Item Summary
Name	Type	Multiplicity	Description
name	property string	[0,1]
description	property string	[0,1]
decision	property AuthorizationDecisionType	[0,1]
action	property anyURI	[1,-1]
phase	property AuthorizationPhaseType	[0,1]
enforcementStrategy	property AuthorizationEnforcementStrategyType	[0,1]	Setting that specifies when to enforce the authorization.
object	container OwnedObjectSelectorType	[0,-1]	Object part from the (subject,action,object) authorization triple.
item	property ItemPathType	[0,-1]
exceptItem	property ItemPathType	[0,-1]	Specification of items that are excluded from the scope of this authorization.
target	container OwnedObjectSelectorType	[0,-1]	Target of the operation.
relation	property QName	[0,-1]	Relation(s) to which the authorization applies.
limitations	container AuthorizationLimitationsType	[0,1]	Limitations of this authorization when it is applied to other authorizations.

Items
- name
  
  Flags: RAM,runtime
  
  Multiplicity: [0,1]
- description
  
  Flags: RAM,runtime
  
  Multiplicity: [0,1]
- decision
  
  Flags: RAM,runtime,AVals:2
  
  Multiplicity: [0,1]
- action
  
  Flags: RAM,runtime
  
  Multiplicity: [1,-1]
- phase
  
  Flags: RAM,runtime,AVals:2
  
  Multiplicity: [0,1]
- enforcementStrategy
  
  Flags: RAM,runtime,AVals:2
  
  Multiplicity: [0,1]
  
  Setting that specifies when to enforce the authorization. Default setting is to always enforce the authorization.
- object
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Object part from the (subject,action,object) authorization triple.
- item
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
- exceptItem
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Specification of items that are excluded from the scope of this authorization. I.e. the authorization applies to all the items except those items that are specified here.
  
  Note: there is subtle (but important) difference between not allowing access and denying access. Authorization that denies access specifies a final decision. Denied access cannot be allowed by any other authorization. Deny authorization are very strong from a security perspective, but it is extremely difficult to combine them with other authorizations. Therefore deny authorizations are used very rarely. On the other hand if the access is not allowed by a specific authorization then it can still be allowed by another authorization. This makes authorizations "mergeable". Not allowing access is usually the right approach. The exceptItem specification is a convenient way to "not allow" access to specific items.
  
  The item specification must not be combined with exceptItem. One or the other can be used, but not both. If neither item nor exceptItem is specified then it is assumed that the authorization applies to all items.
- target
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Target of the operation. E.g. an role that is being assigned. It can be considered an operation parameter. If no target is specified then the authorization applies to all possible targets.
- relation
  
  Flags: RAM,runtime
  
  Multiplicity: [0,-1]
  
  Relation(s) to which the authorization applies. This is applicable only to some authorizations, mostly those that create new object references (e.g. assign/unassign authorizations). If left empty it applies to all relations.
- limitations
  
  Flags: RAM,runtime
  
  Multiplicity: [0,1]
  
  Limitations of this authorization when it is applied to other authorizations. For example this specification may limit the power of attorney. It is only applicable to some authorization types.

AuthorizationType (Complex Type)

Namespace: http://midpoint.evolveum.com/xml/ns/public/common/common-3

Items

name

description

decision

action

phase

enforcementStrategy

object

item

exceptItem

target

relation

limitations