Authorization define fine-grained access to midPoint objects and system functionality.
Name | Type | Multiplicity | Description |
---|---|---|---|
name |
property string |
[0,1] | |
description |
property string |
[0,1] | Free-form textual description of the object. |
documentation |
property string |
[0,1] | Technical documentation for a particular object or construct. |
decision |
property AuthorizationDecisionType |
[0,1] | Decision that this authorization specifies. |
action |
property anyURI |
[1,-1] | Action part from the (subject,action,object) authorization triple. |
phase |
property AuthorizationPhaseType |
[0,1] | Specifies when to conduct authorization and what exactly to authorize. |
enforcementStrategy |
property AuthorizationEnforcementStrategyType |
[0,1] | Setting that specifies when to enforce the authorization. |
zoneOfControl |
property ZoneOfControlType |
[0,1] | |
object |
container OwnedObjectSelectorType |
[0,-1] | Object part from the (subject,action,object) authorization triple. |
item |
property ItemPathType |
[0,-1] | Specification of items that form a scope of this authorization. |
exceptItem |
property ItemPathType |
[0,-1] | Specification of items that are excluded from the scope of this authorization. |
target |
container OwnedObjectSelectorType |
[0,-1] | Target of the operation. |
relation |
property QName |
[0,-1] | Relation(s) to which the authorization applies. |
orderConstraints |
container OrderConstraintsType |
[0,1] | Order constraints for cases when assignment/inducement is a matter of the authorization decision. |
limitations |
container AuthorizationLimitationsType |
[0,1] | Limitations of this authorization when it is applied to other authorizations. |
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Free-form textual description of the object. It is supposed to describe
the object or a construct that it is attached to.
This information may be presented to midPoint users, even to ordinary end users.
For example role description may be presented to users when they are selecting
roles to request. Therefore the description should be written in a language that
the users can understand.
Description is assumed to be a plan, non-formatted text.
Amount of white space is considered insignificant. E.g. leading and trailing
white space may be skipped, multiple spaces can be collapsed to one and so on.
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Technical documentation for a particular object or construct.
The purpose of this element is to document system configuration and behavior.
The documentation will not be presented to end users. In fact, it will probably
not be presented at all in midPoint user interface. This documentation element
is supposed to be a part of the technical documentation of midPoint deployment.
The tools than generate deployment configuration will look for these elements
and combine them to compiled documentation document.
AsciiDoc formatting is assumed for this element. Any leading or trailing
whitespace is skipped. Indentation equivalent to he indentation of the first
non-blank line of text is also skipped.
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Display order:
Decision that this authorization specifies. If the decision is "allow" (which is the
default) then this authorization allows access. If the decision is "deny" then this
authorization denies access. Denial is a final decisions. If at least one applicable
authorization denies access then the access is always denied, regardless of any other
allow authorizations.
Note: there is subtle (but important) difference between not allowing access and
denying access. Authorization that denies access specifies a final decision. Denied
access cannot be allowed by any other authorization. Deny authorization are very
strong from a security perspective, but it is extremely difficult to combine them
with other authorizations. Therefore deny authorizations are used very rarely.
On the other hand if the access is not allowed by a specific authorization then
it can still be allowed by another authorization. This makes authorizations "mergeable".
Not allowing access is usually the right approach.
Flags: RAM,runtime
Multiplicity: [1,-1]
Display order:
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Specification of items that form a scope of this authorization. This authorization will
only affect the items specified in this element. If no items are specified then the
authorization applies to all items in the objects.
The item specification must not be combined with exceptItem. One or the other can be
used, but not both. If neither item nor exceptItem is specified then it is assumed
that the authorization applies to all items.
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Specification of items that are excluded from the scope of this authorization.
I.e. the authorization applies to all the items except those items that are
specified here.
Note: there is subtle (but important) difference between not allowing access and
denying access. Authorization that denies access specifies a final decision. Denied
access cannot be allowed by any other authorization. Deny authorization are very
strong from a security perspective, but it is extremely difficult to combine them
with other authorizations. Therefore deny authorizations are used very rarely.
On the other hand if the access is not allowed by a specific authorization then
it can still be allowed by another authorization. This makes authorizations "mergeable".
Not allowing access is usually the right approach.
The exceptItem specification is a convenient way to "not allow" access to specific
items.
The item specification must not be combined with exceptItem. One or the other can be
used, but not both. If neither item nor exceptItem is specified then it is assumed
that the authorization applies to all items.
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime
Multiplicity: [0,1]
Display order: