Document REST operation-level authorizations

docs/interfaces/rest/operations/create-op-rest.adoc

@@ -76,10 +76,15 @@ link:https://evolveum.com/downloads/midpoint/latest/midpoint-latest-schemadoc/ht
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#addObject`
+
 == Examples
 
 1. xref:/midpoint/reference/interfaces/rest/operations/examples/create-object/[Create object]
 
 == See Also
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/delete-op-rest.adoc

@@ -40,6 +40,10 @@ No additional option parameters supported for these types of requests.
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#deleteObject`
+
 == Examples
 
 include::../../rest/operations/examples/raw/delete-user.adoc[]
@@ -52,3 +56,4 @@ include::../../rest/operations/examples/raw/delete-resource.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/generate-and-validate-concrete-op-rest.adoc

@@ -70,6 +70,11 @@ There are no supported operation options for this type of operation.
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#generateValue`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#validateValue`
+
 == Examples
 
 include::../../rest/operations/examples/raw/role-id-generate.adoc[]
@@ -80,3 +85,4 @@ include::../../rest/operations/examples/raw/modify-id-generate.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/generate-and-validate-op-rest.adoc

@@ -65,6 +65,11 @@ There are no supported operation options for this type of operation.
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#rpcGenerateValue`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#rpcValidateValue`
+
 == Examples
 
 include::../../rest/operations/examples/raw/validate-value-rpc.adoc[]
@@ -73,3 +78,4 @@ include::../../rest/operations/examples/raw/validate-value-rpc.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/get-op-rest.adoc

@@ -176,7 +176,7 @@ For more information on midPoint authorizations please see this link.
 [NOTE]
 ====
 MidPoint application authorizations may sound similar to the authorization header used in
-REST authentication, but they are two distict topics.
+REST authentication, but they are two distinct topics.
 ====
 
 For following is a simple authorization configuration example.
@@ -211,6 +211,11 @@ for production use! Authorization configuration should be more *fine-grained* an
 for your use case*.
 ====
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#getObject`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#getSelf`
+
 == Examples
 
 include::../operations/examples/raw/get-user-administrator.adoc[]
@@ -223,3 +228,4 @@ include::../operations/examples/raw/get-user-administrator.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/index.adoc

@@ -232,3 +232,4 @@ a| * 200 OK, ExecuteScriptResponseType returned in the body
 == See Also
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/modify-op-rest.adoc

@@ -12,7 +12,7 @@ Modification of objects based on payload data in the body of the REST request.
 Use either the HTTP POST or PATCH method with your request, both usages are equivalent,
 this is based on the possibility that not all clients are capable of using non-standard HTTP verbs.
 
-INFO:: The usage of HTTP PATCH is preferred, the meaning is clearer thant the case of HTTP POST in the context of Modify.
+INFO:: The usage of HTTP PATCH is preferred, the meaning is clearer than the case of HTTP POST in the context of Modify.
 
 .Modify operation using HTTP POST
 [source, http]
@@ -72,6 +72,10 @@ include::../../rest/operations/raw/options-usage-meo.adoc[]
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#modifyObject`
+
 == Examples
 
 include::../../rest/operations/examples/raw/modify-attr-user.adoc[]
@@ -82,3 +86,4 @@ include::../../rest/operations/examples/raw/modify-attr.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/notify-op-rest.adoc

@@ -16,9 +16,14 @@
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#notifyChange`
+
 == Examples
 
 == See Also
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/resource-op-rest.adoc

@@ -64,6 +64,11 @@ There are no supported operation options for this type of operation.
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#testResource`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#importFromResource`
+
 == Examples
 
 include::../../rest/operations/examples/raw/test-resource.adoc[]
@@ -73,3 +78,4 @@ include::../../rest/operations/examples/raw/import-from-resource.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/script-execute-op-rest.adoc

@@ -68,6 +68,10 @@ include::../../rest/concepts/raw/outcome.adoc[]
 - *240 Handled error*, OperationResult is returned in the body
 - *250 Partial error*, OperationResult is returned in the body
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#executeScript`
+
 == Examples
 
 include::../../rest/operations/examples/raw/execute-script-rpc.adoc[]
@@ -76,3 +80,4 @@ include::../../rest/operations/examples/raw/execute-script-rpc.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/search-op-rest.adoc

@@ -68,6 +68,10 @@ include::../../rest/operations/raw/operation-prop-search.adoc[]
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#searchObjects`
+
 == Examples
 
 include::../../rest/operations/examples/raw/search-all-users.adoc[]
@@ -80,3 +84,4 @@ include::../../rest/operations/examples/raw/search-all.adoc[]
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/shadow-op-rest.adoc

@@ -64,6 +64,11 @@ No additional option parameters supported for these types of requests.
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#findShadowOwner`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#importShadow`
+
 == Examples
 
 include::../../rest/operations/examples/raw/get-shadow-owner.adoc[]
@@ -75,3 +80,4 @@ include::../../rest/operations/examples/raw/import-shadow.adoc[]
 - xref:/midpoint/reference/interfaces/rest/endpoints/shadows.adoc[Shadow Objects Endpoint]
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/task-specific-op-rest.adoc

@@ -15,9 +15,16 @@
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#suspendTask`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#resumeTask`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#runTask`
+
 == Examples
 
 == See Also
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/interfaces/rest/operations/user-specific-op-rest.adoc

@@ -15,9 +15,15 @@
 
 include::../../rest/concepts/raw/outcome.adoc[]
 
+== Access Authorization
+
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#resetCredential`
+- `http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#getValuePolicy`
+
 == Examples
 
 == See Also
 
 - xref:/midpoint/reference/interfaces/rest/concepts/media-types-rest/[Supported Media Types]
 - xref:/midpoint/reference/interfaces/rest/concepts/authentication/[Authentication]
+- xref:/midpoint/reference/security/authorization/service/[]

docs/security/authorization/service.adoc

@@ -16,6 +16,16 @@
 | http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all
 | All operations
 
+| 2
+| http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#<operation>
+| Access to specific REST operation.
+The URI fragments of individual operations are present xref:/midpoint/reference/interfaces/rest/operations/[in their description]: on pages devoted to individual operations, e.g., xref:/midpoint/reference/interfaces/rest/operations/search-op-rest/[].
+These authorizations do *not* check for any specific objects, e.g., an object that is going to be retrieved or modified by the operation.
+They are just "yes/no" authorizations for the operation itself.
+
+| 3
+| http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#proxy
+| Authorizes the xref:/midpoint/reference/interfaces/rest/concepts/authentication/#proxy-impersonation[impersonation].
 
 |===
 
@@ -84,4 +94,4 @@ Without these authorizations the WS/REST authorizations are almost useless.
 
 == See Also
 
-* xref:../[Authorization]
+* xref:../[Authorization]