Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Test for MID-3636 and modification of ModelInteractionServiceImpl
- Loading branch information
1 parent
7af6a0b
commit f6e1be9
Showing
3 changed files
with
189 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
145 changes: 145 additions & 0 deletions
145
model/model-intest/src/test/resources/security/role-end-user-requestable-orgs.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
<role oid="9434bf5b-c088-456f-9286-84a1e5a0223c" | ||
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | ||
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" | ||
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | ||
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" | ||
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" | ||
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"> | ||
<name>Assign Requestable orgs</name> | ||
<description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description> | ||
<authorization id="1"> | ||
<name>gui-self-service-access</name> | ||
<description> | ||
Allow access to all self-service operations in GUI. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action> | ||
</authorization> | ||
<authorization id="2"> | ||
<name>self-read</name> | ||
<description> | ||
Allow to read all the properties of "self" object. I.e. every logged-in user can read | ||
object that represent his own identity. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> | ||
<object> | ||
<special>self</special> | ||
</object> | ||
</authorization> | ||
<authorization id="3"> | ||
<name>self-shadow-read</name> | ||
<description> | ||
Allow to read all the properties of all the shadows that belong to "self" object. | ||
I.e. every logged-in user can read all his accounts. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> | ||
<object> | ||
<type>ShadowType</type> | ||
<owner> | ||
<special>self</special> | ||
</owner> | ||
</object> | ||
</authorization> | ||
<authorization id="4"> | ||
<name>self-credentials-request</name> | ||
<description> | ||
Allow to modify user's own credentials. | ||
Note that this is a request phase authorization. It also requires corresponding execution-phase authorization. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action> | ||
<phase>request</phase> | ||
<object> | ||
<special>self</special> | ||
</object> | ||
<c:item>credentials</c:item> | ||
</authorization> | ||
<authorization id="5"> | ||
<name>self-shadow-credentials-request</name> | ||
<description> | ||
Allow to modify credentials of all users accounts. | ||
Note that this is a request phase authorization. It also requires corresponding execution-phase authorization. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action> | ||
<phase>request</phase> | ||
<object> | ||
<type>ShadowType</type> | ||
<owner> | ||
<special>self</special> | ||
</owner> | ||
</object> | ||
<c:item>credentials</c:item> | ||
</authorization> | ||
<authorization id="6"> | ||
<name>assign-requestable-roles</name> | ||
<description> | ||
Allow to assign requestable roles. This allows to request roles in a request-and-approve process. | ||
The requestable roles will be displayed in the role request dialog by default. | ||
Please note that the roles also need an approved definition to go through the approval process. | ||
Otherwise they will be assigned automatically wihout any approval. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action> | ||
<phase>request</phase> | ||
<object> | ||
<special>self</special> | ||
</object> | ||
<target> | ||
<type>RoleType</type> | ||
<filter> | ||
<q:equal> | ||
<q:path>requestable</q:path> | ||
<q:value>true</q:value> | ||
</q:equal> | ||
</filter> | ||
</target> | ||
</authorization> | ||
<authorization id="7"> | ||
<name>assignment-target-read</name> | ||
<description> | ||
Authorization that allows to read all the object that are possible assignment targets. We want that | ||
to display the targets in the selection windows. | ||
Note that this authorization may be too broad for production use. Normally it should be limited to just | ||
selected properties such as name and description. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> | ||
<object> | ||
<type>OrgType</type> | ||
</object> | ||
<object> | ||
<type>ResourceType</type> | ||
</object> | ||
<object> | ||
<type>RoleType</type> | ||
</object> | ||
<object> | ||
<type>ServiceType</type> | ||
</object> | ||
</authorization> | ||
<authorization id="8"> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action> | ||
<phase>execution</phase> | ||
</authorization> | ||
<authorization id="9"> | ||
<name>assign-requestable-orgs</name> | ||
<description> | ||
Allow to assign requestable roles. This allows to request roles in a request-and-approve process. | ||
The requestable roles will be displayed in the role request dialog by default. | ||
Please note that the roles also need an approved definition to go through the approval process. | ||
Otherwise they will be assigned automatically wihout any approval. | ||
</description> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action> | ||
<phase>request</phase> | ||
<object> | ||
<special>self</special> | ||
</object> | ||
<target> | ||
<type>OrgType</type> | ||
<filter> | ||
<q:equal> | ||
<q:path>requestable</q:path> | ||
<q:value>true</q:value> | ||
</q:equal> | ||
</filter> | ||
</target> | ||
</authorization> | ||
<roleType>system</roleType> | ||
</role> |