<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
This is currently a limitation in midPoint. You cannot
differentiate between users using adminGuiConfiguration.
Authorizations are used to differentiate the users, but use of
authorization to control the GUI behavior is very tricky. That is
the reason that we have used adminGuiConfiguration instead. <br>
<br>
Using object-level authorizations to automatically show or hide
the tabs is the right solution. In that case the tabs will be
shown or hidden according to the authorizations that the current
user has over the object that he is looking at. This is the right
way, but it is quite tricky and may be difficult to implement
properly. So we thought about using GUI authorizations for that
purpose. Each tab could have its own GUI authorization that might
control whether to display it or not. But there is a problem: no
authorizations means no access. Which is not really a problem if
you add all the tab authorizations to a role. Which seems fine.
But new tabs appear in almost any version of midPoint. And that
would mean continually updating the authorizations after each
upgrade to allow new tabs. And this approach is not really
compatible with the "automatic" behavior of tabs that we would
 like to have later. What would the GUI authorization mean in that
 case? Always display the tab? Or display the tab only if object
 authorizations allow it? In the former case the automatic object
 authorizations would not really work with pre-existing setup and
 setup will need to be modified after this functionality is
 introduced. This means (at least one) problematic upgrade. In the
 latter case when we add object authorizations we would still need
 to add new GUI authorization. Which means all upgrades will be
 slightly problematic. Neither method seems to be good. So, the
 decision was not to shoot ourselves in the foot. We have decided to
 provide a simpler mechanism based on adminGuiConfiguration, at least
 for now - until we could find the funding to correctly implement
 evaluation of object-level authorizations in the GUI tabs. And
 there may even be a justifiable need for this mechanism: sometimes
we would like to hide a tab even if the user has an authorization
for the operation. The reason may be that we want to keep the
stock user detail pages simple for some users, while still
allowing access to the operations e.g. by using completely custom
GUI tabs.<br>
<br>
So, obviously you most likely cannot do what you want to do now
(neither midPoint 3.5.1 nor midPoint 3.6). There are two options
that we could consider for midPoint 3.7:<br>
<br>
1) Implement the full support for object-level authorizations in
GUI. This is obviously the right solution. But it may be
difficult.<br>
<br>
2) Add more options for adminGuiConfiguration. So you could
fine-tune what objects the configuration is applicable to. This
would be easier. Yes, it will partially duplicate the existing
functionality of authorizations. But that may not be a big problem
 and in fact it may even be desirable. E.g. to hide tabs even if
user has the authorization.<br>
<br>
One way or another, this means new development and therefore it
will require some kind of funding.<br>
<br>
 (Sorry for the late answer. I've missed this one.)<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
<br>
<br>
On 04/25/2017 07:48 AM, Aivo Kuhlberg wrote:<br>
</div>
<blockquote cite="mid:1493099304120.33503@rmit.ee" type="cite">
<p>In MP 3.5.1 I can limit forms visibility by objectForms
adminGuiConfiguration setting. Unfortunately this setting seems
to influence all objects of the same type. For example if I
declare this for end users:<br>
 &lt;adminGuiConfiguration&gt;<br>
 &lt;objectForms&gt;<br>
 &lt;objectForm&gt;<br>
 &lt;type&gt;c:UserType&lt;/type&gt;<br>
 &lt;formSpecification&gt;<br>
 &lt;panelUri&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/gui/component-3#focusTabBasic">http://midpoint.evolveum.com/xml/ns/public/gui/component-3#focusTabBasic</a>&lt;/panelUri&gt;<br>
 &lt;/formSpecification&gt;<br>
 &lt;/objectForm&gt;<br>
 &lt;/objectForms&gt;<br>
 &lt;/adminGuiConfiguration&gt;<br>
<br>
 then users see only the Basic tab for user information. But what
 about the situation when I want to see all tabs when I view my own
 data and limit tab visibility only when browsing other users'
 data? Can I implement this feature in current midPoint?<br>
Thanks,<br>
Aivo Kuhlberg<br>
</p>
</blockquote>
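Added example (not part of the thread and not midPoint code): a toy Python model of the strategies the reply compares, showing that default-deny per-tab GUI authorizations hide a tab introduced by an upgrade, while object-level evaluation shows tabs per viewed object and explicit hiding can still remove an authorized tab. The tab names, operation names and the "self"/"any" scopes are constructed for illustration.

```python
# Toy model, NOT midPoint code: tab names, operation names and the
# "self"/"any" scopes are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Tab:
    name: str        # constructed tab identifier
    operation: str   # hypothetical object-level operation behind the tab

@dataclass(frozen=True)
class User:
    name: str
    gui_authz: frozenset = frozenset()     # per-tab GUI authorizations
    object_authz: frozenset = frozenset()  # (operation, scope) pairs
    hidden_tabs: frozenset = frozenset()   # explicit hiding, GUI-config style

def allowed_on(user, operation, target):
    """Object-level check: 'any' covers every object, 'self' only the user's own."""
    scopes = {"any", "self"} if target == user.name else {"any"}
    return any((operation, s) in user.object_authz for s in scopes)

def tabs_by_gui_authz(user, tabs, target):
    """Per-tab GUI authorization, default deny; the viewed object is ignored."""
    return [t.name for t in tabs if t.name in user.gui_authz]

def tabs_by_object_authz(user, tabs, target):
    """Tab shown when the user may perform its operation on the viewed object."""
    return [t.name for t in tabs if allowed_on(user, t.operation, target)]

def tabs_with_hiding(user, tabs, target):
    """Object-level evaluation, then explicit hiding applied on top."""
    return [n for n in tabs_by_object_authz(user, tabs, target)
            if n not in user.hidden_tabs]

# Constructed sample: "history" is a tab that first appears after an upgrade.
TABS_AFTER_UPGRADE = [Tab("basic", "readBasic"),
                      Tab("assignments", "readAssignments"),
                      Tab("history", "readHistory")]
ALICE = User("alice",
             gui_authz=frozenset({"basic", "assignments"}),  # role predates upgrade
             object_authz=frozenset({("readBasic", "any"),
                                     ("readAssignments", "self"),
                                     ("readHistory", "self")}),
             hidden_tabs=frozenset({"assignments"}))

if __name__ == "__main__":
    print(tabs_by_gui_authz(ALICE, TABS_AFTER_UPGRADE, "alice"))     # new tab missing
    print(tabs_by_object_authz(ALICE, TABS_AFTER_UPGRADE, "alice"))  # own data
    print(tabs_by_object_authz(ALICE, TABS_AFTER_UPGRADE, "bob"))    # someone else
    print(tabs_with_hiding(ALICE, TABS_AFTER_UPGRADE, "alice"))
```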
</body>
</html>