Service Authorizations
REST Service Authorizations
| ID | Action | Allows access to |
|---|---|---|
1 |
|
All operations |
2 |
|
Access to specific REST operation. The URI fragments of individual operations are present here. These authorizations do not check for any specific objects, e.g., an object that is going to be retrieved or modified by the operation. They are just "yes/no" authorizations for the operation itself. See the note below. |
3 |
|
Authorizes the impersonation. |
Operation-level authorizations are available in the following midPoint versions:
-
4.4.8 and higher (for 4.4.x),
-
4.7.4 and higher (for 4.7.x),
-
4.8.2 and higher (for 4.8.x).
In 4.4.x and 4.7.x, the following REST operations can be specified:
-
generateValue: Generate value -
rpcGenerateValue: Generate value (RPC) -
validateValue: Validate value -
rpcValidateValue: Validate value (RPC) -
getValuePolicy: Get value policy -
getObject: Get object -
getSelf: Get self -
getObjects: Get objects -
addObject: Add object -
deleteObject: Delete object -
modifyObject: Modify object -
notifyChange: Notify change -
findShadowOwner: Find shadow owner -
importShadow: Import shadow -
searchObjects: Search objects -
importFromResource: Import from resource -
testResource: Test resource -
suspendTask: Suspend task -
resumeTask: Resume task -
runTask: Run task -
executeScript: Execute script -
resetCredential: Reset credentials
Web Service (SOAP) Authorizations
| The SOAP interface was removed in midPoint 4.2. It was completely replaced by the REST service interface. |
Service Authorizations and Object Authorizations
WS or REST authorizations are necessary, but not sufficient condition to allow access to data in midPoint. These authorizations are just the "first line" of defense. The user needs to have these authorizations to invoke the service operation. But this authorization does not give access to any data. For practical use-cases the user must also have ordinary (object) authorizations such as read, add, modify or delete to access any midPoint data. Without these authorizations the WS/REST authorizations are almost useless.