Power of Attorney Configuration

Last modified 15 Nov 2021 14:24 +01:00
Since 3.7
This functionality is available since version 3.7.

Introduction

MidPoint currently has a very limited implementation of power of attorney. The implementation is limited only to see and manage approval work items of another user. This feature can be used to allow managers of approvers to see their work items and act upon them.

Authorization

Attorney authorization is needed for the manager to enable this functionality. The manager acts as an attorney for the approver. Therefore the manager role should contain the following authorization:

    <authorization>
        <name>attorney-manager-workitems</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#attorney</action>
        <object>
            <type>UserType</type>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
                <scope>allDescendants</scope>
                <includeReferenceOrg>true</includeReferenceOrg>
            </orgRelation>
        </object>
        <limitations>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myWorkItems</action>
            <!-- simple way to read objects -->
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        </limitations>
    </authorization>
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#attorneyWorkItems</action>
    </authorization>

This authorization given the manager power of attorney (action) over the subordinate employees (object). The power of attorney is limited only to workitem-related actions (limitations).

User Interface Support

As the functionality is currently hardcoded to the workitem-related operations there is no feature to switch the whole user interface to the donor view. The attorney will only see a new menu item in the workitem section that allows the attorney to work with the workitems of the donor.

Limitations

Missing/incomplete feature
This is a missing or incomplete feature of midPoint and/or of other related components. We are perfectly capable to implement, fix and finish the feature, just the funding for the work is needed. Please consider the possibility for supporting development of this feature by means of midPoint Platform subscription. If you already are midPoint Platform subscriber and this feature is within the goals of your deployment you may be able to use your subscription to endorse implementation of this feature.

See Also

Was this page helpful?
YES NO
Thanks for your feedback