Better default authorizations for requestable roles in end user role …

…(MID-5045)
Evolveum · Jan 3, 2019 · 655bbdf · 655bbdf
1 parent a8d8f3d
commit 655bbdf
Showing 1 changed file with 30 additions and 3 deletions.
diff --git a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
@@ -18,7 +18,7 @@
       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
     <name>End user</name>
-    <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
+    <description>Role authorizing end users to log in, change their passwords and review assigned accounts. Note: This role definition is just an example. It should be tailored for each specific deployment.</description>
     <authorization>
     	<name>gui-self-service-access</name>
     	<description>
@@ -93,13 +93,39 @@
     	</object>
     	<item>credentials</item>
     </authorization>
+    <authorization>
+    	<name>read-requestable-roles</name>
+    	<description>
+    		Allow to read requestable roles. This allows to search for requestable roles in user interface.
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    	<object>
+    		<type>RoleType</type>
+    		<filter>
+    			<q:equal>
+    				<q:path>requestable</q:path>
+    				<q:value>true</q:value>
+    			</q:equal>
+    		</filter>
+    	</object>
+    	<!-- Note: for production use you should consider limiting the items that can be read. -->
+    </authorization>
+     <authorization>
+    	<name>requestable-role-details</name>
+    	<description>
+    		Allow to show details of requestable roles in the user interface.
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#roleDetails</action>
+    	<!-- Note: object specification should be here to limit this authorization to requestable roles. 
+    	     But this is not yet supported. -->
+    </authorization>
     <authorization>
     	<name>assign-requestable-roles</name>
     	<description>
     		Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
     	    The requestable roles will be displayed in the role request dialog by default.
-    	    Please note that the roles also need an approved definition to go through the approval process.
-    	    Otherwise they will be assigned automatically wihout any approval. 
+    	    Please note that the roles also need an approval definition to go through the approval process.
+    	    Otherwise they will be assigned automatically without any approval. 
     	</description>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
     	<phase>request</phase>
@@ -173,6 +199,7 @@
         <object> <!-- Deputy delegations may have users as targets -->
             <type>UserType</type>
         </object>
+        <!-- Note: for production use you should consider limiting the items that can be read. -->
     </authorization>
     <authorization>
     	<name>assignment-target-read-task</name>