Resource capabilities are the things that the resource can do. Not all the resource are equal in their capabilities. E.g. one resource supports account activation (enabling and disabling accounts) but other does not. One resource provides read-write access while other can support read-only access. One resource supports real-time synchronization while other does not. The capabilities define what features the resource supports so system can behave accordingly.
All the capabilities can be disabled (i.e. turned off). Disabling the capability will cause that system will not use that part of the connector and resource. The capabilities are usually disabled if they are faulty. E.g. if there is a bug in a connector or on the resource then the bug might be circumvented if appropriate capability is disabled. But the capabilities may be disabled also for administrative reasons. E.g. disabling Create, Update and Delete capabilities makes the resource efficiently read-only.
Some capabilities can be simulated. It means that system can pretend that the resource has specific capability even though it does not have it. E.g. an activation capability can be simulated by setting a specific account attribute to a specific value to disable an account. Such simulated capabilities usually require some configuration. This can also be configured on this page.
This stage of the wizard configures connector configuration properties. They usually define network parameters used to access the resource such as hostname and port numbers. Additional connection parameters such as operation network timeouts and connection pooling configuration can be specified here.
There connector configuration properties are unique for each connector. The specific set of configuration properties are determined by connector configuration schema. Therefore the content of this page depends on the connector type that was selected in the previous page.
+ResourceWizard.help.nameStep=
This stage of the wizard configures basic properties of the resource. It can be used to configure resource name and description. Connector name is mandatory and must be unique. Connector that will be used to access the resource must also be configured. Connectors are deployed on connector hosts. If the connector host is left empty then connectors deployed directly in the system instance will be used.
This step is used to provide configuration for handling of resource schema. The configuration displayed on this page tells system what to do with resource object classes and attributes. It contains the configuration of mappings between user properties and account attributes, configuration of account types, groups, provisioning dependencies, password mapping and so on.
The configuration is grouped into object types. Each object type defines the behavior for specific account type, entitlement type, OU, etc. The object type is uniquely identified by the combination of kind and intent. The kind defines what kind of the object it is\:
kind\=account means that the object is an account, i.e. that it represents a user.
kind\=entitlement is applied to groups, roles, privileges, ACIs and similar objects that can be associated with accounts and which give privileges or access rights to the account.
kind\=generic applies to other objects such as organizational units (OUs), domains, etc.
Intent is a plain string that can be used to distinguish several object types. E.g. it can be used to define several account types, e.g. "default user account", "administration account", "testing account" and so on. See Kind, Intent and ObjectClass wiki page for more details.
This page shows resource schema. The resource schema defines object classes that the connector can manage, e.g. accounts, groups, organizational units and so on. The schema defines a set of attributes for each object class. The schema is presented here in read-only form so you can inspect it and familiarize yourself with the data model that the resource provides.
The resource schema presented at this page is usually retrieved from the resource and automatically generated by system. Resource schema defines what the resource can do, i.e. what object classes it defines and what attributes are used in the object classes. Therefore the schema is read-only. It is not a configuration. It does not defines how system uses the object classes and attributes. That is configured in next steps of the wizard.
The synchronization configuration defines how Identity Manager reacts when it discovers that resource object has changed. E.g. it defines how system reacts when it discovers new account, when it discovers that a group that should exist does not and so on. It is usually does not matter how system discovers the change the reaction is usually the same (although exceptions are possible by using channel specification). Therefore the policy that is configured here usually applies to live synchronization, reconciliation, import, discovery (consistency mechanism) and possible also other mechanisms that may come in the future.
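Review bot: In the ResourceWizard.help.nameStep text, "Connector name is mandatory and must be unique" directly follows the sentence about configuring the resource name and description, so it reads as if "Resource name" was meant; please confirm which one is mandatory and unique. The neighbouring help texts also need a wording pass before they reach users: "There connector configuration properties are unique", "It does not defines how system uses the object classes", "It is usually does not matter how system discovers the change the reaction is usually the same", and "makes the resource efficiently read-only" (probably "effectively").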
+ChangePasswordPanel.helpPopupTitle=Password propagation help
+PageBase.button.tooltip.clearSearch=Clear
+mainForm.uploadTooLarge = Upload must be less than ${maxSize}.
+mainForm.uploadFailed = File failed to upload\: ${exception.localizedMessage}PageSelfCredentials.couldntResolve\=Couldn't resolve resource.
+PageSelfCredentials.couldntResolve=Couldn't resolve resource.
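Review bot: The mainForm.uploadFailed value runs straight into the next entry: after ${exception.localizedMessage} it continues with "PageSelfCredentials.couldntResolve\=Couldn't resolve resource.", so that text becomes part of the upload error message. It looks like a lost line break; end the value at ${exception.localizedMessage}, since PageSelfCredentials.couldntResolve is already defined on its own on the following line.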
+roleMemberPanel.type=Type\:
+roleMemberPanel.tenant=Tenant\:
+roleMemberPanel.project=Org/Project\:
+roleMemberPanel.indirectMembers=Include indirect members
+roleMemberPanel.allRelations=Show all relations
+roleMemberPanel.menu.createOwner=Create owner
+roleMemberPanel.menu.assignOwners=Assign owners
+roleMemberPanel.menu.createApprover=Create approver
+roleMemberPanel.menu.assignApprovers=Assign approvers
+roleMemberPanel.relation=Relation
+SearchPanel.more=More...
+SearchPanel.add=Add
+SearchPanel.close=Close
+SearchPanel.properties=Properties
+SearchPanel.fullText=Full text
+SearchPanel.fullTextSearch=Full text search
+SearchItemPanel.all=All
+SearchItemPanel.update=Update
+SearchItemPanel.close=Close
+SearchItemPanel.add=Add
+SearchItemPanel.remove=Remove
+SearchItemPanel.browse=Browse
+SearchItemPanel.or=or
+operation.com.evolveum.midpoint.schema.constants.ConnectorTestOperation.connectorSchema=Connector schema
+FeedbackAlertMessageDetails.operation=Operation
+FeedbackAlertMessageDetails.message=Message
+FeedbackAlertMessageDetails.params=Parameters
+FeedbackAlertMessageDetails.contexts=Context
+FeedbackAlertMessageDetails.count=Count
+FeedbackAlertMessageDetails.error=Error
+operation.com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor.processInbound=Process inbound (Model)
+operation.com.evolveum.midpoint.model.impl.lens.projector.Projector.project=Project (Model)
+operation.com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor.processAssignmentsProjections=Process assignments (Model)
+operation.com.evolveum.midpoint.web.page.admin.PageAdminObjectDetails.save=Save (GUI)
+operation.com.evolveum.midpoint.repo.api.RepositoryService.getVersion=Get version (Repository)
+operation.com.evolveum.midpoint.task.quartzimpl.execution.ExecutionManager.scheduleRunnableTaskNow=Schedule runnable task now (Task)
+operation.com.evolveum.midpoint.web.page.admin.server.PageTaskAdd.runNowTask=Run now (Task)
+operation.com.evolveum.midpoint.task.api.TaskManager.scheduleTasksNow=Schedule tasks now (Task)
+operation.com.evolveum.midpoint.model.impl.importer.ObjectImporter.resolveReference=Resolve reference (Model)
+operation.com.evolveum.midpoint.model.impl.importer.ObjectImporter.encryptValues=Encrypt values (Model)
+operation.com.evolveum.midpoint.model.impl.importer.ObjectImporter.importObjectToRepository=Import object to repository (Model)
+operation.com.evolveum.midpoint.model.api.ModelService.executeChange=Execute changes (Model)
+operation.com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor.evaluateAssignment=Evaluate assignment (Model)
+operation.com.evolveum.midpoint.wf.impl.WfHook.invoke=Invoke (Workflow)
+operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute=Execute (Model)
+operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute.focus.UserType=Execute - user (Model)
+operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta=Execute delta (Model)
+operation.com.evolveum.midpoint.task.api.Task.listSubtasksDeeply=List subtasks deeply (Task)
+operation.com.evolveum.midpoint.task.api.Task.listSubtasksRaw=List subtasks raw (Task)
+operation.com.evolveum.midpoint.web.page.self.PageSelfCredentials.savePassword=Change password (GUI)
+operation.com.evolveum.midpoint.web.page.self.PageRequestRole.save=Changes were successfully saved
+operation.com.evolveum.midpoint.web.page.self.PageRequestRole.taskCreated=The process of assigning a role is waiting for the approval.
+PageError.button.home=主页
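Review bot: PageError.button.home is set to 主页 while the entries around it are English, and TreeTablePanel.menu.deleteAllMembers.confirm further down is likewise Chinese next to an English TreeTablePanel.menu.deleteMember.confirm. If this file is a locale bundle, say so in the commit message and note that the remaining values are still untranslated; if it is not, these two values should be English like the rest.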
+PageResource.tab.connector=Connector
+PageResource.tab.connector.connectorLabel=Connector
+PageResource.tab.connector.connectorPoolLabel=Connector pool
+PageResource.tab.content.account=Accounts
+PageResource.tab.content.entitlement=Entitlements
+PageResource.tab.content.generic=Generics
+PageResource.tab.content.others=Uncategorized
+PageResource.tab.content.tasks=Defined Tasks
+ResourceContentTabPanel.searchType.repository=Repository
+ResourceContentTabPanel.searchType.resource=Resource
+ResourceContentTabPanel.searchType=Search In\:
+PagePreviewChanges.primaryChangesOne=Primary changes\: {0} object
+PagePreviewChanges.primaryChangesMore=Primary changes\: {0} objects
+PagePreviewChanges.secondaryChangesOne=Secondary changes\: {0} object
+PagePreviewChanges.secondaryChangesMore=Secondary changes\: {0} objects
+PagePreviewChanges.button.continueEditing=Continue editing
+PagePreviewChanges.button.save=Save
+ScenePanel.object={0} object
+ScenePanel.objects={0} objects
+ScenePanel.item=Item
+ScenePanel.oldValue=Old value
+ScenePanel.newValue=New value
+ScenePanel.value=Value
+SceneItemLinePanel.removedValue=Removed value
+SceneItemLinePanel.addedValue=Added value
+SceneItemLinePanel.unchangedValue=Unchanged value
+operation.com.evolveum.midpoint.web.page.admin.resources.ResourceContentTabPanel.changeOwner=Change owner (GUI)
+TaskSummaryPanel.progressWithTotalKnown=Progress\: {0} out of {1}
+TaskSummaryPanel.progressWithTotalUnknown=Progress\: {0}
+TaskSummaryPanel.progressIfSuspended=(suspended)
+TaskSummaryPanel.progressIfWaiting=(waiting)
+TaskSummaryPanel.progressIfClosed=(closed)
+TaskSummaryPanel.progressIfStalled=(stalled since {0})
+TaskSummaryPanel.lastProcessed=Last object processed\: {0}
+ResourceContentResourcePanel.showExisting=Show existing
+ResourceContentResourcePanel.newTask=Create new
+SearchPanel.advanced=Advanced
+SearchPanel.basic=Basic
+SearchPanel.search=Search
+SearchPanel.debug=Debug
+ResourceContentResourcePanel.realSearch=(In fact) Searching by\:
+typedAssignablePanel.selectedOrgs=Orgs\:
+typedAssignablePanel.selectedResources=Resources\:
+typedAssignablePanel.selectedRoles=Roles\:
+typedAssignablePanel.selectedServices=Services\:
+SearchPanel.insertFilterXml=Insert filter xml (SearchFilterType)
+autoRefreshPanel.refreshNow=Refresh now
+autoRefreshPanel.resumeRefreshing=Resume refreshing
+autoRefreshPanel.pauseRefreshing=Pause refreshing
+autoRefreshPanel.refreshingEach=Refreshing each {0} sec
+autoRefreshPanel.noRefreshing=(no refreshing)
+PageAdmin.menu.top.services=Services
+PageAdmin.menu.top.services.list=List services
+PageAdmin.menu.top.services.new=New service
+PageAdmin.menu.top.services.edit=Edit service
+taskShowAdvancedFeaturesPanel.label=Show advanced features
+taskWfParentPanel.changesNotRequiringApproval=Changes not requiring approval
+taskOtherChangesPanel.label.state=State\:
+taskOtherChangesPanel.state.FINAL=Changes have been applied (successfully or not)
+taskOtherChangesPanel.state.PRIMARY=Changes are waiting to be applied
+taskOtherChangesPanel.state.SECONDARY=Changes are waiting to be applied
+taskWfChildPanel.showParent=Show request in a context of the whole operation.
+TaskSummaryPanel.requestedBy=Requested by\: {0}
+TaskSummaryPanel.requestedByWithFullName=Requested by\: {0} ({1})
+TaskSummaryPanel.requestedOn=Requested on\: {0}
+TaskSummaryPanel.requestedByAndOn=Requested by {0} on {1}
+TaskSummaryPanel.stage=Stage\: {0}
+TaskSummaryPanel.rejected=Rejected
+TaskSummaryPanel.approved=Approved
+operation.com.evolveum.midpoint.web.page.admin.resources.PageResource.refreshSchema=Refresh schema (GUI)
+TaskDto.changesApplied=Changes applied (successfully or not)
+TaskDto.changesBeingApplied=Changes being applied
+TaskDto.changesWaitingToBeApplied=Changes waiting to be applied
+TaskDto.changesWaitingToBeApproved=Changes waiting to be approved
+TaskDto.changesRejected=Changes rejected
+TaskDto.changesCanceled=Changes canceled
+PageServices.title=Service List
+PageServices.message.deleteServicesConfirm=Do you really want to delete selected {0} service(s)?
+PageServices.message.confirmationMessageForMultipleObject=Do you really want to {0} selected {1} service(s)?
+PageServices.message.confirmationMessageForSingleObject=Do you really want to {0} service '{1}'?
+PageServices.message.nothingSelected=No service has been selected.
+PageServices.message.buttonDelete=Delete
+LiveSyncHandlerPanel.deleteToken=Delete token
+ScannerHandlerPanel.lastScanTimestamp=Last scan timestamp
+ScriptExecutionHandlerPanel.script=Script
+QueryBasedHandlerPanel.objectType=Object type
+QueryBasedHandlerPanel.query=Query
+DeleteHandlerPanel.executeInRawMode=Execute in raw mode
+ExecuteChangesHandlerPanel.change=Change
+ExecuteChangesHandlerPanel.options=Options
+ReportCreateHandlerPanel.downloadCreatedReport=Download created report
+ReportCreateHandlerPanel.reportParameters=Report parameters
+OperationResultPanel.showTask=(show task)
+PageResources.inlineMenuItem.test=Test connection
+PageRequestRole.title=Request a role
+MainObjectListPanel.refresh=Refresh
+MainObjectListPanel.newObject=New
+MainObjectListPanel.import=Import
+MainObjectListPanel.export=Export
+MainObjectListPanel.exportFileName=export
+TreeTablePanel.menu.createMember=Create member
+TreeTablePanel.menu.createManager=Create manager
+TreeTablePanel.menu.addMembers=Assign members
+TreeTablePanel.menu.addManagers=Assign managers
+TreeTablePanel.menu.unassignMembersSelected=Unassign selected members
+TreeTablePanel.menu.unassignMembersAll=Unassign all members
+TreeTablePanel.menu.removeManagersAll=Unassign all managers
+TreeTablePanel.menu.recomputeMembersSelected=Recompute selected members
+TreeTablePanel.menu.recomputeMembersAll=Recompute all members
+TreeTablePanel.menu.recomputeMembersAllDirect=Recompute direct members
+TreeTablePanel.menu.recomputeManagersAll=Recompute all managers
+TreeTablePanel.menu.deleteManagersAll=Delete all managers
+TreeTablePanel.menu.deleteManager.confirm=Are you sure you want to delete selected manager from system? This change is permanent.
+TreeTablePanel.menu.deleteManagersAll.confirm=All defined managers will be permanently removed from system. Are you sure to perform this action?
+TreeTablePanel.move=Move
+TreeTablePanel.makeRoot=Make root
+TreeTablePanel.delete=Delete
+TreeTablePanel.recompute=Recompute
+TreeTablePanel.edit=Edit
+TreeTablePanel.createChild=Create child
+WorkItemSummaryPanel.allocated=Allocated
+WorkItemSummaryPanel.notAllocated=Not allocated
+WorkItemPanel.showRequest=Show the approval request.
+DefinitionStagesPanel.confirmDelete=Confirm delete
+DefinitionStagesPanel.confirmDeleteText=Do you really want to delete stage '{0}'?
+PageCertDefinition.outcomeStrategyHelpLabel=Please see also
+PageCertDefinition.outcomeStrategyHelpLink=this document
+PageCertDefinition.outcomeStrategyHelp=How is the overall outcome for a case determined, based on outcomes in individual stages? Note\: 'Stop review on\:' field shows outcomes that prevent a case from being advanced to the next stage. Usually you need not change the default value. If necessary, you could do that through the XML configuration.
+PageCertDefinition.campaignLastStartedHelp=When was last campaign created according to this definition started?
+PageCertDefinition.campaignLastClosedHelp=When was last campaign created according to this definition closed - either after successfully going through all stages, or closed at any time. However, if a campaign is deleted without being closed first, it is not shown here.
+PageCertDefinition.scopeObjectTypeHelp=Determines which objects will be considered to be in the scope of the certification campaigns. Features of these objects (e.g. whether to certify their assignments or their inducements or both, etc) are selected below.
+PageCertDefinition.scopeSearchFilterHelp=If only a subset of objects of given type is to be considered for certification, you can specify the corresponding filter here. For example, you can specify that only users from a certain organization should be certified. Or that only employees with a specific employee type should be considered.
+PageCertDefinition.scopeAssignmentsInducementsHelp=Select what features (assignments, inducements or both) of the objects described above are to be certified.
+PageCertDefinition.scopeIncludeTargetTypesHelp=When certifying assignments or inducements, you can specify what target types are taken into account. For example, you can say that you want to certify only assignments of roles (to, for example, users).
+PageCertDefinition.scopeIncludeByStatusHelp=Whether to certify only assignments/inducements that have administrative status set to ENABLED (or not set at all). Note that what is relevant is the administrative status of the assignment, not the administrative status of the assigned object.
+StageDefinitionPanel.stageDurationHelp=Duration of this stage, used to determine stage end time. The end time is computed as the moment of stage opening plus the duration, rounded up to 23\:59\:59 of the last day. Duration is specified in ISO 8601 format, like P14D for 14 days, P3W for 3 weeks, P2M for 2 months, etc.
+StageDefinitionPanel.notifyBeforeDeadlineHelp=How long before the stage end the reminding notifications (to reviewers and campaign owner) will be sent. It is possible to specify more values; separate them by commas. Time interval is specified in ISO 8601 format, like PT12H for 12 hours, P2D for 2 days, P1W for 1 week, etc. An example\: PT48H, PT12H says that the first notification will be sent 48 hours before stage end, and the second one 12 hours before the end.
+StageDefinitionPanel.notifyWhenNoDecisionHelp=If checked, a 'stage end approaching' notification is sent to a reviewer only if he/she has some cases waiting for his/her decision. If not checked, reviewers always get their notifications - regardless of whether they have provided a decision or not. (Note that notifications to the campaign owner about approaching stage end are always sent, regardless of this setting.)
+StageDefinitionPanel.reviewerSpecificationTargetHelp=Selection of reviewers based on assignment/inducement target owner/approver. E.g. you can specify that the role owner is used to certify all assignments of 'his' role (to any users).
+StageDefinitionPanel.reviewerSpecificationObjectHelp=Selection of reviewers based on object that has something assigned (or induced) to. E.g. you can specify that the role owner is used to certify all inducements made to 'his' role.
+StageDefinitionPanel.reviewerUseObjectManagerHelp=Selection of reviewers based on managers of object (typically a user) that has something assigned/induced to. E.g. you can specify that a manager is used to certify all assignments made to users in 'his' organization.
+StageDefinitionPanel.reviewerUseObjectManagerOrgTypeHelp=Influences determination of a manager of a user\: First, we take all managers of all organizations the user belongs to. We exclude the user himself, if he is a manager of such organization (and if 'allow managers to approve their own assignments' below is unchecked). If the value in this field is filled-in, we use it to select only organizations with given organization type value - for example, 'functional' (if you have e.g. both functional-type and project-type organizations). If this field is empty, we take into account all organizations. If we find no suitable manager, we continue with all parent organizations (again, of the given type, if specified).
+StageDefinitionPanel.reviewerUseObjectManagerAllowSelfHelp=If a user is a manager in his organization, could he be selected as a reviewer for his own assignments? If unchecked (the default), a higher-level manager is searched for - see description for the above field.
+StageDefinitionPanel.defaultReviewerRefHelp=This reviewer (or reviewers) will be used if the above condition would lead to no reviewer.
+StageDefinitionPanel.additionalReviewerRefHelp=This reviewer (or reviewers) will be used in addition to any reviewers selected by the above conditions.
+StageDefinitionPanel.outcomeStrategyHelp=If there is more than one reviewer selected, we need a strategy for combining their responses into stage-level outcome. For example, is it sufficient if any of them accepts the certification case? Or should all of them accept? Select the strategy using this field.
+StageDefinitionPanel.outcomeIfNoReviewersHelp=What should be the outcome if there are no reviewers assigned, e.g. if the reviewer is defined as the target role owner, but a particular role has no owner? This does NOT apply in situations when there are reviewers assigned, but they provide no response.
+StageDefinitionPanel.stopReviewOnHelp=What outcomes will prevent a case from being advanced to the next stage? Usually you need not change the default value. If necessary, you could do that through the XML configuration.
+StageDefinitionPanel.configurationHelpLabel=For more information about configuring certification campaign stages, please see also
+StageDefinitionPanel.configurationHelpLink=this document
+NameStep.configurationWillBeLost=The selected connector configuration schema is different from the current one. Configuration properties will be lost if you will proceed.
+resultsHandlerConfiguration=Results handlers
+enableFilteredResultsHandler=Enable additional filtering of results
+enableFilteredResultsHandlerHelp=This handler filters results retrieved from the resource by the connector, at the level of connector framework. It is used by connector implementations that do not provide complete filtering by themselves. Enabling this handler has some drawbacks e.g. in the area of paging. So it is to be used only if really necessary. If not sure, it is advisable to use filtering in validation mode. Default value for current version of ConnId\: enabled.
+filteredResultsHandlerInValidationMode=Perform filtering in validation mode only
+filteredResultsHandlerInValidationModeHelp=Switches the result filtering into validation mode\: all data produced by the connector are checked by the connector framework to see if they are properly filtered. In case of improper filtering, an exception is raised. This mode is to be used for connectors that are expected to provide complete filtering, but their functionality in this area has to be verified. Default value for current version of ConnId\: disabled.
+enableCaseInsensitiveFilter=Make filtering case insensitive
+enableCaseInsensitiveFilterHelp=This option makes filtering case insensitive, for all attributes on the resource. Used for case-insensitive resources. Default value for current version of ConnId\: disabled.
+enableNormalizingResultsHandler=Enable handler that normalizes returned data
+enableNormalizingResultsHandlerHelp=This handler normalizes each attribute that is passed from resource to the system. Usually recommended to be turned off. Default value for current version of ConnId\: enabled.
+enableAttributesToGetSearchResultsHandler=Enable 'attributes to get' results handler
+enableAttributesToGetSearchResultsHandlerHelp=This handler is used to implement 'attributes to get' option. It is advisable to keep the default setting of 'enabled' (in current version of ConnId).
+PageResourceWizard.autoSaveWarning=The resource is automatically saved on each transition between wizard steps.
+PageResourceWizard.readOnlyNote=Resource is in read-only mode.
+PageResourceWizard.readOnlySwitch=Click here to enable editing.
+operation.com.evolveum.midpoint.web.page.admin.users.component.TreeTablePanel.recompute=Recompute (GUI)
+Button.ok=OK
+Button.assign=Assign
+Note=Note
+Warning=Warning
+ProfilingConfigPanel.profilingMustBeEnabled=In order to use profiling, the 'profilingEnabled' system configuration parameter (in config.xml file) must be set to 'true'.
+OperationResultPanel.result=Result
+ResourceTasksPanel.definedTasks=Defined tasks
+ResourceTasksPanel.noTasksSelected=No tasks were selected.
+ObjectBrowserPanel.chooseObject=Choose object
+TypedAssignablePanel.selectObjects=Select object(s)
+OrgTreeAssignablePanel.selectOrg=Select organization(s)
+ChooseFocusTypeDialogPanel.chooseType=Choose type
+TestConnectionResultPanel.testConnection.result=Test connection result(s)
+TestConnectionResultPanel.message=Test is running, please, wait for results.
+operation.com.evolveum.midpoint.web.page.admin.configuration.PageSystemConfiguration.updateSystemConfiguration=Update system configuration (GUI)
+peration.com.evolveum.midpoint.web.page.admin.server.PageTaskEdit.saveTask=Save task (GUI)
+operation.com.evolveum.midpoint.notifications.impl.notifiers.GeneralNotifier.processEvent=Process event (Notification)
+operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute.focus.OrgType=Execute OrgType (Model)
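Review bot: The key peration.com.evolveum.midpoint.web.page.admin.server.PageTaskEdit.saveTask is missing its leading "o" and so does not match the operation.* naming used by every other entry here. The same entry appears later in this patch with the correct operation. prefix and the same value "Save task (GUI)", so this line can simply be dropped.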
+TreeTablePanel.menu.deleteMember.confirm=All selected members (users, organizations, services, roles) will be permanently deleted from system. Are you sure to perform this action?
+TreeTablePanel.menu.deleteAllMembers.confirm=所有的主对象类成员(包括用户、组织机构、服务和角色)将从系统中删除,确定要进行操作吗?
+PageTasksCertScheduling.title=Certification scheduling
+PageResourceVisualization.title=Visualization of mappings for {0}
+PageResourceVisualization.dotMessage=Rendering of DOT graph could not be carried out. Please check the error message below, and make sure that\:
+PageResourceVisualization.dot1=DOT rendering software is installed at your server. The recommended one is Graphviz
+PageResourceVisualization.dot2=The path to DOT rendering executable is correctly set in you config.xml file.
+PageResourceVisualization.moreInformation=For more information, please see
+PageResourceVisualization.moreInformationLink=this article
+PageResourceVisualization.errorMessage=Error message\:
+PageResourceVisualization.seeOnline=You can also try to use an online DOT renderer, for example
+PageResourceVisualization.seeOnlineLink=webgraphviz.com
+PageResourceVisualization.copyInstruction=Simply paste the following DOT code into it.
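Review bot: PageResourceVisualization.dot2 has a typo in user-visible text: "correctly set in you config.xml file" should read "your config.xml file". PageResourceVisualization.dot1 also ends without a period while dot2 ends with one; both follow the "make sure that:" lead-in in dotMessage, so make their punctuation consistent.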
+OrgMemberPanel.editUserTitle=Edit manager
+OrgMemberPanel.unlinkTitle=Unlink manager
+OrgMemberPanel.deleteTitle=Delete manager
+PagePreviewChanges.title=Preview changes
+operation.com.evolveum.midpoint.web.page.admin.PageAdminObjectDetails.previewChanges=Preview changes
+operation.com.evolveum.midpoint.task.api.Task.run=Run task
+operation.com.evolveum.midpoint.web.util.TaskOperationUtils.runNowTask=Run task
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertDefinition.saveDefinition=Save definition
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertCampaign.advanceLifecycle=Campaign state
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertCampaign.openNextStage=Open next stage
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertCampaign.closeStage=Close stage
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertCampaign.closeCampaign=Close campaign
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertCampaign.startRemediation=Start remediation
+
+operation.com.evolveum.midpoint.certification.api.CertificationManager.openNextStage=Open next stage
+operation.com.evolveum.midpoint.certification.api.CertificationManager.closeCampaign=Close campaign
+operation.com.evolveum.midpoint.certification.api.CertificationManager.createCampaign=Create campaign
+operation.com.evolveum.midpoint.certification.api.CertificationManager.closeCurrentStage=Close current stage
+operation.com.evolveum.midpoint.certification.api.CertificationManager.recordDecision=Record decision
+operation.com.evolveum.midpoint.certification.api.CertificationManager.searchDecisionsToReview=Search decisions to review
+operation.com.evolveum.midpoint.certification.api.CertificationManager.getCampaignStatistics=Get campaign statistics
+
+operation.com.evolveum.midpoint.repo.api.RepositoryService.searchContainers=Search for containers
+operation.com.evolveum.midpoint.repo.api.RepositoryService.searchObjectsIterative=Search for objects (iterative)
+
+operation.PageCertCampaigns.startCampaign=Start campaign
+operation.PageCertCampaigns.closeStage=Close stage
+operation.PageCertCampaigns.openNextStage=Open next stage
+operation.PageCertCampaigns.startRemediation=Start remediation
+operation.PageCertCampaigns.closeCampaign=Close campaign
+
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertDecisions.recordAction=Record action
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertDecisions.recordActionSelected=Record selected actions
+
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertDefinition.loadDefinition=Load definition
+
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertDefinitions.createCampaign=Create campaign
+operation.com.evolveum.midpoint.web.page.admin.certification.PageCertDefinitions.deleteDefinition=Delete definition
+
+SceneDto.unnamed=(unnamed)
+LockoutStatusPanel.undoButtonLabel=Undo
+LockoutStatusPanel.unlockButtonLabel=Set to "Normal"
+LockoutStatusPanel.changesSaving=(will be applied after Save button click)
+operation.com.evolveum.midpoint.web.page.admin.server.PageTaskEdit.saveTask=Save task (GUI)
+operation.com.evolveum.midpoint.web.page.admin.users.PageUsers.unlockUsers=Unlock user
+operation.com.evolveum.midpoint.web.page.admin.workflow.PageProcessInstances.stopProcessInstance=Stop process instance
+
+#values for icon title on Users list page. The name of the property key
+#is generated in the following way:
+# ColumnUtils.getUserIconColumn.createTitleModel. + GuiStyleConstants.CLASS_ICON_STYLE_NORMAL = ColumnUtils.getUserIconColumn.createTitleModel.normal
+ColumnUtils.getUserIconColumn.createTitleModel.normal=normal
+ColumnUtils.getUserIconColumn.createTitleModel.disabled=disabled
+ColumnUtils.getUserIconColumn.createTitleModel.archived=archived
+ColumnUtils.getUserIconColumn.createTitleModel.privileged=privileged
+ColumnUtils.getUserIconColumn.createTitleModel.end-user=end-user
+ColumnUtils.getUserIconColumn.createTitleModel.manager=manager
+ColumnUtils.getUserIconColumn.createTitleModel.broken=broken
+ColumnUtils.getUserIconColumn.createTitleModel.up=up
+ColumnUtils.getUserIconColumn.createTitleModel.down=down
+FocusListInlineMenuHelper.menu.delete=Delete
+FocusListInlineMenuHelper.menu.disable=Disable
+FocusListInlineMenuHelper.menu.enable=Enable
+FocusListInlineMenuHelper.menu.reconcile=Reconcile
+FocusListInlineMenuHelper.message.deleteObjectConfirm=Do you really want to delete selected {0} object(s)?
+FocusListInlineMenuHelper.message.deleteObjectConfirmSingle=Do you really want to delete object '{0}'?
+FocusListInlineMenuHelper.message.nothingSelected=No object has been selected.
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.enableObjects=Enable roles (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.enableObject=Enable role (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.disableObjects=Disable roles (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.disableObject=Disable role (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.reconcileObjects=Reconcile roles (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.reconcileObject=Reconcile role (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.deleteObjects=Delete roles (GUI)
+operation.com.evolveum.midpoint.web.page.admin.roles.PageRoles.deleteObject=Delete role (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.enableObjects=Enable services (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.enableObject=Enable service (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.disableObjects=Disable services (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.disableObject=Disable service (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.reconcileObjects=Reconcile services (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.reconcileObject=Reconcile service (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.deleteObjects=Delete services (GUI)
+operation.com.evolveum.midpoint.web.page.admin.services.PageServices.deleteObject=Delete service (GUI)
+operation.com.evolveum.midpoint.web.page.admin.resources.ResourceContentTabPanel.importObject=Import object (GUI)
+PageConnectorHosts.title=Connector hosts
+operation.com.evolveum.midpoint.web.page.admin.configuration.PageRepositoryQuery.checkQuery=Check query (GUI)
+operation.com.evolveum.midpoint.web.page.admin.configuration.PageRepositoryQuery.translateQuery=Translate query (GUI)
+operation.com.evolveum.midpoint.web.page.admin.configuration.PageRepositoryQuery.executeQuery=Execute query (GUI)
+operation.com.evolveum.midpoint.model.api.ModelDiagnosticService.executeRepositoryQuery=Execute repository query (Model diagnostic service)
+operation.com.evolveum.midpoint.repo.api.RepositoryService.executeQueryDiagnostics=Execute query diagnostics (Repository)
+PageEvaluateMapping.title=Evaluate mapping
+PageEvaluateMapping.button.evaluateMapping=Evaluate mapping
+PageEvaluateMapping.message.emptyString=Please provide a mapping to execute.
+PageEvaluateMapping.result=Result
+PageEvaluateMapping.mapping=Mapping
+PageEvaluateMapping.request=Request
+PageEvaluateMapping.chooseSample=Or use a sample\:
+PageEvaluateMapping.sample.FullName_NoDelta=Full name mapping (no change)
+PageEvaluateMapping.sample.FullName_Delta=Full name mapping (change in givenName)
+PageEvaluateMapping.sample.FullName_Delta_Ref=Full name mapping (change in givenName); source from repository
+PageEvaluateMapping.sample.FullName_Delta_Cond=Full name mapping with condition (change in givenName)
+PageEvaluateMapping.sample.OrgName=Deriving attribute from parent org's name
+PageAssignmentShoppingKart.title=Assignment request
+PageAssignmentShoppingKart.roleCatalogIsNotConfigured=Role catalog is not configured in the system configuration xml
+AssignmentConflictPanel.existingAssignmentLabelMessage=(which user already has)
+AssignmentConflictPanel.addedAssignmentLabelMessage=(which is added to shopping cart)
+AssignmentConflictPanel.conflictMessage=conflicts with
+AssignmentConflictPanel.removeButton=Remove
+AssignmentConflictPanel.unselectButton=Unselect
+AssignmentConflictPanel.undoAction=Undo
+PageAssignmentConflicts.title=Assignments conflicts
+PageAssignmentConflicts.back=Back
+PageAssignmentConflicts.submit=Submit
+AssignmentCatalogPanel.selectTargetUser=Select target user
+AssignmentCatalogPanel.selectAssignmentsUserOwner=Select assignments user owner
+AssignmentCatalogPanel.requestForMe=Target user\: me
+AssignmentCatalogPanel.requestFor=Target user\:
+AssignmentCatalogPanel.requestForMultiple={0} users selected
+AssignmentCatalogPanel.assignmentsOwner={0}'s assignments
+MultiButtonPanel.plusIconTitle=Add item to shopping cart
+MultiButtonPanel.assignmentDetailsPopupTitle=Assignment details
+MultiButtonPanel.detailsLink=Properties
+MultiButtonPanel.addToCartLink=Add to cart
+MultiButtonPanel.alreadyAssignedIconTitle=Already assigned
+PageAssignmentDetails.title=Assignment details
+PageAssignmentDetails.backButton=Back
+PageAssignmentDetails.addToCartButton=Add to cart
+PageAssignmentsList.submitButton=Submit
+PageAssignmentsList.resolveConflicts=Resolve conflicts
+PageAssignmentsList.commentHere=Comment here...
+PageAssignmentsList.requestComment=Request comment (optional)
+AssignmentShoppingCartPanel.treeTitle=Role catalog
+AssignmentViewType.ROLE_CATALOG_VIEW=Role catalog view
+AssignmentViewType.ROLE_TYPE=All roles view
+AssignmentViewType.ORG_TYPE=All organizations view
+AssignmentViewType.SERVICE_TYPE=All services view
+AssignmentViewType.USER_TYPE=User's assignments
+PageAssignmentsList.requestButton = Request
+operation.com.evolveum.midpoint.web.page.self.PageAssignmentsList.requestAssignments=Request assignment
+com.evolveum.midpoint.web.page.self.PageAssignmentsList.requestAssignments=Request assignments
+PageAssignmentsList.title=New assignments list
+PageAuditLogViewer.title=Audit Log Viewer
+PageAuditLogViewer.menuName=Audit Log Viewer
+PageAuditLogViewer.timeLabel=Time
+PageAuditLogViewer.fromLabel=From
+PageAuditLogViewer.toLabel=To
+PageAuditLogViewer.initiatorNameLabel=Initiator
+PageAuditLogViewer.channelLabel=Channel
+PageAuditLogViewer.hostIdentifierLabel=Host Identifier
+PageAuditLogViewer.targetNameLabel=Target
+PageAuditLogViewer.targetTypeLabel=Target Type
+PageAuditLogViewer.targetOwnerNameLabel=Target Owner
+PageAuditLogViewer.eventTypeLabel=Event Type
+PageAuditLogViewer.eventTypeShortLabel=Type
+PageAuditLogViewer.eventStageLabel=Event Stage
+PageAuditLogViewer.eventStageShortLabel=Stage
+PageAuditLogViewer.outcomeLabel=Outcome
+PageAuditLogViewer.changedItem=Item changed
+PageAuditLogViewer.valueRefTargetNamesLabel=Reference Target
+AuditLogViewerPanel.dateValidatorMessage=From date must be before To date.
+AuditEventRecordType.timestamp=Time
+AuditEventRecordType.initiatorRef=Initiator
+AuditEventRecordType.taskIdentifier=Task Identifier
+AuditEventRecordType.channel=Channel
+AuditEventRecordType.delta=Delta
+AuditEventRecordType.targetRef=Target
+AuditEventRecordType.targetOwnerRef=Target owner
+PageAuditLogDetails.title=Audit Log Details
+PageAuditLogDetails.eventTimestamp=Timestamp
+PageAuditLogDetails.eventIdentifier=Event Identifier
+PageAuditLogDetails.eventType=Event Type
+PageAuditLogDetails.eventStage=Event Stage
+PageAuditLogDetails.eventInitiatorRef=Initiator
+PageAuditLogDetails.eventTargetRef=Target ref.
+PageAuditLogDetails.eventTargetOwnerRef= Target Owner ref.
+PageAuditLogDetails.eventResult=Result
+PageAuditLogDetails.eventOutcome=Outcome
+PageAuditLogDetails.sessionIdentifier=Session Identifier
+PageAuditLogDetails.taskIdentifier=Task Identifier
+PageAuditLogDetails.taskOID=Task oid
+PageAuditLogDetails.hostIdentifier=Host Indentifier
+PageAuditLogDetails.channel=Channel
+PageAuditLogDetails.parameter=Parameter
+PageAuditLogDetails.message=Message
+PageAuditLogDetails.deltaKey=Delta List
+ObjectDeltaOperationType.resourceName=Resource name
+ObjectDeltaOperationType.objectName=Object name
+ObjectDeltaOperationType.executionResult=Execution result
+PageMergeObjects.noMergeResultObjectWarning=Merge preview object wasn't found
+PageMergeObjects.title=Merge objects
+PageMergeObjects.tabTitle=Merge preview
+PageMergeObjects.switchDirectionButton=Switch direction
+PageMergeObjects.mergeButton=Merge
+PageMergeObjects.mergeDeltaPreviewButton=Merge delta preview
+PageMergeObjects.backButton=Back
+PageMergeObjects.mergeType=Merge type
+MergeObjectsPanel.switchDirection=Switch direction
+MergeType.DEFAULT=default
+MergeType.EXPRESSION=expression
+MergeType.ALL_RIGHT=allRight
+MergeType.ALL_LEFT=allLeft
+MergeType.EMPTY=empty
+PageMergeObjects.warningMessage=Two objects' oids should be specified
+PageSelfRegistration.register=Register
+PageSelfRegistration.registration.success=Registration was successful
+PageSelfRegistration.registration.error=Registration failed \: {0}
+PageSelfRegistration.registration.confirm.message=Congratulation\! \n\n\n You have been successfully registered. To activate your account check your email and confirm your registration.
+PageRegistrationConfirmation.confirmation.error=Failed to confirm your registration. We are sorry, but probably you'll need to contact system administrator.
+PageRegistrationConfirmation.continueToLogin=继续引导至登录页面
+PageRegistrationConfirmation.confirmation.successful=Confirmation successful
+PageSelfRegistration.title=Registration
+PageRegistrationConfirmation.title=Confirm registration
+PageSelfRegistration.reload=Reload
+PageSelfRegistration.captcha.validation.failed=CAPTCHA validation failed, try again
+ObjectType.name=Name
+ObjectType.lifecycleState=Lifecycle state
+ObjectType.description=Description
+PageUserHistory.title='{0}' historical data {1}
+PageXmlDataReview.title=Historical data
+PageXmlDataReview.aceEditorPanelTitle='{0}' historical xml data {1}
+PageLogin.selfRegistration=Sign up
+PageSelfRegistration.registration.failed.unsatisfied.registration.configuration=Registration process not allowed. Please contact system administrator.
+ObjectHistoryTabPanel.viewHistoricalObjectDataTitle=View object data
+ObjectHistoryTabPanel.viewHistoricalObjectXmlTitle=View object xml
+PageRegistrationConfirmation.bad.credentials=Invalid username or password
+PageSelfRegistration.invalid.registration.link=Registration link is not valid
+PageSelfRegistration.welcome.message=Welcome to midPoint registration
+PageSelfRegistration.additional.message=
+PageSelfRegistration.password.policy=
+PageResetPassword.reset.successful=New password was set successfully. Continue with login.
+PageForgotPassword.form.submited.message=Confirmation link was sent to the email provided. To reset your password, click on the confirmation link and follow instructions.
+pageForgetPassword.message.policy.not.found=Reset password not allowed
+PageAbstractSelfCredentials.save.password.failed=Failed to change password\: {0}
+PageResetPassword.title=Reset password
+PageResetPasswordConfirmation=Reset password confirmation
+PageResetPasswordConfirmation.confirmation.error=Reset password is not allowed. We are sorry, but probably you'll need to contact system administrator.
+PageResetPasswordConfirmation.authnetication.failed=Incorrect username and/or password
+ItemPathSegmentPanel.itemToSearch=Search for {0}
+DecisionDto.automaticallyApproved=(automatically approved)
+DecisionDto.automaticallyRejected=(automatically rejected)
+DecisionDto.approvedDueToTimeout=(approved due to the timeout)
+DecisionDto.rejectedDueToTimeout=(rejected due to the timeout)
+DecisionDto.AUTO_APPROVAL_CONDITION=(auto-approval condition)
+DecisionDto.AUTO_COMPLETION_CONDITION=(auto-completion condition)
+DecisionDto.NO_ASSIGNEES_FOUND=(no approvers found)
+wf.object=Object
+wf.target=Target
+wf.originalAssignee=Original assignee
+wf.currentAssignee=Current assignee(s)
+wf.stageNumber=Stage number
+wf.stageCount=Stage count
+wf.stageName=Stage name
+wf.stageDisplayName=Stage display name
+wf.escalationLevelNumber=Escalation level number
+wf.escalationLevelName=Escalation level name
+wf.escalationLevelDisplayName=Escalation level display name
+wf.workItemId=Work item ID
+wf.processInstanceId=Process instance ID
+PageAccountActivation.account.activation.successful=Activation of accounts was successful
+PageAccountActivation.account.activation.failed=Failed to activate accounts. Please, contact system administrator
+PageAccountActivation.activated.shadows=Activated shadows\:
+PageAccountActivation.button.activate=Activate
+PageAccountActivation.activate.accounts.label=Account activation for user '{0}'.
+PageAccountActivation.provide.password=Please, provide your password to activate accounts.
+PageAccountActivation.title=Account activation
+PageAccountActivation.nothing.to.activate=Unexpected problem occurs while trying to activate account. Please contact system administrator
+PageAccountActivation.authentication.failed=Authentication failed
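Review bot: The placeholder quoting in this hunk is inconsistent with the schema file added later in the same patch. `FocusListInlineMenuHelper.message.deleteObjectConfirmSingle`, `PageUserHistory.title`, `PageXmlDataReview.aceEditorPanelTitle` and `PageAccountActivation.activate.accounts.label` wrap the argument as `'{0}'`, while the `ResourceValidator.*` entries use `''{0}''`. If these values are formatted with java.text.MessageFormat, a single-quoted `'{0}'` is treated as literal text and the argument is not substituted, and the apostrophe in `{0}'s assignments` is swallowed. Please confirm which formatter each key goes through and double the apostrophes where needed. Two smaller points in the same hunk: `PageRegistrationConfirmation.continueToLogin` is the only translated value among the visible English ones and is written as raw non-ASCII, whereas `locale.properties` in this patch writes `zh_CN.name` with `\u` escapes, so the encoding the loader expects for this file should be stated. The value `Host Indentifier` for `PageAuditLogDetails.hostIdentifier` is misspelled.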
diff --git a/gui/admin-gui/src/main/resources/localization/locale.properties b/gui/admin-gui/src/main/resources/localization/locale.properties
index 48a2513d9b2..6b39b4ad5ac 100644
--- a/gui/admin-gui/src/main/resources/localization/locale.properties
+++ b/gui/admin-gui/src/main/resources/localization/locale.properties
@@ -51,3 +51,6 @@ sk.flag=sk
tr.name=T\u00fcrk\u00e7e
tr.flag=tr
+
+zh_CN.name=\u4E2D\u6587
+zh_CN.flag=cn
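Review bot: Registering `zh_CN` here makes the locale selectable, but the `schema_zh_CN.properties` file added in this patch carries English values throughout its visible part, so a user who picks the new language will see mostly English labels. Either hold the `zh_CN.name` / `zh_CN.flag` entries until the translation lands, or say in the commit message that the file is a placeholder copy of the base bundle. Also check that a flag resource matching `cn` exists, since no such asset is added in the visible part of this patch.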
diff --git a/infra/schema/src/main/resources/localization/schema_hu.properties b/infra/schema/src/main/resources/localization/schema_hu.properties
index 89f72cff3f7..13464d78a8d 100644
--- a/infra/schema/src/main/resources/localization/schema_hu.properties
+++ b/infra/schema/src/main/resources/localization/schema_hu.properties
@@ -59,8 +59,8 @@ AssignmentType.project=Szerv. egység/Projekt
AttributeFetchStrategyType.EXPLICIT=Explicit
AttributeFetchStrategyType.IMPLICIT=Implicit
AttributeFetchStrategyType.MINIMAL=Minimal
-AuditEventStageType.EXECUTION=Execution
-AuditEventStageType.REQUEST=Request
+AuditEventStageType.EXECUTION=Végrehajtás
+AuditEventStageType.REQUEST=Kérés
AuditEventType.ADD_OBJECT=Add object
AuditEventType.CREATE_SESSION=Create session
AuditEventType.DELETE_OBJECT=Delete object
@@ -85,14 +85,14 @@ AuditEventTypeType.WORKFLOW_PROCESS_INSTANCE=Workflow process instance
AuditEventTypeType.WORK_ITEM=Work item
AuditEventType.WORKFLOW_PROCESS_INSTANCE=Workflow process instance
AuditEventType.WORK_ITEM=Work item
-OperationResultStatusType.FATAL_ERROR=Fatal Error
+OperationResultStatusType.FATAL_ERROR=Végzetes hiba
OperationResultStatusType.HANDLED_ERROR=Handled Error
-OperationResultStatusType.IN_PROGRESS=In Progress
+OperationResultStatusType.IN_PROGRESS=Folyamatban
OperationResultStatusType.NOT_APPLICABLE=Not Applicable
OperationResultStatusType.PARTIAL_ERROR=Partial Error
OperationResultStatusType.SUCCESS=Success
OperationResultStatusType.UNKNOWN=Ismeretlen
-OperationResultStatusType.WARNING=Warning
+OperationResultStatusType.WARNING=Figyelmeztetés
BeforeAfterType.AFTER=After
BeforeAfterType.BEFORE=Before
Boolean.FALSE=False
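Review bot: `OperationResultStatusType` ends up half translated after this hunk: `FATAL_ERROR`, `IN_PROGRESS` and `WARNING` become Hungarian while `HANDLED_ERROR`, `NOT_APPLICABLE`, `PARTIAL_ERROR` and `SUCCESS` stay English. These are the status labels an operator reads side by side in operation results, so a mixed list is harder to scan than either language alone. I would translate the whole enum in one change, or leave it untouched until all values are ready.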
@@ -226,8 +226,8 @@ PolicyConstraintEnforcementType.ENFORCE=Enforce
PolicyConstraintEnforcementType.REMEDIATE=Remediate
PolicyConstraintEnforcementType.REPORT=Report
ReportType.export=Export
-ReportType.orientation=Orientation
-ReportType.parent=Parent
+ReportType.orientation=Tájolás
+ReportType.parent=Szülő
ReportType.useHibernateSession=Use hibernate session
ReportType.virtualizer=Jasper virtualizer
ReportType.virtualizerKickOn=Virtualizer's pages kick-on
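Review bot: `ReportType.parent=Szülő` introduces the character `ő` (U+0151), which cannot be represented in ISO-8859-1, so this value only renders correctly if the bundle is read as UTF-8. The context line `AssignmentType.project=Szerv. egység/Projekt` shows the file already holds raw non-ASCII text, but `locale.properties` in the same patch uses `\u` escapes, so the two files follow different conventions. Please confirm the loader reads `schema_hu.properties` as UTF-8, or escape the value as `Sz\u00fcl\u0151`.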
@@ -237,19 +237,19 @@ ResourceObjectAssociationDirectionType.OBJECT_TO_SUBJECT=Object to subject
ResourceObjectAssociationDirectionType.SUBJECT_TO_OBJECT=Subject to object
ResourceObjectTypeDependencyStrictnessType.LAX=Lax
ResourceObjectTypeDependencyStrictnessType.RELAXED=Relaxed
-ResourceObjectTypeDependencyStrictnessType.STRICT=Strict
-ShadowType.dead=Dead
+ResourceObjectTypeDependencyStrictnessType.STRICT=Szigorú
+ShadowType.dead=Halott
ShadowType.kind=Kind
ShadowType.failedOperationType=Failed operation type
-ShadowType.exists=Exists
-ShadowType.intent=Intent
+ShadowType.exists=Létezik
+ShadowType.intent=Szándék
ShadowType.objectClass=Object Class
ShadowType.synchronizationSituation=Situation
ShadowKindType.ACCOUNT=Account
ShadowKindType.ENTITLEMENT=Entitlement
ShadowKindType.GENERIC=Generic
-SynchronizationSituationType.DELETED=Deleted
-SynchronizationSituationType.DISPUTED=Disputed
+SynchronizationSituationType.DELETED=Törölt
+SynchronizationSituationType.DISPUTED=Vitatott
SynchronizationSituationType.LINKED=Linked
SynchronizationSituationType.null=Choose One
SynchronizationSituationType.UNLINKED=Unlinked
@@ -289,7 +289,7 @@ ObjectTypes.ABSTRACT_ROLE=Abstract role
ObjectTypes.FOCUS_TYPE=Focus type
ObjectTypes.REPORT=Report
ObjectTypes.REPORT_OUTPUT=Report output
-ObjectTypes.SECURITY_POLICY=Security policy
+ObjectTypes.SECURITY_POLICY=Biztonsági házirend
ObjectTypes.LOOKUP_TABLE=Lookup table
ObjectTypes.ACCESS_CERTIFICATION_DEFINITION=Certification definition
ObjectTypes.ACCESS_CERTIFICATION_CAMPAIGN=Certification campaign
@@ -301,7 +301,7 @@ ObjectType.extension=Extension
FocusType.assignmentKey=Assignment
FocusType.jpegPhoto=Jpeg photo
UserType.additionalName=Additional Name
-UserType.nickname=Nickname
+UserType.nickname=Becenév
UserType.honorificPrefix=Honorific Prefix
UserType.honorificSuffix=Honorific Suffix
UserType.title=Title
@@ -312,7 +312,7 @@ UserType.EmailAddress=Email cím
UserType.telephoneNumber=Telefonszám
UserType.employeeNumber=Alkalmazott száma
UserType.employeeType=Alkalmazott típusa
-UserType.costCenter=Cost Center
+UserType.costCenter=Költséghely
UserType.organization=Szervezet
UserType.organizationalUnit=Szervezeti egység
UserType.locality=Locality
@@ -324,7 +324,7 @@ AssignmentType.target=Target
AssignmentType.construction=Construction
AssignmentType.tenantReference=Tenant reference
AssignmentType.orgReference=Org reference
-ActivationType.activation=Activation
+ActivationType.activation=Aktiválás
ActivationType.validityStatus=Validity Status
ActivationType.lockOutStatus=Lock-out Status
ActivationType.lockOutExpiration=Lock-out Expiration
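Review bot: `ActivationType.activation` is translated to `Aktiválás` here, but `ShadowType.activation=Activation`, visible as context in the next hunk header, is left in English, so the same concept will show under two different labels depending on the object type. Translate both keys together. The neighbouring `ActivationType.validityStatus`, `lockOutStatus` and `lockOutExpiration` entries are also still English.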
@@ -333,14 +333,14 @@ ShadowType.activation=Activation
AbstractRoleType.inducement=Inducement
AbstractRoleType.requestable=Requestable
AbstractRoleType.riskLevel=Risk Level
-AbstractRoleType.owner=Owner
-AbstractRoleType.approver=Approver
-RoleType.roleType=Role Type
-OrgType.type=Type
+AbstractRoleType.owner=Tulajdonos
+AbstractRoleType.approver=Jóváhagyó
+RoleType.roleType=Szerep típus
+OrgType.type=Típus
OrgType.isTenant=Is Tenant
-OrgType.CostCenter=Cost Center
+OrgType.CostCenter=Költséghely
OrgType.displayOrder=Display Order
-OrgType.passwordPolicy=Password Policy
+OrgType.passwordPolicy=Jelszó házirend
ServiceType.type=Type
ServiceType.locality=Locality
ServiceType.displayOrder=Display Order
diff --git a/infra/schema/src/main/resources/localization/schema_zh_CN.properties b/infra/schema/src/main/resources/localization/schema_zh_CN.properties
new file mode 100644
index 00000000000..2f3c98e1247
--- /dev/null
+++ b/infra/schema/src/main/resources/localization/schema_zh_CN.properties
@@ -0,0 +1,390 @@
+# Copyright (c) 2010-2016 Evolveum
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+# This file contains localization keys that describe elements of the data
+# model: object types, properties, container types, etc.
+# It may also contain keys for concepts that are common to the whole midPoint
+#
+AbstractRoleType.identifier=Identifier
+AbstractRoleType.policyConstraints=Policy constraints
+AccessCertificationCampaignStateType.CLOSED=Closed
+AccessCertificationCampaignStateType.CREATED=Created
+AccessCertificationCampaignStateType.IN_REMEDIATION=In remediation
+AccessCertificationCampaignStateType.IN_REVIEW_STAGE_FULL=In review stage {0} ({1})
+AccessCertificationCampaignStateType.IN_REVIEW_STAGE=In review stage
+AccessCertificationCampaignStateType.REVIEW_STAGE_DONE_FULL=Done review stage {0} ({1})
+AccessCertificationCampaignStateType.REVIEW_STAGE_DONE=Review stage done
+AccessCertificationResponseType.ACCEPT=Accept
+AccessCertificationResponseType.REVOKE=Revoke
+AccessCertificationResponseType.REDUCE=Reduce
+AccessCertificationResponseType.NOT_DECIDED=Not decided
+AccessCertificationResponseType.DELEGATE=Delegate
+AccessCertificationResponseType.NO_RESPONSE=No response
+ActivationStatusType.ARCHIVED=Archived
+ActivationStatusType.DISABLED=Disabled
+ActivationStatusType.ENABLED=Enabled
+ActivationStatusType.null=Undefined
+ActivationType.administrativeStatus=Administrative status
+ActivationType.effectiveStatus=Effective status
+ActivationType.enabled=Enabled
+ActivationType.properties=Properties
+ActivationType.title=Activation
+ActivationType.validFrom=Valid from
+ActivationType.validTo=Valid to
+ActivityType.FOCUS_OPERATION=Operation on focus object (repository)
+ActivityType.NOTIFICATIONS=Sending notifications
+ActivityType.PROJECTOR=Computing projections of the focus object
+ActivityType.RESOURCE_OBJECT_OPERATION=Operation on resource object
+ActivityType.WORKFLOWS=Considering or starting approval workflows
+AssignmentPolicyEnforcementType.FULL=Full
+AssignmentPolicyEnforcementType.LEGALIZE=Legalize
+AssignmentPolicyEnforcementType.MARK=Mark
+AssignmentPolicyEnforcementType.NONE=None
+AssignmentPolicyEnforcementType.POSITIVE=Positive
+AssignmentPolicyEnforcementType.RELATIVE=Relative
+AssignmentType.tenant=Tenant
+AssignmentType.project=Org. unit/Project
+AttributeFetchStrategyType.EXPLICIT=Explicit
+AttributeFetchStrategyType.IMPLICIT=Implicit
+AttributeFetchStrategyType.MINIMAL=Minimal
+AuditEventStageType.EXECUTION=Execution
+AuditEventStageType.REQUEST=Request
+AuditEventType.ADD_OBJECT=Add object
+AuditEventType.CREATE_SESSION=Create session
+AuditEventType.DELETE_OBJECT=Delete object
+AuditEventType.EXECUTE_CHANGES_RAW=Execute changes raw
+AuditEventType.GET_OBJECT=Get object
+AuditEventType.MODIFY_OBJECT=Modify object
+AuditEventType.null=All
+AuditEventType.RECONCILIATION=Reconciliation
+AuditEventType.SYNCHRONIZATION=Synchronization
+AuditEventType.TERMINATE_SESSION=Terminate session
+AuditEventTypeType.ADD_OBJECT=Add object
+AuditEventTypeType.CREATE_SESSION=Create session
+AuditEventTypeType.DELETE_OBJECT=Delete object
+AuditEventTypeType.EXECUTE_CHANGES_RAW=Execute changes raw
+AuditEventTypeType.GET_OBJECT=Get object
+AuditEventTypeType.MODIFY_OBJECT=Modify object
+AuditEventTypeType.null=All
+AuditEventTypeType.RECONCILIATION=Reconciliation
+AuditEventTypeType.SYNCHRONIZATION=Synchronization
+AuditEventTypeType.TERMINATE_SESSION=Terminate session
+AuditEventTypeType.WORKFLOW_PROCESS_INSTANCE=Workflow process instance
+AuditEventTypeType.WORK_ITEM=Work item
+AuditEventType.WORKFLOW_PROCESS_INSTANCE=Workflow process instance
+AuditEventType.WORK_ITEM=Work item
+OperationResultStatusType.FATAL_ERROR=Fatal Error
+OperationResultStatusType.HANDLED_ERROR=Handled Error
+OperationResultStatusType.IN_PROGRESS=In Progress
+OperationResultStatusType.NOT_APPLICABLE=Not Applicable
+OperationResultStatusType.PARTIAL_ERROR=Partial Error
+OperationResultStatusType.SUCCESS=Success
+OperationResultStatusType.UNKNOWN=Unknown
+OperationResultStatusType.WARNING=Warning
+BeforeAfterType.AFTER=After
+BeforeAfterType.BEFORE=Before
+Boolean.FALSE=False
+Boolean.NULL=Undefined
+Boolean.TRUE=True
+CapabilitiesType.activation=Activation
+CapabilitiesType.activationStatus=Activation Status
+CapabilitiesType.activationLockoutStatus=Activation Lockout
+CapabilitiesType.activationValidity=Activation Validity
+CapabilitiesType.credentials=Credentials
+CapabilitiesType.password=Password
+CapabilitiesType.liveSync=Live sync
+CapabilitiesType.testConnection=Test Connection
+CapabilitiesType.schema=Schema
+CapabilitiesType.create=Create
+CapabilitiesType.update=Update
+CapabilitiesType.addRemoveAttributeValues=Add/Remove Values
+CapabilitiesType.countObjects=Count Objects
+CapabilitiesType.delete=Delete
+CapabilitiesType.read=Read
+CapabilitiesType.auxiliaryObjectClasses=Auxiliary Object Classes
+CapabilitiesType.pagedSearch=Paged Search
+CapabilitiesType.script=Script
+ChangeType.ADD=Add
+ChangeType.DELETE=Delete
+ChangeType.MODIFY=Modify
+ConnectorOperationalStatus.connectorClassName=Connector class name
+ConnectorOperationalStatus.poolConfigMinSize=Minimum pool size
+ConnectorOperationalStatus.poolConfigMaxSize=Maximum pool size
+ConnectorOperationalStatus.poolConfigMinIdle=Minimum idle connectors
+ConnectorOperationalStatus.poolConfigMaxIdle=Maximum idle connectors
+ConnectorOperationalStatus.poolConfigWaitTimeout=Wait timeout
+ConnectorOperationalStatus.poolConfigMinEvictableIdleTime=Minimum evictable idle time
+ConnectorOperationalStatus.poolStatusNumIdle=Number of idle connectors
+ConnectorOperationalStatus.poolStatusNumActive=Number of active connectors
+FocusType.activation=Activation
+FocusType.assignment=Assignments
+FocusType.inducement=Inducements
+FocusType.delegations=Delegations
+FocusType.delegatedToMe=Delegated to me
+FocusType.displayName=Display Name
+LockoutStatusType.LOCKED=Locked
+LockoutStatusType.NORMAL=Normal
+LockoutStatusType.UNDEFINED=Undefined
+LoggingComponentType.ALL=All
+LoggingComponentType.GUI=GUI logger
+LoggingComponentType.WEB=Web logger
+LoggingComponentType.MODEL=Model logger
+LoggingComponentType.NOTIFICATIONS = Notification logger
+LoggingComponentType.PROVISIONING=Provisioning logger
+LoggingComponentType.REPOSITORY=Repository logger
+LoggingComponentType.RESOURCEOBJECTCHANGELISTENER=Resource object change listener logger
+LoggingComponentType.TASKMANAGER=Task manager logger
+LoggingComponentType.WORKFLOWS = Workflow logger
+LoggingComponentType.ACCESS_CERTIFICATION = Access certification logger
+LoggingLevelType.ALL=All
+LoggingLevelType.DEBUG=Debug
+LoggingLevelType.ERROR=Error
+LoggingLevelType.INFO=Info
+LoggingLevelType.OFF=Off
+LoggingLevelType.TRACE=Trace
+LoggingLevelType.WARN=Warn
+MailTransportSecurityType.NONE=None
+MailTransportSecurityType.SSL=SSL
+MailTransportSecurityType.STARTTLS_ENABLED=StartTLS enabled
+MailTransportSecurityType.STARTTLS_REQUIRED=StartTLS required
+MappingStrengthType.NORMAL=Normal
+MappingStrengthType.STRONG=Strong
+MappingStrengthType.WEAK=Weak
+MisfireActionType.EXECUTE_IMMEDIATELY=Execute immediately
+MisfireActionType.RESCHEDULE=Reschedule
+NodeExecutionStatusType.COMMUNICATION_ERROR=Unreachable
+NodeExecutionStatusType.DOWN=Turned off
+NodeExecutionStatusType.ERROR=Error
+NodeExecutionStatusType.PAUSED=Stopped
+NodeExecutionStatusType.RUNNING=Running
+ObjectType.description=Description
+ObjectType.AbstractRoleType=Abstract role
+ObjectType.AccessCertificationCampaignType=Access certification campaign
+ObjectType.AccessCertificationDefinitionType=Access certification definition
+ObjectType.AccountType=Account
+ObjectType.ConnectorType=Connector
+ObjectType.ConnectorHostType=Connector host
+ObjectType.FocusType=Focus
+ObjectType.GenericObjectType=Generic object
+ObjectType.LookupTableType=Lookup table
+ObjectType.NodeType=Node
+ObjectType.ObjectType=Object
+ObjectType.ObjectTemplateType=Object template
+ObjectType.OrgManagerType=Org. manager
+ObjectType.OrgType=Organization
+ObjectType.ReportOutputType=Report output
+ObjectType.ReportType=Report
+ObjectType.ResourceType=Resource
+ObjectType.RoleType=Role
+ObjectType.SecurityPolicyType=Security policy
+ObjectType.SequenceType=Sequence
+ObjectType.ShadowType=Shadow
+ObjectType.SystemConfigurationType=System configuration
+ObjectType.TaskType=Task
+ObjectType.UserType=User
+ObjectType.ServiceType=Service
+ObjectType.ValuePolicyType=Value policy
+ObjectType.name=Name
+ObjectType.parentOrgRef=Parent org. units
+OrgType.costCenter=Cost center
+OrgType.displayName=Display name
+OrgType.identifier=Identifier
+OrgType.locality=Locality
+OrgType.mailDomain=Mail Domain
+OrgType.orgType=Org. type
+OrgType.requestable=Requestable
+OrgType.tenant=Tenant
+OriginType.ACTIVATIONS=Activations
+OriginType.ASSIGNMENTS=Assignments
+OriginType.CREDENTIALS=Credentials
+OriginType.INBOUND=Inbound
+OriginType.null=-
+OriginType.OUTBOUND=Outbound
+OriginType.RECONCILIATION=Reconciliation
+OriginType.SYNC_ACTION=Sync action
+OriginType.USER_ACTION=User action
+OriginType.USER_POLICY=User policy
+AccessCertificationCaseOutcomeStrategyType.ONE_ACCEPT_ACCEPTS = Any 'accept' accepts
+AccessCertificationCaseOutcomeStrategyType.ONE_DENY_DENIES = Any 'deny' denies
+AccessCertificationCaseOutcomeStrategyType.ACCEPTED_IF_NOT_DENIED = Accepted if no one denies
+AccessCertificationCaseOutcomeStrategyType.ALL_MUST_ACCEPT = Accepted only if all reviewers accept
+AccessCertificationRemediationStyleType.AUTOMATED=Automated reconciliation (non-conformant items are automatically removed)
+AccessCertificationRemediationStyleType.REPORT_ONLY=Manual reconciliation (non-conformant items are reported)
+PolicyConstraintEnforcementType.ENFORCE=Enforce
+PolicyConstraintEnforcementType.REMEDIATE=Remediate
+PolicyConstraintEnforcementType.REPORT=Report
+ReportType.export=Export
+ReportType.orientation=Orientation
+ReportType.parent=Parent
+ReportType.useHibernateSession=Use hibernate session
+ReportType.virtualizer=Jasper virtualizer
+ReportType.virtualizerKickOn=Virtualizer's pages kick-on
+ReportType.maxPages=Maximum number of pages
+ReportType.timeout=Execution timeout [ms]
+ResourceObjectAssociationDirectionType.OBJECT_TO_SUBJECT=Object to subject
+ResourceObjectAssociationDirectionType.SUBJECT_TO_OBJECT=Subject to object
+ResourceObjectTypeDependencyStrictnessType.LAX=Lax
+ResourceObjectTypeDependencyStrictnessType.RELAXED=Relaxed
+ResourceObjectTypeDependencyStrictnessType.STRICT=Strict
+ShadowType.dead=Dead
+ShadowType.kind=Kind
+ShadowType.failedOperationType=Failed operation type
+ShadowType.exists=Exists
+ShadowType.intent=Intent
+ShadowType.objectClass=Object Class
+ShadowType.synchronizationSituation=Situation
+ShadowKindType.ACCOUNT=Account
+ShadowKindType.ENTITLEMENT=Entitlement
+ShadowKindType.GENERIC=Generic
+SynchronizationSituationType.DELETED=Deleted
+SynchronizationSituationType.DISPUTED=Disputed
+SynchronizationSituationType.LINKED=Linked
+SynchronizationSituationType.null=Choose One
+SynchronizationSituationType.UNLINKED=Unlinked
+SynchronizationSituationType.UNMATCHED=Unmatched
+ThreadStopActionType.CLOSE=Close
+ThreadStopActionType.RESCHEDULE=Reschedule
+ThreadStopActionType.RESTART=Restart
+ThreadStopActionType.SUSPEND=Suspend
+UserType.emailAddress=Email
+UserType.familyName=Family name
+UserType.fullName=Full name
+UserType.givenName=Given name
+FailedOperationTypeType.ADD=Add
+FailedOperationTypeType.GET=Get
+FailedOperationTypeType.MODIFY=Modify
+FailedOperationTypeType.DELETE=Delete
+AbstractRoleType.description=Description
+AbstractRoleType.displayName=Display Name
+TaskType.kind=Kind
+TaskType.intent=Intent
+TaskType.objectClass=Object Class
+TaskType.executionStatus=Status
+ObjectTypes.CONNECTOR=Connector
+ObjectTypes.CONNECTOR_HOST=Connector host
+ObjectTypes.GENERIC_OBJECT=Generic object
+ObjectTypes.RESOURCE=Resource
+ObjectTypes.USER=User
+ObjectTypes.OBJECT_TEMPLATE=Object template
+ObjectTypes.SYSTEM_CONFIGURATION=System configuration
+ObjectTypes.TASK=Task
+ObjectTypes.SHADOW=Shadow
+ObjectTypes.ROLE=Role
+ObjectTypes.PASSWORD_POLICY=Password policy
+ObjectTypes.NODE=Node
+ObjectTypes.ORG=Org
+ObjectTypes.ABSTRACT_ROLE=Abstract role
+ObjectTypes.FOCUS_TYPE=Focus type
+ObjectTypes.REPORT=Report
+ObjectTypes.REPORT_OUTPUT=Report output
+ObjectTypes.SECURITY_POLICY=Security policy
+ObjectTypes.LOOKUP_TABLE=Lookup table
+ObjectTypes.ACCESS_CERTIFICATION_DEFINITION=Certification definition
+ObjectTypes.ACCESS_CERTIFICATION_CAMPAIGN=Certification campaign
+ObjectTypes.SEQUENCE=Sequence
+ObjectTypes.SERVICE=Service
+ObjectTypes.OBJECT=Object
+OrgType.parentOrganization=Parent Organization
+ObjectType.extension=Extension
+FocusType.assignmentKey=Assignment
+FocusType.jpegPhoto=Jpeg photo
+UserType.additionalName=Additional Name
+UserType.nickname=Nickname
+UserType.honorificPrefix=Honorific Prefix
+UserType.honorificSuffix=Honorific Suffix
+UserType.title=Title
+UserType.preferredLanguage=Preferred Language
+UserType.locale=Locale
+UserType.timezone=Timezone
+UserType.EmailAddress=Email Address
+UserType.telephoneNumber=Telephone Number
+UserType.employeeNumber=Employee Number
+UserType.employeeType=Employee Type
+UserType.costCenter=Cost Center
+UserType.organization=Organization
+UserType.organizationalUnit=Organizational Unit
+UserType.locality=Locality
+UserType.credentials=Credentials
+CredentialsType.password=Password
+CredentialsType.securityQuestions=Security Questions
+AssignmentType.assignment=Assignment
+AssignmentType.target=Target
+AssignmentType.construction=Construction
+AssignmentType.tenantReference=Tenant reference
+AssignmentType.orgReference=Org reference
+ActivationType.activation=Activation
+ActivationType.validityStatus=Validity Status
+ActivationType.lockOutStatus=Lock-out Status
+ActivationType.lockOutExpiration=Lock-out Expiration
+ConnectorType.displayName=Display Name
+ShadowType.activation=Activation
+AbstractRoleType.inducement=Inducement
+AbstractRoleType.requestable=Requestable
+AbstractRoleType.riskLevel=Risk Level
+AbstractRoleType.owner=Owner
+AbstractRoleType.approver=Approver
+RoleType.roleType=Role Type
+OrgType.type=Type
+OrgType.isTenant=Is Tenant
+OrgType.CostCenter=Cost Center
+OrgType.displayOrder=Display Order
+OrgType.passwordPolicy=Password Policy
+ServiceType.type=Type
+ServiceType.locality=Locality
+ServiceType.displayOrder=Display Order
+ServiceType.URL=URL
+ResourceAttribute.connIdName=ConnId Name
+ResourceAttribute.connIdUID=ConnId UID
+ResourceValidator.noSchema=Resource schema is not available\: {0}
+ResourceValidator.multipleSynchronizationDefinitions=There are multiple synchronization definitions for kind/intent\: {0}.
+ResourceValidator.multipleSchemaHandlingDefinitions=There are multiple schema handling definitions for kind/intent\: {0}.
+ResourceValidator.multipleSchemaHandlingDefaultDefinitions=There are multiple schema handling definitions for kind ''{0}'' marked as default.
+ResourceValidator.noDefaultAccountSchemaHandlingDefinition=There is no ''account'' schema handling definition marked as default. Unqualified assignments of this resource will not work.
+ResourceValidator.missingObjectClass=Missing object class for schema handling definition\: ''{0}''.
+ResourceValidator.unknownObjectClass=Unknown object class ''{1}'' for schema handling definition\: ''{0}''.
+ResourceValidator.noSynchronizationDefinition=No synchronization definition for ''{0}''.
+ResourceValidator.noSchemaHandlingDefinition=No schema handling definition for ''{0}''.
+ResourceValidator.noAttributeName=Unnamed attribute in schema handling for ''{0}''.
+ResourceValidator.unknownAttributeName=There is no attribute named ''{1}'' in object class ''{2}'' (defined in schema handling for ''{0}'').
+ResourceValidator.noAssociationName=Unnamed association in schema handling for ''{0}''.
+ResourceValidator.collidingAssociationName=Association ''{1}'' collides with existing attribute in schema handling for ''{0}''.
+ResourceValidator.wrongItemName=Illegal reference to attribute or association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.noItemNamespace=No namespace in reference to attribute or association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.missingAssociationTargetKind=Missing ''target kind'' property for association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.missingAssociationTargetIntent=Missing ''target intent'' property for association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.missingAssociationDirection=Missing ''direction'' property for association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.missingAssociationAssociationAttribute=Missing ''association attribute'' property for association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.missingAssociationValueAttribute=Missing ''value attribute'' property for association ''{1}'' in schema handling for ''{0}''.
+ResourceValidator.wrongMatchingRule=Wrong matching rule for attribute ''{1}'' in schema handling for ''{0}''\: {2}
+ResourceValidator.multipleItems=There are multiple definitions for attribute or association ''{1}'' in ''{0}''.
+ResourceValidator.dependentObjectTypeDoesNotExist=Dependent kind/intent ''{1}'' does not exist in a dependency of ''{0}''.
+ResourceValidator.targetObjectTypeDoesNotExist=Target kind/intent ''{1}'' for association ''{2}'' does not exist in schema handling for ''{0}''.
+ResourceValidator.suspiciousMappingSource=Suspicious source for {1} for ''{2}'' in schema handling for ''{0}''\: {3}
+ResourceValidator.invalidMappingSource=Invalid source for {1} for ''{2}'' in schema handling for ''{0}''\: {3}
+ResourceValidator.missingMappingSource=Missing source for {1} for ''{2}'' in schema handling for ''{0}''
+ResourceValidator.suspiciousMappingTarget=Suspicious target for {1} for ''{2}'' in schema handling for ''{0}''\: {3}
+ResourceValidator.invalidMappingTarget=Invalid target for {1} for ''{2}'' in schema handling for ''{0}''\: {3}
+ResourceValidator.missingMappingTarget=Missing target for {1} for ''{2}'' in schema handling for ''{0}''
+ResourceValidator.superfluousMappingTarget=Superfluous target for {1} for ''{2}'' in schema handling for ''{0}''\: {3}
+ResourceValidator.unknownObjectClassInSynchronization=Unknown object class ''{1}'' for synchronization definition\: ''{0}''.
+ResourceValidator.noReaction=No reaction defined in ''{0}'' for situation(s)\: {1}
+ResourceValidator.duplicateReactions=Duplicate reactions defined in ''{0}'' for situation(s)\: {1}
+ResourceValidator.noSituation=Missing synchronization situation name in a reaction defined in ''{0}''
+ResourceValidator.noCorrelationRule=No correlation rule for synchronization of ''{0}''
+ResourceValidator.outboundMapping=outbound mapping
+ResourceValidator.inboundMapping=inbound mapping number {0}
+AdminGuiConfigurationType.adminGuiConfiguration=Admin GUI Configuration
+midPointVersion=${pom.version}
+midPointRevision=${git.describe}
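Review bot: this properties block adds keys that differ only by case and carry different labels: `UserType.emailAddress=Email` near the top and `UserType.EmailAddress=Email Address` further down. Lookups are case-sensitive, so only the spelling that matches the schema property name will ever be resolved; the other is dead text, and which label the user sees depends on it. The same inconsistency shows in `OrgType.CostCenter` against `UserType.costCenter`. Suggest keeping one key per property, in the casing of the schema item name, and dropping the duplicate.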
From eec78e65ac28692f2335d74fc0c96db42d29fb22 Mon Sep 17 00:00:00 2001
From: Radovan Semancik
Date: Wed, 17 May 2017 14:17:15 +0200
Subject: [PATCH 2/7] roleRelation authorization almost done
---
.../schema/constants/SchemaConstants.java | 1 +
.../xml/ns/public/common/common-core-3.xsd | 3 +
.../midpoint/model/impl/lens/Clockwork.java | 6 +-
.../midpoint/model/impl/lens/LensContext.java | 2 +
.../intest/security/AbstractSecurityTest.java | 10 +
.../intest/security/TestSecurityAdvanced.java | 242 +++++++++++++++++-
.../intest/security/TestSecurityBasic.java | 106 --------
.../security/role-approver-unassign-roles.xml | 4 +-
.../security/role-read-basic-items.xml | 27 ++
.../resources/security/role-uninteresting.xml | 22 ++
.../midpoint/security/api/Authorization.java | 11 +-
.../security/impl/SecurityEnforcerImpl.java | 125 +++++++--
12 files changed, 413 insertions(+), 146 deletions(-)
create mode 100644 model/model-intest/src/test/resources/security/role-read-basic-items.xml
create mode 100644 model/model-intest/src/test/resources/security/role-uninteresting.xml
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
index ce9e47c69ea..434559c10eb 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java
@@ -233,6 +233,7 @@ public abstract class SchemaConstants {
UserType.F_CREDENTIALS, CredentialsType.F_SECURITY_QUESTIONS, PasswordType.F_FAILED_LOGINS);
public static final ItemPath PATH_LINK_REF = new ItemPath(FocusType.F_LINK_REF);
public static final ItemPath PATH_LIFECYCLE_STATE = new ItemPath(ObjectType.F_LIFECYCLE_STATE);
+ public static final Object PATH_ROLE_MEMBERSHIP_REF = new ItemPath(FocusType.F_ROLE_MEMBERSHIP_REF);
public static final String NS_PROVISIONING = NS_MIDPOINT_PUBLIC + "/provisioning";
public static final String NS_PROVISIONING_LIVE_SYNC = NS_PROVISIONING + "/liveSync-3";
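Review bot: `PATH_ROLE_MEMBERSHIP_REF` is declared as `Object` while the neighbouring `PATH_LINK_REF` and `PATH_LIFECYCLE_STATE` are declared as `ItemPath`. Every caller will need a cast to use it as a path, and a comparison against an `ItemPath` elsewhere silently loses type checking. Declare it as `public static final ItemPath PATH_ROLE_MEMBERSHIP_REF` like the constants above it.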
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
index 301d682f6fb..2c60156303e 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -8864,6 +8864,9 @@
Definition of object with respect to subject relation to a role.
Used to specify authorizations for role approvers, owners and so on.
+
+
+ EXPERIMENTAL. Use at your own risk.
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
index 8b0ed3cb7fb..2a3806c4b62 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
@@ -1159,9 +1159,9 @@ private ObjectSecurityConstraints a
// If there is no delta then there is no request to authorize
if (primaryDelta != null) {
primaryDelta = primaryDelta.clone();
- PrismObject object = elementContext.getObjectNew();
- if (primaryDelta.isDelete()) {
- object = elementContext.getObjectCurrent();
+ PrismObject object = elementContext.getObjectCurrent();
+ if (primaryDelta.isAdd()) {
+ object = elementContext.getObjectNew();
}
String operationUrl = ModelUtils.getOperationUrlFromDelta(primaryDelta);
ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(object, ownerResolver);
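Review bot: the object passed to `compileSecurityConstraints` is now `getObjectCurrent()` for every delta except add, where before it was `getObjectNew()` for every delta except delete, and nothing in the hunk says why. For a modify this switches the authorization decision from the post-change state to the pre-change state, which matters for any authorization whose object filter depends on an item the same delta changes (for example a role membership being removed). Please add a comment stating that the request is intentionally authorized against the current state, and confirm what happens when `getObjectCurrent()` returns null for a non-add delta, since that null would go straight into `compileSecurityConstraints`.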
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
index c6f51e6ec13..a76dd6c1001 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
@@ -805,6 +805,7 @@ protected void copyValues(LensContext clone) {
clone.executionPhaseOnly = this.executionPhaseOnly;
clone.focusClass = this.focusClass;
clone.isFresh = this.isFresh;
+ clone.isRequestAuthorized = this.isRequestAuthorized;
clone.prismContext = this.prismContext;
clone.resourceCache = cloneResourceCache();
// User template is de-facto immutable, OK to just pass reference here.
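Review bot: `clone.isRequestAuthorized = this.isRequestAuthorized` in `copyValues` carries an authorization decision over to the clone without a comment on when that is safe. If a cloned context can later receive a different primary delta, the copied `true` would let that delta pass without request authorization. Suggest a short comment documenting the assumption (the clone keeps the same primary deltas), or resetting the flag wherever the primary delta of a context is replaced.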
@@ -880,6 +881,7 @@ public String debugDump(int indent, boolean showTriples) {
}
sb.append(" changes, ");
sb.append("fresh=").append(isFresh);
+ sb.append(", reqAutz=").append(isRequestAuthorized);
if (systemConfiguration == null) {
sb.append(" null-system-configuration");
}
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
index 7f92b515d96..87e99b944d1 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
@@ -146,6 +146,9 @@ public abstract class AbstractSecurityTest extends AbstractInitializedModelInteg
protected static final File ROLE_READONLY_DEEP_EXEC_FILE = new File(TEST_DIR, "role-readonly-deep-exec.xml");
protected static final String ROLE_READONLY_DEEP_EXEC_OID = "00000000-0000-0000-0000-00000000ae02";
+ protected static final File ROLE_READ_BASIC_ITEMS_FILE = new File(TEST_DIR, "role-read-basic-items.xml");
+ protected static final String ROLE_READ_BASIC_ITEMS_OID = "519e8bf4-3af3-11e7-bc89-cbcee62d4088";
+
protected static final File ROLE_SELF_FILE = new File(TEST_DIR, "role-self.xml");
protected static final String ROLE_SELF_OID = "00000000-0000-0000-0000-00000000aa03";
@@ -277,6 +280,9 @@ public abstract class AbstractSecurityTest extends AbstractInitializedModelInteg
protected static final File ROLE_ORDINARY_FILE = new File(TEST_DIR, "role-ordinary.xml");
protected static final String ROLE_ORDINARY_OID = "7a7ad698-3a37-11e7-9af7-6fd138dd9572";
+ protected static final File ROLE_UNINTERESTING_FILE = new File(TEST_DIR, "role-uninteresting.xml");
+ protected static final String ROLE_UNINTERESTING_OID = "2264afee-3ae4-11e7-a63c-8b53efadd642";
+
protected static final File ORG_REQUESTABLE_FILE = new File(TEST_DIR,"org-requestable.xml");
protected static final String ORG_REQUESTABLE_OID = "8f2bd344-a46c-4c0b-aa34-db08b7d7f7f2";
@@ -306,6 +312,8 @@ public abstract class AbstractSecurityTest extends AbstractInitializedModelInteg
protected static final XMLGregorianCalendar JACK_VALID_FROM_LONG_AGO = XmlTypeConverter.createXMLGregorianCalendar(10000L);
protected static final int NUMBER_OF_ALL_USERS = 11;
+ protected static final int NUMBER_OF_ALL_ROLES = 70;
+ protected static final int NUMBER_OF_ALL_ORGS = 10;
protected String userRumRogersOid;
protected String userCobbOid;
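Review bot: `NUMBER_OF_ALL_ROLES = 70` and `NUMBER_OF_ALL_ORGS = 10` are hard-coded totals that every later change to the test repository content will break, as this patch itself shows by adding two more role files to `initSystem`. Since the values are used as the expected result of unrestricted searches, consider computing them once as administrator during `initSystem` (count of `RoleType` and `OrgType` objects) so the assertions check "sees everything" rather than a magic number.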
@@ -322,6 +330,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
repoAddObjectFromFile(ROLE_READONLY_REQ_EXEC_FILE, initResult);
repoAddObjectFromFile(ROLE_READONLY_DEEP_FILE, initResult);
repoAddObjectFromFile(ROLE_READONLY_DEEP_EXEC_FILE, initResult);
+ repoAddObjectFromFile(ROLE_READ_BASIC_ITEMS_FILE, initResult);
repoAddObjectFromFile(ROLE_SELF_FILE, initResult);
repoAddObjectFromFile(ROLE_OBJECT_FILTER_MODIFY_CARIBBEAN_FILE, initResult);
repoAddObjectFromFile(ROLE_PROP_READ_ALL_MODIFY_SOME_FILE, initResult);
@@ -372,6 +381,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
repoAddObjectFromFile(ROLE_PERSONA_ADMIN_FILE, initResult);
repoAddObjectFromFile(ROLE_APPROVER_UNASSIGN_ROLES_FILE, initResult);
repoAddObjectFromFile(ROLE_ORDINARY_FILE, initResult);
+ repoAddObjectFromFile(ROLE_UNINTERESTING_FILE, initResult);
repoAddObjectFromFile(ORG_REQUESTABLE_FILE, initResult);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
index 5d3e100d1bf..93ddaf410f5 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
@@ -15,21 +15,38 @@
*/
package com.evolveum.midpoint.model.intest.security;
+import static com.evolveum.midpoint.test.IntegrationTestTools.display;
import static org.testng.AssertJUnit.assertEquals;
+import java.io.IOException;
+
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.annotation.DirtiesContext.ClassMode;
import org.springframework.test.context.ContextConfiguration;
import org.testng.annotations.Test;
import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.query.ObjectQuery;
+import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
+import com.evolveum.midpoint.prism.util.PrismTestUtil;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.test.IntegrationTestTools;
import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.exception.CommunicationException;
+import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
+import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.PolicyViolationException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
/**
@@ -45,7 +62,9 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
super.initSystem(initTask, initResult);
assignRole(userRumRogersOid, ROLE_ORDINARY_OID, initTask, initResult);
+ assignRole(userRumRogersOid, ROLE_UNINTERESTING_OID, initTask, initResult);
assignRole(userCobbOid, ROLE_ORDINARY_OID, initTask, initResult);
+ assignRole(userCobbOid, ROLE_UNINTERESTING_OID, initTask, initResult);
}
@@ -160,7 +179,113 @@ public void test110AutzJackPersonaAdmin() throws Exception {
assertGlobalStateUntouched();
}
- @Test(enabled=false)
+ @Test
+ public void test120AutzJackDelagator() throws Exception {
+ final String TEST_NAME = "test350AutzJackDelagator";
+ TestUtil.displayTestTile(this, TEST_NAME);
+ // GIVEN
+ cleanupAutzTest(USER_JACK_OID);
+ assignRole(USER_JACK_OID, ROLE_DELEGATOR_OID);
+
+ assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+
+ login(USER_JACK_USERNAME);
+
+ // WHEN
+ TestUtil.displayWhen(TEST_NAME);
+
+ assertReadAllow(NUMBER_OF_ALL_USERS);
+ assertAddDeny();
+ assertModifyDeny();
+ assertDeleteDeny();
+
+ PrismObject userJack = getUser(USER_JACK_OID);
+ assertAssignments(userJack, 1);
+ assertAssignedRole(userJack, ROLE_DELEGATOR_OID);
+
+ PrismObject userBarbossa = getUser(USER_BARBOSSA_OID);
+ assertNoAssignments(userBarbossa);
+
+ assertDeny("assign business role to jack",
+ (task, result) -> {
+ assignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result);
+ });
+
+ userJack = getUser(USER_JACK_OID);
+ assertAssignments(userJack, 1);
+
+ // Wrong direction. It should NOT work.
+ assertDeny("delegate from Barbossa to Jack",
+ (task, result) -> {
+ assignDeputy(USER_JACK_OID, USER_BARBOSSA_OID, task, result);
+ });
+
+
+ // Good direction
+ assertAllow("delegate to Barbossa",
+ (task, result) -> {
+ assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result);
+ });
+
+ userJack = getUser(USER_JACK_OID);
+ assertAssignments(userJack, 1);
+
+ userBarbossa = getUser(USER_BARBOSSA_OID);
+ assertAssignments(userBarbossa, 1);
+ assertAssignedDeputy(userBarbossa, USER_JACK_OID);
+
+ login(USER_BARBOSSA_USERNAME);
+ // WHEN
+ TestUtil.displayWhen(TEST_NAME);
+ display("Logged in as Barbossa");
+
+ assertReadAllow(NUMBER_OF_ALL_USERS);
+ assertAddDeny();
+ assertModifyDeny();
+ assertDeleteDeny();
+
+ login(USER_JACK_USERNAME);
+ // WHEN
+ TestUtil.displayWhen(TEST_NAME);
+ display("Logged in as Jack");
+
+ assertAllow("undelegate from Barbossa",
+ (task, result) -> {
+ unassignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result);
+ });
+
+ userJack = getUser(USER_JACK_OID);
+ assertAssignments(userJack, 1);
+
+ userBarbossa = getUser(USER_BARBOSSA_OID);
+ assertNoAssignments(userBarbossa);
+
+ assertGlobalStateUntouched();
+
+ login(USER_BARBOSSA_USERNAME);
+ // WHEN
+ TestUtil.displayWhen(TEST_NAME);
+ display("Logged in as Barbossa");
+
+ assertReadDeny();
+ assertAddDeny();
+ assertModifyDeny();
+ assertDeleteDeny();
+
+ assertDeny("delegate to Jack",
+ (task, result) -> {
+ assignDeputy(USER_JACK_OID, USER_BARBOSSA_OID, task, result);
+ });
+
+ assertDeny("delegate from Jack to Barbossa",
+ (task, result) -> {
+ assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result);
+ });
+
+ assertGlobalStateUntouched();
+ }
+
+ @Test
public void test150AutzJackApproverUnassignRoles() throws Exception {
final String TEST_NAME = "test150AutzJackApproverUnassignRoles";
TestUtil.displayTestTile(this, TEST_NAME);
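Review bot: the new method is `test120AutzJackDelagator` but its `TEST_NAME` is still `"test350AutzJackDelagator"`, carried over from the method removed from TestSecurityBasic, so the log output and `displayWhen` markers will point at a test that no longer exists. Set `TEST_NAME` to match the method name, and while touching it consider fixing the spelling to `Delegator`. The hunk also flips `test150AutzJackApproverUnassignRoles` from `@Test(enabled=false)` to `@Test`; that is worth a mention in the commit message since it turns a previously skipped security test into a gating one.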
@@ -169,6 +294,10 @@ public void test150AutzJackApproverUnassignRoles() throws Exception {
assignRole(USER_JACK_OID, ROLE_APPROVER_UNASSIGN_ROLES_OID);
assignRole(USER_JACK_OID, ROLE_ORDINARY_OID, SchemaConstants.ORG_APPROVER);
+ PrismObject userCobbBefore = getUser(userCobbOid);
+ IntegrationTestTools.display("User cobb before", userCobbBefore);
+ assertRoleMembershipRef(userCobbBefore, ROLE_ORDINARY_OID, ROLE_UNINTERESTING_OID, ORG_SCUMM_BAR_OID);
+
login(USER_JACK_USERNAME);
// WHEN
@@ -180,22 +309,119 @@ public void test150AutzJackApproverUnassignRoles() throws Exception {
assertGetAllow(UserType.class, userRumRogersOid); // member of ROLE_ORDINARY_OID
assertGetAllow(UserType.class, userCobbOid); // member of ROLE_ORDINARY_OID
- assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
- assertGetDeny(UserType.class, USER_LECHUCK_OID);
+ assertGetDeny(UserType.class, USER_JACK_OID); // assignment exists, but wrong relation
+ assertGetDeny(UserType.class, USER_GUYBRUSH_OID); // no assignment to ROLE_ORDINARY_OID
+ assertGetDeny(UserType.class, USER_LECHUCK_OID); // no assignment to ROLE_ORDINARY_OID
- assertSearch(UserType.class, null, NUMBER_OF_ALL_USERS);
- assertSearch(RoleType.class, null, 1);
assertSearch(OrgType.class, null, 0);
+
+ // The appr-read-roles authorization is maySkipOnSearch and there is no other authorization that would
+ // allow read, so no role are returned
+ assertSearch(RoleType.class, null, 0);
- // TODO: assign role
+ // The appr-read-users authorization is maySkipOnSearch and there is no other authorization that would
+ // allow read, so no users are returned
+ assertSearch(UserType.class, null, 0);
+
+ assertSearch(UserType.class,
+ QueryBuilder.queryFor(UserType.class, prismContext).item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ROLE_APPROVER_UNASSIGN_ROLES_OID).build(),
+ 0);
+
+ assert15xCommon();
+ }
+
+ @Test
+ public void test152AutzJackApproverUnassignRolesAndRead() throws Exception {
+ final String TEST_NAME = "test152AutzJackApproverUnassignRolesAndRead";
+ TestUtil.displayTestTile(this, TEST_NAME);
+ // GIVEN
+ cleanupAutzTest(USER_JACK_OID);
+ assignRole(USER_JACK_OID, ROLE_APPROVER_UNASSIGN_ROLES_OID);
+ assignRole(USER_JACK_OID, ROLE_READ_BASIC_ITEMS_OID);
+ assignRole(USER_JACK_OID, ROLE_ORDINARY_OID, SchemaConstants.ORG_APPROVER);
+
+ login(USER_JACK_USERNAME);
- // TODO: list role members
+ // WHEN
+ TestUtil.displayWhen(TEST_NAME);
- // TODO: unassign role
+ assertGetAllow(RoleType.class, ROLE_ORDINARY_OID);
+ assertGetAllow(RoleType.class, ROLE_PERSONA_ADMIN_OID); // no assignment
+ assertGetAllow(RoleType.class, ROLE_APPROVER_UNASSIGN_ROLES_OID); // assignment exists, but wrong relation
+ assertGetAllow(UserType.class, userRumRogersOid); // member of ROLE_ORDINARY_OID
+ assertGetAllow(UserType.class, userCobbOid); // member of ROLE_ORDINARY_OID
+ assertGetAllow(UserType.class, USER_JACK_OID); // assignment exists, but wrong relation
+ assertGetAllow(UserType.class, USER_GUYBRUSH_OID); // no assignment to ROLE_ORDINARY_OID
+ assertGetAllow(UserType.class, USER_LECHUCK_OID); // no assignment to ROLE_ORDINARY_OID
+
+ assertSearch(OrgType.class, null, NUMBER_OF_ALL_ORGS);
+
+ // The appr-read-roles authorization is maySkipOnSearch and the readonly role allows read.
+ assertSearch(RoleType.class, null, NUMBER_OF_ALL_ROLES);
+
+ // The appr-read-users authorization is maySkipOnSearch and the readonly role allows read.
+ assertSearch(UserType.class, null, NUMBER_OF_ALL_USERS);
+
+
+ assert15xCommon();
+ }
+
+ private void assert15xCommon() throws Exception {
+
+ // list ordinary role members, this is allowed
+ assertSearch(UserType.class,
+ QueryBuilder.queryFor(UserType.class, prismContext).item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ROLE_ORDINARY_OID).build(),
+ 2);
+
+ // MID-3916
+ // list approver role members, this is not allowed
+// assertSearch(UserType.class,
+// QueryBuilder.queryFor(UserType.class, prismContext).item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ROLE_APPROVER_UNASSIGN_ROLES_OID).build(),
+// 0);
+
+ assertAllow("unassign ordinary role from cobb",
+ (task,result) -> unassignRole(userCobbOid, ROLE_ORDINARY_OID, task, result));
+
+ assertSearch(UserType.class,
+ QueryBuilder.queryFor(UserType.class, prismContext).item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ROLE_ORDINARY_OID).build(),
+ 1);
+
+ // Jack is not approver of uninteresting role, so this should be denied
+ assertDeny("unassign uninteresting role from cobb",
+ (task,result) -> unassignRole(userCobbOid, ROLE_UNINTERESTING_OID, task, result));
+
+ // Jack is not approver of uninteresting role, so this should be denied
+ // - even though Rum Rogers is a member of a role that jack is an approver of
+ assertDeny("unassign uninteresting role from rum",
+ (task,result) -> unassignRole(userRumRogersOid, ROLE_UNINTERESTING_OID, task, result));
+
+ assertDeny("unassign approver role from jack",
+ (task,result) -> unassignRole(USER_JACK_OID, ROLE_APPROVER_UNASSIGN_ROLES_OID, task, result));
+
+ // Lechuck is not a member of ordinary role
+ assertDeny("unassign ordinary role from lechuck",
+ (task,result) -> unassignRole(USER_LECHUCK_OID, ROLE_ORDINARY_OID, task, result));
+
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
assertGlobalStateUntouched();
}
+
+ // TODO: combine ROLE_APPROVER_UNASSIGN_ROLES_OID with a role that allows basic read of users and roles
+
+ @Override
+ protected void cleanupAutzTest(String userOid) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
+ super.cleanupAutzTest(userOid);
+
+ Task task = taskManager.createTaskInstance(TestSecurityAdvanced.class.getName() + ".cleanupAutzTest");
+ OperationResult result = task.getResult();
+
+ assignRole(userRumRogersOid, ROLE_ORDINARY_OID, task, result);
+ assignRole(userRumRogersOid, ROLE_UNINTERESTING_OID, task, result);
+ assignRole(userCobbOid, ROLE_ORDINARY_OID, task, result);
+ assignRole(userCobbOid, ROLE_UNINTERESTING_OID, task, result);
+
+ }
}
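Review bot: in `assert15xCommon` the negative check under `// MID-3916` ("list approver role members, this is not allowed") is commented out, so the shared assertions no longer verify that an approver cannot enumerate members of `ROLE_APPROVER_UNASSIGN_ROLES_OID`. `test150` still asserts 0 for that query before calling the helper, but `test152` has no equivalent, so the combination with `ROLE_READ_BASIC_ITEMS_OID` is untested for this case. Rather than leaving dead code, assert the currently expected result in each test with a comment referencing MID-3916, so a behaviour change is noticed. Two smaller points: the trailing `// TODO: combine ROLE_APPROVER_UNASSIGN_ROLES_OID with a role that allows basic read of users and roles` looks stale now that `test152AutzJackApproverUnassignRolesAndRead` does exactly that, and the overridden `cleanupAutzTest` never checks `result` after the four `assignRole` calls, so a failed re-assignment would surface only as a confusing assertion failure later.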
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
index 46be1d44ed7..1131f8766be 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
@@ -2522,112 +2522,6 @@ public void test313AutzAnonymousPrivilegedRestore() throws Exception {
assertGlobalStateUntouched();
}
- @Test
- public void test350AutzJackDelagator() throws Exception {
- final String TEST_NAME = "test350AutzJackDelagator";
- TestUtil.displayTestTile(this, TEST_NAME);
- // GIVEN
- cleanupAutzTest(USER_JACK_OID);
- assignRole(USER_JACK_OID, ROLE_DELEGATOR_OID);
-
- assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
-
- login(USER_JACK_USERNAME);
-
- // WHEN
- TestUtil.displayWhen(TEST_NAME);
-
- assertReadAllow(NUMBER_OF_ALL_USERS + 1);
- assertAddDeny();
- assertModifyDeny();
- assertDeleteDeny();
-
- PrismObject userJack = getUser(USER_JACK_OID);
- assertAssignments(userJack, 2);
- assertAssignedRole(userJack, ROLE_DELEGATOR_OID);
-
- PrismObject userBarbossa = getUser(USER_BARBOSSA_OID);
- assertNoAssignments(userBarbossa);
-
- assertDeny("assign business role to jack",
- (task, result) -> {
- assignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result);
- });
-
- userJack = getUser(USER_JACK_OID);
- assertAssignments(userJack, 2);
-
- // Wrong direction. It should NOT work.
- assertDeny("delegate from Barbossa to Jack",
- (task, result) -> {
- assignDeputy(USER_JACK_OID, USER_BARBOSSA_OID, task, result);
- });
-
-
- // Good direction
- assertAllow("delegate to Barbossa",
- (task, result) -> {
- assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result);
- });
-
- userJack = getUser(USER_JACK_OID);
- assertAssignments(userJack, 2);
-
- userBarbossa = getUser(USER_BARBOSSA_OID);
- assertAssignments(userBarbossa, 1);
- assertAssignedDeputy(userBarbossa, USER_JACK_OID);
-
- login(USER_BARBOSSA_USERNAME);
- // WHEN
- TestUtil.displayWhen(TEST_NAME);
- display("Logged in as Barbossa");
-
- assertReadAllow(NUMBER_OF_ALL_USERS + 1);
- assertAddDeny();
- assertModifyDeny();
- assertDeleteDeny();
-
- login(USER_JACK_USERNAME);
- // WHEN
- TestUtil.displayWhen(TEST_NAME);
- display("Logged in as Jack");
-
- assertAllow("undelegate from Barbossa",
- (task, result) -> {
- unassignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result);
- });
-
- userJack = getUser(USER_JACK_OID);
- assertAssignments(userJack, 2);
-
- userBarbossa = getUser(USER_BARBOSSA_OID);
- assertNoAssignments(userBarbossa);
-
- assertGlobalStateUntouched();
-
- login(USER_BARBOSSA_USERNAME);
- // WHEN
- TestUtil.displayWhen(TEST_NAME);
- display("Logged in as Barbossa");
-
- assertReadDeny();
- assertAddDeny();
- assertModifyDeny();
- assertDeleteDeny();
-
- assertDeny("delegate to Jack",
- (task, result) -> {
- assignDeputy(USER_JACK_OID, USER_BARBOSSA_OID, task, result);
- });
-
- assertDeny("delegate from Jack to Barbossa",
- (task, result) -> {
- assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result);
- });
-
- assertGlobalStateUntouched();
- }
-
@Test
public void test360AutzJackAuditorRole() throws Exception {
final String TEST_NAME = "test360AutzJackAuditorRole";
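Review bot: the removal of `test350AutzJackDelagator` here is not a pure move, because the copy added to TestSecurityAdvanced has different expectations: `assertReadAllow(NUMBER_OF_ALL_USERS + 1)` became `assertReadAllow(NUMBER_OF_ALL_USERS)` and `assertAssignments(userJack, 2)` became `assertAssignments(userJack, 1)`. Those differences presumably come from the different fixture state of the two classes, but nothing in the patch says so, and a reviewer cannot tell a fixture difference from a loosened assertion. Please state the reason in the commit message or in a comment on the moved test.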
diff --git a/model/model-intest/src/test/resources/security/role-approver-unassign-roles.xml b/model/model-intest/src/test/resources/security/role-approver-unassign-roles.xml
index 0ec891aadb4..6fde7b91672 100644
--- a/model/model-intest/src/test/resources/security/role-approver-unassign-roles.xml
+++ b/model/model-intest/src/test/resources/security/role-approver-unassign-roles.xml
@@ -23,6 +23,7 @@
appr-read-roleshttp://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
+ maySkipOnSearch
- appr-assign
- http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign
+ appr-unassignhttp://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassignrequest