role). But please check whether it 
works as expected.

As for the conceptual question about using services instead of roles: I 
think it might be a good idea, even if I haven't heard of anyone doing 
that before. :) Please have a look at this page: 
https://wiki.evolveum.com/display/midPoint/Roles%2C+Services+and+Orgs (I 
think you maybe already did that.)

Technically, the main difference between RoleType, ServiceType, and 
OrgType is that midPoint maintains a closure table for OrgType objects 
in order to quickly answer queries like "is X a child of Y (potentially 
via more intermediaries)?" Besides that, all of them can carry 
inducements, authorizations, mappings, etc., as these are defined in 
the parent type called AbstractRoleType.

So, yes, maybe using services instead of roles might be a good idea. 
Perhaps Radovan could comment on this as well after returning from the 
TIIME meeting.

Pavol Mederly
Software developer
evolveum.com

On 02.02.2018 1:14, Brad Firestone wrote:
> Hello,
>
> I am planning to make use of Services in place of Roles to grant users 
> access to a "service" that we provide.  An example might be "Email".  
> If I understand correctly, it seems like this is a good use of 
> Services since I'm giving access to a service.  If I used Roles, I 
> would probably assign the Role: Email User.  Services just seems more 
> natural.  If I'm not understanding Services correctly, please let me 
> know.
>
> My other question is how to assign the correct authorizations for a 
> "delegated administrator" to be able to work with Services.  On the 
> wiki page:
>
> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
>
> I find the list of all the actions including Org, Roles, and many 
> others.  But I don't see "Services" anywhere in the list.  So I'm not 
> sure how to grant authorization for the delegated administrator to 
> work with Services.  If it's not possible without giving "all" access, 
> that's okay.  I just want to know before I go too far into setting up 
> Services.
>
> Thank you!
> Brad