Type and Parent Clauses
Selects objects of the specified type. In the following case, all shadows are selected:
<authorization>
    <action>...</action>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>
Since 4.8: This functionality is available since version 4.8.
For values that are smaller than an object (sometimes called sub-object values), we need to specify their exact position in the midPoint data model. The position is specified by an object type and a path.
For example, this selects all case work items:
<parent>
    <type>CaseType</type>
    <path>workItem</path>
</parent>
The type is optional here: it can be determined from the parent type and the path.
Optionally, a selector may be provided to limit the parent values as well. This selects work items from the correlation cases:
<parent>
    <type>CaseType</type>
    <archetypeRef oid="00000000-0000-0000-0000-000000000345"/> <!-- correlation case archetype -->
    <path>workItem</path>
</parent>
Although the parent is usually an object type, it can also be a sub-object type. For example, a certification work item is part of a certification case, which is part of a certification campaign:
<parent>
    <parent>
        <type>AccessCertificationCampaignType</type>
        <!-- some conditions on campaigns here -->
        <path>case</path>
    </parent>
    <!-- some conditions on certification cases here -->
    <path>workItem</path>
</parent>
<!-- ... some conditions on certification work items here -->
The following authorization allows the logged-in user to read the content of all values in the workItem container of any CaseType object where they are an assignee or deputy assignee. This authorization covers all sub-items of workItem, except for the
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <parent>
            <type>CaseType</type>
            <path>workItem</path>
        </parent>
        <assignee>
            <special>self</special>
        </assignee>
    </object>
    <exceptItem>createTimestamp</exceptItem>
</authorization>
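To make the resolution rules above concrete (type derived from parent type plus path, nested parent clauses, a filter on the parent such as archetypeRef, and the assignee self clause), here is an added example that is not midPoint's code: a small in-memory evaluator for selectors of this shape. The CONTAINER_TYPES table, the object model, the ids and the "alice-oid" principal are all constructed for the example; in midPoint the container types come from the schema, and the default of ObjectType when no clause is given is treated here as an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed mapping (parent type, path) -> contained value type.
# midPoint derives this from its schema; this table is constructed for the example.
CONTAINER_TYPES = {
    ("CaseType", "workItem"): "CaseWorkItemType",
    ("AccessCertificationCampaignType", "case"): "AccessCertificationCaseType",
    ("AccessCertificationCaseType", "workItem"): "AccessCertificationWorkItemType",
}

CORRELATION_CASE_ARCHETYPE = "00000000-0000-0000-0000-000000000345"  # oid from the page
ALICE = "alice-oid"  # constructed principal oid


@dataclass
class Value:
    """An object (parent is None) or a sub-object value sitting under `path` in its parent."""
    id: str
    type: str
    data: dict                      # constructed attributes: archetypeRef, assigneeRef lists
    parent: Optional["Value"] = None
    path: Optional[str] = None


@dataclass
class Selector:
    """Mirrors the XML clauses: type, parent (a Selector carrying the path), archetypeRef, assignee self."""
    type: Optional[str] = None
    path: Optional[str] = None      # only meaningful when this selector is used as a parent clause
    parent: Optional["Selector"] = None
    archetype_oid: Optional[str] = None
    assignee_self: bool = False


def effective_type(sel: Selector) -> str:
    """Explicit type wins; otherwise derive it from the parent's type and path."""
    if sel.type is not None:
        return sel.type
    if sel.parent is not None:
        key = (effective_type(sel.parent), sel.parent.path)
        if key not in CONTAINER_TYPES:
            raise ValueError(f"cannot determine type for {key}; specify <type> explicitly")
        return CONTAINER_TYPES[key]
    return "ObjectType"  # assumed default when neither type nor parent is given


def is_a(value: Value, sel_type: str) -> bool:
    # Assumption for the example: ObjectType matches only top-level objects, never container values.
    if sel_type == "ObjectType":
        return value.parent is None
    return value.type == sel_type


def matches(sel: Selector, value: Value, principal_oid: str) -> bool:
    if not is_a(value, effective_type(sel)):
        return False
    if sel.parent is not None:
        # The value must sit under the parent's path, and the parent itself must match recursively.
        if value.parent is None or value.path != sel.parent.path:
            return False
        if not matches(sel.parent, value.parent, principal_oid):
            return False
    if sel.archetype_oid is not None and sel.archetype_oid not in value.data.get("archetypeRef", []):
        return False
    if sel.assignee_self and principal_oid not in value.data.get("assigneeRef", []):
        return False
    return True


def build_sample() -> list[Value]:
    """Constructed data: a correlation case, an ordinary case, and a certification campaign tree."""
    corr = Value("case-corr", "CaseType", {"archetypeRef": [CORRELATION_CASE_ARCHETYPE]})
    wi1 = Value("wi-corr-1", "CaseWorkItemType", {"assigneeRef": [ALICE]}, corr, "workItem")
    wi2 = Value("wi-corr-2", "CaseWorkItemType", {"assigneeRef": ["bob-oid"]}, corr, "workItem")
    approval = Value("case-approval", "CaseType", {})
    wi3 = Value("wi-appr-1", "CaseWorkItemType", {"assigneeRef": [ALICE]}, approval, "workItem")
    campaign = Value("campaign-1", "AccessCertificationCampaignType", {})
    ccase = Value("cert-case-1", "AccessCertificationCaseType", {}, campaign, "case")
    cwi = Value("cert-wi-1", "AccessCertificationWorkItemType", {"assigneeRef": [ALICE]}, ccase, "workItem")
    return [corr, wi1, wi2, approval, wi3, campaign, ccase, cwi]


def select(sel: Selector, principal_oid: str) -> list[str]:
    """Ids of the sample values the selector covers for the given principal."""
    return [v.id for v in build_sample() if matches(sel, v, principal_oid)]


# The selectors shown on the page, expressed in this model.
ALL_CASE_WORK_ITEMS = Selector(parent=Selector(type="CaseType", path="workItem"))
CORRELATION_WORK_ITEMS = Selector(parent=Selector(
    type="CaseType", path="workItem", archetype_oid=CORRELATION_CASE_ARCHETYPE))
CERT_WORK_ITEMS = Selector(parent=Selector(
    parent=Selector(type="AccessCertificationCampaignType", path="case"), path="workItem"))
MY_CASE_WORK_ITEMS = Selector(parent=Selector(type="CaseType", path="workItem"), assignee_self=True)

if __name__ == "__main__":
    for name, sel in [("all case work items", ALL_CASE_WORK_ITEMS), ("correlation", CORRELATION_WORK_ITEMS),
                      ("certification", CERT_WORK_ITEMS), ("mine", MY_CASE_WORK_ITEMS)]:
        print(f"{name} ({effective_type(sel)}): {select(sel, ALICE)}")
```

Note that a selector rooted at `<parent><type>CaseType</type><path>workItem</path></parent>` never matches the case objects themselves; it only covers the work items under them, which is why a separate authorization is needed for the embedding objects.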
#search) authorization targeting sub-object values (e.g., case work items) does not authorize the user to search for embedding objects, i.e., cases. For that, a separate
CaseType has to be provided.
Currently, the following items are supported by this clause:
case work items,
certification cases work items,
operation execution records,
assignments (partially - not for searching),
simulation-related processed objects records (partially - not for searching).
Other items should work as well, but with no guarantees.
In particular, it is possible to specify, e.g., UserType as the authorization object, but there is currently no way of specifying a filter for the value.
How should we call this selector?
In the query language we use ownedBy for this concept.
However, in selectors we already have
parent clause is specified, a type of ObjectType is assumed.