[midPoint] Authorization issue for items from an extension schema
Chris Woods
chris at cmwoods.com
Fri Jul 12 16:31:21 CEST 2019
Hi Frédéric,
we had trouble as well, but this is what ended up working:
<authorization>
    <name>autz-archetype-employee-read</name>
    <description>
        Allows reading of various fields. archetypeRef must be present,
        otherwise the user is displayed without archetype information
    </description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <archetypeRef oid="rs-archetype-employee" />
    </object>
    <item>archetypeRef</item>
    <item>name</item>
    <item>fullName</item>
    <item>givenName</item>
    <item>familyName</item>
    <item>extension/rsMainDepartment</item>
    <item>extension/rsWindowsLogon</item>
    <item>assignment/targetRef</item>
    <item>assignment/description</item>
    <item>assignment/extension/rsITSMTicketNumber</item>
    <item>assignment/extension/rsCRMSalesArea</item>
    <item>assignment/extension/rsCRMOrganisationalAssignment</item>
</authorization>
<authorization>
    <name>autz-archetype-employee-modify</name>
    <description>
        Allows modification of ITSM Ticket number, CRM Sales Area and CRM
        Organisational Assignment when assigning an object such as a role
    </description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>request</phase>
    <object>
        <archetypeRef oid="rs-archetype-employee" />
    </object>
    <item>assignment/extension/rsITSMTicketNumber</item>
    <item>assignment/extension/rsCRMSalesArea</item>
    <item>assignment/extension/rsCRMOrganisationalAssignment</item>
</authorization>
So, <target> is (as far as I am aware) used for assignment only. You
need <object> instead. The extension items should work without any "c:"
or "ext:" prefixes. As you can see we have extensions to the
AssignmentType too.
Hope this helps...
Regards,
Chris
On 2019-07-12 15:59, Frédéric Lohier wrote:
> Hello,
>
> I have an authorization in a role to allow a list of specific items of
> the User schema to be read by users who have this role assigned.
>
> This works well for items in the standard User schema, but when I try
> to do the same with items from an extension schema of UserType, it is
> not working.
>
> For example, in my-role.xml file, I have the following authorization:
>
> <role (…) xmlns:ext="http://my-user-extension/extension">
>     <authorization>
>         <name>Users item read authorizations</name>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>         <target>
>             <type>UserType</type>
>         </target>
>         <item>customItem</item>
>         <item>ext:customItem</item>
>         <item>extension/customItem</item>
>         <item>extension/ext:customItem</item>
>         <item>$user/extension/customItem</item>
>         <item>$user/extension/ext:customItem</item>
>         <item>emailAddress</item>
>     </authorization>
> </role>
>
> In the extension-user.xsd, I set the namespace for the extension and
> declare my customItem like this:
>
> <xsd:schema (…) targetNamespace="http://my-user-extension/extension"
>             xmlns:tns="http://my-user-extension/extension">
>     <xsd:complexType name="UserExtensionType">
>         <xsd:annotation>
>             <xsd:appinfo>
>                 <a:extension ref="c:UserType"/>
>             </xsd:appinfo>
>         </xsd:annotation>
>         <xsd:sequence>
>             <xsd:element name="customItem" minOccurs="0" maxOccurs="1"
>                          type="xsd:int">
>                 <xsd:annotation>
>                     <xsd:appinfo>
>                         <a:indexed>true</a:indexed>
>                         <a:displayName>My custom user item</a:displayName>
>                     </xsd:appinfo>
>                 </xsd:annotation>
>             </xsd:element>
>         </xsd:sequence>
>     </xsd:complexType>
> </xsd:schema>
>
> Am I missing something?
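Putting the advice in the reply together, here is the role from the question rewritten the same way: object instead of target, and the extension item addressed as an unprefixed path. This is an added illustration, not XML from either poster; it assumes the customItem name from the question, the standard midPoint common-3 namespace on the root element, and that the modify rule follows the same request-phase pattern as the second authorization above.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>my-role</name>

    <!-- Read rule: "object" selects which objects the rule applies to.
         "target" is only meaningful for assign/unassign authorizations,
         which is why the original UserType rule never matched. -->
    <authorization>
        <name>Users item read authorizations</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
        <!-- Extension items are addressed as extension/<name>;
             no ext: or c: prefix and no $user variable. -->
        <item>extension/customItem</item>
        <item>emailAddress</item>
    </authorization>

    <!-- Optional write rule for the same extension item, limited to the
         request phase as in the archetype example above (assumed). -->
    <authorization>
        <name>Users item modify authorizations</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>extension/customItem</item>
    </authorization>
</role>
```

Granting only the listed item paths keeps the role least-privilege: any user attribute not named in an item element stays invisible or read-only to holders of the role.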