[midPoint] Authorization issue for items from an extension schema

Frédéric Lohier frederic at lohier.org
Fri Jul 12 16:49:05 CEST 2019


Thank you for your answer, Chris!
I found my error, I had another authorization in another role where I
forgot the "extension/" before my customItem name.

-Frederic

On Fri, Jul 12, 2019, 16:31 Chris Woods <chris at cmwoods.com> wrote:

> Hi Frédéric,
>
> we had trouble as well, but this is what ended up working:
>
> <authorization>
>     <name>autz-archetype-employee-read</name>
>     <description>
>         Allows reading of various fields.
>         archetypeRef must be present,
>         otherwise the user is displayed without archetype information
>     </description>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>         <archetypeRef oid="rs-archetype-employee"/>
>     </object>
>     <item>archetypeRef</item>
>     <item>name</item>
>     <item>fullName</item>
>     <item>givenName</item>
>     <item>familyName</item>
>     <item>extension/rsMainDepartment</item>
>     <item>extension/rsWindowsLogon</item>
>     <item>assignment/targetRef</item>
>     <item>assignment/description</item>
>     <item>assignment/extension/rsITSMTicketNumber</item>
>     <item>assignment/extension/rsCRMSalesArea</item>
>     <item>assignment/extension/rsCRMOrganisationalAssignment</item>
> </authorization>
>
>
> <authorization>
>     <name>autz-archetype-employee-modify</name>
>     <description>
>         Allows modification of ITSM Ticket number,
>         CRM Sales Area and CRM Organisational Assignment
>         when assigning an object such as role
>     </description>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <phase>request</phase>
>     <object>
>         <archetypeRef oid="rs-archetype-employee"/>
>     </object>
>     <item>assignment/extension/rsITSMTicketNumber</item>
>     <item>assignment/extension/rsCRMSalesArea</item>
>     <item>assignment/extension/rsCRMOrganisationalAssignment</item>
> </authorization>
>
>
> So, <target> is (as far as I am aware) used for assignment only. You
> need <object> instead. The extension items should work without any "c:"
> or "ext:" prefixes. As you can see we have extensions to the
> AssignmentType too.
>
> Hope this helps...
>
> Regards,
> Chris
>
> On 2019-07-12 15:59, Frédéric Lohier wrote:
> > Hello,
> >
> > I have an authorization in a role to allow a list of specific items of
> > the User schema to be read by users who have this role assigned.
> >
> > This works well for items in the standard User schema, but when I try
> > to do the same with items from an extension schema of UserType, it is
> > not working.
> >
> > For example, in my-role.xml file, I have the following authorization:
> >
> > <role (…) xmlns:ext="http://my-user-extension/extension">
> >     <authorization>
> >         <name>Users item read authorizations</name>
> >         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
> >         <target>
> >             <type>UserType</type>
> >         </target>
> >         <item>customItem</item>
> >         <item>ext:customItem</item>
> >         <item>extension/customItem</item>
> >         <item>extension/ext:customItem</item>
> >         <item>$user/extension/customItem</item>
> >         <item>$user/extension/ext:customItem</item>
> >         <item>emailAddress</item>
> >     </authorization>
> > </role>
> >
> > In the extension-user.xsd, I set the namespace for the extension and
> > declare my customItem like this:
> >
> > <xsd:schema (…) targetNamespace="http://my-user-extension/extension"
> >             xmlns:tns="http://my-user-extension/extension">
> >     <xsd:complexType name="UserExtensionType">
> >         <xsd:annotation>
> >             <xsd:appinfo>
> >                 <a:extension ref="c:UserType"/>
> >             </xsd:appinfo>
> >         </xsd:annotation>
> >         <xsd:sequence>
> >             <xsd:element name="customItem" minOccurs="0" maxOccurs="1" type="xsd:int">
> >                 <xsd:annotation>
> >                     <xsd:appinfo>
> >                         <a:indexed>true</a:indexed>
> >                         <a:displayName>My custom user item</a:displayName>
> >                     </xsd:appinfo>
> >                 </xsd:annotation>
> >             </xsd:element>
> >         </xsd:sequence>
> >     </xsd:complexType>
> > </xsd:schema>
> >
> > Am I missing something?
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
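The mistake that closed this thread (an authorization `<item>` naming an extension element without the `extension/` path segment, hidden in a second role) is easy to miss by eye across many role files. The following is an added example, not code from the thread or from the midPoint project: a small Python lint that reads the element names declared in the user extension XSD and then flags any authorization `<item>` whose last path segment is one of those names but which has no `extension` segment before it, plus a `<target>` used where Chris's reply says `<object>` belongs. The XSD and the two role documents are constructed for the demo (the midPoint common-3 namespace is real; the extension namespace and element names follow the thread's own sketches).

```python
"""Lint midPoint role XML for extension items missing the "extension/" segment.

Added example, not part of the mailing-list thread or of midPoint itself.
Sample schema and roles below are constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed extension schema, modelled on the thread's extension-user.xsd.
# Element names and the target namespace are assumptions for this example.
EXTENSION_XSD = """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            targetNamespace="http://my-user-extension/extension"
            xmlns:tns="http://my-user-extension/extension">
  <xsd:complexType name="UserExtensionType">
    <xsd:sequence>
      <xsd:element name="customItem" minOccurs="0" maxOccurs="1" type="xsd:int"/>
      <xsd:element name="rsWindowsLogon" minOccurs="0" maxOccurs="1" type="xsd:string"/>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>"""

ACTION_READ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read"

# Constructed role reproducing the mistake: a bare "customItem", a prefixed
# "ext:customItem" instead of "extension/customItem", and <target> where
# <object> is needed for an object selector.
BUGGY_ROLE_XML = f"""<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ext="http://my-user-extension/extension">
  <name>other-role (constructed)</name>
  <authorization>
    <name>Users item read authorizations</name>
    <action>{ACTION_READ}</action>
    <target>
      <type>UserType</type>
    </target>
    <item>customItem</item>
    <item>ext:customItem</item>
    <item>emailAddress</item>
  </authorization>
</role>"""

# Constructed role written the way the thread concludes it should be.
CORRECT_ROLE_XML = f"""<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>my-role (constructed)</name>
  <authorization>
    <name>Users item read authorizations</name>
    <action>{ACTION_READ}</action>
    <object>
      <type>UserType</type>
    </object>
    <item>extension/customItem</item>
    <item>extension/rsWindowsLogon</item>
    <item>emailAddress</item>
  </authorization>
</role>"""


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def extension_element_names(xsd_text):
    """Return the set of element names declared in the extension schema."""
    root = ET.fromstring(xsd_text)
    return {el.get("name") for el in root.iter()
            if _local(el.tag) == "element" and el.get("name")}


def lint_role(role_xml, ext_names):
    """Return (authorization name, offending fragment, message) tuples."""
    findings = []
    root = ET.fromstring(role_xml)
    for autz in root.iter():
        if _local(autz.tag) != "authorization":
            continue
        autz_name = next((c.text.strip() for c in autz
                          if _local(c.tag) == "name" and c.text), "<unnamed>")
        for child in autz:
            kind = _local(child.tag)
            if kind == "target":
                findings.append((autz_name, "<target>",
                                 "<target> is for assignment authorizations; "
                                 "put the object selector in <object>"))
            elif kind == "item" and child.text:
                path = child.text.strip()
                # Drop namespace prefixes ("ext:customItem" -> "customItem") so the
                # comparison is on local names; "$user/extension/x" still passes.
                segments = [seg.split(":")[-1] for seg in path.split("/")]
                if segments[-1] in ext_names and "extension" not in segments[:-1]:
                    findings.append((autz_name, path,
                                     'extension element referenced without an '
                                     '"extension/" path segment'))
    return findings


if __name__ == "__main__":
    ext = extension_element_names(EXTENSION_XSD)
    for label, xml in (("buggy", BUGGY_ROLE_XML), ("correct", CORRECT_ROLE_XML)):
        findings = lint_role(xml, ext)
        print(f"{label}: {len(findings)} finding(s)")
        for autz_name, fragment, msg in findings:
            print(f"  [{autz_name}] {fragment}: {msg}")
```

Run over a directory of role files, the lint reports the buggy role's three problems and nothing for the corrected one; because it matches on local names after stripping any prefix, it also catches `ext:customItem`, which the thread shows is not the path midPoint expects.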