IDM Model Authorizations
Action | Object | Target | Meaning | How it translates to |
---|---|---|---|---|
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read | Object being read | N/A | Read objects | Allows "read" operations such as |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add | New object being added | N/A | Add new object | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify | Object being modified | N/A | Modify existing object | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete | Object being deleted | N/A | Delete existing object | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#recompute | Object being recomputed | N/A | Recompute existing object without any requested change | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#test | Resource for which to execute tests | N/A | Execute resource connection test | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#importObjects | N/A | N/A | Import objects from file or stream (bulk). This only allows starting the import. Each individual object also needs to pass through authorization for | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#importFromResource | Resource to import from | N/A | Import objects from resource. This only allows starting the import. Each individual created object also needs to pass through authorization for | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#discoverConnectors | Connector host on which to start discovery | N/A | Discover connectors installed on a specified connector host | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign | Focal object that receives the assignment (e.g. a user) | Object which is the target of the assignment (e.g. Role or Org) | Allows creating a new assignment (see note below) | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign | Focal object from which the assignment is removed (e.g. a user) | Object which is the target of the assignment (e.g. Role or Org) | Allows deleting an existing assignment (see note below) | Allows to invoke |
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript (deprecated) | N/A | N/A | Allows executing midPoint scripts, a.k.a. actions | Authorizes the possibility to execute the actions. See Actions Authorizations. |
The assign and unassign authorizations are designed specifically to allow assignment and un-assignment of particular roles and orgs, e.g. in delegated administration, multi-tenancy and similar set-ups. These authorizations are a request-phase replacement for the much more powerful modify authorization. E.g. an assign authorization can be used to allow assignment of only selected roles, while a modify authorization can only give blanket permission to modify the assignment property.

The assign and unassign authorizations work only in the request phase. They are not effective in the execution phase. Therefore a modify authorization is still needed in the execution phase. However, as an operation needs to pass both phases to be allowed, this is a sufficient set-up. The accompanying modify authorization should be restricted to the execution phase; if it applied to the request phase as well, it would grant the very blanket permission on the assignment property that the assign authorization is meant to avoid.
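The two-phase set-up described above, as an added example that is not part of the original page or of the midPoint distribution: a role granting request-phase assign and unassign authorizations limited to roles of a particular subtype, paired with an execution-phase modify authorization scoped to the assignment item of users. The role name, the subtype value "business", and the q prefix bound to the midPoint query namespace are assumptions made for this example.

```xml
<!-- Example role (constructed for illustration; not midPoint's own sample). -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Delegated role administrator</name>

    <!-- Request phase: may assign only roles whose subtype is "business" (assumed value). -->
    <authorization>
        <name>assign-business-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>subtype</q:path>
                    <q:value>business</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Request phase: may remove the same set of roles. -->
    <authorization>
        <name>unassign-business-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>subtype</q:path>
                    <q:value>business</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Execution phase only: assign/unassign do not apply here, so a modify
         authorization on the assignment item is needed. Limiting it to the
         execution phase keeps it from granting blanket request-phase modification. -->
    <authorization>
        <name>modify-assignment-execution</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>assignment</item>
    </authorization>
</role>
```

With this role, a request to add an assignment of a role whose subtype is not "business" is rejected in the request phase, because no assign authorization covers that target; the execution-phase modify authorization is never consulted on its own, since the request phase has to pass first. A read authorization on the relevant users and roles is still needed for the administrator to see the objects at all; it is omitted here to keep the example focused on the assignment flow.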