    <authorization>
        <action>...</action>
        <object>
            <owner>
                ... inner object selector goes here ...
            </owner>
        </object>
    </authorization>
Selects objects that have an owner matching the inner object selector.
owner clause in authorizations
More specific example:
    <authorization>
        <action>...</action>
        <object>
            <owner>
                <archetypeRef oid="164319fb-7c23-4346-8a58-6e128b4861d5"/> <!-- Full-time employee -->
            </owner>
        </object>
    </authorization>
In midPoint 4.8, the owner clause is supported for the following object types:
The owner of a shadow is the focal object (e.g., user) that has a resource object (e.g., account) with a given shadow as its projection.
The owner of a persona user is another user that has a link to given persona (
The owner of a task is the focal object defined in
The support for other types (e.g. roles) may be added in the future.
However, for search pre-processing (search authorization action), this clause is supported in an even more limited way: only the task ownership is checked.
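As an added illustration (not part of the original documentation), the two authorizations below apply the owner clause to two of the supported types, shadows and tasks, restricting access to objects owned by the logged-in user. The action URIs, the `type` elements and the `<special>self</special>` selector are assumptions drawn from the general midPoint schema rather than from this page.

```xml
<!-- Added example: fragments intended for the <authorization> list of a role. -->

<!-- Shadows: allow getting only those shadows whose owner (the focal object
     that has the shadow as its projection) is the logged-in user. -->
<authorization>
    <name>get-own-shadows</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get</action>
    <object>
        <type>ShadowType</type>
        <owner>
            <!-- inner object selector: the subject of the authorization -->
            <special>self</special>
        </owner>
    </object>
</authorization>

<!-- Tasks: allow getting and searching only tasks owned by the logged-in user.
     Tasks are the one type for which ownership is checked during search
     pre-processing, so the owner clause is paired with #search only here. -->
<authorization>
    <name>read-own-tasks</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
    <object>
        <type>TaskType</type>
        <owner>
            <special>self</special>
        </owner>
    </object>
</authorization>
```

When reviewing roles, check every authorization that combines the search action with an owner clause on a non-task type, since ownership of those types is not evaluated during search pre-processing.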