Org Reference Clause

Last modified 22 Aug 2023 19:13 +02:00

Selects objects that are members of a specific Org. In the following example, the selector applies only to members of the Org identified by OID 1f82e908-0072-11e4-9532-001e8c717e5b.

Listing 1. Authorization applicable to objects in Org identified by OID 1f82e908-0072-11e4-9532-001e8c717e5b
        <orgRef oid="1f82e908-0072-11e4-9532-001e8c717e5b"/>

This is useful for delegated administration of fixed organizational subtrees.

The organization object itself (1f82e908-0072-11e4-9532-001e8c717e5b in the above example) is not covered by the authorization, because it is not a member of itself.
Membership is understood transitively, i.e., the objects selected are all objects in the subtree rooted at the given Org, not just its direct children. Also, only effective membership is taken into account: disabled or invalid assignments are ignored. (Technically speaking, parentOrgRef is what counts.)
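
The following Python model is an added illustration of the selection rules above, useful when reviewing which objects a delegated-administration authorization actually reaches. It is not midPoint code. The object names, the `ASSIGNMENTS` table and the function names are constructed for the example; only the root OID comes from Listing 1.

```python
# Model of the orgRef selection rules described above (not midPoint's implementation).
ROOT = "1f82e908-0072-11e4-9532-001e8c717e5b"  # OID from Listing 1

# Constructed sample data: object -> list of (target Org, assignment is effective).
# Identifiers other than ROOT are readable placeholders, not real OIDs.
ASSIGNMENTS = {
    ROOT: [],
    "org-sales": [(ROOT, True)],
    "org-sales-emea": [("org-sales", True)],
    "user-alice": [("org-sales-emea", True)],  # indirect member, two levels down
    "user-bob": [(ROOT, False)],               # only a disabled assignment
    "org-other": [],
    "user-carol": [("org-other", True)],       # member of a different subtree
}


def parent_org_refs(oid):
    """Effective parents only: disabled or invalid assignments yield no parentOrgRef."""
    return [target for target, effective in ASSIGNMENTS.get(oid, []) if effective]


def matches_org_ref(oid, org_oid):
    """True if oid lies in the subtree rooted at org_oid, excluding org_oid itself."""
    seen = set()
    stack = parent_org_refs(oid)
    while stack:
        parent = stack.pop()
        if parent == org_oid:
            return True
        if parent not in seen:  # guards against loops in the constructed data
            seen.add(parent)
            stack.extend(parent_org_refs(parent))
    return False


def selected(org_oid):
    """All objects the selector would cover for the given Org, sorted by name."""
    return sorted(o for o in ASSIGNMENTS if matches_org_ref(o, org_oid))


if __name__ == "__main__":
    for name in selected(ROOT):
        print(name)
```
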