[midPoint] (no subject)
tomas.husar at ibask.eu
Wed Oct 21 09:06:38 CEST 2020
Hello all,
I have the following trouble.
I have a user who acts in a specific role.
The user's organizationID is 94270,
and I am trying to grant the user (through the role) rights to read
other users which belong to the same organizationID (organizationID is an
extension attribute).
I started doing it according to
https://wiki.evolveum.com/display/midPoint/Authorization+Configuration#AuthorizationConfiguration-ObjectSpecification
and wrote some filtering inside the role XML (here is a simplified one).
BUT,
when I log into midPoint as the mentioned user, I see all the users, regardless
of the value of organizationID.
When I filter on organizationID in the UI, it works and I see just the users
with the requested organizationID;
when I add <special>self</special> to object, I see that self is used.
So why does the filter not work? What am I doing wrong? I tried as well to
do it with a script; I logged every user which was filtered. But.. it DOES NOT
WORK.
<authorization id="25">
    <name>[Zamestnanec XY] EXT/TEMP Some user attributes (read)</name>
    <description>Allow visibility of users attributes (EXT/TEMP)</description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object id="24">
        <type>UserType</type>
        <filter>
            <q:equal>
                <q:path>extension/organizationID</q:path>
                <q:value>94270</q:value>
            </q:equal>
        </filter>
        <!-- <special>self</special> -->
    </object>
    <c:item>name</c:item>
    <c:item>subtype</c:item>
    <c:item>extension/organizationID</c:item>
</authorization>
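As an added illustration (not from the post and not midPoint's own code), a small Python model of how the posted authorization would be evaluated: it parses the q:equal filter, applies it to constructed sample users, and shows that midPoint combines the allow authorizations from all of the user's roles, so a second read authorization on UserType without an object filter (constructed here) makes every user visible, which is one thing to check when a filtered authorization appears to be ignored. The q: and c: namespace URIs are midPoint's; the user records and the unfiltered authorization are constructed.

```python
import xml.etree.ElementTree as ET
# midPoint/Prism namespaces behind the q: and c: prefixes in the post.
NS = {"q": "http://prism.evolveum.com/xml/ns/public/query-3",
      "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
READ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read"
# The posted authorization, with namespace declarations added so it parses alone.
FILTERED_AUTH = f"""<authorization xmlns:q="{NS['q']}" xmlns:c="{NS['c']}">
  <action>{READ}</action>
  <object><type>UserType</type>
    <filter><q:equal><q:path>extension/organizationID</q:path>
      <q:value>94270</q:value></q:equal></filter></object>
  <c:item>name</c:item><c:item>extension/organizationID</c:item>
</authorization>"""
# Constructed: a read authorization on UserType with no object filter at all.
UNFILTERED_AUTH = (f"<authorization><action>{READ}</action>"
                   "<object><type>UserType</type></object></authorization>")
# Constructed sample users; organizationID lives in the extension container.
USERS = [{"name": "alice", "extension": {"organizationID": "94270"}},
         {"name": "bob", "extension": {"organizationID": "94270"}},
         {"name": "carol", "extension": {"organizationID": "11111"}}]

def parse_authorization(xml_text):
    """Extract action, object type, an optional q:equal filter and the c:item list."""
    root = ET.fromstring(xml_text)
    obj = root.find("object")
    eq = None if obj is None else obj.find("filter/q:equal", NS)
    return {"action": root.findtext("action", "").strip(),
            "type": None if obj is None else obj.findtext("type"),
            "filter": None if eq is None else (eq.findtext("q:path", namespaces=NS),
                                               eq.findtext("q:value", namespaces=NS)),
            "items": [i.text for i in root.findall("c:item", NS)]}

def lookup(user, path):
    node = user  # resolve an item path such as extension/organizationID
    for step in path.split("/"):
        node = node.get(step) if isinstance(node, dict) else None
    return node

def matches(auth, user):
    """An object specification without a filter covers every object of its type."""
    if auth["filter"] is None:
        return True
    path, value = auth["filter"]
    return str(lookup(user, path)) == value

def visible_users(auths, users):
    """Allow authorizations from all roles are combined: any matching read auth suffices."""
    reads = [a for a in auths if a["action"] == READ and a["type"] == "UserType"]
    return sorted(u["name"] for u in users if any(matches(a, u) for a in reads))
```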