[midPoint] Using assignment organization reference in role authorization
Frédéric Lohier
frederic at lohier.org
Thu Jul 25 17:04:01 CEST 2019
Hi all,
I want to delegate the modification of specific organizations to some
selected users.
To achieve that, I defined an “organization manager” role that I can assign
to users with the Organization reference parameter indicating the
organization they are allowed to modify.
Below is the authorization, but I can’t manage to find the correct filter
to get the oid of the orgRef parameter of the user’s assignment to the
“organization manager” role:
<role>
    ...
    <authorization>
        <name>Organization items modify authorizations</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>OrgType</type>
            <filter>find the oid of the orgRef parameter of the user’s assignment
                to the “organization manager” role</filter>
        </object>
    </authorization>
    ...
</role>
Is this the right approach?
I successfully tried the <orgRelation> object filter, which gives the modify
authorization on all organizations assigned to the user with a “manager”
relation, but it feels messier.
<orgRelation>
    <subjectRelation>org:manager</subjectRelation>
    <scope>allDescendants</scope>
    <includeReferenceOrg>true</includeReferenceOrg>
</orgRelation>
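For readers arriving at this thread: the following is an added example, not part of the original post, showing where the <orgRelation> specification sits in a complete midPoint role. It is a child of <object> (next to <type>), not of <filter>, and a matching read authorization is paired with the modify one so the manager can actually see the org they are allowed to edit. It assumes the midPoint common-3 schema and the org-3 namespace for the org:manager relation; the role name is a placeholder.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <name>Organization manager</name> <!-- placeholder name -->

    <!-- Let the manager see the orgs they manage (and their descendants). -->
    <authorization>
        <name>Managed organizations: read</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>OrgType</type>
            <!-- orgRelation is an object specification, a sibling of <type>, not a <filter>. -->
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
                <scope>allDescendants</scope>
                <includeReferenceOrg>true</includeReferenceOrg>
            </orgRelation>
        </object>
    </authorization>

    <!-- Same scope for modifications: every org where the subject holds the manager relation. -->
    <authorization>
        <name>Managed organizations: modify</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>OrgType</type>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
                <scope>allDescendants</scope>
                <includeReferenceOrg>true</includeReferenceOrg>
            </orgRelation>
        </object>
    </authorization>
</role>
```

Note the blast radius of <scope>allDescendants</scope>: a user assigned as manager of a top-level org gains modify rights over the whole subtree, so review who holds the manager relation on high-level orgs before rolling this out.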