Request access configuration

Last modified 14 Aug 2025 14:16 +02:00
Since 4.6
This functionality is available since version 4.6.

Following document describes different options and configuration possibilities for request access UI.

Configuration can be placed in admin gui configuration element - globally set is system configuration or in all roles. See Admin GUI configuration on how configuration is compiled when user logs in.

As for request access UI, configuration is merged on level of wizard steps, e.g.:

  • Person of interest: targetSelection

  • Relations: relationSelection

  • Role catalog: roleCatalog

  • Shopping cart: checkout

Person of interest

If user can request role only for him/herself, this step will be hidden and user will be automatically selected. If there’s only one group for users to be selected, step will not be hidden and group will be automatically preselected and user will see autocomplete/manual user search.
Element Type Default value Description

defaultSelection

String

Identifier of group that should be preselected or constant "myself" to preselect option which represents user currently logged in.

allowRequestForMyself

boolean

true

This is simple override if currently authenticated user has authorization to request for him/herself assign other relations, but we don’t want them to do it via shopping cart.

allowRequestForOthers

boolean

true

This is simple override if currently authenticated user has authorization to assign other relations, but we don’t want them to do it via shopping cart.

group

GroupSelectionType

Group selection structure creates new tile in first step of request access wizard UI (person of interest). Tile button will allow user requesting access to select other users from collections specified by collectionRef or filter. Identifier and display elements are mandatory.

Relations

If there’s only one relation available, this step will be hidden and relation will be selected automatically.
Element Type Default value Description

defaultRelation

QName

QName of preselected relation.

allowOtherRelations

boolean

true

Whether to allow other relations than defaultRelation. Relations are computed as combination of predefined ones (#default, #member, #owner,…​) and configured in system configuration.

Role catalog

Table 1. Role catalog type description
Element Type Default value Description

defaultView

RoleCatalogViewType

tile

Default view of role catalog that should be presented to users.

allowedViews

RoleCatalogViewType

tile, table

Allowed values tile|table. Which types of views of role catalog are allowed to be shown to user.

showRolesOfTeammate

boolean

true

If true, menu item will be created. It will allow user to request roles based on other user assigned roles.

roleCatalogRef

ObjectReferenceType

Reference to the root object of the role catalog (org. structure). Up to 3 levels of org. structure will be shown as menus/submenus.

roleCatalogDepth

positive integer

Maximum depth of org. structure to be shown in role catalog.

collection

RoleCollectionViewType

Role collection view defines structure that should be shown in request access UI wizard - in role catalog step. It will represent new menu item with list of roles defined by collectionRef or collection identifier (e.g. allOrgs, allServices).

viewConfiguration

GuiObjectListViewType

Specification of an object collection that will be used for data presentation in the role catalog (for all available collection views including Roles of teammate and Role catalog organization tree). Role catalog has several sources of the object collection configuration (e.g. collectionRef or viewConfiguration), it’s possible to prioritize the configuration of the current collection (taken from Object collection object referenced in collectionRef) by setting preferCollectionView to true. If it is not specified, the default false value is used, which means that viewConfiguration configuration will be used if it is defined.

Table 2. Role collection view type description
Element Type Default value Description

identifier

String

The local identifier of the collection.

default

boolean

false

If set to true, the collection (the appropriate menu item on the Role catalog panel) will be selected as a default one.

collectionIdentifier

String

The identifier of the collection which points to a specific collection which will be displayed on the Role catalog panel (e.g. "allRoles", "allServices", "allOrgs").

collectionRef

ObjectReferenceType

Reference to the Object Collection object which contains additional configuration for the Role catalog collection (e.g. filter or defaultView are taken from Object collection object to be applied to the Role catalog collection).

preferCollectionView

boolean

false

If set to true, then the configuration of the defaultView taken from Object collection referenced object is prioritized towards viewConfiguration from RoleCatalogType.

details

ContainerPanelConfigurationType

Configuration to be applied to the role catalog item details panel

Shopping cart

Element Type Default value Description

comment

CheckoutCommentType

Configuration of comment text field in last step (checkout) of request access UI wizard.

validityConfiguration

CheckoutValidityConfigurationType

Configuration of validity (assignment validity) for requested roles in last step (checkout) of request access UI wizard.

Example

<accessRequest>
    <targetSelection>
        <group>
            <!-- group collection defined directly via object filter -->
            <identifier>b-users</identifier>
            <display>
                <label>Users with name containing b</label>
                <icon>
                    <cssClass>fa fa-pencil</cssClass>
                </icon>
            </display>
            <collection>
                <filter>
                    <q:text>name contains "b"</q:text>
                </filter>
            </collection>
        </group>
        <group>
            <!-- group collection defined via reference to ObjectCollectionType -->
            <identifier>collection-users</identifier>
            <display>
                <label>Users from collection</label>
                <icon>
                    <cssClass>fa fa-building</cssClass>
                </icon>
            </display>
            <collection>
                <collectionRef oid="82a2e4be-4042-42f6-8b06-02f1ebffda48" relation="org:default" type="c:ObjectCollectionType"/>
            </collection>
        </group>
    </targetSelection>
    <relationSelection>
        <!-- relation will be preselected and whole step hidden, since there's only one relation to be selected -->
        <defaultRelation>org:default</defaultRelation>
        <allowOtherRelations>false</allowOtherRelations>
    </relationSelection>
    <roleCatalog>
        <defaultView>table</defaultView>
        <rolesOfTeammate>
            <autocompleteConfiguration>
                <displayExpression>
                    <script>
                        <code>
                            return "Teammate: " + object.givenName + " (" + object.name + ")"
                        </code>
                    </script>
                </displayExpression>
                <autocompleteMinChars>1</autocompleteMinChars>
            </autocompleteConfiguration>
        </rolesOfTeammate>
        <roleCatalogRef oid="8d4670a8-17db-4330-a753-8d3492b19ff8" relation="org:default" type="c:OrgType"/>
        <roleCatalogDepth>2</roleCatalogDepth>
        <!-- Another menu item created using reference to ObjectCollectionType -->
        <collection>
            <identifier>example-collection</identifier>
            <collectionRef oid="d4f124ed-9694-4a97-8e18-f9fc45563003" relation="org:default" type="c:ObjectCollectionType"/>
        </collection>
        <!--
            Menu create using default collection (in this case reference by short identifier `allRoles`,
            which is equivalent to `http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles`).
            Also custom details panel was defined for popup.
        -->
        <collection>
            <identifier>all roles</identifier>
            <collectionIdentifier>allRoles</collectionIdentifier>
            <details>
                <identifier>some panel</identifier>
                <container>
                    <identifier>container-identifier</identifier>
                    <display>
                        <label>Custom description</label>
                    </display>
                    <item>
                        <path>description</path>
                    </item>
                </container>
                <panelType>formPanel</panelType>
                <type>RoleType</type>
            </details>
        </collection>
        <collection>
            <identifier>all orgs</identifier>
            <collectionIdentifier>allOrgs</collectionIdentifier>
            <default>true</default>
        </collection>
        <collection>
            <identifier>all services</identifier>
            <collectionIdentifier>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allServices</collectionIdentifier>
        </collection>
        <collection>
            <identifier>mid roles</identifier>
            <collectionRef oid="5c12258a-7f1d-43bc-8f40-9993df476bb5" type="c:ObjectCollectionType"/>
            <preferCollectionView>true</preferCollectionView>
        </collection>
        <viewConfiguration xsi:type="GuiObjectListViewType">
            <identifier>role-catalog-view</identifier>
            <column>
                <name>nameColumn</name>
                <c:path>name</c:path>
                <display>
                    <label>My Custom Name</label>
                    <cssStyle>min-width:350px;</cssStyle>
                </display>
            </column>
            <column>
                <name>descriptionColumn</name>
                <c:path>description</c:path>
                <display>
                    <label>My Custom Description</label>
                    <cssStyle>min-width:550px;</cssStyle>
                </display>
            </column>
        </viewConfiguration>
    </roleCatalog>
    <checkout>
        <!-- custom validity duration was created -->
        <validityConfiguration>
            <mandatory>true</mandatory>
            <predefinedValue>
                <display>
                    <label>10 years</label>
                </display>
                <duration>P10Y</duration>
            </predefinedValue>
        </validityConfiguration>
    </checkout>
</accessRequest>
Was this page helpful?
YES NO
Thanks for your feedback