Skip to content

Commit

Permalink
Updated authorizations in end user role
Browse files Browse the repository at this point in the history
  • Loading branch information
@semancik
semancik committed Apr 4, 2016
1 parent 8a97c8a commit a3c9e3e
Showing 1 changed file with 75 additions and 5 deletions.
80 changes: 75 additions & 5 deletions gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
View file
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2010-2015 Evolveum
~ Copyright (c) 2010-2016 Evolveum
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
Expand All @@ -15,19 +15,34 @@
~ limitations under the License.
-->
<role oid="00000000-0000-0000-0000-000000000008"
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
<name>End user</name>
<description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
<authorization>
<name>gui-self-service-access</name>
<description>
Allow access to all self-service operations in GUI.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action>
</authorization>
<authorization>
<name>self-read</name>
<description>
Allow to read all the properties of "self" object. I.e. every logged-in user can read
object that represent his own identity.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<special>self</special>
</object>
</authorization>
<authorization>
<name>self-shadow-read</name>
<description>
Allow to read all the properties of all the shadows that belong to "self" object.
I.e. every logged-in user can read all his accounts.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>ShadowType</type>
Expand All @@ -37,6 +52,11 @@
</object>
</authorization>
<authorization>
<name>self-credentials-request</name>
<description>
Allow to modify user's own credentials.
Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
<phase>request</phase>
<object>
Expand All @@ -45,6 +65,11 @@
<item>credentials</item>
</authorization>
<authorization>
<name>self-shadow-credentials-request</name>
<description>
Allow to modify credentials of all users accounts.
Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
<phase>request</phase>
<object>
Expand All @@ -56,14 +81,52 @@
<item>credentials</item>
</authorization>
<authorization>
<name>assign-requestable-roles</name>
<description>
Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
The requestable roles will be displayed in the role request dialog by default.
Please note that the roles also need an approved definition to go through the approval process.
Otherwise they will be assigned automatically wihout any approval.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
<phase>request</phase>
<object>
<special>self</special>
</object>
<target>
<type>RoleType</type>
<filter>
<q:equal>
<q:path>requestable</q:path>
<q:value>true</q:value>
</q:equal>
</filter>
</target>
</authorization>
<authorization>
<name>self-execution-modify</name>
<description>
Authorization that allows to self-modification of some properties, but only in execution phase.
The limitation real limitation of these operations is done in the request phase.
E.g. the modification of assignments is controlled in the request phase by using the #assign
authorization.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
<phase>execution</phase>
<object>
<special>self</special>
</object>
<item>credentials</item>
<item>assignment</item>
<item>parentOrgRef</item>
<item>roleMembershipRef</item>
</authorization>
<authorization>
<name>self-sahdow-execution-modify</name>
<description>
Authorization that allows to self-modification of some properties on user's accounts, but only in execution phase.
The limitation real limitation of these operations is done in the request phase.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
<phase>execution</phase>
<object>
Expand All @@ -75,6 +138,13 @@
<item>credentials</item>
</authorization>
<authorization>
<name>assignment-target-read</name>
<description>
Authorization that allows to read all the object that are possible assignment targets. We want that
to display the targets in the selection windows.
Note that this authorization may be too broad for production use. Normally it should be limited to just
selected properties such as name and description.
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>OrgType</type>
Expand All @@ -85,9 +155,9 @@
<object>
<type>RoleType</type>
</object>
</authorization>
<authorization>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfRequestRole</action>
<object>
<type>ServiceType</type>
</object>
</authorization>
<roleType>system</roleType>
</role>

0 comments on commit a3c9e3e

Please sign in to comment.