  1. MidPoint
  2. MID-1986

Authorization for adding users - no attributes displayed in User Details form

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1 (Sinan)
    • Fix Version/s: backlog
    • Component/s: None
    • Labels:
      None
    • Subscription:
      Unknown

      Description

      I want to set permissions to allow CRUD on UserType, but with the condition for employeeType, i.e. to allow CRUD on Users where employeeType==employee or something like that.

      RUD is ok, but for the Create operation (add) we can't use the employeeType==employee condition, because the object does not exist yet and the form does not display any attributes when using the New user option.

      I've tried to work around it with the following sample:

          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action> 
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action> 
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
          </authorization>
      
      <!-- Model -->
      <!-- Authorization to Add Users, phase=request (no filter) -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
              <phase>request</phase>
              <object>
                  <type>UserType</type>
              </object>
          </authorization>
      <!-- Authorization to Add Users, phase=execution, employeeType=Vendor|Employee|System -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
              <phase>execution</phase>
              <object>
                  <type>UserType</type>
                  <filter>
                      <q:or>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>Employee</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>Vendor</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>System</q:value>
                          </q:equal>
                      </q:or>
                  </filter>
              </object>
          </authorization>
      <!-- Authorization to Read, Modify and Delete Users, employeeType=Vendor|Employee|System -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
              <object>
                  <type>UserType</type>
                  <filter>
                      <q:or>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>Employee</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>Vendor</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>System</q:value>
                          </q:equal>
                      </q:or>
                  </filter>
              </object>
          </authorization>
      

      New user option does not display any attributes that can be set.
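
A simplified model of how the two phase-specific `#add` authorizations in the report combine, as an added example that is not midPoint code or part of the original report. It assumes the operation must be allowed in both phases, that an authorization without `<phase>` counts for both, and that all `q:equal` clauses are OR-ed; the `<role>` wrapper, the function names and the dictionary standing in for the new user are hypothetical.

```python
import xml.etree.ElementTree as ET

Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"
ADD = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"

# Constructed sample: the two "add" authorizations from the report, wrapped in a
# hypothetical <role> element so the fragment parses on its own.
ROLE_XML = """
<role xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <authorization>
    <action>%s</action>
    <phase>request</phase>
    <object><type>UserType</type></object>
  </authorization>
  <authorization>
    <action>%s</action>
    <phase>execution</phase>
    <object>
      <type>UserType</type>
      <filter>
        <q:or>
          <q:equal><q:path>employeeType</q:path><q:value>Employee</q:value></q:equal>
          <q:equal><q:path>employeeType</q:path><q:value>Vendor</q:value></q:equal>
          <q:equal><q:path>employeeType</q:path><q:value>System</q:value></q:equal>
        </q:or>
      </filter>
    </object>
  </authorization>
</role>
""" % (ADD, ADD)

def matches(auth, obj):
    """True if obj passes the authorization's object filter (equal clauses OR-ed)."""
    flt = auth.find("object/filter")
    if flt is None:
        return True  # no filter: every object of the type matches
    return any(obj.get(eq.findtext(Q + "path")) == eq.findtext(Q + "value")
               for eq in flt.iter(Q + "equal"))

def add_allowed(role_xml, obj):
    """Per-phase decision; an authorization without <phase> counts for both."""
    result = {"request": False, "execution": False}
    for auth in ET.fromstring(role_xml).findall("authorization"):
        if ADD not in [a.text.strip() for a in auth.findall("action")]:
            continue
        phase = auth.findtext("phase")
        for p in ([phase] if phase else list(result)):
            result[p] = result[p] or matches(auth, obj)
    return result
```

An empty new object (`{}`) passes the unfiltered request phase but not the filtered execution phase, so under this model the restriction on `employeeType` is enforced only when the add is executed.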

              People

              Assignee:
              vix Ivan Noris
              Reporter:
              vix Ivan Noris
              Votes:
              0
              Watchers:
              3