[midPoint] Add delegation view

Markus Calmius markus.calmius at proton.ch
Wed Jul 9 15:02:40 CEST 2025


Answering my own question here.

I think I've found a work-around, although I need to test it a lot more.
Basically, by default, users cannot search for other users. So by adding an authorisation:

<authorization>
    <name>search-other-users</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
    <object>
        <type>UserType</type>
        <filter>
            <q:text>roleMembershipRef/@/name = "name_of_role_that_approvers_have"</q:text>
        </filter>
    </object>
</authorization>
That might work. Just need to verify that it works for all higher privileged users (to see all users)

/M
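
As an added illustration that is not part of Markus's post: a complete role object carrying the workaround above, with the namespace declarations it needs to be imported as a whole. The role names and the OID are placeholders. It goes slightly beyond the fragment in two ways that are my choices, not the original's: the filter lists two approval roles joined with `or`, because approvers whose right comes from a different role would otherwise be invisible in the picker, and `item` limits what the search returns to the two properties a picker row needs. Because midPoint authorizations are additive, a user who also holds a broader read authorization on UserType (an administrator, for instance) keeps seeing everyone; an authorization like this only adds visibility, it never narrows what other authorizations already grant.

```xml
<!-- Added example, not from the mailing-list post. OID and role names are placeholders;
     assumes midPoint 4.8 with the native repository, which the roleMembershipRef/@ dereference needs. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      oid="00000000-0000-0000-0000-ffff00000101">
    <name>Approver</name>
    <description>
        Holders may approve requests. Extra authorization: see other approvers only,
        so the "Add Delegation" user picker offers nobody else.
    </description>
    <authorization>
        <name>search-other-approvers</name>
        <!-- #search only: lets the GUI list matching users; it grants no modify rights. -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
        <object>
            <type>UserType</type>
            <filter>
                <!-- roleMembershipRef also contains indirect memberships, so approvers who hold
                     the role through a meta-role or org are matched too. Every role that carries
                     approval rights has to be listed here (names are placeholders). -->
                <q:text>
                    roleMembershipRef/@/name = "Approver"
                    or roleMembershipRef/@/name = "Finance Approver"
                </q:text>
            </filter>
        </object>
        <!-- Assumption made for this example: expose only what a picker row shows,
             rather than the whole user object, to the other approvers. -->
        <item>name</item>
        <item>fullName</item>
    </authorization>
</role>
```

Import the role, log in as a plain approver and open the delegation dialog: the user search should return only members of the listed roles, while an administrator with a full `#read` on UserType is unaffected. If the approval right is granted by an archetype applied to several roles, each of those roles has to appear in the `or` list, otherwise approvers from the missing roles cannot be delegated to.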

On Wednesday, 2 July 2025 at 10:38, midpoint-request at lists.evolveum.com wrote:

> Today's Topics:
>
> 1. Add delegation view (Markus Calmius)
> 2. Re: How to add extension-attribute from HR - inbound Schema ?
> (Ivan Noris)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 01 Jul 2025 15:17:40 +0000
> From: Markus Calmius markus.calmius at proton.ch
>
> To: midPoint General Discussion midpoint at lists.evolveum.com
>
> Subject: [midPoint] Add delegation view
> Message-ID:
> 3Ahz5V-u8FQ3Q98oNuVkVi4lv2ifANDrRyBQVNBYJIDsybHjA2-9LkDFrdsCA73EhqOIR8acfVADc2KTRVLIDZUX_HfiHjRLvRYFvo65UGo=@proton.ch
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I think I asked this, or a similar question, last year.
>
> Setup:
> Midpoint: 4.8.5
> Users have a few default roles, they do NOT have authorisation to Approve or Delegate requests by default.
> We have some approval-roles that use an archetype that also authorises those members to approve requests.
>
> Vacation time is upon us.
> I would like for all that have approval rights to be able to delegate to other users. But only delegate to users that also have approval rights.
>
> I have created an Object Collection that displays this, but how can I force this object collection to be the only one available when a user clicks "Add Delegation"?
> I seem to remember, hopefully wrongly, that this is not possible...
>
> How can I force a specific collection for a specific part of the gui?
>
> Thanks in advance,
> Markus
>
> ------------------------------
>
> Message: 2
> Date: Wed, 2 Jul 2025 10:38:06 +0200
> From: Ivan Noris ivan.noris at evolveum.com
>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] How to add extension-attribute from HR -
> inbound Schema ?
> Message-ID: a74203af-6fd5-425c-85ad-92056c1de139 at evolveum.com
>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hi,
>
> I think what you want is to /populate/ (this is the keyword) the
> assignment properties. That is done outside the "target" element, but in
> "assignmentTargetSearch".
>
> You should be able to use assignment properties (extensions) like this:
>
> <expression>
>     <assignmentTargetSearch>
>         <targetType>OrgType</targetType>
>         <filter>
>             <!-- ... -->
>         </filter>
>         <!-- populate sets items on the assignment that is being created -->
>         <populate>
>             <populateItem>
>                 <expression>
>                     <script>
>                         <code>return 'General Manager of Universe'</code>
>                     </script>
>                 </expression>
>                 <target>
>                     <path>extension/title</path>
>                 </target>
>             </populateItem>
>         </populate>
>     </assignmentTargetSearch>
> </expression>
>
> See also here:
> https://docs.evolveum.com/midpoint/reference/support-4.9/expressions/expressions/#assignment-target-search
> Relation and subtype can be set using "assignmentProperties" element as
> displayed in the documentation (chapter: Relation parameter).
> Chapter: Activation parameters shows how activation properties of
> assignment can be set; the example above for extension property is
> analogous.
>
> Hope this helps.
> Best regards,
> Ivan
>
> On 30. 6. 2025 18:40, Bao Tran via midPoint wrote:
>
>> Hi all,
>>
>> 1. We have successfully added an AssignmentExtensionSchema.xml
>> (attachment) with detail:
>> - extension ref="c:AssignmentType"
>> - name=JobTitle
>> - DisplayName=title
>>
>> And in the midPoint GUI it looks like the screenshot below:
>> title extension.png
>>
>> 2. Currently, we can only add an assignment to a user via OrganizationName
>> (XML below).
>>
>> Our goal is to configure HR-application-inbound.xml :: inbound-schema in order to
>> - assign the user to the Organization and add a value for the
>> title (which is the extension above)
>>
>> <attribute id="49">
>>     <ref>ri:OrganizationName</ref>
>>     <inbound id="50">
>>         <name>set-org-level1</name>
>>         <expression>
>>             <assignmentTargetSearch>
>>                 <targetType>OrgType</targetType>
>>                 <filter>
>>                     <q:equal>
>>                         <q:path>name</q:path>
>>                         <expression>
>>                             <script>
>>                                 <code>input</code>
>>                             </script>
>>                         </expression>
>>                     </q:equal>
>>                 </filter>
>>             </assignmentTargetSearch>
>>         </expression>
>>         <target>
>>             <path>assignment</path>
>>             <!-- We can only find the OrganizationName and make an assignment for the user -->
>>             <!-- How do we set a value for extension::JobTitle above? -->
>>         </target>
>>     </inbound>
>> </attribute>
>>
>> Thank you in advance
>> --
>> Bao Tran
>> Software developer
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Expert Identity Engineer
> evolveum.com
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: title extension.png
> Type: image/png
> Size: 135041 bytes
> Desc: not available
> URL: https://lists.evolveum.com/pipermail/midpoint/attachments/20250702/87a00263/attachment.png
>
> ------------------------------
>
> End of midPoint Digest, Vol 159, Issue 1
> ****************************************
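
The inbound question in the quoted digest (Bao Tran's mapping and Ivan Noris's populate answer), as one added example that is not from the thread: a complete inbound mapping that both assigns the user to the org named by `ri:OrganizationName` and sets an item on that assignment. Assumptions: the assignment extension item is named `JobTitle` (the schema item name; the displayName `title` is not usable in a path) and lives in the default extension namespace; the fragment sits inside `schemaHandling/objectType` of a resource where the `q:`, `ri:` and `org:` prefixes are declared; and the title value is derived from the same attribute purely for illustration, where a real deployment would take it from an HR title attribute.

```xml
<!-- Added example, not from the thread. Fragment of a resource's schemaHandling/objectType;
     assumes prefixes q (prism query-3), ri (resource instance-3) and org (common org-3)
     are declared on the enclosing <resource>. -->
<attribute>
    <ref>ri:OrganizationName</ref>
    <inbound>
        <name>set-org-level1</name>
        <expression>
            <assignmentTargetSearch>
                <targetType>OrgType</targetType>
                <!-- Which org to assign: the one whose name equals the attribute value.
                     'input' is the value of ri:OrganizationName being mapped. -->
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script>
                                <code>input</code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <!-- Properties of the assignment itself. org:default is plain membership;
                     org:manager would instead make the user a manager of the org. -->
                <assignmentProperties>
                    <relation>org:default</relation>
                </assignmentProperties>
                <!-- populate writes items on the created assignment, not on the target org.
                     Path uses the extension item's name (JobTitle), assumed to be in the
                     default extension namespace. Value derived from input for illustration. -->
                <populate>
                    <populateItem>
                        <expression>
                            <script>
                                <code>'Member of ' + input</code>
                            </script>
                        </expression>
                        <target>
                            <path>extension/JobTitle</path>
                        </target>
                    </populateItem>
                </populate>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </inbound>
</attribute>
```

After a reconciliation or import from the HR resource, the user should carry an assignment to the matching org whose extension shows the populated JobTitle; if the org does not exist, the mapping produces no assignment unless `createOnDemand` is also configured on the `assignmentTargetSearch`.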

