From 16533c038b494b08ce486909b4c3ca2cb714803d Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Thu, 11 Oct 2018 19:55:37 +0200 Subject: [PATCH] Attempt to reproduce getParentOrgs() authorization issue (MID-4934) --- ...bstractConfiguredModelIntegrationTest.java | 2 + .../model/intest/orgstruct/TestOrgStruct.java | 174 ++++++++++++++- .../src/test/resources/logback-test.xml | 2 +- .../orgstruct/resource-dummy-orgtarget.xml | 166 ++++++++++++++ .../resources/orgstruct/role-end-pirate.xml | 204 ++++++++++++++++++ 5 files changed, 538 insertions(+), 10 deletions(-) create mode 100644 model/model-intest/src/test/resources/orgstruct/resource-dummy-orgtarget.xml create mode 100644 model/model-intest/src/test/resources/orgstruct/role-end-pirate.xml diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java index 7004ac7051d..f93a71a994e 100644 --- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java +++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java 
@@ -407,7 +407,9 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra protected static final String ORG_SCUMM_BAR_NAME = "F0006"; protected static final String ORG_SCUMM_BAR_DISPLAY_NAME = "Scumm Bar"; protected static final String ORG_MINISTRY_OF_OFFENSE_OID = "00000000-8888-6666-0000-100000000003"; + protected static final String ORG_MINISTRY_OF_OFFENSE_NAME = "F0003"; protected static final String ORG_MINISTRY_OF_DEFENSE_OID = "00000000-8888-6666-0000-100000000002"; + protected static final String ORG_MINISTRY_OF_DEFENSE_NAME = "F0002"; protected static final String ORG_MINISTRY_OF_RUM_OID = "00000000-8888-6666-0000-100000000004"; protected static final String ORG_MINISTRY_OF_RUM_NAME = "F0004"; protected static final String ORG_SWASHBUCKLER_SECTION_OID = "00000000-8888-6666-0000-100000000005"; diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/orgstruct/TestOrgStruct.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/orgstruct/TestOrgStruct.java index 4cb7e737d39..5bd7a4feb17 100644 --- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/orgstruct/TestOrgStruct.java +++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/orgstruct/TestOrgStruct.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010-2017 Evolveum + * Copyright (c) 2010-2018 Evolveum * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -22,7 +22,11 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import java.util.Set; +import com.evolveum.icf.dummy.resource.ConflictException; +import com.evolveum.icf.dummy.resource.DummyAccount; +import com.evolveum.icf.dummy.resource.SchemaViolationException; import com.evolveum.midpoint.model.api.ModelExecuteOptions; import com.evolveum.midpoint.model.impl.expr.ExpressionEnvironment; import com.evolveum.midpoint.model.impl.expr.ModelExpressionThreadLocalHolder; @@ -37,6 +41,7 @@ import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException; import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType; import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType; +import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType; import org.springframework.test.annotation.DirtiesContext; import org.springframework.test.annotation.DirtiesContext.ClassMode; @@ -49,12 +54,14 @@ import com.evolveum.midpoint.prism.delta.ItemDelta; import com.evolveum.midpoint.prism.delta.ObjectDelta; import com.evolveum.midpoint.prism.query.ObjectQuery; +import com.evolveum.midpoint.prism.util.PrismAsserts; import com.evolveum.midpoint.schema.constants.SchemaConstants; import com.evolveum.midpoint.schema.internals.InternalCounters; import com.evolveum.midpoint.schema.result.OperationResult; import com.evolveum.midpoint.schema.util.MiscSchemaUtil; import com.evolveum.midpoint.schema.util.ObjectQueryUtil; import com.evolveum.midpoint.task.api.Task; +import com.evolveum.midpoint.test.DummyResourceContoller; import com.evolveum.midpoint.test.util.MidPointAsserts; import com.evolveum.midpoint.test.util.TestUtil; import com.evolveum.midpoint.util.exception.CommunicationException; 
@@ -83,6 +90,11 @@ public class TestOrgStruct extends AbstractInitializedModelIntegrationTest { public static final File TEST_DIR = new File("src/test/resources/orgstruct"); + // RED resource has STRONG mappings + protected static final File RESOURCE_DUMMY_ORGTARGET_FILE = new File(TEST_DIR, "resource-dummy-orgtarget.xml"); + protected static final String RESOURCE_DUMMY_ORGTARGET_OID = "89cb4c72-cd61-11e8-a21b-27cbf58a8c0e"; + protected static final String RESOURCE_DUMMY_ORGTARGET_NAME = "orgtarget"; + public static final File ROLE_DEFENDER_FILE = new File(TEST_DIR, "role-defender.xml"); public static final String ROLE_DEFENDER_OID = "12345111-1111-2222-1111-121212111567"; @@ -97,6 +109,9 @@ public class TestOrgStruct extends AbstractInitializedModelIntegrationTest { public static final File ROLE_META_DEFENDER_ADMIN_FILE = new File(TEST_DIR, "role-meta-defender-admin.xml"); public static final String ROLE_META_DEFENDER_ADMIN_OID = "12345111-1111-2222-1111-121212111565"; + + public static final File ROLE_END_PIRATE_FILE = new File(TEST_DIR, "role-end-pirate.xml"); + public static final String ROLE_END_PIRATE_OID = "67780b58-cd69-11e8-b664-dbc7b09e163e"; public static final File ORG_TEMP_FILE = new File(TEST_DIR, "org-temp.xml"); public static final String ORG_TEMP_OID = "43214321-4311-0952-4762-854392584320"; @@ -112,9 +127,14 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti addObject(ROLE_META_DEFENDER_ADMIN_FILE); addObject(ROLE_OFFENDER_FILE); addObject(ROLE_OFFENDER_ADMIN_FILE); + addObject(ROLE_END_PIRATE_FILE); addObject(USER_HERMAN_FILE); setDefaultUserTemplate(USER_TEMPLATE_ORG_ASSIGNMENT_OID); // used for tests 4xx //DebugUtil.setDetailedDebugDump(true); + + initDummyResourcePirate(RESOURCE_DUMMY_ORGTARGET_NAME, + RESOURCE_DUMMY_ORGTARGET_FILE, RESOURCE_DUMMY_ORGTARGET_OID, initTask, initResult); + } @Test 
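Review bot: The comment `// RED resource has STRONG mappings` above `RESOURCE_DUMMY_ORGTARGET_FILE` looks copy-pasted from another test class; the resource declared on the next lines is named `orgtarget`, not RED, so the comment misdirects the reader. Suggest `// orgtarget resource: strong outbound mappings for ri:title and ri:ship, used to reproduce MID-4934`, which is what resource-dummy-orgtarget.xml in this patch actually declares. The new `initDummyResourcePirate(...)` call in `initSystem` would also benefit from a one-line why-comment, since the orgtarget account is asserted by `assertJackOrgtarget` in nearly every test below and a reader of `initSystem` alone cannot tell why a second resource is needed here.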
@@ -160,6 +180,32 @@ public void test052RootOrgQuery() throws Exception { assertMonkeyIslandOrgSanity(); } + @Test + public void test100JackAssignOrgtarget() throws Exception { + final String TEST_NAME = "test100JackAssignOrgtarget"; + displayTestTitle(TEST_NAME); + + Task task = createTask(TEST_NAME); + OperationResult result = task.getResult(); + + // Precondition + assertNoDummyAccount(ACCOUNT_JACK_DUMMY_USERNAME); + assertNoDummyAccount(RESOURCE_DUMMY_ORGTARGET_NAME, ACCOUNT_JACK_DUMMY_USERNAME); + + // WHEN + assignAccount(USER_JACK_OID, RESOURCE_DUMMY_ORGTARGET_OID, null, task, result); + + // THEN + PrismObject userJack = getUser(USER_JACK_OID); + display("User jack after", userJack); + assertAccount(userJack, RESOURCE_DUMMY_ORGTARGET_OID); + + assertJackOrgtarget(null); + + // Postcondition + assertMonkeyIslandOrgSanity(); + } + /** * Scumm bar org also acts as a role, assigning account on dummy resource. */ @@ -182,7 +228,9 @@ public void test101JackAssignScummBar() throws Exception { display("User jack after", userJack); assertUserOrg(userJack, ORG_SCUMM_BAR_OID); - assertDefaultDummyAccount(ACCOUNT_JACK_DUMMY_USERNAME, "Jack Sparrow", true); + assertDefaultDummyAccount(ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_FULL_NAME, true); + + assertJackOrgtarget(null, ORG_SCUMM_BAR_NAME); // Postcondition assertMonkeyIslandOrgSanity(); @@ -204,6 +252,8 @@ public void test102JackUnassignScummBar() throws Exception { display("User jack after", userJack); assertUserNoOrg(userJack); + assertJackOrgtarget(null); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -234,6 +284,8 @@ public void test201JackAssignScummBarAndSaveElaine() throws Exception { display("User jack after", userJack); assertUserOrg(userJack, ORG_SCUMM_BAR_OID, ORG_SAVE_ELAINE_OID); + assertJackOrgtarget(null, ORG_SCUMM_BAR_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } 
@@ -257,6 +309,8 @@ public void test202JackAssignMinistryOfOffense() throws Exception { display("User jack after", userJack); assertUserOrg(userJack, ORG_SCUMM_BAR_OID, ORG_SAVE_ELAINE_OID, ORG_MINISTRY_OF_OFFENSE_OID); + assertJackOrgtarget(null, ORG_SCUMM_BAR_NAME, ORG_MINISTRY_OF_OFFENSE_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -277,6 +331,8 @@ public void test207JackUnAssignScummBar() throws Exception { display("User jack after", userJack); assertUserOrg(userJack, ORG_SAVE_ELAINE_OID, ORG_MINISTRY_OF_OFFENSE_OID); + assertJackOrgtarget(null, ORG_MINISTRY_OF_OFFENSE_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -301,6 +357,8 @@ public void test208JackUnassignAll() throws Exception { display("User jack after", userJack); assertUserNoOrg(userJack); + assertNoDummyAccount(RESOURCE_DUMMY_ORGTARGET_NAME, ACCOUNT_JACK_DUMMY_USERNAME); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -317,6 +375,7 @@ public void test210JackAssignMinistryOfOffenseMember() throws Exception { Collection> modifications = new ArrayList<>(); modifications.add(createAssignmentModification(ORG_MINISTRY_OF_OFFENSE_OID, OrgType.COMPLEX_TYPE, null, null, null, true)); modifications.add(createAssignmentModification(ROLE_DEFENDER_OID, RoleType.COMPLEX_TYPE, null, null, null, true)); + modifications.add(createAssignmentModification(RESOURCE_DUMMY_ORGTARGET_OID, ShadowKindType.ACCOUNT, null, true)); ObjectDelta userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext); Collection> deltas = MiscSchemaUtil.createCollection(userDelta); @@ -329,6 +388,8 @@ public void test210JackAssignMinistryOfOffenseMember() throws Exception { assertAssignedOrgs(userJack, ORG_MINISTRY_OF_OFFENSE_OID); assertHasOrgs(userJack, ORG_MINISTRY_OF_OFFENSE_OID, ORG_MINISTRY_OF_DEFENSE_OID); + assertJackOrgtarget(null, ORG_MINISTRY_OF_OFFENSE_NAME, ORG_MINISTRY_OF_DEFENSE_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } 
@@ -354,6 +415,8 @@ public void test211JackAssignMinistryOfOffenseMinister() throws Exception { assertAssignedOrg(userJack, ORG_MINISTRY_OF_OFFENSE_OID, null); assertHasOrg(userJack, ORG_MINISTRY_OF_OFFENSE_OID, null); assertHasOrg(userJack, ORG_MINISTRY_OF_DEFENSE_OID, null); + + assertJackOrgtarget(null, ORG_MINISTRY_OF_OFFENSE_NAME, ORG_MINISTRY_OF_DEFENSE_NAME); // Postcondition assertMonkeyIslandOrgSanity(); @@ -378,6 +441,8 @@ public void test212JackUnassignMinistryOfOffenseMember() throws Exception { assertHasOrgs(userJack, ORG_MINISTRY_OF_OFFENSE_OID, ORG_MINISTRY_OF_DEFENSE_OID); assertHasOrg(userJack, ORG_MINISTRY_OF_OFFENSE_OID, SchemaConstants.ORG_MANAGER); + assertJackOrgtarget(null, ORG_MINISTRY_OF_DEFENSE_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -399,6 +464,8 @@ public void test213JackUnassignMinistryOfOffenseManager() throws Exception { assertAssignedNoOrg(userJack); assertHasOrgs(userJack, ORG_MINISTRY_OF_DEFENSE_OID); + assertJackOrgtarget(null, ORG_MINISTRY_OF_DEFENSE_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -421,6 +488,8 @@ public void test220JackAssignMinistryOfOffenseMemberAgain() throws Exception { assertHasOrgs(userJack, ORG_MINISTRY_OF_OFFENSE_OID, ORG_MINISTRY_OF_DEFENSE_OID); assertAssignedOrg(userJack, ORG_MINISTRY_OF_OFFENSE_OID, null); assertHasOrg(userJack, ORG_MINISTRY_OF_OFFENSE_OID, null); + + assertJackOrgtarget(null, ORG_MINISTRY_OF_OFFENSE_NAME, ORG_MINISTRY_OF_DEFENSE_NAME); // Postcondition assertMonkeyIslandOrgSanity(); 
@@ -453,6 +522,8 @@ public void test221JackAssignScummBarAndSaveElaine() throws Exception { assertAssignedOrgs(userJack, ORG_MINISTRY_OF_OFFENSE_OID, ORG_SCUMM_BAR_OID, ORG_SAVE_ELAINE_OID); assertHasOrgs(userJack, ORG_MINISTRY_OF_OFFENSE_OID, ORG_SCUMM_BAR_OID, ORG_SAVE_ELAINE_OID, ORG_MINISTRY_OF_DEFENSE_OID); + assertJackOrgtarget(null, ORG_MINISTRY_OF_OFFENSE_NAME, ORG_MINISTRY_OF_DEFENSE_NAME, ORG_SCUMM_BAR_NAME); + // Postcondition assertMonkeyIslandOrgSanity(); } @@ -508,6 +579,8 @@ public void test223JackChangeMinistryOfOffenseMemberToManager() throws Exception assertHasOrg(userJack, ORG_SCUMM_BAR_OID, null); assertAssignedOrg(userJack, ORG_SAVE_ELAINE_OID, null); assertHasOrg(userJack, ORG_SAVE_ELAINE_OID, null); + + assertJackOrgtarget(null, ORG_MINISTRY_OF_DEFENSE_NAME, ORG_SCUMM_BAR_NAME); // Postcondition assertMonkeyIslandOrgSanity(); @@ -537,7 +610,7 @@ public void test230JackRecompute() throws Exception { TestUtil.assertSuccess(result); assertRefs23x(); - assertCounterIncrement(InternalCounters.SHADOW_FETCH_OPERATION_COUNT, 1); + assertCounterIncrement(InternalCounters.SHADOW_FETCH_OPERATION_COUNT, 2); } /** @@ -568,8 +641,8 @@ public void test232JackDestroyRefsAndRecompute() throws Exception { TestUtil.assertSuccess(result); assertRefs23x(); - assertCounterIncrement(InternalCounters.SHADOW_FETCH_OPERATION_COUNT, 1); - assertCounterIncrement(InternalCounters.CONNECTOR_OPERATION_COUNT, 4); + assertCounterIncrement(InternalCounters.SHADOW_FETCH_OPERATION_COUNT, 2); + assertCounterIncrement(InternalCounters.CONNECTOR_OPERATION_COUNT, 5); } /** @@ -1598,6 +1671,13 @@ public void test439JackCleanup() throws Exception { assertMonkeyIslandOrgSanity(); } + + /** + * Now let's test working with assignments when there is an object template that prescribes an org assignment + * based on organizationalUnit property. + * + */ + /** * MID-3545 */ 
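Review bot: The javadoc block relocated after `test439JackCleanup` ("Now let's test working with assignments when there is an object template ...") is immediately followed by the existing `/** MID-3545 */` javadoc, so only the second one attaches to the next method and the first becomes an orphan doc comment. Either merge them into a single javadoc (template-driven org assignment description plus the MID-3545 reference) or demote the section introduction to a plain `// ---- object template driven org assignment (tests 4xx) ----` line comment. The method this documents starts outside the hunk.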
@@ -1709,17 +1789,82 @@ public void test449JackModifyEmployeeTypeNull() throws Exception { assertMonkeyIslandOrgSanity(); } + @Test + public void test500JackEndPirate() throws Exception { + final String TEST_NAME = "test500JackEndPirate"; + displayTestTitle(TEST_NAME); + + Task task = createTask(TEST_NAME); + OperationResult result = task.getResult(); + + // preconditions + PrismObject userBefore = getUser(USER_JACK_OID); + display("User before", userBefore); + assertNoAssignments(userBefore); + assertLinks(userBefore, 0); + + // WHEN + assignAccount(USER_JACK_OID, RESOURCE_DUMMY_ORGTARGET_OID, null, task, result); + assignOrg(USER_JACK_OID, ORG_SCUMM_BAR_OID, task, result); + assignRole(USER_JACK_OID, ROLE_END_PIRATE_OID, task, result); + + // THEN + result.computeStatus(); + TestUtil.assertSuccess(result); + + PrismObject userJack = getUser(USER_JACK_OID); + display("User jack after", userJack); + assertAssignments(userJack, 3); + + assertJackOrgtarget(USER_ELAINE_USERNAME, ORG_SCUMM_BAR_NAME); + + // Postcondition + assertMonkeyIslandOrgSanity(); + } + /** - * Now let's test working with assignments when there is an object template that prescribes an org assignment - * based on organizationalUnit property. 
- * + * MID-4934 */ + @Test + public void test510JackEndPirate() throws Exception { + final String TEST_NAME = "test510JackEndPirate"; + displayTestTitle(TEST_NAME); + + login(USER_JACK_USERNAME); + + Task task = createTask(TEST_NAME); + OperationResult result = task.getResult(); + + // WHEN + displayWhen(TEST_NAME); + modifyUserChangePassword(USER_JACK_OID, "X.marks.the.SPOT", task, result); + + // THEN + displayThen(TEST_NAME); + result.computeStatus(); + TestUtil.assertSuccess(result); + + login(USER_ADMINISTRATOR_USERNAME); + + PrismObject userJack = getUser(USER_JACK_OID); + display("User jack after", userJack); + assertAssignments(userJack, 3); + + assertJackOrgtarget(USER_ELAINE_USERNAME, ORG_SCUMM_BAR_NAME); + + // Postcondition + assertMonkeyIslandOrgSanity(); + } + + @Test public void test799DeleteJack() throws Exception { final String TEST_NAME = "test799DeleteJack"; displayTestTitle(TEST_NAME); + login(USER_ADMINISTRATOR_USERNAME); + executeDeleteJack(TEST_NAME); } @@ -1738,7 +1883,6 @@ protected void assertUserOrg(PrismObject user, String... orgOids) thro protected void assertUserNoOrg(PrismObject user) throws Exception { assertAssignedNoOrg(user); assertHasNoOrg(user); - assertAssignments(user, 0); assertHasOrgs(user, 0); } 
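Review bot: In `test510JackEndPirate` the security context is switched with `login(USER_JACK_USERNAME)` and only switched back to the administrator after `TestUtil.assertSuccess(result)`, so any failure in the WHEN/THEN section leaves every later test running under jack's restricted end-user authorizations; the `login(USER_ADMINISTRATOR_USERNAME)` added to `test799DeleteJack` mitigates this only for that one test. Wrap the jack-authenticated section in `try { ... } finally { login(USER_ADMINISTRATOR_USERNAME); }` so the context is always restored, which keeps a MID-4934 reproduction from cascading into unrelated authorization failures. The `MID-4934` javadoc should also say what is being reproduced, presumably that a self-service password change evaluates the strong orgtarget outbound mappings, and hence the parent-org lookup, under the end user's own authorizations; `assertJackOrgtarget(USER_ELAINE_USERNAME, ORG_SCUMM_BAR_NAME)` being unchanged after the password change is the observable expectation worth stating there.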
@@ -1769,5 +1913,17 @@ private void assertManager(String userOid, String managerOid, String orgType, bo } } } + + private void assertJackOrgtarget(String expectedShip, String... expectedTitleValues) throws Exception { + DummyAccount account = assertDummyAccount(RESOURCE_DUMMY_ORGTARGET_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_FULL_NAME, true); + display("orgtarget account", account); + String shipAccountValue = account.getAttributeValue(DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_SHIP_NAME); + assertEquals("Jack's ship is wrong", expectedShip, shipAccountValue); + Set titleAccountValues = account.getAttributeValues(DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_TITLE_NAME, String.class); + if (titleAccountValues == null && expectedTitleValues.length == 0) { + return; + } + PrismAsserts.assertEqualsCollectionUnordered("Jack's titles are wrong", titleAccountValues, expectedTitleValues); + } } diff --git a/model/model-intest/src/test/resources/logback-test.xml b/model/model-intest/src/test/resources/logback-test.xml index 90d10261aeb..b3fec64ccef 100644 --- a/model/model-intest/src/test/resources/logback-test.xml +++ b/model/model-intest/src/test/resources/logback-test.xml @@ -92,7 +92,7 @@ - + diff --git a/model/model-intest/src/test/resources/orgstruct/resource-dummy-orgtarget.xml b/model/model-intest/src/test/resources/orgstruct/resource-dummy-orgtarget.xml new file mode 100644 index 00000000000..04894887814 --- /dev/null +++ b/model/model-intest/src/test/resources/orgstruct/resource-dummy-orgtarget.xml 
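Review bot: In `assertJackOrgtarget` the early return only covers `titleAccountValues == null` together with an empty expectation; when the account has no title attribute but titles are expected, a null collection falls through into `PrismAsserts.assertEqualsCollectionUnordered`, which is likely to fail with a NullPointerException instead of a readable assertion message. Add `assertNotNull("Jack's titles are missing", titleAccountValues);` after the early return, and document the helper with a short javadoc stating that `expectedShip` is compared exactly (null means the ship attribute must be absent) and that no `expectedTitleValues` means the title attribute must be absent or empty.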
@@ -0,0 +1,166 @@ + + + + + + + + Dummy Resource: orgtarget + + + + + connectorType + com.evolveum.icf.dummy.connector.DummyConnector + + + connectorVersion + 2.0 + + + + + + + + orgtarget + + whatever + + USEless + + + + false + false + false + + + + + + + account + default + Default Account + true + ri:AccountObjectClass + + icfs:name + Username + + strong + + $user/name + + + + + + + + icfs:uid + UID + + + ri:fullname + Full Name + + + $user/fullName + + + + + ri:title + + strong + + + + + + + ri:ship + + orgtarget-ship + strong + + true + + + + + + + 5 + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/model/model-intest/src/test/resources/orgstruct/role-end-pirate.xml b/model/model-intest/src/test/resources/orgstruct/role-end-pirate.xml new file mode 100644 index 00000000000..a0031a3e38b --- /dev/null +++ b/model/model-intest/src/test/resources/orgstruct/role-end-pirate.xml 
@@ -0,0 +1,204 @@ + + + End Pirate + Modified/simplified end user role + + admin-gui-self-home + + Allow access to self-service home in GUI. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard + + + gui-self-service-access-credentials + + Allow access to self-service operation credentials in GUI. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials + + + self-read + + Allow to read all the properties of "self" object. I.e. every logged-in user can read + object that represent his own identity. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + + self + + + + self-shadow-read + + Allow to read all the properties of all the shadows that belong to "self" object. + I.e. every logged-in user can read all his accounts. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + + ShadowType + + self + + + + + self-credentials-request + + Allow to modify user's own credentials. + Note that this is a request phase authorization. It also requires corresponding execution-phase authorization. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials + request + + self + + credentials + + + self-shadow-credentials-request + + Allow to modify credentials of all users accounts. + Note that this is a request phase authorization. It also requires corresponding execution-phase authorization. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials + request + + ShadowType + + self + + + credentials + + + self-execution-modify + + Authorization that allows to self-modification of some properties, but only in execution phase. + The limitation real limitation of these operations is done in the request phase. + E.g. the modification of assignments is controlled in the request phase by using the #assign + authorization. 
+ + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify + execution + + self + + credentials + assignment + parentOrgRef + roleMembershipRef + + + self-shadow-execution-add-modify-delete + + Authorization that allows to self-modification of user's accounts, but only in execution phase. + The real limitation of these operations is done in the request phase. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete + execution + + ShadowType + + self + + + + + assignment-target-read + + Authorization that allows to read all the object that are possible assignment targets. We want that + to display the targets in the selection windows. + Note that this authorization may be too broad for production use. Normally it should be limited to just + selected properties such as name and description. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + + OrgType + + + ResourceType + + + RoleType + + + ServiceType + + + + self-persona-read + + Allow to read all the personas of currently logged-in user. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + + UserType + + self + + + + + shadow-read + + workaround for reading cn=technicki_pouzivatelia,ou=Groups,o=XXXX in outbound mapping XXXXPrimaryOrgUnitUP (...getParentOrgs() ) in paperLess resource + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + + ShadowType + + name + dn + resourceRef + + + read-orgs-in-exection-phase + + Authorization to read org in execution phase. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + execution + + OrgType + + + + read-users-in-exection-phase + + Authorization to read users in execution phase (paperless manager remove when changed password). 
+ + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + execution + + UserType + + + + read-shadows-in-exection-phase + + Authorization to read users in execution phase (paperless manager remove when changed password). + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + execution + + ShadowType + + +