Type and Parent Clauses
Last modified 12 Oct 2023 20:56 +02:00

Type Clause

Selects objects of the specified type. In the following case all shadows are selected.

Listing 1. Selector matching all shadows
<type>ShadowType</type>
Listing 2. Authorization matching all shadows
<authorization>
    <action>...</action>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>

Parent Clause

Since 4.8
This functionality is available since version 4.8.

For values that are smaller than an object (sometimes called sub-object values) we need to specify their exact position in the midPoint data model. The position is specified by an object type, and a path.

For example, this selects all case work items:

Listing 3. Selector matching all case work items
<parent>
    <type>CaseType</type>
    <path>workItem</path>
</parent>

Note that type is optional here: it can be determined from the parent type and the path.

Optionally, a selector may be provided to limit the parent values as well. This selects work items from the correlation cases:

Listing 4. Selector matching all correlation cases work items
<parent>
    <type>CaseType</type>
    <archetypeRef oid="00000000-0000-0000-0000-000000000345"/> <!-- correlation case archetype -->
    <path>workItem</path>
</parent>

Although the parent is usually an object type, it can be also a sub-object type. For example, certification work item is part of a certification case, which is a part of certification campaign:

Listing 5. Nested <parent> selectors
<parent>
    <parent>
        <type>AccessCertificationCampaignType</type>
        <!-- some conditions on campaigns here -->
        <path>case</path>
    </parent>
    <!-- some conditions on certification cases here -->
    <path>workItem</path>
</parent>
<!-- ... some conditions on certification work items here -->

Concrete Example

The following authorization allows the logged-in user to read the content of all values in workItem container in any CaseType object, where they are an assignee or deputy assignee. This authorization covers all sub-items of workItem, except for the createTimestamp property.

Listing 6. Complete authorization with <parent> selector
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <parent>
            <type>CaseType</type>
            <path>workItem</path>
        </parent>
        <assignee>
            <special>self</special>
        </assignee>
    </object>
    <exceptItem>createTimestamp</exceptItem>
</authorization>

Notes

  • The #read (or #search) authorization targeting sub-object values (e.g., case work items) does not authorize the user to search for embedding objects, i.e., cases. For that, a separate #search authorization with type set to CaseType has to be provided.

Limitations

Currently, the following items are supported by this clause:

  • case work items,

  • certification cases,

  • certification cases work items,

  • operation execution records,

  • assignments (partially - not for searching),

  • simulation-related processed objects records (partially - not for searching).

Other items should work as well, but with no guarantees. In particular, it is possible to e.g. specify name in UserType as authorization object, but there is currently no way of specifying filter for the value.

Open Questions

How should we call this selector? In the query language we use ownedBy for this concept. However, in selectors we already have owner selector.

Default

If neither type nor parent clause is specified, a type of ObjectType is assumed.

Was this page helpful?
YES NO
Thanks for your feedback