...

  <authorization>
    <action>...</action>
    <object>
      <owner>
        <filter>
          <q:equal>
            <q:path>employeeType</q:path>
            <q:value>fulltime</q:value>
          </q:equal>
        </filter>
      </owner>
    </object>
  </authorization>

Object Selection by Tenant

Info: MidPoint 3.9 and later

Authorization applies only to objects that have the same tenant as the subject.

  <authorization>
    <action>...</action>
    <object>
      <tenant>
        <sameAsSubject>true</sameAsSubject>
      </tenant>
    </object>
  </authorization>

This authorization can be used to limit users to accessing objects only inside their own tenant.

This authorization works only if both the subject and the object are multi-tenant, i.e. it will not match if the subject has no tenant (no tenantRef) or if the object has no tenant. Ordinary (non-tenant) authorizations should be used for those cases.

Object Selection Combinations

The object selection criteria can be combined in almost any meaningful way. For example, the following authorization applies only to user objects that have locality set to Caribbean and are in the Org identified by OID

...
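As an added illustration of such a combination (this is not taken from the midPoint documentation), the following authorization joins a type restriction, the attribute filter from above, an org membership reference and the tenant selector in one object selector. The `type` and `orgRef` selector elements, the `q` query namespace URI and the `#read` action URI are assumed from the midPoint schema; the org OID is a placeholder.

```xml
<authorization xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <name>read-caribbean-users-in-own-org-and-tenant</name>
  <!-- "read" action of the midPoint authorization model (assumed URI) -->
  <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
  <object>
    <!-- only user objects are selected -->
    <type>UserType</type>
    <!-- attribute filter: locality must equal "Caribbean" -->
    <filter>
      <q:equal>
        <q:path>locality</q:path>
        <q:value>Caribbean</q:value>
      </q:equal>
    </filter>
    <!-- org membership; the OID below is a placeholder, not a real identifier -->
    <orgRef oid="ORG-OID-PLACEHOLDER"/>
    <!-- tenant restriction: matches only when both subject and object carry a tenantRef
         and those tenants are the same; objects without a tenant are never selected -->
    <tenant>
      <sameAsSubject>true</sameAsSubject>
    </tenant>
  </object>
</authorization>
```

All four criteria must hold for an object to be selected; a user in the right org and tenant but with a different locality is not covered by this authorization.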