Uploaded image for project: 'MidPoint'
  1. MidPoint
  2. MID-2789

Implement owner-based security restrictions for repository searches

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: backlog
    • Component/s: Security
    • Labels:
      None

      Description

      Currently it is possible to define "owner = self" restriction, like this:

      <authorization>
          	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
          	<object>
          		<type>ShadowType</type>
          		<owner>
          			<special>self</special>
          		</owner>
          	</object>
      </authorization>
      

      but (1) it works only for ShadowType, and (2) it does not work for searches.

      The idea is to provide this for other objects (e.g. roles, orgs, certification campaigns), and do it in such a way that it would work for all operations, including searches.

      Use case: a role that gives its holders the right to see campaigns he/she owns.

      See also TestSecurity.test250AutzJackSelfAccountsRead.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              mederly Pavol Mederly
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: