[midPoint] Authorization for role request but "member" or "default" relation only

Peter Holes pholes at gmail.com
Wed Apr 10 17:11:27 CEST 2019


Hi Wojtech,

did you try authorization like this:

<authorization>
   <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
   <phase>request</phase>
   <target>
      <type>RoleType</type>
   </target>
   <item>assignment/activation/validFrom</item>
   <item>assignment/activation/validTo</item>
</authorization>

This will limit the "Properties" on "Request Role" and assign the
roles only with default relation. Users will not be able to change the
relation type to something else, because the attribute "relation" is not
readable.

To allow visibility of the relation attribute, just add an additional item:
<item>assignment/targetRef</item>

Hope this is what you want ;).

Peter.

--
Sent from Sony Xperia™ smartphone.
Please excuse any typos.


