Rest Self Request

rest
http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all

read-requestable-roles
Allows reading requestable roles. This allows searching for requestable roles in the user interface.
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read

assign-requestable-roles
Allows assigning requestable roles. This allows requesting roles in a request-and-approve process. The requestable roles will be displayed in the role request dialog by default. Please note that the roles also need an approval definition to go through the approval process. Otherwise, they will be assigned automatically without any approval.
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign
request
RoleType
requestable = true AND parentOrgRef matches (oid = "7878cf5d-9de2-486c-aeb7-41b438200a57")
org:default

self-execution-modify
Authorization that allows self-modification of some properties, but only in the execution phase. The real limitation of these operations is done in the request phase. E.g. the modification of assignments is controlled in the request phase by using the #assign authorization.
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
execution
assignment

assignment-target-get
Authorization that allows reading all the objects that are possible assignment targets. Note that this authorization may be too broad for production use. Normally it should be limited to just selected properties such as name and description.
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get

assignment-target-read-case
Authorization that allows reading the approval status of cases. This is used to display requests to the end users, especially in the "My Requests" box in the user dashboard.
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read

self-owned-task-read
Authorization that allows seeing all tasks owned by the currently logged-in user.
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read