Add bulk actions autz documentation

docs/misc/bulk/search.adoc → docs/misc/bulk/actions/search.adoc

@@ -10,7 +10,7 @@
 
 == Description
 
-The `search` scripting expression retrieves a set of objects via `searchObjects` or `searchObjectsIterative` model call.
+The `search` action retrieves a set of objects via `searchObjects` or `searchObjectsIterative` model call.
 
 
 == Input
@@ -219,4 +219,19 @@ Both options (using embedded action or using pipeline) have the same result.
 The difference is mainly in the memory requirements for executing the script on large data: The second option (pipeline) is more memory-consuming, because there a need to construct a list containing all processed objects.
 However, if there would be any need to work with all objects at once (e.g. to select a user with maximum number of accounts), the second option is preferable.
 
-In usual conditions, i.e. no special requirements, and reasonably-sized data, you can use any of the options.
+In usual conditions, i.e. no special requirements, and reasonably-sized data, you can use any of the options.
+
+== Limitations
+
+This action cannot be invoked in the form of
+
+[source,xml]
+----
+<action>
+    <type>search</type>
+</action>
+----
+
+(Because of the conflict in `type` parameter.)
+
+However, the "static" form, i.e. using `<search>` element, is more readable and useful.

docs/misc/bulk/index.adoc

@@ -183,13 +183,9 @@ Currently there are the following kinds of expressions:
 |===
 | Name | Meaning
 
-| xref:/midpoint/reference/misc/bulk/search/[search]
-| Retrieves a set of objects via searchObjects model call.
-
-
 | action
 | An action that can be carried out on a given piece of data that comes at its input.
-Typical actions are add, modify, delete, enable, disable, assign, resolve, log, ...
+Typical actions are add, modify, delete, enable, disable, assign, resolve, log, search, ...
 
 
 | xref:/midpoint/reference/misc/bulk/select/[select]
@@ -458,6 +454,13 @@ Default is "add".
 |
 | Custom message that is prepended to the data.
 
+| xref:/midpoint/reference/misc/bulk/actions/search/[search]
+| search
+| Retrieves a set of objects from the repository or a resource.
+3+| see the description
+|
+|
+
 |===
 
 (++*++) In the future these actions will support also PrismReferences instances as their input.

docs/security/authorization/bulk-actions.adoc

@@ -0,0 +1,23 @@
+= Bulk Actions Authorizations
+:page-since: 4.8
+
+Bulk actions are generally considered "safe", as their execution involves checking appropriate authorizations.
+For example, if one executes `add` action, the `#add` authorization relevant to object(s) being added is required.
+
+However, to add another layer of security - for example, to prevent denial of service attacks - the mere execution of a bulk action requires a special authorization.
+
+Before midPoint 4.8, it was named `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript`.
+Unfortunately, the name was confusing.
+It sounds like the authorization would allow to run Groovy (or Velocity, Python, JavaScript, and similar) scripts, which is not true.
+(Because of their power, to run these scripts from bulk actions before 4.8, the `#all` authorization was required.)
+
+Since 4.8, the `#executeScript` authorization is replaced by `http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#all`.
+Furthermore, it is now possible to allow or deny execution of _individual actions_ using authorizations.
+
+For example, if only `http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign` is granted, then only `assign` bulk action can be invoked.
+
+See xref:/midpoint/reference/misc/bulk/index.adoc#_actions[Actions].
+
+== See Also
+
+* xref:../[Authorization]

docs/security/authorization/model.adoc

@@ -93,19 +93,13 @@ Each individual created object also needs to pass through authorization for `add
 | Allows to invoke `executeChanges` operation with modify deltas for specified objects that add assignment to specified targets
 
 
-| http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeBulkActions
-(called `#executeScript` before 4.8)
+| http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript
+(deprecated)
 | N/A
 | N/A
 | Allows to execute xref:/midpoint/reference/misc/bulk/[midPoint scripts a.k.a. bulk actions]
 | Authorizes the possibility to execute the bulk actions.
-(The additional authorizations to execute specific operations should be present as well.)
-footnote:[For example, if you want to create a set of users via a bulk action, you need both `#executeBulkActions` (`#executeScript`) and `#add` authorizations:
-The former to execute the bulk action at all, the latter to allow the bulk action to add the users.
-The main purpose of `#executeBulkActions` authorization is to provide a protection against e.g. denial of service attacks based on execution of resource-intensive bulk actions.
-Note that the execution of arbitrary Groovy scripts (or Velocity, Python, JavaScript, and similar ones) is _not_ covered by this authorization.
-Because of their power, they required the super-user ("all") authorization (before 4.8).
-Starting with 4.8, they require the xref:/midpoint/reference/security/trusted-actions/index.adoc[expression profile] to be set.]
+See xref:bulk-actions.adoc[].
 |===
 
 The `assign` and `unassign` authorizations are designed especially to allow assignment and un-assignment of specific roles and orgs, e.g. in cases of delegated administration, multi-tenancy and similar set-ups.
@@ -114,4 +108,4 @@ E.g. `assign` authorization can be used to allow assignment only selected roles
 The `assign` and `unassign` authorizations work only in the request phase.
 They are not effective in the execution phase.
 Therefore `modify` authorization is still needed in the execution phase.
-However as the operation needs to pass both phases to be allowed this is a sufficient set-up.
+However, as the operation needs to pass both phases to be allowed this is a sufficient set-up.