Add some authorization test objects

These are meant to cover some use cases discussed on May 16th.

model/model-intest/src/test/resources/security/role-show-delegation-assignments.xml

@@ -0,0 +1,33 @@
+<!--
+  ~ Copyright (C) 2010-2023 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<role oid="6d02142b-6256-4e0b-8f15-bac686d89552"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
+    <name>show-delegation-assignments</name>
+    <authorization>
+        <documentation>
+            Selects assignments that delegate power of a user from O1 to a user from O2.
+        </documentation>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>AssignmentType</type>
+            <parent>
+                <type>UserType</type>
+                <orgRef oid="25be8e90-4977-4357-8295-ea9cc13259ec"/> <!-- O2 -->
+                <path>assignment</path>
+            </parent>
+            <target> <!-- new clause (OK?) -->
+                <type>UserType</type>
+                <orgRef oid="49fd49a7-cd4e-4346-8094-a46880a0ed88"/> <!-- O1 -->
+            </target>
+            <filter> <!-- TODO check axiom filter syntax -->
+                <q:text>targetRef matches (relation = "org:deputy")</q:text>
+            </filter>
+        </object>
+    </authorization>
+</role>

model/model-intest/src/test/resources/security/role-show-my-assignments-and-accesses.xml

@@ -0,0 +1,42 @@
+<!--
+  ~ Copyright (C) 2010-2023 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<role oid="1e4d06bd-eacf-4e17-b5c6-d97b4ab6b6e0"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>show-my-assignments-and-accesses</name>
+    <authorization>
+        <documentation>
+            Shows only assignments and accesses (roleMembershipRef values) that belong under roles I own.
+        </documentation>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>AssignmentType</type>
+            <parent>
+                <type>UserType</type>
+                <path>assignment</path>
+            </parent>
+            <target> <!-- new clause -->
+                <type>RoleType</type>
+                <owner>
+                    <special>self</special>
+                </owner>
+            </target>
+        </object>
+        <object>
+            <type>ObjectReferenceType</type>
+            <parent>
+                <type>AssignmentHolderType</type>
+                <path>roleMembershipRef</path>
+            </parent>
+            <target> <!-- new clause -->
+                <type>RoleType</type>
+                <owner>
+                    <special>self</special>
+                </owner>
+            </target>
+        </object>
+    </authorization>
+</role>

model/model-intest/src/test/resources/security/role-show-my-requesters.xml

@@ -0,0 +1,27 @@
+<!--
+  ~ Copyright (C) 2010-2023 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<role oid="3a17b131-82c2-4669-a491-791081be9c04"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>show-my-requesters</name>
+    <authorization>
+        <documentation>
+            Shows only users that request my roles.
+        </documentation>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get</action>
+        <object>
+            <type>UserType</type>
+            <!--
+                There exists a CaseType c and RoleType r such that:
+                    c.requester == this user
+                    c.target == r
+                    principal has roleMembershipRef with (r, owner)
+
+                 Can we write a filter for this?
+            -->
+        </object>
+    </authorization>
+</role>

model/model-intest/src/test/resources/security/role-show-roles-inducing-my-role.xml

@@ -0,0 +1,27 @@
+<!--
+  ~ Copyright (C) 2010-2023 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<role oid="2c25f0b8-0f72-4fdd-95e7-1e2ec41f9a3b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>show-roles-inducing-my-role</name>
+    <authorization>
+        <documentation>
+            Shows only roles that induce a role owned by me.
+        </documentation>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>RoleType</type>
+            <!--
+                Select all roles R such that there is a role R1 that
+
+                    - principal has roleMembershipRef with (R1, owner)
+                    - R has inducement of (R1, any order)
+
+                Can we write a filter for this?
+            -->
+        </object>
+    </authorization>
+</role>