Bulk Actions Authorizations

Last modified 24 Aug 2023 17:03 +02:00
This functionality is available since version 4.8.

Bulk actions are generally considered "safe", as their execution involves checking appropriate authorizations. For example, if one executes the add action, the #add authorization relevant to the object(s) being added is required.

However, to add another layer of security - for example, to prevent denial of service attacks - the mere execution of a bulk action requires a special authorization.

Before midPoint 4.8, it was named http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript. Unfortunately, the name was confusing. It sounds as if the authorization would allow running Groovy (or Velocity, Python, JavaScript, and similar) scripts, which is not true. (Because of their power, running these scripts from bulk actions before 4.8 required the #all authorization.)

Since 4.8, the #executeScript authorization is replaced by http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#all. Furthermore, it is now possible to allow or deny execution of individual actions using authorizations.

For example, if only http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign is granted, then only the assign bulk action can be invoked.

See Actions. The primary names of actions should be used: e.g., generate-value (not generateValue).
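
The following roles illustrate the per-action authorizations described above. This is an added example, not taken from the midPoint documentation or source; the role and authorization names are constructed, and the action URIs follow the naming rule stated on this page.

```xml
<!-- Added example. Role and authorization names are constructed for illustration. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Narrow grant: holders may invoke only the assign bulk action.
         This authorization gates invocation only; object-level
         authorizations for what the action does are still checked. -->
    <role>
        <name>Bulk Assign Only (example)</name>
        <authorization>
            <name>bulk-assign</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign</action>
        </authorization>
    </role>

    <!-- Broad grant with one action carved out: all bulk actions may be
         invoked except generate-value. The URI uses the primary action
         name (generate-value, not generateValue). -->
    <role>
        <name>Bulk All Except Generate Value (example)</name>
        <authorization>
            <name>bulk-all</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#all</action>
        </authorization>
        <authorization>
            <name>bulk-deny-generate-value</name>
            <decision>deny</decision>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#generate-value</action>
        </authorization>
    </role>

</objects>
```

Prefer the narrow form for service accounts and delegated administrators, and reserve #all for roles that genuinely need every bulk action.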
