<div dir="auto">Thank you for your answer Chris!<div dir="auto">I found my error, I had another authorization in another role where I forgot the "extension/" before my customItem name.</div><div dir="auto"><br></div><div dir="auto">-Frederic</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jul 12, 2019, 16:31 Chris Woods <<a href="mailto:chris@cmwoods.com">chris@cmwoods.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Frédéric,<br>
<br>
we had trouble as well, but this is what ended up working:<br>
<br>
<authorization><br>
<name>autz-archetype-employee-read</name><br>
<description><br>
Allows reading of various fields. archetypeRef must be present, <br>
otherwise the user is displayed without archetype information<br>
</description><br>
<action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read" rel="noreferrer noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action><br>
<object><br>
<archetypeRef oid="rs-archetype-employee" /><br>
</object><br>
<item>archetypeRef</item><br>
<item>name</item><br>
<item>fullName</item><br>
<item>givenName</item><br>
<item>familyName</item><br>
<item>extension/rsMainDepartment</item><br>
<item>extension/rsWindowsLogon</item><br>
<item>assignment/targetRef</item><br>
<item>assignment/description</item><br>
<item>assignment/extension/rsITSMTicketNumber</item><br>
<item>assignment/extension/rsCRMSalesArea</item><br>
<item>assignment/extension/rsCRMOrganisationalAssignment</item><br>
</authorization><br>
<br>
<br>
<authorization><br>
<name>autz-archetype-employee-modify</name><br>
<description><br>
Allows modification of ITSM Ticket number, CRM Sales Area and CRM <br>
Organisational Assignment when assigning an object such as role<br>
</description><br>
<action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify" rel="noreferrer noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action><br>
<phase>request</phase><br>
<object><br>
<archetypeRef oid="rs-archetype-employee" /><br>
</object><br>
<item>assignment/extension/rsITSMTicketNumber</item><br>
<item>assignment/extension/rsCRMSalesArea</item><br>
<item>assignment/extension/rsCRMOrganisationalAssignment</item><br>
</authorization><br>
<br>
<br>
So, <target> is (as far as I am aware) used for assignment only. You <br>
need <object> instead. The extension items should work without any "c:" <br>
or "ext:" prefixes. As you can see we have extensions to the <br>
AssignmentType too.<br>
<br>
Hope this helps...<br>
<br>
Regards,<br>
Chris<br>
<br>
On 2019-07-12 15:59, Frédéric Lohier wrote:<br>
> Hello,<br>
> <br>
> I have an authorization in a role to allow a list of specific items of<br>
> the User schema to be read by users who have this role assigned.<br>
> <br>
> This works well for items in the standard User schema, but when I try<br>
> to do the same with items from an extension schema of UserType, it is<br>
> not working.<br>
> <br>
> For example, in my-role.xml file, I have the following authorization:<br>
> <br>
> <role (…) xmlns:ext="<a href="http://my-user-extension/extension" rel="noreferrer noreferrer" target="_blank">http://my-user-extension/extension</a>"><br>
> <authorization><br>
> <name>Users item read authorizations</name><br>
> <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read" rel="noreferrer noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action><br>
> <target><br>
> <type>UserType</type><br>
> </target><br>
> <item>customItem</item><br>
> <item>ext:customItem</item><br>
> <item>extension/customItem</item><br>
> <item>extension/ext:customItem</item><br>
> <item>$user/extension/customItem</item><br>
> <item>$user/extension/ext:customItem</item><br>
> <item>emailAddress</item><br>
> </authorization><br>
> </role><br>
> <br>
> In the extension-user.xsd, I set the namespace for the extension and<br>
> declare my customItem like this:<br>
> <br>
> <xsd:schema (…) targetNamespace="<a href="http://my-user-extension/extension" rel="noreferrer noreferrer" target="_blank">http://my-user-extension/extension</a>"<br>
> xmlns:tns="<a href="http://my-user-extension/extension" rel="noreferrer noreferrer" target="_blank">http://my-user-extension/extension</a>" ><br>
> <xsd:complexType name="UserExtensionType"><br>
> <xsd:annotation><br>
> <xsd:appinfo><br>
> <a:extension ref="c:UserType"/><br>
> </xsd:appinfo><br>
> </xsd:annotation><br>
> <xsd:sequence><br>
> <xsd:element name="customItem" minOccurs="0" maxOccurs="1"<br>
> type="xsd:int"><br>
> <xsd:annotation><br>
> <xsd:appinfo><br>
> <a:indexed>true</a:indexed><br>
> <a:displayName>My custom user item</a:displayName><br>
> </xsd:appinfo><br>
> </xsd:annotation><br>
> </xsd:element><br>
> </xsd:sequence><br>
> </xsd:complexType><br>
> </xsd:schema><br>
> <br>
> Am I missing something?<br>
> _______________________________________________<br>
> midPoint mailing list<br>
> <a href="mailto:midPoint@lists.evolveum.com" target="_blank" rel="noreferrer">midPoint@lists.evolveum.com</a><br>
> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>
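A small lint for the two mistakes this thread turns on (an extension item referenced without the "extension/" prefix, and <target> used where <object> is needed to scope items), as an added example written in Python; it is not code from the thread or from midPoint itself. The extension item names, the sample role, and the lint rules are constructed assumptions based on the replies above.

```python
"""Lint midPoint role XML for authorization item paths (constructed example)."""
import xml.etree.ElementTree as ET

# Item names declared in the user extension schema. Constructed sample; in
# practice these would be read from extension-user.xsd.
EXTENSION_ITEMS = {"customItem", "rsMainDepartment", "rsWindowsLogon"}

# Constructed sample role: the first authorization is written the way Chris's
# reply suggests, the second repeats the problems from the original question.
SAMPLE_ROLE = """<role>
  <authorization>
    <name>read-ok</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>UserType</type></object>
    <item>extension/customItem</item>
    <item>emailAddress</item>
  </authorization>
  <authorization>
    <name>read-broken</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <target><type>UserType</type></target>
    <item>customItem</item>
    <item>ext:customItem</item>
  </authorization>
</role>"""


def local(tag):
    """Strip an XML namespace ({uri}name) from a tag name."""
    return tag.rsplit("}", 1)[-1]


def lint_role(xml_text):
    """Return a list of (authorization name, message) findings."""
    findings = []
    for autz in ET.fromstring(xml_text).iter():
        if local(autz.tag) != "authorization":
            continue
        name_el = next((c for c in autz if local(c.tag) == "name"), None)
        name = name_el.text.strip() if name_el is not None and name_el.text else "<unnamed>"
        children = {local(c.tag) for c in autz}
        # <target> scopes assignment targets; item-level access to an object needs <object>.
        if "target" in children and "object" not in children and "item" in children:
            findings.append((name, "uses <target> with <item>; use <object> to scope the items"))
        for item in (c for c in autz if local(c.tag) == "item" and c.text):
            path = item.text.strip()
            last = path.split("/")[-1].split(":")[-1]  # drop any "ext:" style prefix
            if last in EXTENSION_ITEMS and "extension/" not in path:
                findings.append((name, f"item '{path}' is an extension item; write 'extension/{last}'"))
    return findings
```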