[midPoint] different authorization based on role
Markus Calmius
markus.calmius at proton.ch
Tue Jun 11 12:06:36 CEST 2024
Hi,
I forgot to mention that all active users have the Normal User role. The other roles are added depending on usertype.
So, a Manager will have Normal User, Approving User and Delegating User.
Markus
On Tuesday, 11 June 2024 at 12:00, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:
> Message: 1
> Date: Mon, 10 Jun 2024 11:44:14 +0000
> From: Markus Calmius markus.calmius at proton.ch
>
> To: midPoint General Discussion midpoint at lists.evolveum.com
>
> Subject: [midPoint] different authorization based on role
>
> Hi,
>
> I'm trying to configure the GUI depending on what role you have.
> For now, I have three different roles:
>
> - Normal User
> - Approving User
> - Delegating User
>
> All these roles are based on the EndUser, Approver and Delegator roles, but are more limited.
>
> Scenario is this:
>
> - As an end-user you can only view a limited number of attributes and panels on the selfProfilePage.
>
> - As an approver you should be able to see the basic information about the roles and users you are approving.
>
> - As a delegator you should be able to delegate to other users with approving-capacity.
>
> Starting with 1 and 3, I cannot (at least haven't found a way) remove/hide the delegations from the normal/end-user view and enable it if you have the delegator role.
> i.e.
>
> <panel>
>     <identifier>userDelegations</identifier>
>     <visibility>visible</visibility>
> </panel>
> <panel>
>     <identifier>delegatedToMe</identifier>
>     <visibility>visible</visibility>
> </panel>
>
> does nothing if the end-user role has hidden or vacancy. It will still be gone.
>
> 2 and 3:
> If I want to limit the list shown when you click "add delegation" by checking whether the user is a manager, this also impacts the users shown in "approval",
> i.e. either I allow all users => delegations can be done to anyone, or I limit to "is manager" and approvals will not show all users.
>
>
> Is it possible to configure the authorizations like this?
> If not, I have to figure out a different way. An easy work-around would be to let all users have "approval" rights, but... to limit would be better.
>
> Thanks,
> Markus