[midPoint] get the name of OrgType in filter

Hsin-Fang Hsu hsin-fang.hsu at itconcepts.ch
Mon Feb 7 09:10:15 CET 2022


Hello Emil,

Thanks a lot for the reply!!
The two methods you provided are good solutions for one organization.
It doesn’t work if there is more than one value in organization (organization can be a list, but the equal filter takes only one value to be compared with).
In my case, I want to show OrgType from a list of organizations.

What I am doing now is using several object selectors, one for each org that might be shown in the list (i.e., repeating the block below many times in one read authorization).
<object>
    <type>OrgType</type>
    <filter>
        <q:equal>
            <q:path>name</q:path>
            <expression>
                <script>
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
                        // load the logged-in user from the principal OID
                        UserType user = midpoint.getObject(UserType.class, midpoint.principalOid.toString())
                        orgUnits = user.getOrganization()
                        // this selector can only ever yield one org name, hence one selector per org
                        if (orgUnits.any { it =~ "management:org XXXX" }) {
                            return "org XXXX"
                        }
                    </code>
                </script>
            </expression>
        </q:equal>
    </filter>
</object>

What I did is certainly not a good way to scale to lots of organizations.


Many thanks and best regards,
Hsin-Fang


From: Emil Militzer <emil.militzer at posteo.de>
Sent: Sunday, February 6, 2022 10:15 AM
To: Hsin-Fang Hsu <hsin-fang.hsu at itconcepts.ch>; midpoint at lists.evolveum.com
Subject: Re: [midPoint] get the name of OrgType in filter

Hello,

I came to the realization that this is overcomplicated. midPoint offers the path expression, which is cleaner and more useful in this case.


<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>OrgType</type>
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <expression>
                    <!-- if the subject has no organization value, the filter matches nothing -->
                    <queryInterpretationOfNoValue>filterNone</queryInterpretationOfNoValue>
                    <!-- multi-valued: every organization value of the subject becomes a candidate name -->
                    <path>$subject/organization</path>
                </expression>
            </q:equal>
        </filter>
    </object>
</authorization>
This is also the example from the midpoint Authorization configuration wiki page.

Kind Regards
Emil
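To make the behaviour of that filter concrete, here is a small added model (my own example code, not from the thread and not midPoint's own implementation) of how a read authorization with an `equal` filter on `name` and a multi-valued `$subject/organization` expression decides which OrgType objects a subject may read. The `Subject` class, `readable_orgs` function and the org names are constructed for illustration; `filterNone` is the value used in the thread, and `filterAll` is assumed here to be the alternative interpretation that matches everything when the expression yields no value.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Subject:
    """The authenticated principal; `organization` is multi-valued in midPoint."""
    name: str
    organization: list[str] = field(default_factory=list)


def equal_filter_values(subject: Subject, no_value: str) -> list[str] | None:
    """Value list that the `equal` filter on `name` compares against.

    With a non-empty organization list, every value is a candidate (this is what
    the single-value script in the thread could not express).  With an empty list,
    `queryInterpretationOfNoValue` decides the outcome:
      filterNone -> match nothing            (fail closed, used in the thread)
      filterAll  -> no restriction at all    (assumed alternative; fails open)
    `None` is used here to mean "no restriction".
    """
    values = list(subject.organization)
    if values:
        return values
    if no_value == "filterNone":
        return []
    if no_value == "filterAll":
        return None
    raise ValueError(f"unsupported queryInterpretationOfNoValue: {no_value}")


def readable_orgs(subject: Subject, all_org_names: list[str],
                  no_value: str = "filterNone") -> list[str]:
    """OrgType names the subject is allowed to read under the authorization."""
    allowed = equal_filter_values(subject, no_value)
    if allowed is None:
        return list(all_org_names)          # filterAll: every org is visible
    allowed_set = set(allowed)
    return [org for org in all_org_names if org in allowed_set]


# constructed sample OrgType names
ORGS = ["org A", "org B", "org C"]
```

A subject with no organization value gets an empty result under `filterNone`, whereas `filterAll` would expose every org; that is why the empty-value interpretation is part of the authorization, not an afterthought.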




On 05.02.2022 at 21:15, Emil Militzer <emil.militzer at posteo.de> wrote:

Hello,

You don’t have access to the name of the org in the expression context because inside the expression you need to compute the value list for the possible name parameters in the query.
If I understand your requirement correctly you want to allow the read access to all orgs which are configured in the Organisation attribute of the user.
Can you try the following configuration?
(It works with midPoint 4.3 and later; if you use an older version, you can access midpoint.getPrincipal().getUser() to get the UserType object.)



<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>OrgType</type>
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <expression>
                    <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
                            // all organization values of the logged-in user become the value list for name
                            return ((UserType) midpoint.getPrincipal().getFocus()).getOrganization()
                        </code>
                    </script>
                </expression>
            </q:equal>
        </filter>
    </object>
</authorization>

Kind Regards,
Emil


I want to restrict the authorization to view only OrgType that is in a predefined list for each user.

Below is the code and I am wondering how to get something like the variable “thisInputOrgName”.

Any idea?


Many thanks for the help in advance!



Best regards,

Hsin-Fang


