<authorization> <name>attorney-manager-workitems</name> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#attorney</action> <object> <type>UserType</type> <orgRelation> <subjectRelation>org:manager</subjectRelation> <scope>allDescendants</scope> <includeReferenceOrg>true</includeReferenceOrg> </orgRelation> </object> <limitations> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#myWorkItems</action> <!-- simple way to read objects --> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> </limitations> </authorization> <authorization> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#attorneyWorkItems</action> </authorization>
Power of Attorney Configuration
Since 3.7This functionality is available since version 3.7.
Attorney authorization is needed for the manager to enable this functionality. The manager acts as an attorney for the approver. Therefore the manager role should contain the following authorization:
This authorization given the manager power of attorney (action) over the subordinate employees (object). The power of attorney is limited only to workitem-related actions (limitations).
User Interface Support
As the functionality is currently hardcoded to the workitem-related operations there is no feature to switch the whole user interface to the donor view. The attorney will only see a new menu item in the workitem section that allows the attorney to work with the workitems of the donor.
Missing/incomplete featureThis is a missing or incomplete feature of midPoint and/or of other related components. We are perfectly capable to implement, fix and finish the feature, just the funding for the work is needed. Please consider the possibility for supporting development of this feature by means of midPoint Platform subscription. If you already are midPoint Platform subscriber and this feature is within the goals of your deployment you may be able to use your subscription to endorse implementation of this feature.