Authorization define fine-grained access to midPoint objects and system functionality.
Name | Type | Multiplicity | Description |
---|---|---|---|
name |
property string |
[0,1] | |
description |
property string |
[0,1] | |
decision |
property AuthorizationDecisionType |
[0,1] | |
action |
property anyURI |
[1,-1] | |
phase |
property AuthorizationPhaseType |
[0,1] | |
enforcementStrategy |
property AuthorizationEnforcementStrategyType |
[0,1] | Setting that specifies when to enforce the authorization. |
zoneOfControl |
property ZoneOfControlType |
[0,1] | |
object |
container OwnedObjectSelectorType |
[0,-1] | Object part from the (subject,action,object) authorization triple. |
item |
property ItemPathType |
[0,-1] | |
exceptItem |
property ItemPathType |
[0,-1] | Specification of items that are excluded from the scope of this authorization. |
target |
container OwnedObjectSelectorType |
[0,-1] | Target of the operation. |
relation |
property QName |
[0,-1] | Relation(s) to which the authorization applies. |
orderConstraints |
container OrderConstraintsType |
[0,1] | Order constraints for cases when assignment/inducement is a matter of the authorization decision. |
limitations |
container AuthorizationLimitationsType |
[0,1] | Limitations of this authorization when it is applied to other authorizations. |
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [1,-1]
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Flags: RAM,runtime,AVals:2
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,-1]
Flags: RAM,runtime
Multiplicity: [0,-1]
Flags: RAM,runtime
Multiplicity: [0,-1]
Specification of items that are excluded from the scope of this authorization.
I.e. the authorization applies to all the items except those items that are
specified here.
Note: there is subtle (but important) difference between not allowing access and
denying access. Authorization that denies access specifies a final decision. Denied
access cannot be allowed by any other authorization. Deny authorization are very
strong from a security perspective, but it is extremely difficult to combine them
with other authorizations. Therefore deny authorizations are used very rarely.
On the other hand if the access is not allowed by a specific authorization then
it can still be allowed by another authorization. This makes authorizations "mergeable".
Not allowing access is usually the right approach.
The exceptItem specification is a convenient way to "not allow" access to specific
items.
The item specification must not be combined with exceptItem. One or the other can be
used, but not both. If neither item nor exceptItem is specified then it is assumed
that the authorization applies to all items.
Flags: RAM,runtime
Multiplicity: [0,-1]
Flags: RAM,runtime
Multiplicity: [0,-1]
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,1]