There are scenarios, when it is needed to limit the number of objects that users see. This would normally be done by using authorizations. But authorizations have their limits. For example, we may normally need to allow users to see basic details of almost any objects. This is often needed because objects may be referenced from tasks, workitems, audit records and so on. Therefore users must be authorized to read such objects. On the other hand we do not want users to list all the objects. But getting and object and listing objects are both considered to be reading by an authorization subsystem. Therefore there is no way to disable one and enable the other.
But there is an elegant way how to limit listing of objects in midPoint user interface: Object Collections and Views. This feature was partially implemented in midPoint 3.9 specifically for the purpose of satisfying this use case. The basic principle is to define a special view containing only those objects that the users can see (e.g. "Employees" view). The remove authorizations for the pages that list all users. And leave only authorizations to access that specific view.
Definition of object view in adminGuiConfig in a role:
Definition of object collection as a separate midPoint object:
Users should be authorized to access the "user view" page: http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersView
Make sure that users do not have authorization to access "All users" page (http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll).
- Object Collections and Views
- - MID-4654Getting issue details... STATUS