<type>ShadowType</type>
Type and Parent Clauses
Type Clause
Selects objects of the specified type. In the following case all shadows are selected.
<authorization>
<action>...</action>
<object>
<type>ShadowType</type>
</object>
</authorization>
Parent Clause
Since 4.8
This functionality is available since version 4.8.
|
For values that are smaller than an object (sometimes called sub-object values) we need to specify their exact position in the midPoint data model. The position is specified by an object type, and a path.
For example, this selects all case work items:
<parent>
<type>CaseType</type>
<path>workItem</path>
</parent>
Note that type
is optional here: it can be determined from the parent type and the path.
Optionally, a selector may be provided to limit the parent values as well. This selects work items from the correlation cases:
<parent>
<type>CaseType</type>
<archetypeRef oid="00000000-0000-0000-0000-000000000345"/> <!-- correlation case archetype -->
<path>workItem</path>
</parent>
Although the parent is usually an object type, it can be also a sub-object type. For example, certification work item is part of a certification case, which is a part of certification campaign:
<parent>
selectors<parent>
<parent>
<type>AccessCertificationCampaignType</type>
<!-- some conditions on campaigns here -->
<path>case</path>
</parent>
<!-- some conditions on certification cases here -->
<path>workItem</path>
</parent>
<!-- ... some conditions on certification work items here -->
Concrete Example
The following authorization allows the logged-in user to read the content of all values in workItem
container in any CaseType
object, where they are an assignee or deputy assignee.
This authorization covers all sub-items of workItem
, except for the createTimestamp
property.
<parent>
selector<authorization>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<parent>
<type>CaseType</type>
<path>workItem</path>
</parent>
<assignee>
<special>self</special>
</assignee>
</object>
<exceptItem>createTimestamp</exceptItem>
</authorization>
Notes
-
The
#read
(or#search
) authorization targeting sub-object values (e.g., case work items) does not authorize the user to search for embedding objects, i.e., cases. For that, a separate#search
authorization withtype
set toCaseType
has to be provided.
Limitations
Currently, the following items are supported by this clause:
-
case work items,
-
certification cases,
-
certification cases work items,
-
operation execution records,
-
assignments (partially - not for searching),
-
simulation-related processed objects records (partially - not for searching).
Other items should work as well, but with no guarantees.
In particular, it is possible to e.g. specify name
in UserType
as authorization object, but there is currently no way of specifying filter for the value.
Open Questions
How should we call this selector?
In the query language we use ownedBy
for this concept.
However, in selectors we already have owner
selector.
Default
If neither type
nor parent
clause is specified, a type of ObjectType
is assumed.