<role>
    <name>Tenant Admin Role</name>
    <authorization>
        <name>tenant admin autz</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <tenant>
                <sameAsSubject>true</sameAsSubject>
                <includeTenantOrg>false</includeTenantOrg>
            </tenant>
        </object>
        <exceptItem>tenant</exceptItem>
        <exceptItem>tenantRef</exceptItem>
    </authorization>
</role>
This authorization applies only if both the subject and the object are multi-tenant, i.e. it will not apply if the subject has no tenant (no tenantRef) or if the object has no tenant. Ordinary (non-tenant) authorizations should be used for those cases. See the Authorization Configuration page for more details.
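The following is an added example, not midPoint's own code: a small model of how the authorization above is evaluated, covering the sameAsSubject match, the includeTenantOrg flag, the exceptItem exclusions, and the rule that it applies only when both subject and object carry a tenantRef. The Obj and TenantAuthz classes and the single-string tenant OIDs are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Action URIs exactly as used in the authorization above.
NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"
ACTIONS = frozenset(NS + a for a in ("read", "add", "modify", "delete"))


@dataclass
class Obj:
    """Hypothetical stand-in for a midPoint object (assumption of this model)."""
    oid: str
    tenant_ref: Optional[str] = None   # OID of the tenant org; None = not multi-tenant
    is_tenant_org: bool = False        # True for the tenant org object itself


@dataclass
class TenantAuthz:
    """Model of <object><tenant>...</tenant></object> with exceptItem handling."""
    include_tenant_org: bool = False                      # <includeTenantOrg>
    except_items: frozenset = frozenset({"tenant", "tenantRef"})  # <exceptItem>

    def object_in_scope(self, subject: Obj, obj: Obj) -> bool:
        # Both sides must be multi-tenant, otherwise this authorization does not
        # apply at all and an ordinary authorization has to cover the request.
        if subject.tenant_ref is None or obj.tenant_ref is None:
            return False
        # sameAsSubject=true: object must live in the subject's own tenant.
        if obj.tenant_ref != subject.tenant_ref:
            return False
        # includeTenantOrg=false: the tenant org object itself stays out of scope.
        if obj.is_tenant_org and not self.include_tenant_org:
            return False
        return True

    def allows(self, subject: Obj, action: str, obj: Obj,
               items: Iterable[str] = ()) -> bool:
        """items: names of the items the operation touches (e.g. for modify)."""
        if action not in ACTIONS:
            return False
        if not self.object_in_scope(subject, obj):
            return False
        # exceptItem: the authorization never covers these items, so a tenant
        # admin cannot re-home an object into another tenant via tenantRef.
        return not any(item in self.except_items for item in items)
```

The model treats the tenant org as carrying its own OID in tenant_ref, which is a simplifying assumption, not a statement about midPoint's data model.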
Limitations and Future Improvements
- Workitems currently do not support multi-tenancy. They are not bound to specific tenants. Approval processes may still be used in some multi-tenant deployments as workitems are bound to specific users or organizations that have tenancy support. But caution should be exercised in such deployments. This can be later solved by migrating approvals to use midPoint's internal case objects.
- Resources and tasks do not support assignments (they are not "focal objects"). Resources and tasks can still be placed inside the organizational structure, but there are limitations. Support for the concept of assignment for resources and tasks may be one possible solution here.
- Objects created by a tenant user could be automatically made part of that tenant. E.g. tasks started by a user or new resources created by that user might be automatically assigned to the same tenant. This is not implemented yet. It is partially related to the planned Archetypes feature.
- The concept of multi-tenancy has almost no support in the midPoint user interface. Ideally, tenant administrators should be constrained to their tenants, global administrators should be able to switch between tenant and global views, and so on. However, current user interface support for tenancy is the same as the support for organizational structure. This is sufficient for many multi-tenant deployments, but there is definitely room for improvement.