<accessRequest>
<targetSelection>
<group>
<!-- group collection defined directly via object filter -->
<identifier>b-users</identifier>
<display>
<label>Users with name containing b</label>
<icon>
<cssClass>fa fa-pencil</cssClass>
</icon>
</display>
<collection>
<filter>
<q:substring>
<q:path>name</q:path>
<q:value>b</q:value>
</q:substring>
</filter>
</collection>
</group>
<group>
<!-- group collection defined via reference to ObjectCollectionType -->
<identifier>collection-users</identifier>
<display>
<label>Users from collection</label>
<icon>
<cssClass>fa fa-building</cssClass>
</icon>
</display>
<collection>
<collectionRef oid="82a2e4be-4042-42f6-8b06-02f1ebffda48" relation="org:default" type="c:ObjectCollectionType"/>
</collection>
</group>
</targetSelection>
<relationSelection>
<!-- relation will be preselected and whole step hidden, since there's only one relation to be selected -->
<defaultRelation>org:default</defaultRelation>
<allowOtherRelations>false</allowOtherRelations>
</relationSelection>
<roleCatalog>
<!-- we'll hide menu that allows user to search for roles in catalog based on roles of teammate -->
<showRolesOfTeammate>false</showRolesOfTeammate>
<!-- Org. unit structure to build menu for role catalog (up to 3 levels) -->
<roleCatalogRef oid="8d4670a8-17db-4330-a753-8d3492b19ff8" relation="org:default" type="c:OrgType"/>
<!-- Another menu item created using reference to ObjectCollectionType -->
<collection id="233">
<identifier>example-collection</identifier>
<collectionRef oid="d4f124ed-9694-4a97-8e18-f9fc45563003" relation="org:default" type="c:ObjectCollectionType"/>
</collection>
<!--
Menu create using default collection (in this case reference by short identifier `allRoles`,
which is equivalent to `http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles`).
Also custom details panel was defined for popup.
-->
<collection>
<identifier>all roles</identifier>
<collectionIdentifier>allRoles</collectionIdentifier>
<details>
<identifier>some panel</identifier>
<container>
<identifier>container-identifier</identifier>
<display>
<label>Custom description</label>
</display>
<item>
<path>description</path>
</item>
</container>
<panelType>formPanel</panelType>
<type>RoleType</type>
</details>
</collection>
<collection>
<identifier>all orgs</identifier>
<collectionIdentifier>allOrgs</collectionIdentifier>
<default>true</default>
</collection>
<collection>
<identifier>all services</identifier>
<collectionIdentifier>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allServices</collectionIdentifier>
</collection>
<collection>
<identifier>mid roles</identifier>
<collectionRef oid="5c12258a-7f1d-43bc-8f40-9993df476bb5" type="c:ObjectCollectionType"/>
</collection>
</roleCatalog>
<checkout>
<!-- custom validity duration was created -->
<validityConfiguration>
<mandatory>true</mandatory>
<predefinedValue>
<display>
<label>10 years</label>
</display>
<duration>P10Y</duration>
</predefinedValue>
</validityConfiguration>
</checkout>
</accessRequest>
Request access configuration
Since 4.6
This functionality is available since version 4.6.
|
Following document describes different options and configuration possibilities for request access UI.
Configuration can be placed in admin gui configuration element - globally set is system configuration or in all roles. See Admin GUI configuration on how configuration is compiled when user logs in.
As for request access UI, configuration is merged on level of wizard steps, e.g.:
-
Person of interest:
targetSelection
-
Relations:
relationSelection
-
Role catalog:
roleCatalog
-
Shopping cart:
checkout
Person of interest
If user can request role only for him/herself, this step will be hidden and user will be automatically selected. If there’s only one group for users to be selected, step will not be hidden and group will be automatically preselected and user will see autocomplete/manual user search. |
Element | Type | Default value | Description |
---|---|---|---|
defaultSelection |
String |
Identifier of group that should be preselected or constant "myself" to preselect option which represents user currently logged in. |
|
allowRequestForMyself |
boolean |
|
This is simple override if currently authenticated user has authorization to request for him/herself assign other relations, but we don’t want them to do it via shopping cart. |
allowRequestForOthers |
boolean |
|
This is simple override if currently authenticated user has authorization to assign other relations, but we don’t want them to do it via shopping cart. |
group |
GroupSelectionType |
Group selection structure creates new tile in first step of request access wizard UI (person of interest). Tile button will allow user requesting access to select other users from collections specified by collectionRef or filter. Identifier and display elements are mandatory. |
Relations
If there’s only one relation available, this step will be hidden and relation will be selected automatically. |
Element | Type | Default value | Description |
---|---|---|---|
defaultRelation |
QName |
QName of preselected relation. |
|
allowOtherRelations |
boolean |
|
Whether to allow other relations than defaultRelation.
Relations are computed as combination of predefined ones ( |
Role catalog
Element | Type | Default value | Description |
---|---|---|---|
defaultView |
RoleCatalogViewType |
|
Default view of role catalog that should be presented to users. |
allowedViews |
RoleCatalogViewType |
|
Allowed values |
showRolesOfTeammate |
boolean |
|
If true, menu item will be created. It will allow user to request roles based on other user assigned roles. |
roleCatalogRef |
ObjectReferenceType |
Reference to the root object of the role catalog (org. structure). Up to 3 levels of org. structure will be shown as menus/submenus. |
|
collection |
RoleCollectionViewType |
Role collection view defines structure that should be shown in request access UI wizard - in role catalog step. It will represent new menu item with list of roles defined by collectionRef or collection identifier (e.g. allOrgs, allServices). |
Shopping cart
Element | Type | Default value | Description |
---|---|---|---|
comment |
CheckoutCommentType |
Configuration of comment text field in last step (checkout) of request access UI wizard. |
|
validityConfiguration |
CheckoutValidityConfigurationType |
Configuration of validity (assignment validity) for requested roles in last step (checkout) of request access UI wizard. |