| Action | Object | Target | Meaning | How it translates to IDM Model Interface |
|---|---|---|---|---|
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read` | Object being read | N/A | Read objects | Allows "read" operations such as getObject, searchObjects, countObjects, ... |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add` | New object being added | N/A | Add new object | Allows to invoke executeChanges operation with add deltas for specified objects |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify` | Object being modified | N/A | Modify existing object | Allows to invoke executeChanges operation with modify deltas for specified objects |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete` | Object being deleted | N/A | Delete existing object | Allows to invoke executeChanges operation with delete deltas for specified objects |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#recompute` | Object being recomputed | N/A | Recompute existing object without any requested change | Allows to invoke recompute operation |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#test` | Resource for which to execute tests | N/A | Execute resource connection test | Allows to invoke testResource operation |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#importObjects` | N/A | N/A | Import objects from file or stream (bulk). This only allows to start the import. Each individual object also needs to pass through authorization for the add action. | Allows to invoke importObjectsFromFile and importObjectsFromStream operations |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#importFromResource` | Resource to import from | N/A | Import objects from resource. This only allows to start the import. Each individual created object also needs to pass through authorization for the add action. | Allows to invoke importFromResource operation |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#discoverConnectors` | Connector host on which to start discovery | N/A | Discover connectors installed on a specified connector host | Allows to invoke discoverConnectors operation |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign` | Focal object that receives the assignment (e.g. a user) | Object which is the target of the assignment (e.g. Role or Org) | Allows to create a new assignment (see note below) | Allows to invoke executeChanges operation with modify deltas for specified objects that add an assignment to specified targets |
| `http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign` | Focal object from which the assignment is removed (e.g. a user) | Object which is the target of the assignment (e.g. Role or Org) | Allows to delete an existing assignment (see note below) | Allows to invoke executeChanges operation with modify deltas for specified objects that add assignment to specified targets |

The assign and unassign authorizations are designed especially to allow assignment and un-assignment of specific roles and orgs, e.g. in cases of delegated administration, multi-tenancy and similar set-ups. These authorizations are a request-phase replacement for the much more powerful modify authorization. E.g. the assign authorization can be used to allow assignment of only selected roles, while the modify authorization can only give blanket permission to modify the whole assignment property. The assign and unassign authorizations work only in the request phase; they are not effective in the execution phase. Therefore the modify authorization is still needed in the execution phase. However, as the operation needs to pass both phases to be allowed, this combination is a sufficient set-up.
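The following role definition is an added illustration of the two-phase set-up described above; it is not taken from the midPoint project and the role name, the filtered role name "Basic User" and the authorization names are assumed values for the example. The request-phase `assign` authorization restricts which targets may be assigned, and the execution-phase `modify` authorization on the `assignment` item lets the resulting delta through; the object filter is intentionally narrow so that the broad execution-phase permission is only reachable through the narrow request-phase one.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Delegated Basic User Assigner</name> <!-- assumed name for this example -->

    <!-- Request phase: the operator may only ask to assign the role named "Basic User"
         to users. A request to assign any other role is refused here. -->
    <authorization>
        <name>request-assign-basic-user</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>name</q:path>
                    <q:value>Basic User</q:value> <!-- assumed role name -->
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Request phase: symmetric permission to remove that same assignment. -->
    <authorization>
        <name>request-unassign-basic-user</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>name</q:path>
                    <q:value>Basic User</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Execution phase: assign/unassign are not evaluated here, so the modify delta
         on the assignment item must be allowed explicitly. Limiting it to the
         assignment item (rather than the whole user) keeps the grant minimal; the
         request phase above still decides which targets are acceptable. -->
    <authorization>
        <name>execution-modify-assignment</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>assignment</item>
    </authorization>

    <!-- Read access so the operator can locate the user and the role in the first place. -->
    <authorization>
        <name>read-users-and-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
        <object>
            <type>RoleType</type>
        </object>
    </authorization>
</role>
```

A useful check after importing such a role is to log in as a user holding it and attempt to assign a role other than the filtered one: the request should be denied in the request phase, while assigning the permitted role succeeds because the execution-phase modify authorization covers the resulting delta.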
