Better persona authorizations in the test

Evolveum · May 5, 2017 · 043ce72 · 043ce72
1 parent 230f0fc
commit 043ce72
Showing 1 changed file with 38 additions and 2 deletions.
diff --git a/model/model-intest/src/test/resources/security/role-persona-management.xml b/model/model-intest/src/test/resources/security/role-persona-management.xml
@@ -20,14 +20,24 @@
         xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'>
     <name>Role Persona Management</name>
     <authorization>
-    	<name>auth-self-modify-givenName</name>
+    	<name>auth-self-modify-givenName-req</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>request</phase>
     	<object>
     		<type>UserType</type>
    			<special>self</special>
     	</object>
     	<item>givenName</item>
     </authorization>
+    <authorization>
+    	<name>auth-self-modify-exec</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>execution</phase>
+    	<object>
+    		<type>UserType</type>
+   			<special>self</special>
+    	</object>
+    </authorization>
     <authorization>
     	<name>auth-persona-self-read</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
@@ -62,10 +72,36 @@
     	</target>
     </authorization>
     <authorization>
-    	<name>auth-persona-execute</name>
+    	<name>auth-persona-execute-add</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+    	<phase>execution</phase>
+    	<object>
+    		<type>UserType</type>
+    		<filter>
+    			<q:equal>
+    				<q:path>employeeType</q:path>
+    				<q:value>admin</q:value>
+    			</q:equal>
+    		</filter>
+    		<!-- owner constraint cannot be here, the link does not exists when the persona is added -->
+    	</object>
+    </authorization>
+    <authorization>
+    	<name>auth-persona-execute-modify-delete</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
     	<phase>execution</phase>
+    	<object>
+    		<type>UserType</type>
+    		<filter>
+    			<q:equal>
+    				<q:path>employeeType</q:path>
+    				<q:value>admin</q:value>
+    			</q:equal>
+    		</filter>
+    		<owner>
+    			<special>self</special>
+    		</owner>
+    	</object>
     </authorization>
 </role>