...

<role>
    <name>Tenant Admin Role</name>
    <authorization>
        <name>tenant admin autz</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <tenant>
                <sameAsSubject>true</sameAsSubject>
            </tenant>
        </object>
        <exceptItem>tenant</exceptItem>
        <exceptItem>tenantRef</exceptItem>
    </authorization>
</role>


TODO

This authorization works only if both the subject and the object are multi-tenant, i.e. it does not apply when the subject has no tenant (no tenantRef) or when the object has no tenant. Ordinary (non-tenant) authorizations should be used for those cases.
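The following is an added example (not midPoint code) that models how the tenant-scoped authorization above is evaluated for a single request: it parses a copy of the role XML from this page and applies the rules the text describes, namely that subject and object must both carry a tenantRef, the tenants must match, and the items listed in exceptItem are never covered. The subject and object dictionaries and the `is_allowed` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

# Constructed copy of the authorization from the page (namespace URI factored out).
ROLE_XML = """<role>
  <name>Tenant Admin Role</name>
  <authorization>
    <name>tenant admin autz</name>
    <action>{ns}read</action>
    <action>{ns}add</action>
    <action>{ns}modify</action>
    <action>{ns}delete</action>
    <object><tenant><sameAsSubject>true</sameAsSubject></tenant></object>
    <exceptItem>tenant</exceptItem>
    <exceptItem>tenantRef</exceptItem>
  </authorization>
</role>""".format(ns=NS)


def parse_authorization(xml_text):
    """Extract actions, the sameAsSubject flag and excluded items from the role XML."""
    autz = ET.fromstring(xml_text).find("authorization")
    same = autz.findtext("object/tenant/sameAsSubject")
    return {
        "actions": {a.text.split("#")[-1] for a in autz.findall("action")},
        "same_tenant": same == "true",
        "except_items": {e.text for e in autz.findall("exceptItem")},
    }


def is_allowed(autz, subject, obj, action, items=()):
    """Decide whether this one authorization grants `action` on `obj`.

    `items` are the object items touched by the request (e.g. on modify).
    Hypothetical model: a non-tenant subject or object is simply not matched,
    so the grant would have to come from an ordinary authorization instead.
    """
    if action not in autz["actions"]:
        return False
    if autz["same_tenant"]:
        if not subject.get("tenantRef") or not obj.get("tenantRef"):
            return False  # subject or object has no tenant: rule does not apply
        if subject["tenantRef"] != obj["tenantRef"]:
            return False  # object belongs to a different tenant
    # exceptItem: tenant and tenantRef are never covered, so the tenant admin
    # cannot move an object into or out of a tenant through this authorization.
    return not (set(items) & autz["except_items"])


AUTZ = parse_authorization(ROLE_XML)
```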

Limitations and Future Improvements

...