[midPoint] Authorization role to allow read own managers
Yakov Revyakin
yrevyakin at gmail.com
Tue May 9 18:13:06 CEST 2023
Hi all,
I'm looking for a way to authorize a user to read their own managers.
In the case of a role request for self (with the built-in End User role
assigned), clicking the "Requesting for" button in the UI shows that the
user list is limited to self.
In the metarole I have this definition (the approver expression, evaluation
strategy and no-approver outcome are siblings in the same approval stage):

    <approverExpression>
        <script>
            <code>
                <!-- one line: a bare "return" followed by a line break returns null in Groovy -->
                return midpoint.getManagersOidsExceptUser(object)
            </code>
        </script>
    </approverExpression>
    <evaluationStrategy>firstDecides</evaluationStrategy>
    <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
If the user requests a role, getManagersOidsExceptUser() can't return
managers because it is not authorized. This results in automatic rejection
of the request.
If I add something like this:

    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
getManagersOidsExceptUser() returns the managers correctly. But when I click
the "Requesting for" button, I can see all existing users, whereas I still
want to see only myself in the list.
How can the user be authorized to read their own managers and, at the same
time, not break the user list under the "Requesting for" button with extra
users?
Thanks,
Yakov
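As an added illustration (not part of Yakov's post and not midPoint project code), the fragment below contrasts the broad UserType read from the message with a least-privilege split into two authorizations: an unrestricted read of the requester's own object via the `special` selector, and a read of other users restricted to a handful of items. The element names (`name`, `description`, `action`, `object`, `type`, `special`, `item`) are standard midPoint authorization schema; the authorization names, descriptions and the chosen item list are my own assumptions, and which items `getManagersOidsExceptUser()` actually needs on other users is also an assumption to verify against the expression. Note that an `item` restriction narrows which attributes are readable but does not hide the objects themselves, so on its own it does not shrink the "Requesting for" list; it only limits what is exposed while the question of scoping the object set remains open.

```xml
<!-- Added example, not from the original post or from midPoint itself.
     Two read authorizations meant to live in the same role. -->

<!-- 1. Full read of the requester's own user object. -->
<authorization>
    <name>read-self</name>  <!-- assumed name -->
    <description>Read every item of the requesting user's own object.</description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <special>self</special>
    </object>
</authorization>

<!-- 2. Narrow read of other users: the object type is the same as in the
        broad authorization from the post, but only the listed items are
        readable. Objects are still visible in searches, so this alone
        does not restrict the user list; it limits attribute exposure. -->
<authorization>
    <name>read-other-users-minimal</name>  <!-- assumed name -->
    <description>Read only identifying items of other users.</description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
    </object>
    <!-- assumed minimum for the manager lookup; adjust to what the
         approver expression actually reads -->
    <item>name</item>
    <item>fullName</item>
    <item>parentOrgRef</item>
</authorization>
```

When testing such a change, compare the same two observations the post describes: whether the approver expression now resolves managers for a self-request, and what the "Requesting for" list shows afterwards.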