/
role-end-user-requestable-abstractroles.xml
146 lines (146 loc) · 5.99 KB
/
role-end-user-requestable-abstractroles.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
<role oid="9434bf5b-c088-456f-9286-84a1e5a0223c"
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
<name>Assign Requestable orgs</name>
<description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
<authorization id="1">
<name>gui-self-service-access</name>
<description>
Allow access to all self-service operations in GUI.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action>
</authorization>
<authorization id="2">
<name>self-read</name>
<description>
Allow to read all the properties of "self" object. I.e. every logged-in user can read
object that represent his own identity.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<special>self</special>
</object>
</authorization>
<authorization id="3">
<name>self-shadow-read</name>
<description>
Allow to read all the properties of all the shadows that belong to "self" object.
I.e. every logged-in user can read all his accounts.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>ShadowType</type>
<owner>
<special>self</special>
</owner>
</object>
</authorization>
<authorization id="4">
<name>self-credentials-request</name>
<description>
Allow to modify user's own credentials.
Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
<phase>request</phase>
<object>
<special>self</special>
</object>
<c:item>credentials</c:item>
</authorization>
<authorization id="5">
<name>self-shadow-credentials-request</name>
<description>
Allow to modify credentials of all users accounts.
Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
<phase>request</phase>
<object>
<type>ShadowType</type>
<owner>
<special>self</special>
</owner>
</object>
<c:item>credentials</c:item>
</authorization>
<authorization id="6">
<name>assign-requestable-roles</name>
<description>
Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
The requestable roles will be displayed in the role request dialog by default.
Please note that the roles also need an approved definition to go through the approval process.
Otherwise they will be assigned automatically wihout any approval.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
<phase>request</phase>
<object>
<special>self</special>
</object>
<target>
<type>RoleType</type>
<filter>
<q:equal>
<q:path>requestable</q:path>
<q:value>true</q:value>
</q:equal>
</filter>
</target>
</authorization>
<authorization id="7">
<name>assignment-target-read</name>
<description>
Authorization that allows to read all the object that are possible assignment targets. We want that
to display the targets in the selection windows.
Note that this authorization may be too broad for production use. Normally it should be limited to just
selected properties such as name and description.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>OrgType</type>
</object>
<object>
<type>ResourceType</type>
</object>
<object>
<type>RoleType</type>
</object>
<object>
<type>ServiceType</type>
</object>
</authorization>
<authorization id="8">
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
<phase>execution</phase>
</authorization>
<authorization id="9">
<name>assign-requestable-orgs</name>
<description>
Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
The requestable roles will be displayed in the role request dialog by default.
Please note that the roles also need an approved definition to go through the approval process.
Otherwise they will be assigned automatically wihout any approval.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
<phase>request</phase>
<object>
<special>self</special>
</object>
<target>
<type>OrgType</type>
<filter>
<q:equal>
<q:path>requestable</q:path>
<q:value>true</q:value>
</q:equal>
</filter>
</target>
</authorization>
<roleType>system</roleType>
</role>