-
Notifications
You must be signed in to change notification settings - Fork 188
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
14 changed files
with
544 additions
and
238 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
21 changes: 21 additions & 0 deletions
21
docs/security/authorization/configuration/selectors/archetypeRef.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
= Archetype Clause | ||
:page-since: 4.0 | ||
|
||
Authorization applies only to objects that have specified archetype. | ||
|
||
.Listing 1. Authorization applicable to objects with a given archetype. | ||
[source,xml] | ||
---- | ||
<authorization> | ||
<action>...</action> | ||
<object> | ||
<archetypeRef oid="00000000-0000-0000-0000-000000000321"/> | ||
</object> | ||
</authorization> | ||
---- | ||
|
||
Archetype specification is multivalued. | ||
If more than one `archetypeRef` is used in the same authorization, then _or_ operation is implied. | ||
I.e. match of a single archetypes from the list will make the authorization applicable for the object. | ||
|
||
See also xref:/midpoint/reference/schema/archetypes/[Archetypes]. |
53 changes: 53 additions & 0 deletions
53
docs/security/authorization/configuration/selectors/assignee.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
= Assignee and Candidate Assignee Clause | ||
|
||
It selects objects (cases, work items) that have an assignee which is specified by inner object selector. | ||
|
||
An example: | ||
|
||
.Listing 1. An authorization allowing reading any case in which the subject is an assignee | ||
[source,xml] | ||
---- | ||
<authorization> | ||
<name>cases-assignee-self-read</name> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> | ||
<object> | ||
<type>CaseType</type> | ||
<assignee> | ||
<special>self</special> | ||
</assignee> | ||
</object> | ||
</authorization> | ||
---- | ||
|
||
The following behavior applies to midPoint 4.8. | ||
|
||
.Supported object types | ||
[%autowidth] | ||
|=== | ||
| Object type | What are the assignees? | ||
|
||
| `CaseType` | ||
| All `assigneeRef` values from all `workItem` values. | ||
|
||
| `AccessCertificationCaseType` | ||
| All `assigneeRef` values from all `workItem` values. | ||
|
||
| `AbstractWorkItemType` (work items for both types of cases) | ||
| All `assigneeRef` values. | ||
|=== | ||
|
||
== Delegation | ||
During evaluation of this clause, the `self` clause in the inner selector has an interpretation that slightly differs from the usual one: | ||
Instead of matching the principal object only, it matches all of its deputies relevant for given area (i.e., case management or access certification). | ||
So, if `ann` is a deputy of `jack` with the rights in the area of case management, and a case `C` has a work item assigned to `jack`, and `ann` has the authorization depicted in Listing 1, then she can read the case `C` exactly as `jack` can. | ||
|
||
== Limitations | ||
. When searching, only `self` selector is supported. | ||
|
||
== Candidate Assignee | ||
++++ | ||
{% include since.html since="4.8" %} | ||
++++ | ||
|
||
In a similar way, candidate assignees can be authorized regarding cases, certification cases, and their work items. | ||
The `candidateRef` item is taken into account instead of `assigneeRef`. |
Oops, something went wrong.