Commit
Showing 4 changed files with 52 additions and 17 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
= Bulk Actions Authorizations | ||
:page-since: 4.8 | ||
|
||
Bulk actions are generally considered "safe", as their execution involves checking appropriate authorizations. | ||
For example, if one executes `add` action, the `#add` authorization relevant to object(s) being added is required. | ||
|
||
However, to add another layer of security - for example, to prevent denial of service attacks - the mere execution of a bulk action requires a special authorization. | ||
|
||
Before midPoint 4.8, it was named `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript`. | ||
Unfortunately, the name was confusing. | ||
It sounds like the authorization would allow to run Groovy (or Velocity, Python, JavaScript, and similar) scripts, which is not true. | ||
(Because of their power, to run these scripts from bulk actions before 4.8, the `#all` authorization was required.) | ||
|
||
Since 4.8, the `#executeScript` authorization is replaced by `http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#all`. | ||
Furthermore, it is now possible to allow or deny execution of _individual actions_ using authorizations. | ||
|
||
For example, if only `http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign` is granted, then only `assign` bulk action can be invoked. | ||
|
||
See xref:/midpoint/reference/misc/bulk/index.adoc#_actions[Actions]. | ||
|
||
== See Also | ||
|
||
* xref:../[Authorization] |
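
Review bot: The paragraph starting "Since 4.8, the `#executeScript` authorization is replaced by ..." does not say what happens to existing roles that still grant `authorization-model-3#executeScript` after an upgrade. A reader cannot tell from this page whether the old URI is still honored, ignored, or has to be migrated, and that matters for anyone auditing who can run bulk actions. Suggest adding one sentence stating the upgrade behaviour. In the same area, the parenthetical about Groovy and similar scripts says only what was required "before 4.8", so state what is required from 4.8 on as well. The short `#all` in that parenthetical is easy to confuse with the new `authorization-bulk-3#all` introduced two lines later; spelling out the full URI there would remove the ambiguity. It would also help to say explicitly that the per-action authorization (the `#assign` example) is needed in addition to the object-level authorization described in the first paragraph, not instead of it.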