[midPoint] Authorization role to allow read own managers
Pavol Mederly
mederly at evolveum.com
Wed May 10 08:24:16 CEST 2023
Hello Yakov,
please check the docs. There's a nice explanation of various flavors of
"read" authorization, covering exactly your use case.
Best regards,
--
Pavol Mederly
Software developer
evolveum.com
On 09/05/2023 18:13, Yakov Revyakin via midPoint wrote:
> Hi all,
> I'm looking for a way to authorize a user to read their own managers.
>
> In the case of a role request for self (with the built-in End-User
> role assigned) we can see in the UI, clicking on the "Requesting for"
> button, that the users' list is limited to self.
> In the metarole I have this definition:
>
> <approverExpression>
>     <script>
>         <code>
>             <!-- kept on one line: in Groovy a bare "return" followed by a newline returns null -->
>             return midpoint.getManagersOidsExceptUser(object)
>         </code>
>     </script>
> </approverExpression>
> <evaluationStrategy>firstDecides</evaluationStrategy>
> <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>
> If the user requests a role, getManagersOidsExceptUser() can't return
> managers because it is not authorized. This results in automatic
> rejection of the request.
> If I add something like this:
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>         <type>UserType</type>
>     </object>
> </authorization>
>
> getManagersOidsExceptUser() returns the managers correctly. But when I
> click the "Requesting for" button, I can see all existing users,
> whereas I still want to see only myself in the list.
>
> How can I get the user authorized to read their own managers and, at
> the same time, not break the user list under the "Requesting for"
> button with extra users?
>
> Thanks,
> Yakov
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint