Description
We are unable to achieve this scenario in 3.9 anymore:
- End users are not allowed to see relation=default user-role assignments, except when they are org managers (in other words, seeing another user's roles is sensitive information).
- End users can see any user-role assignments as long as those assignments have the owner or approver relation (in other words, anybody can see who is the role approver). The Relation column in the Governance tab is filled with values.
- Apart from being a manager, we also have dynamic autz on end users who are e.g. role owners; they can see default members with this autz:
<authorization>
    <name>appr-read-users-rolemembershipref APPROVER</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <enforcementStrategy>maySkipOnSearch</enforcementStrategy>
    <!-- Applies to users who hold (with relation org:default) a role in which
         the subject holds the org:approver relation; only roleMembershipRef is readable. -->
    <object>
        <type>UserType</type>
        <roleRelation>
            <subjectRelation>org:approver</subjectRelation>
            <objectRelation>org:default</objectRelation>
        </roleRelation>
    </object>
    <item>roleMembershipRef</item>
</authorization>
In 3.9 the Members tab is no longer dynamic. Possibly because roleMembershipRef is operational?
Also, the Show all members button in the Assignments tab does not respect any autz.