[midPoint] get the name of OrgType in filter

Emil Militzer emil.militzer at posteo.de
Sun Feb 6 10:15:04 CET 2022


Hello,

I came to the realization that this is overcomplicated. Midpoint offers the path expression, which is cleaner and more useful in this case.

<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>OrgType</type>
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <expression>
                    <queryInterpretationOfNoValue>filterNone</queryInterpretationOfNoValue>
                    <path>$subject/organization</path>
                </expression>
            </q:equal>
        </filter>
    </object>
</authorization>
This is also the example from the midpoint Authorization configuration wiki page.

Kind Regards
Emil



> On 05.02.2022 at 21:15, Emil Militzer <emil.militzer at posteo.de> wrote:
> 
> Hello,
> 
> You don’t have access to the name of the org in the expression context because inside the expression you need to compute the value list for the possible name parameters in the query.
> If I understand your requirement correctly you want to allow the read access to all orgs which are configured in the Organisation attribute of the user.
> Can you try the following configuration?
> (It works with midpoint 4.3 and later; if you use an older version you can access midpoint.getPrincipal().getUser() to get the UserType object.)
> 
> 
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>         <type>OrgType</type>
>         <filter>
>             <q:equal>
>                 <q:path>name</q:path>
>                 <expression>
>                     <script>
>                         <code>import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
>                         return ((UserType)midpoint.getPrincipal().getFocus()).getOrganization()
>                         </code>
>                     </script>
>                 </expression>
>             </q:equal>
>         </filter>
>     </object>
> </authorization>
> 
> Kind Regards,
> Emil
> 
> I want to restrict the authorization to view only OrgType that is in a predefined list for each user.
> Below is the code and I am wondering how to get something like the variable “thisInputOrgName”.
> Any idea?
> 
> [inline image image001.png (the configuration screenshot referred to above) was scrubbed from the archive]
> 
> 
> Many thanks for the help in advance!
> 
> Best regards,
> Hsin-Fang
> 

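To make the `queryInterpretationOfNoValue` setting in the filter above concrete, here is an added Python model (not midPoint code, and not part of this thread) of how the `name` equality filter resolves when `$subject/organization` yields several values or none. The filterNone / filterAll behaviour is modelled as an assumption based on the setting names, and the org names and subjects are constructed sample data.

```python
# Added example: a model of the authorization filter `name = $subject/organization`.
# Not midPoint code. The meaning of filterNone / filterAll is an assumption
# derived from the setting names; ORGS and SUBJECTS are constructed sample data.

# Constructed sample repository content: names of OrgType objects.
ORGS = ["Finance", "HR", "IT", "Legal"]

# Constructed sample subjects: the multi-valued `organization` property of the
# logged-in user, as the path expression $subject/organization would read it.
SUBJECTS = {
    "alice": ["Finance", "HR"],   # two organizations -> two readable orgs
    "bob": [],                    # no organization set at all (the edge case)
}


def evaluate_name_filter(subject_orgs, org_names, no_value_mode="filterNone"):
    """Return the org names the subject may read under the equality filter.

    A multi-valued expression result behaves like an "is one of" match.
    When the expression yields no value, `no_value_mode` decides what the
    filter becomes: filterNone matches nothing, filterAll matches everything.
    """
    values = [v for v in subject_orgs if v]
    if values:
        return [name for name in org_names if name in values]
    if no_value_mode == "filterNone":
        return []                     # no value -> the subject reads no orgs
    if no_value_mode == "filterAll":
        return list(org_names)        # no value -> the subject reads every org
    raise ValueError(f"mode not modelled here: {no_value_mode}")


def readable_orgs_for(user, no_value_mode="filterNone"):
    """Convenience wrapper over the constructed sample data."""
    return evaluate_name_filter(SUBJECTS[user], ORGS, no_value_mode)


if __name__ == "__main__":
    for user in SUBJECTS:
        print(user, "filterNone:", readable_orgs_for(user, "filterNone"),
              "filterAll:", readable_orgs_for(user, "filterAll"))
```

The contrast for `bob` is the reason the thread's filter pins the setting to filterNone: a user with no organization should end up with an empty read scope, not an unrestricted one.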