[midPoint] Authorization restriction to some certain objects in Assignments window in User profile
Ivan Noris
ivan.noris at evolveum.com
Tue Jul 10 14:52:50 CEST 2018
Can you attach a portion of the screen so that I know what exactly is
missing? I would say this would be some missing GUI authorization, but I
would like to see the screenshot with an indication of what is missing.
Thank you!
Ivan
On 10.07.2018 10:06, Oleksandr Nekriach wrote:
> Ivan,
> When I add a target section with a filter, the adminAssign button disappears.
> Do you have a working example so I can understand what I am doing
> wrong?
>
> See the button but also see all the roles
> <authorization>
>     <name>AssignGUI</name>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>     <description>Assign/unassign in admin GUI (role profile)</description>
>     <object>
>         <type>UserType</type>
>     </object>
> </authorization>
>
>
> Don't see the button at all
>
> <authorization>
>     <name>AssignGUI</name>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>     <description>Assign/unassign in admin GUI (role profile)</description>
>     <object>
>         <type>UserType</type>
>     </object>
>     <target>
>         <filter>
>             <q:type>
>                 <q:type>c:RoleType</q:type>
>                 <q:filter>
>                     <q:substring>
>                         <q:matching>polyStringNorm</q:matching>
>                         <q:path>name</q:path>
>                         <q:value>Role</q:value>
>                         <q:anchorStart>true</q:anchorStart>
>                     </q:substring>
>                 </q:filter>
>             </q:type>
>         </filter>
>     </target>
> </authorization>
>
>
>
>
> On 10 July 2018 at 09:22, Oleksandr Nekriach <o.nekriach at dynatech.lv> wrote:
>
> Hi Ivan, thank you.
>
> On 9 July 2018 at 22:08, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
> Hi Oleksandr,
>
> please see the referenced Jira issue with an example that I
> reported earlier and that was fixed meanwhile.
>
> https://jira.evolveum.com/browse/MID-3615
>
> Maybe you're only missing the q:matching element. Or target;
> as assign/unassign are target-aware.
>
> Best regards,
>
> Ivan
>
>
> On 06.07.2018 13:54, Oleksandr Nekriach wrote:
>> Hello,
>> I am stuck. Is it possible to restrict access to only certain
>> objects (e.g. only roles with the Role- prefix) in the
>> Assignments window in the User profile?
>> Something like this, but this example does not work.
>>
>> <authorization>
>>     <name>AssignGUI</name>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
>>     <description>Assign/unassign in admin GUI (role profile)</description>
>>     <c:object>
>>         <c:type>RoleType</c:type>
>>     </c:object>
>>     <filter>
>>         <q:substring>
>>             <q:path>name</q:path>
>>             <q:value>Role-</q:value>
>>             <q:anchorStart>true</q:anchorStart>
>>         </q:substring>
>>     </filter>
>> </authorization>
>>
>> --
>> Best regards,
>>
>> Oleksandr Nekriach | Identity and access management engineer
>> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>> +37125314685, o.nekriach at dynatech.lv | www.dynatech.lv
>>
>> Confidentiality Notice: This message contains confidential
>> information and is intended only for the named recipient(s).
>> If you are not the addressee you may not copy, distribute or
>> perform any other activities with this information. If you
>> have received this transmission in error, please notify us by
>> e-mail immediately. E-mail transmission cannot be guaranteed
>> to be secure or error-free as information could be
>> intercepted, corrupted, lost, destroyed, arrive late or
>> incomplete, or contain viruses.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
--
Ivan Noris
Senior Identity Engineer
evolveum.com
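
The two omissions suggested in the quoted reply of 9 July (a missing q:matching element, a missing target) can be checked mechanically. The Python below is an added example, not part of the thread or of midPoint; the names `lint_authorization` and `local` and the finding strings are hypothetical, and the two sample fragments are condensed from the XML quoted above.

```python
import xml.etree.ElementTree as ET

# Namespace URIs midPoint uses for the q: (query) and c: (common) prefixes.
NS = {
    "q": "http://prism.evolveum.com/xml/ns/public/query-3",
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
}
TARGET_AWARE = ("#adminAssign", "#adminUnassign")  # the actions used in the thread


def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]


def lint_authorization(fragment):
    """Return findings for one <authorization> fragment (hypothetical helper)."""
    decls = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    root = ET.fromstring(f"<wrapper {decls}>{fragment}</wrapper>")
    auth = root[0]
    findings = []
    actions = [(e.text or "").strip() for e in auth if local(e.tag) == "action"]
    if any(a.endswith(TARGET_AWARE) for a in actions) and all(local(e.tag) != "target" for e in auth):
        findings.append("assign/unassign action without <target>")
    for sub in auth.iter():
        if local(sub.tag) == "substring" and not any(local(c.tag) == "matching" for c in sub):
            findings.append("<q:substring> without <q:matching>")
    return findings


# Sample fragments condensed from the XML quoted in the thread.
ACTIONS = "".join(
    f"<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3{a}</action>"
    for a in TARGET_AWARE
)
FIRST_POST = (
    f"<authorization>{ACTIONS}<c:object><c:type>RoleType</c:type></c:object>"
    "<filter><q:substring><q:path>name</q:path><q:value>Role-</q:value>"
    "</q:substring></filter></authorization>"
)
WITH_TARGET = (
    f"<authorization>{ACTIONS}<object><type>UserType</type></object>"
    "<target><filter><q:type><q:type>c:RoleType</q:type><q:filter><q:substring>"
    "<q:matching>polyStringNorm</q:matching><q:path>name</q:path>"
    "<q:value>Role</q:value></q:substring></q:filter></q:type></filter>"
    "</target></authorization>"
)

if __name__ == "__main__":
    print(lint_authorization(FIRST_POST), lint_authorization(WITH_TARGET))
```

The second fragment passes both checks even though its author reports the button disappearing, so these checks cover only the two omissions named in that reply.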