Merge remote-tracking branch 'refs/remotes/origin/master'

Evolveum · Oct 13, 2023 · 745ef27 · 745ef27
2 parents 85a0f16 + b9d03dd
commit 745ef27
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 4 deletions.
diff --git a/docs/security/authentication/flexible-authentication/configuration.adoc b/docs/security/authentication/flexible-authentication/configuration.adoc
@@ -69,6 +69,14 @@ No suffix specified.
 | http://midpoint.evolveum.com/xml/ns/public/common/channels-3#selfRegistration
 |
 
+| /invitation
+| http://midpoint.evolveum.com/xml/ns/public/common/channels-3#invitation
+|
+
+| /identityRecovery
+| http://midpoint.evolveum.com/xml/ns/public/common/channels-3#identityRecovery
+|
+
 
 |===
 
@@ -263,6 +271,86 @@ If not specified then default password definition is used.
 </mailNonce>
 ----
 
+[#_archetypeSelection]
+==== Module archetypeSelection
+
+Archetype selection module is used during xref:/midpoint/reference/security/credentials/identity-recovery/index.adoc[Identity recovery] flow.
+During this module processing the user can select an archetype which will be used in the following authentication modules in sequence.
+
+[%autowidth]
+|===
+| Name | Description | Required | Type
+
+| `archetypeSelection`
+| Contains the only multivalue element `archetypeRef` which is used to configure a list of the archetypes
+| false
+| _ArchetypeSelectionType_
+
+| `allowUndefinedArchetype`
+| If true, then the user can proceed authentication process without specifying a particular archetype.
+
+If no, the particular archetype should be selected during Archetype selection module processing to proceed the authentication.
+| false
+| _boolean_
+|===
+
+
+.Example of archetypeSelection module
+[source,xml]
+----
+<archetypeSelection>
+    <identifier>archetype-selection</identifier>
+    <archetypeSelection>
+        <archetypeRef oid="4b18a1eb-75ed-40f7-bed1-11cf2a6ef7ba"/>  <!-- Student archetype -->
+        <archetypeRef oid="fd4fb0e1-0147-4431-a1c6-bc03ae5eacad"/>  <!-- Teacher archetype -->
+    </archetypeSelection>
+    <allowUndefinedArchetype>false</allowUndefinedArchetype>
+</archetypeSelection>
+----
+
+[#_correlation]
+==== Module correlation
+
+Correlation module gives the possibility to find identity(es) (user object(s) for now) in midpoint using xref:midpoint/reference/correlation/index.adoc[correlation] mechanism within authentication process.
+This module is used during xref:/midpoint/reference/security/credentials/identity-recovery/index.adoc[Identity recovery] flow as the second authentication module.
+
+The specified in the module correlators are processed one by one till the only identity is found by the correlators, or till the last correlator is proceeded. In case no identity is found after the last correlator, the list of candidates from the correlators results are considered to be a list of found identities.
+
+[%autowidth]
+|===
+| Name | Description | Required | Type
+
+| `correlator`
+| The definition of the correlator. Within this element `correlatorIdentifier` (should match 'name' attribute of the correlator set in object template) and `order` (the order during processing) are defined.
+| false
+| _CorrelationModuleConfigurationType_
+
+| `options`
+| Used to set some options for correlation module. For now contains the only `candidateLimit` element which restricts the maximum count of the found identities to the specified in this element number.
+| false
+| _CorrelationModuleOptionsType_
+|===
+
+
+.Example of correlation module
+[source,xml]
+----
+<correlation>
+    <identifier>correlation</identifier>
+    <correlator>
+        <correlatorIdentifier>family-name-only</correlatorIdentifier>
+        <order>1</order>
+    </correlator>
+    <correlator>
+        <correlatorIdentifier>family-and-given-name</correlatorIdentifier>
+        <order>2</order>
+    </correlator>
+    <options>
+        <candidateLimit>10</candidateLimit>
+    </options>
+</correlation>
+----
+
 
 ==== Module ldap
 

diff --git a/docs/security/authorization/configuration/selectors/type-and-parent.adoc b/docs/security/authorization/configuration/selectors/type-and-parent.adoc
@@ -97,12 +97,31 @@ This authorization covers all sub-items of `workItem`, except for the `createTim
 </authorization>
 ----
 
-== Default
+=== Notes
 
-If neither `type` nor `parent` clause is specified, a type of `ObjectType` is assumed.
+- The `#read` (or `#search`) authorization targeting sub-object values (e.g., case work items) does _not_ authorize the user to search for embedding objects, i.e., cases.
+For that, a separate `#search` authorization with `type` set to `CaseType` has to be provided.
+
+=== Limitations
+
+Currently, the following items are supported by this clause:
+
+- case work items,
+- certification cases,
+- certification cases work items,
+- operation execution records,
+- assignments (partially - not for searching),
+- simulation-related processed objects records (partially - not for searching).
 
-== Open Questions
+Other items should work as well, but with no guarantees.
+In particular, it is possible to e.g. specify `name` in `UserType` as authorization object, but there is currently no way of specifying filter for the value.
 
-#How should we call this selector?#
+=== Open Questions
+
+How should we call this selector?
 In the query language we use `ownedBy` for this concept.
 However, in selectors we already have `owner` selector.
+
+== Default
+
+If neither `type` nor `parent` clause is specified, a type of `ObjectType` is assumed.