[midPoint] parametrized authorization

Pascal PÉRICHON pascal.perichon at u-paris.fr
Fri Feb 26 21:27:56 CET 2021


Sorry, I answer to myself: stupid question, <filter> is just a filter 
mapped into a Hibernate query.

On 26/02/2021 at 12:01, Pascal PÉRICHON via midPoint wrote:
> Hi,
>
> I need in an authorization to know which value is actually presented 
> by <q:path>extension/listeAffectations</q:path>.
>
> The problem is that "extension/listeAffectations" in user accounts is 
> a multi-valued field, and I need to compare this value presented by 
> the authorisation with another in a multivalued field in the "actor" 
> account. Looking for the good groovy code.
>
>     <authorization>
>         <name>delegations-users-read-modify</name>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>
>         <object>
>             <type>UserType</type>
>             <filter>
>                 <q:and>
>                     <q:equal>
>                         <q:path>extension/listeAffectations</q:path>
>                         <expression>
>                             <script>
>                                 <code>
>                                     // the groovy code to know which value is actually presented
>                                     // by <q:path>extension/listeAffectations</q:path>
>                                     // to the variable actor or subject
>                                     return the_good_choosen_value_depending_of_context;
>                                 </code>
>                             </script>
>                         </expression>
>                     </q:equal>
>                 </q:and>
>             </filter>
>         </object>
>
>         <item>emailAddress</item>
>         <item>extension/telephonePersonnel</item>
>     </authorization>
>
>
> I checked with "this.binding.variables.each {k,v -> log.info("{} = 
> {}", k, v)};" to find this data... but nothing easy.
>
> I know that maybe it's not the way that midPoint is working, but it's 
> for a very specific use and I can't use an organization structure.
>
> Any help?
>
> Thanks a lot
>
>
> -------
> *Pascal PÉRICHON*
> Identity repository manager
> Information Systems and Digital Directorate
> Université de Paris
> Bâtiment les Grands Moulins - Aile A - Bureau 721A
> 5 rue Thomas Mann 75013 Paris