<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hello Cameron,<br>
      <br>
by default, access to the REST interface is not allowed (except
      for users that have all authorizations, like holders of the Superuser
      role).<br>
      <br>
      As you correctly said, the authorization-rest-3 namespace is to be
      used; namely, the following authorization action:<br>
      <br>
              <b><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all">http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</a></b><br>
      <br>
      For example, this role gives access to the REST interface:<br>
      <br>
      <pre wrap="">&lt;role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"&gt;
   &lt;name&gt;rest-role&lt;/name&gt;
   &lt;activation&gt;
      &lt;effectiveStatus&gt;enabled&lt;/effectiveStatus&gt;
   &lt;/activation&gt;
   &lt;displayName&gt;REST role&lt;/displayName&gt;
   &lt;authorization id="1"&gt;
      &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all">http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</a>&lt;/action&gt;
   &lt;/authorization&gt;
&lt;/role&gt;</pre>
      <br>
      Please note that this enables use of the REST interface as such. In
      order to invoke any specific functionality (like reading or
      modifying a user object) you have to provide authorization(s) for
      these actions as well.<br>
      <br>
      Best regards,<br>
      Pavol<br>
      <br>
      <br>
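      As an added example that is not from Pavol's mail or from the midPoint project itself, the role below combines the REST authorization above with a read authorization scoped to user objects, so that a holder can read users through REST but do nothing else there. The model action URI (authorization-model-3#read) and the object type selector are assumed from midPoint's authorization model rather than taken from the mail:<br>
      <br>
```xml
<!-- Added example, not from the original mail or the midPoint project:
     a role that grants REST access together with a read-only authorization
     on user objects. The model action URI (authorization-model-3#read) and
     the <object><type> selector are assumptions about midPoint's
     authorization model; check them against your midPoint version. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>rest-user-reader</name>
    <displayName>REST user reader</displayName>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
    </activation>

    <!-- 1. Lets the holder use the REST interface at all (the action from the mail). -->
    <authorization id="1">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</action>
    </authorization>

    <!-- 2. Decides what may be done through it: read UserType objects only.
         Without this second authorization the REST interface would accept the
         connection, but the request to read a user would still be denied.
         Modifications are not authorized here, so they are denied as well. -->
    <authorization id="2">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>
```
      <br>
      The first authorization opens the interface; the second decides what a request through it may do, which is the second step the reply points out. With this role a REST read of a user should succeed, while a modification request should be refused because no modify action is granted.<br>
      <br>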
      On 11. 1. 2016 23:17, Cameron Miller wrote:<br>
    </div>
    <blockquote
cite="mid:TY1PR06MB09288B4FFF80506824626284C0C90@TY1PR06MB0928.apcprd06.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">Hi,<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">How does one go about restricting access to
          the REST API through user roles?
          <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">I can’t find any documentation aside from
          one bug request on JIRA (<a moz-do-not-send="true"
            href="https://jira.evolveum.com/browse/MID-1967">https://jira.evolveum.com/browse/MID-1967</a>)
          which mentions an authorization-rest-3 namespace but I have no
          idea what is in that namespace.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Regards,<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Cameron<o:p></o:p></p>
      </div>
      <br>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>