<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
        <delegator>
            <special>self</special>
        </delegator>
    </object>
    <item>assignment</item>
    <item>roleMembershipRef</item>
    <item>delegatedRef</item>
</authorization>
An object matches this selector clause if it has an active delegation assignment whose target is the object specified by the inner object selector.
When a subject wants to see who their delegates are (i.e., the users that have been given some of the subject's authorities), the subject needs read authorization for those users. The reason is that delegation assignments are stored not in the delegator object but in the delegate objects. So the authorization must select all users whose delegator is the current subject, which is exactly what the delegator clause with the self selector does.
So, for example, if mary and two other users are delegates of jack, jack should have the above authorization to allow him to see the assignment, roleMembershipRef and delegatedRef items of those three users.
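To make the evaluation order concrete, here is an added example (not midPoint's own code) that models the delegator clause on a small in-memory repository. User objects, OIDs (u-jack, u-mary, u-alice, u-bob, u-carol), role OIDs and the validity dates are all constructed for the example; the inner selector is a plain predicate so that `self` resolves to "the target is the subject". It shows the point the text makes: the clause is evaluated against the delegate's own assignments, only active delegations count, and only the items listed in the authorization are exposed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed model of midPoint-style user objects (assumption: not midPoint's classes).
# A delegation is an assignment whose target is a UserType; it lives in the delegate,
# not in the delegator, which is why the selector must scan candidate users.


@dataclass
class Assignment:
    target_oid: str
    target_type: str  # "UserType" for a delegation, "RoleType" for an ordinary role
    enabled: bool = True
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Active = administratively enabled and inside the validity window."""
        if not self.enabled:
            return False
        if self.valid_from is not None and now < self.valid_from:
            return False
        if self.valid_to is not None and now > self.valid_to:
            return False
        return True


@dataclass
class User:
    oid: str
    name: str
    given_name: str = ""  # deliberately NOT among the authorized items
    assignments: List[Assignment] = field(default_factory=list)
    role_membership_refs: List[str] = field(default_factory=list)
    delegated_refs: List[str] = field(default_factory=list)


# Maps the <item> names from the authorization to attributes of the model above.
ITEM_ATTR = {
    "assignment": "assignments",
    "roleMembershipRef": "role_membership_refs",
    "delegatedRef": "delegated_refs",
}


def self_selector(subject: User) -> Callable[[User], bool]:
    """<special>self</special>: the inner selector matches only the subject itself."""
    return lambda obj: obj.oid == subject.oid


def delegator_matches(obj: User, inner: Callable[[User], bool],
                      repo: Dict[str, User], now: datetime) -> bool:
    """<delegator> clause: obj has an active delegation to a user matched by `inner`."""
    for a in obj.assignments:
        if a.target_type != "UserType" or not a.is_active(now):
            continue
        target = repo.get(a.target_oid)
        if target is not None and inner(target):
            return True
    return False


def read_delegates(subject: User, repo: Dict[str, User], items: List[str],
                   now: datetime) -> Dict[str, Dict[str, object]]:
    """Apply the page's read authorization: UserType objects whose delegator is self,
    restricted to the listed items. Returns {user name: {item: value}}."""
    inner = self_selector(subject)
    visible = {}
    for u in repo.values():
        if u.oid != subject.oid and delegator_matches(u, inner, repo, now):
            visible[u.name] = {item: getattr(u, ITEM_ATTR[item]) for item in items}
    return visible


def build_repo() -> Dict[str, User]:
    """Constructed sample data: jack plus four users with different delegation states."""
    utc = timezone.utc
    jack = User("u-jack", "jack", "Jack")
    mary = User("u-mary", "mary", "Mary",
                assignments=[Assignment("u-jack", "UserType")],
                role_membership_refs=["r-employee", "r-approver"],
                delegated_refs=["r-approver"])
    alice = User("u-alice", "alice", "Alice",
                 assignments=[Assignment("u-jack", "UserType",
                                         valid_to=datetime(2025, 1, 1, tzinfo=utc))],
                 delegated_refs=["r-approver"])
    bob = User("u-bob", "bob", "Bob",  # delegation expired: must NOT match
               assignments=[Assignment("u-jack", "UserType",
                                       valid_to=datetime(2024, 1, 1, tzinfo=utc))])
    carol = User("u-carol", "carol", "Carol",  # delegate of mary, not of jack
                 assignments=[Assignment("u-mary", "UserType"),
                              Assignment("r-employee", "RoleType")])
    return {u.oid: u for u in (jack, mary, alice, bob, carol)}


if __name__ == "__main__":
    repo = build_repo()
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, items in read_delegates(repo["u-jack"], repo, list(ITEM_ATTR), now).items():
        print(name, items)
```

Note that carol is excluded although she holds an active delegation: the inner selector is `self`, so only delegations pointing at the subject (jack) count. Bob is excluded because his delegation has expired, which is what "active" in the clause description means in this model.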
The self clause can be specified as the inner object selector, as in the example above.
Objects considered by this selector are limited to
This clause is not supported for search pre-processing (e.g.