[midPoint] Authorization restriction to some certain objects in Assignments window in User profile

Ivan Noris ivan.noris at evolveum.com
Tue Jul 10 14:52:50 CEST 2018


Can you attach a portion of the screen so that I know what exactly is
missing? I would say this would be some missing GUI authorization, but I
would like to see the screenshot with an indication of what is missing.


Thank you!

Ivan


On 10.07.2018 10:06, Oleksandr Nekriach wrote:
> Ivan,
> When I add a target section with a filter, the adminAssign button disappears.
> Do you have a working example so that I can understand what I am doing
> wrong?
>
> I see the button but also see all the roles:
>      <authorization>
>         <name>AssignGUI</name>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>         <description>Assign/unassign in admin GUI (role profile)</description>
>         <object>
>           <type>UserType</type>
>         </object>
>      </authorization>
>
>
> I don't see the button at all:
>
>      <authorization>
>         <name>AssignGUI</name>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>         <description>Assign/unassign in admin GUI (role profile)</description>
>         <object>
>           <type>UserType</type>
>         </object>
>         <target>
>           <filter>
>             <q:type>
>               <q:type>c:RoleType</q:type>
>               <q:filter>
>                 <q:substring>
>                   <q:matching>polyStringNorm</q:matching>
>                   <q:path>name</q:path>
>                   <q:value>Role</q:value>
>                   <q:anchorStart>true</q:anchorStart>
>                 </q:substring>
>               </q:filter>
>             </q:type>
>           </filter>
>         </target>
>      </authorization>
>
>
>
>
> On 10 July 2018 at 09:22, Oleksandr Nekriach <o.nekriach at dynatech.lv> wrote:
>
>     Hi Ivan, thank you.
>
>     On 9 July 2018 at 22:08, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>         Hi Oleksandr,
>
>         Please see the referenced Jira issue, with an example, that I
>         reported earlier and that was fixed in the meantime.
>
>         https://jira.evolveum.com/browse/MID-3615
>
>         Maybe you're only missing the q:matching element. Or the target,
>         as assign/unassign are target-aware.
>
>         Best regards,
>
>         Ivan
>
>
>         On 06.07.2018 13:54, Oleksandr Nekriach wrote:
>>         Hello,
>>         I am stuck. Is it possible to restrict access to certain
>>         objects only (e.g. roles with the Role- prefix only) in the
>>         Assignments window in the User profile?
>>         Something like this, but this example does not work.
>>
>>              <authorization>
>>                 <name>AssignGUI</name>
>>                 <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>>                 <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>>                 <description>Assign/unassign in admin GUI (role profile)</description>
>>                 <c:object>
>>                     <c:type>RoleType</c:type>
>>                 </c:object>
>>                 <filter>
>>                     <q:substring>
>>                        <q:path>name</q:path>
>>                        <q:value>Role-</q:value>
>>                        <q:anchorStart>true</q:anchorStart>
>>                     </q:substring>
>>                 </filter>
>>              </authorization>
>>
>>
>>
>>
>>
>>         -- 
>>         Best regards,
>>
>>
>>
>>         Oleksandr Nekriach | Identity and access management engineer
>>
>>         Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>>
>>         +37125314685, o.nekriach at dynatech.lv | www.dynatech.lv
>>
>>
>>         Stay connected:
>>         <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
>>         <https://www.linkedin.com/company-beta/17893047/>
>>
>>
>>         Confidentiality Notice: This message contains confidential
>>         information and is intended only for the named recipient(s).
>>         If you are not the addressee you may not copy, distribute or
>>         perform any other activities with this information. If you
>>         have received this transmission in error, please notify us by
>>         e-mail immediately. E-mail transmission cannot be guaranteed
>>         to be secure or error-free as information could be
>>         intercepted, corrupted, lost, destroyed, arrive late or
>>         incomplete, or contain viruses.
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>         <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>         -- 
>         Ivan Noris
>         Senior Identity Engineer
>         evolveum.com <http://evolveum.com>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
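
The two hints quoted above (a missing q:matching element, a missing target) can be checked mechanically before an authorization is loaded. The Python lint below is an added example, not part of the original thread or of midPoint itself; the function names and finding texts are assumptions, the embedded fragments are condensed copies of the three snippets in the thread, and the check for a filter placed directly under the authorization is inferred from the later snippet, which moves it under target. It checks structure only and does not explain why the button disappears with the third variant.

```python
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q = "http://prism.evolveum.com/xml/ns/public/query-3"
UI = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#"
ACTIONS = f"<action>{UI}adminAssign</action><action>{UI}adminUnassign</action>"

# The three snippets from the thread, condensed (name/description omitted).
ORIGINAL = f"""<authorization>{ACTIONS}
  <c:object><c:type>RoleType</c:type></c:object>
  <filter><q:substring><q:path>name</q:path><q:value>Role-</q:value>
    <q:anchorStart>true</q:anchorStart></q:substring></filter>
</authorization>"""
NO_TARGET = f"""<authorization>{ACTIONS}
  <object><type>UserType</type></object>
</authorization>"""
WITH_TARGET = f"""<authorization>{ACTIONS}
  <object><type>UserType</type></object>
  <target><filter><q:type><q:type>c:RoleType</q:type><q:filter><q:substring>
    <q:matching>polyStringNorm</q:matching><q:path>name</q:path>
    <q:value>Role</q:value><q:anchorStart>true</q:anchorStart>
  </q:substring></q:filter></q:type></filter></target>
</authorization>"""

def local(el):
    """Element name without its namespace."""
    return el.tag.rsplit("}", 1)[-1]

def children(el, name):
    return [c for c in el if local(c) == name]

def lint_authorization(fragment):
    """Check one <authorization> fragment against the hints given in the thread."""
    # Wrapper element declares the c: and q: prefixes the fragments rely on.
    root = ET.fromstring(f'<r xmlns="{C}" xmlns:c="{C}" xmlns:q="{Q}">{fragment}</r>')
    findings = []
    for auth in children(root, "authorization"):
        actions = [(a.text or "").strip() for a in children(auth, "action")]
        if not any(a.endswith(("#adminAssign", "#adminUnassign")) for a in actions):
            continue  # only the target-aware assign/unassign actions are checked
        if children(auth, "filter"):
            findings.append("filter placed directly under authorization")
        if not children(auth, "target"):
            findings.append("no target: assignable roles are not restricted")
        for el in auth.iter():
            if local(el) == "substring" and not children(el, "matching"):
                findings.append("substring filter without q:matching")
    return findings

if __name__ == "__main__":
    for label, xml in (("original", ORIGINAL), ("no target", NO_TARGET), ("with target", WITH_TARGET)):
        print(label, "->", lint_authorization(xml) or "no findings")
```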
