[midPoint] authorisation for role manager
Markus Calmius
markus.calmius at proton.ch
Tue Dec 12 11:37:00 CET 2023
Hi
we're trying to create a couple of admin roles to split the "super user" into sub-admins.
In other words, I want to limit authorisations as much as I can.
Our first admin role that will be used is a "role manager", and below are the authorisations that we have right now. I am worried, though, that it is not limited enough. There are a couple of authorisations for which I haven't been able to use an object or target or anything to specify what the authorisation is referring to.
Please take a look and share any thoughts.
kind regards,
Markus
<authorization>
    <name>Manage ALL Roles - GUI Authorisation</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#rolesAll</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssignMember</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassignMember</action>
    <object>
        <type>c:RoleType</type>
    </object>
</authorization>
<authorization>
    <name>Manage ALL Roles - add/modify/delete authorisation</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <phase>request</phase>
    <object>
        <type>c:RoleType</type>
    </object>
    <object>
        <type>c:ShadowType</type>
        <owner>
            <type>c:RoleType</type>
        </owner>
    </object>
</authorization>
<authorization>
    <name>Manage ALL Roles - Assign/Unassign access to users</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#unassign</action>
</authorization>
<authorization>
    <name>Manage ALL Roles - modify USER assignment</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object>
        <type>UserType</type>
    </object>
    <item>assignment</item>
</authorization>
<authorization>
    <name>Manage ALL Roles - modify Shadow assignment</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>
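Added example, not part of the post and not midPoint code: a small Python audit that parses the authorization clauses above and reports, for each one, its actions, object types, target types and items, and flags two scoping gaps: a clause with no <object> (it then matches objects of every type) and an assign/unassign clause with no <target> (midPoint uses <target> to restrict what such a clause may assign). The wrapping <authorizations> root element and the function names audit_authorizations and unscoped are my own; the clauses themselves are copied from the post.

```python
"""Scope audit for midPoint-style <authorization> clauses (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the five clauses from the post, wrapped in a made-up
# <authorizations> root element so that they parse as a single document.
SAMPLE_XML = """<authorizations>
  <authorization>
    <name>Manage ALL Roles - GUI Authorisation</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#rolesAll</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssignMember</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassignMember</action>
    <object><type>c:RoleType</type></object>
  </authorization>
  <authorization>
    <name>Manage ALL Roles - add/modify/delete authorisation</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <phase>request</phase>
    <object><type>c:RoleType</type></object>
    <object><type>c:ShadowType</type><owner><type>c:RoleType</type></owner></object>
  </authorization>
  <authorization>
    <name>Manage ALL Roles - Assign/Unassign access to users</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#unassign</action>
  </authorization>
  <authorization>
    <name>Manage ALL Roles - modify USER assignment</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object><type>UserType</type></object>
    <item>assignment</item>
  </authorization>
  <authorization>
    <name>Manage ALL Roles - modify Shadow assignment</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object><type>ShadowType</type></object>
  </authorization>
</authorizations>"""

# Actions whose scope is expressed through <target>, not just <object>.
ASSIGNMENT_ACTIONS = {"assign", "unassign"}


def _local_name(action_uri):
    """Strip the namespace URI: '.../authorization-model-3#assign' -> 'assign'."""
    return action_uri.strip().rsplit("#", 1)[-1]


def audit_authorizations(xml_text):
    """Return one dict per <authorization> describing its scope and any gaps found."""
    root = ET.fromstring(xml_text)
    report = []
    for auth in root.iter("authorization"):
        actions = [_local_name(a.text or "") for a in auth.findall("action")]
        # Direct <type> children of <object>/<target>; nested <owner><type> is not a scope of its own.
        object_types = [t.text.strip() for t in auth.findall("object/type")]
        target_types = [t.text.strip() for t in auth.findall("target/type")]
        items = [i.text.strip() for i in auth.findall("item")]
        issues = []
        if not object_types:
            issues.append("no <object>: matches objects of every type")
        if ASSIGNMENT_ACTIONS & set(actions) and not target_types:
            issues.append("assign/unassign without <target>: nothing limits what may be assigned")
        report.append({
            "name": auth.findtext("name", "").strip(),
            "actions": actions,
            "object": object_types,
            "target": target_types,
            "items": items,
            "phase": (auth.findtext("phase") or "").strip() or None,
            "issues": issues,
        })
    return report


def unscoped(xml_text):
    """Names of the authorizations that have at least one scoping gap."""
    return [r["name"] for r in audit_authorizations(xml_text) if r["issues"]]


if __name__ == "__main__":
    for r in audit_authorizations(SAMPLE_XML):
        print(f"{r['name']}: actions={r['actions']} object={r['object']} "
              f"target={r['target']} items={r['items']} phase={r['phase']}")
        for issue in r["issues"]:
            print(f"    GAP: {issue}")
```

Run as a script it prints the scope of every clause; on the clauses from the post it flags only "Manage ALL Roles - Assign/Unassign access to users", the one clause that carries neither an <object> nor a <target> element. The check is deliberately structural: it reads what each clause does and does not constrain, and leaves the decision of whether a clause is too broad to the person reviewing the role.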