Show Only Active Users HOWTO

Last modified 28 Oct 2021 11:18 +02:00
Since 3.9
This functionality is available since version 3.9.

There are scenarios where it is necessary to limit the number of objects that users see. This would normally be done with authorizations, but authorizations have their limits. For example, users usually need to be allowed to see the basic details of almost any object, because objects may be referenced from tasks, work items, audit records and so on; therefore users must be authorized to read such objects. On the other hand, we do not want users to list all the objects. But getting an object and listing objects are both considered to be reading by the authorization subsystem, so there is no way to disable one and enable the other.

But there is an elegant way to limit the listing of objects in the midPoint user interface: Object Collections and Views. This feature was partially implemented in midPoint 3.9 specifically to satisfy this use case. The basic principle is to define a special view containing only those objects that the users are meant to see (e.g. an "Employees" view), then remove the authorizations for the pages that list all users, leaving only the authorization to access that specific view.

Configuration

Definition of object view in adminGuiConfig in a role:

...
<adminGuiConfiguration>
    <objectLists>
        <objectList>
            <type>UserType</type>
            <name>empls-view</name>
            <display>
                <label>Employee</label>
                <pluralLabel>Employees</pluralLabel>
            </display>
            <collectionRef oid="2c2028c8-755e-11e8-bb29-53818f7c88fb" type="ObjectCollectionType"/>
        </objectList>
    </objectLists>
</adminGuiConfiguration>
...

Definition of object collection as a separate midPoint object:

<objectCollection xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                  oid="2c2028c8-755e-11e8-bb29-53818f7c88fb">
    <name>empls</name>
    <type>UserType</type>
    <filter>
        <q:equal>
            <q:path>subtype</q:path>
            <q:value>EMP</q:value>
        </q:equal>
    </filter>
</objectCollection>

GUI representation

[Screenshot: usersView]

Authorizations

Users should be authorized to access the "user view" page: http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersView

Make sure that users do not have authorization to access "All users" page (http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll).
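To verify that a role actually follows this setup (grants the usersView page, defines a UserType view, and does not also grant usersAll), the following added audit script can be run over an exported role definition. It is example code, not part of midPoint; the role namespace is assumed, the role oid is a placeholder, and the two embedded sample roles are constructed for the demonstration.

```python
# Added example, not midPoint project code: audit a role definition for the
# "users see only a view" setup from this HOWTO. Tags are matched by local
# name, so the namespace declared on the <role> does not matter.
import xml.etree.ElementTree as ET

UI_AUTHZ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3"
USERS_VIEW = UI_AUTHZ + "#usersView"
USERS_ALL = UI_AUTHZ + "#usersAll"


def _local(tag):
    """Strip the {namespace} prefix that ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def check_role(role_xml):
    """Report the UI authorizations granted and the UserType views defined.

    'ok' is True only when usersView is granted, usersAll is NOT granted and
    at least one <objectList> for UserType exists (the setup described above).
    """
    root = ET.fromstring(role_xml)
    actions, views = set(), []
    for elem in root.iter():
        if _local(elem.tag) == "authorization":
            actions.update((c.text or "").strip() for c in elem if _local(c.tag) == "action")
        elif _local(elem.tag) == "objectList":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            if fields.get("type") == "UserType":
                views.append(fields.get("name", ""))
    grants_view, grants_all = USERS_VIEW in actions, USERS_ALL in actions
    return {"grants_users_view": grants_view, "grants_users_all": grants_all,
            "user_views": views, "ok": grants_view and not grants_all and bool(views)}


# Constructed sample role (namespace assumed, oid is a placeholder); the view
# and collection reference are the ones from the configuration above.
EMPLOYEE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="PLACEHOLDER-ROLE-OID">
    <name>Employee self-service</name>
    <authorization><action>%s</action></authorization>
    <adminGuiConfiguration><objectLists><objectList>
        <type>UserType</type><name>empls-view</name>
        <collectionRef oid="2c2028c8-755e-11e8-bb29-53818f7c88fb" type="ObjectCollectionType"/>
    </objectList></objectLists></adminGuiConfiguration>
</role>""" % USERS_VIEW

# Same role with the "All users" page still granted: the view no longer limits listing.
LEAKY_ROLE = EMPLOYEE_ROLE.replace("</authorization>",
    "</authorization><authorization><action>%s</action></authorization>" % USERS_ALL)
```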
