Service Authorizations

Last modified 05 Mar 2024 10:28 +01:00

REST Service Authorizations

ID | Action | Allows access to

1 | http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all | All operations

2 | http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#<operation> | Access to one specific REST operation. The URI fragment of each operation is listed on the page devoted to that operation. These authorizations do not check any specific object, e.g. the object that is going to be retrieved or modified by the operation; they are only "yes/no" authorizations for the operation itself. See the note below.

3 | http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#proxy | Authorizes impersonation.

Operation-level authorizations are available in the following midPoint versions:

  • 4.4.8 and higher (for 4.4.x),

  • 4.7.4 and higher (for 4.7.x),

  • 4.8.2 and higher (for 4.8.x).

In 4.4.x and 4.7.x, the following REST operations can be specified:

  • generateValue: Generate value

  • rpcGenerateValue: Generate value (RPC)

  • validateValue: Validate value

  • rpcValidateValue: Validate value (RPC)

  • getValuePolicy: Get value policy

  • getObject: Get object

  • getSelf: Get self

  • getObjects: Get objects

  • addObject: Add object

  • deleteObject: Delete object

  • modifyObject: Modify object

  • notifyChange: Notify change

  • findShadowOwner: Find shadow owner

  • importShadow: Import shadow

  • searchObjects: Search objects

  • importFromResource: Import from resource

  • testResource: Test resource

  • suspendTask: Suspend task

  • resumeTask: Resume task

  • runTask: Run task

  • executeScript: Execute script

  • resetCredential: Reset credentials

Service Authorizations and Object Authorizations

WS or REST authorizations are a necessary, but not sufficient, condition for access to data in midPoint. They are only the "first line" of defense: the user needs them to invoke the service operation at all, but they grant no access to any data. For practical use cases the user must also hold ordinary (object) authorizations such as read, add, modify or delete for the midPoint data being accessed. Without those, the WS/REST authorizations are almost useless.
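As an added example (not part of midPoint's documentation or code base), the following Python script lints exported role definitions for exactly this gap: a role that grants authorization-rest-3 operations but no authorization-model-3 object authorization, and a role that grants the blanket #all REST action. The three role XML samples are constructed for the example; the element layout (<authorization> with <action> and an optional <object>/<type>) and the namespace URIs follow midPoint's common-3 schema, while the finding texts are the script's own.

```python
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
REST_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3"
MODEL_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3"

# Constructed sample: a REST operation is granted, but no object authorization at all.
ROLE_REST_ONLY = f"""<role xmlns="{COMMON_NS}">
  <name>rest-reader-incomplete</name>
  <authorization>
    <action>{REST_NS}#getObject</action>
  </authorization>
</role>"""

# Constructed sample: REST operations paired with a read authorization on users.
ROLE_COMPLETE = f"""<role xmlns="{COMMON_NS}">
  <name>rest-user-reader</name>
  <authorization>
    <action>{REST_NS}#getObject</action>
  </authorization>
  <authorization>
    <action>{REST_NS}#searchObjects</action>
  </authorization>
  <authorization>
    <action>{MODEL_NS}#read</action>
    <object>
      <type>UserType</type>
    </object>
  </authorization>
</role>"""

# Constructed sample: blanket REST access plus blanket object access.
ROLE_ALL = f"""<role xmlns="{COMMON_NS}">
  <name>rest-superuser</name>
  <authorization>
    <action>{REST_NS}#all</action>
  </authorization>
  <authorization>
    <action>{MODEL_NS}#all</action>
  </authorization>
</role>"""


def authorization_actions(role_xml: str) -> list[str]:
    """Return every <authorization>/<action> URI declared directly in a role."""
    root = ET.fromstring(role_xml)
    ns = {"c": COMMON_NS}
    return [a.text.strip() for a in root.findall("c:authorization/c:action", ns) if a.text]


def split_by_namespace(actions: list[str]) -> tuple[set[str], set[str]]:
    """Separate REST (service-level) fragments from model (object-level) fragments."""
    rest = {a.split("#", 1)[1] for a in actions if a.startswith(REST_NS + "#")}
    model = {a.split("#", 1)[1] for a in actions if a.startswith(MODEL_NS + "#")}
    return rest, model


def lint_role(role_xml: str) -> list[str]:
    """Report REST authorizations that cannot do useful work on their own."""
    rest, model = split_by_namespace(authorization_actions(role_xml))
    findings = []
    if rest and not model:
        findings.append(
            "REST operations %s granted without any object authorization: "
            "the service call is allowed but no data can be read or changed"
            % sorted(rest)
        )
    if "all" in rest:
        findings.append(
            "authorization-rest-3#all grants every REST operation; "
            "list only the operations the role actually needs"
        )
    return findings


if __name__ == "__main__":
    for role in (ROLE_REST_ONLY, ROLE_COMPLETE, ROLE_ALL):
        name = ET.fromstring(role).find("{%s}name" % COMMON_NS).text
        print(name, lint_role(role) or ["ok"])
```

The lint looks at one role definition in isolation. In a live deployment the effective authorizations of a user are the union of everything assigned or induced through the role hierarchy, so a finding on a single role means "review this role", not that the deployment is necessarily misconfigured.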
