IDM Model Authorizations
Action | Object | Target | Meaning | How it translated to |
---|---|---|---|---|
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read |
Object being read |
N/A |
Read objects |
Allows "read" operations such as |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add |
New object being added |
N/A |
Add new object |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify |
Object being modified |
N/A |
Modify existing object |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete |
Object being deleted |
N/A |
Delete existing object |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#recompute |
Object being recomputed |
N/A |
Recompute existing object without any requested change |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#test |
Resource for which to execute tests |
N/A |
Execute resource connection test |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#importObjects |
N/A |
N/A |
Import objects from file or stream (bulk).
This only allows to start the import.
Each individual object also needs to pass through authorization for |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#importFromResource |
Resource to import from |
N/A |
Import objects from resource.
This only allows to start the import.
Each individual created object also needs to pass through authorization for |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#discoverConnectors |
Connector host on which to start discovery |
N/A |
Discover connectors installed on a specified connector host |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign |
Focal object that receives the assignment (e.g. a user) |
Object which is the target of assignment (e.g. Role or Org) |
Allows to create a new assignment (see note below) |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign |
Focal object from which the assignment is removed (e.g. a user) |
Object which is the target of assignment (e.g. Role or Org) |
Allows to delete existing assignment (see note below) |
Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript (deprecated) |
N/A |
N/A |
Allows to execute midPoint scripts a.k.a. bulk actions |
Authorizes the possibility to execute the bulk actions. See Bulk Actions Authorizations. |
The assign
and unassign
authorizations are designed especially to allow assignment and un-assignment of specific roles and orgs, e.g. in cases of delegated administration, multi-tenancy and similar set-ups.
These authorizations are a request-phase replacement for much more powerful modify
authorization.
E.g. assign
authorization can be used to allow assignment only selected roles while modify
authorization can only give blanked permission to modify the assignment
property.
The assign
and unassign
authorizations work only in the request phase.
They are not effective in the execution phase.
Therefore modify
authorization is still needed in the execution phase.
However, as the operation needs to pass both phases to be allowed this is a sufficient set-up.