Assignee and Candidate Assignee Clause

Last modified 22 Aug 2023 19:13 +02:00

It selects objects (cases, work items) that have an assignee which is specified by inner object selector.

An example:

Listing 1. An authorization allowing reading any case in which the subject is an assignee
<authorization>
    <name>cases-assignee-self-read</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>CaseType</type>
        <assignee>
            <special>self</special>
        </assignee>
    </object>
</authorization>

The following behavior applies to midPoint 4.8.

Table 1. Supported object types
Object type What are the assignees?

CaseType

All assigneeRef values from all workItem values.

AccessCertificationCaseType

All assigneeRef values from all workItem values.

AbstractWorkItemType (work items for both types of cases)

All assigneeRef values.

Delegation

During evaluation of this clause, the self clause in the inner selector has an interpretation that slightly differs from the usual one: Instead of matching the principal object only, it matches all of its deputies relevant for given area (i.e., case management or access certification). So, if ann is a deputy of jack with the rights in the area of case management, and a case C has a work item assigned to jack, and ann has the authorization depicted in Listing 1, then she can read the case C exactly as jack can.

Limitations

  1. When searching, only self selector is supported.

Candidate Assignee

Since 4.8
This functionality is available since version 4.8.

In a similar way, candidate assignees can be authorized regarding cases, certification cases, and their work items. The candidateRef item is taken into account instead of assigneeRef.

Was this page helpful?
YES NO
Thanks for your feedback