[midPoint] Authorization restriction to some certain objects in Assignments window in User profile

Oleksandr Nekriach o.nekriach at dynatech.lv
Tue Jul 10 10:06:10 CEST 2018


Ivan,
When I add a target section with a filter, the adminAssign button disappears.
Do you have a working example so I can understand what I am doing wrong?

I see the button, but I also see all the roles:
     <authorization>
        <name>AssignGUI</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
        <description>Assign/unassign in admin GUI (role profile)</description>
        <object>
          <type>UserType</type>
        </object>
     </authorization>


I don't see the button at all:

     <authorization>
        <name>AssignGUI</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
        <description>Assign/unassign in admin GUI (role profile)</description>
        <object>
          <type>UserType</type>
        </object>
        <target>
          <filter>
            <q:type>
              <q:type>c:RoleType</q:type>
              <q:filter>
                <q:substring>
                  <q:matching>polyStringNorm</q:matching>
                  <q:path>name</q:path>
                  <q:value>Role</q:value>
                  <q:anchorStart>true</q:anchorStart>
                </q:substring>
              </q:filter>
            </q:type>
          </filter>
        </target>
     </authorization>




On 10 July 2018 at 09:22, Oleksandr Nekriach <o.nekriach at dynatech.lv> wrote:

> Hi Ivan, thank you.
>
> On 9 July 2018 at 22:08, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>> Hi Oleksandr,
>>
>> Please see the referenced Jira issue, with an example, which I reported
>> earlier and which was fixed in the meantime.
>>
>> https://jira.evolveum.com/browse/MID-3615
>>
>> Maybe you're only missing the q:matching element. Or target; as
>> assign/unassign are target-aware.
>>
>> Best regards,
>>
>> Ivan
>>
>> On 06.07.2018 13:54, Oleksandr Nekriach wrote:
>>
>> Hello,
>> I am stuck. Is it possible to restrict access to certain objects only
>> (e.g. only roles with the Role- prefix) in the Assignments window in the
>> User profile?
>> Something like this, but this example does not work.
>>
>>      <authorization>
>>         <name>AssignGUI</name>
>>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>>         <description>Assign/unassign in admin GUI (role profile)</description>
>>         <c:object>
>>             <c:type>RoleType</c:type>
>>         </c:object>
>>         <filter>
>>             <q:substring>
>>                <q:path>name</q:path>
>>                <q:value>Role-</q:value>
>>                <q:anchorStart>true</q:anchorStart>
>>             </q:substring>
>>          </filter>
>>     </authorization>
>>
>>
>>
>>
>>
>> --
>> Best regards,
>>
>>
>>
>> Oleksandr Nekriach | Identity and access management engineer
>>
>> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>> <https://maps.google.com/?q=Mednieku+str.+4a,+Riga,+LV-1010,+Latvia&entry=gmail&source=g>
>>
>> +37125314685 <+371%2025%20314%20685>
>> ,
>> o.nekriach at dynatech.lv
>> |
>> www.dynatech.lv
>>
>>
>> Stay connected:
>> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
>> <https://www.linkedin.com/company-beta/17893047/>
>>
>>
>> Confidentiality Notice: This message contains confidential information
>> and is intended only for the named recipient(s). If you are not the
>> addressee you may not copy, distribute or perform any other activities with
>> this information. If you have received this transmission in error, please
>> notify us by e-mail immediately. E-mail transmission cannot be guaranteed
>> to be secure or error-free as information could be intercepted, corrupted,
>> lost, destroyed, arrive late or incomplete, or contain viruses.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>>
>>
>>
>
>



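Added example, not part of the original messages and not midPoint code: a small Python check that applies the two points from Ivan's reply (a target clause for the target-aware assign/unassign actions, and q:matching on substring filters) to the three authorization snippets in this thread. The namespace URIs and the finding names are assumptions of the example; an empty result only means both points are satisfied, not that the GUI behaves as intended.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs; the thread's fragments omit the declarations, so the
# checker wraps each fragment in a root element that supplies them.
NS = ('xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
      'xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
      'xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"')
UI = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3"
TARGET_AWARE = (UI + "#adminAssign", UI + "#adminUnassign")

def local(el):
    """Element name without its namespace."""
    return el.tag.rsplit("}", 1)[-1]

def lint(fragment):
    """Return one list of findings per <authorization> in the fragment."""
    root = ET.fromstring(f"<root {NS}>{fragment}</root>")
    report = []
    for auth in (e for e in root if local(e) == "authorization"):
        findings = []
        # Action URLs wrapped by a mail client contain whitespace; strip it all.
        actions = ["".join((a.text or "").split()) for a in auth if local(a) == "action"]
        if any(a in TARGET_AWARE for a in actions):
            if not any(local(c) == "target" for c in auth):
                findings.append("no-target")
            for sub in (e for e in auth.iter() if local(e) == "substring"):
                if not any(local(c) == "matching" for c in sub):
                    findings.append("substring-without-matching")
        report.append(findings)
    return report

ACT = f"<action>{UI}#adminAssign</action><action>\n{UI}#adminUnassign\n</action>"
# Condensed from the three snippets posted in this thread.
FIRST_TRY = f"""<authorization>{ACT}<c:object><c:type>RoleType</c:type></c:object>
  <filter><q:substring><q:path>name</q:path><q:value>Role-</q:value>
  <q:anchorStart>true</q:anchorStart></q:substring></filter></authorization>"""
NO_TARGET = f"<authorization>{ACT}<object><type>UserType</type></object></authorization>"
WITH_TARGET = f"""<authorization>{ACT}<object><type>UserType</type></object>
  <target><filter><q:type><q:type>c:RoleType</q:type><q:filter><q:substring>
  <q:matching>polyStringNorm</q:matching><q:path>name</q:path><q:value>Role</q:value>
  <q:anchorStart>true</q:anchorStart></q:substring></q:filter></q:type></filter></target>
</authorization>"""

if __name__ == "__main__":
    for label, frag in [("first try", FIRST_TRY), ("no target", NO_TARGET),
                        ("with target", WITH_TARGET)]:
        print(label, lint(frag))
```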