[OPENIDM-10696] Full attribute details not available to policies when creating role via relationship collection Created: 17/Apr/18  Updated: 25/Apr/18  Resolved: 25/Apr/18

Status: Closed
Project: OpenIDM
Component/s: Module - Policy
Affects Version/s: OpenIDM 5.0.0, OpenIDM 5.5.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Tom Wood Assignee: Brendan Miller
Resolution: Won't Fix Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


When creating a relationship between two objects, any policy on the relationship itself does not have access to the child attributes (e.g. _refProperties) if the relationship is created directly against the relationship collection.

As an example, the UI performs the following when adding a role to a managed/user:

POST http://localhost:8080/openidm/managed/user/342e91a7-b0f2-4950-9270-91ee83c44926/roles?_action=create


Which has the following content for the 'fullObject' within policy.js:

INFO: fullObject: {preferences={updates=false, marketing=false}, mail=test@test.com, sn=test, givenName=test, userName=test}

If adding the role directly to the user object:

POST http://localhost:8080/openidm/managed/user/342e91a7-b0f2-4950-9270-91ee83c44926?_action=patch

[{"operation":"replace","field":"roles","value": [{"_ref": "managed/role/778fa522-f1c7-493a-be29-e6b7e418eb10","_refProperties": {"temporalConstraints": [],"_grantType": ""}}]}]

Then the entire role object is available to the policy:

INFO: fullObject: {preferences={updates=false, marketing=false}, mail=test@test.com, sn=test, givenName=test, userName=test, accountStatus=active, lastChanged={date=2018-04-17T09:53:40.143Z}, effectiveRoles=[], effectiveAssignments=[], _rev=000000008eb4bc61, _id=342e91a7-b0f2-4950-9270-91ee83c44926}

Comment by Brendan Miller [ 25/Apr/18 ]

1. This is not a bug - we've never implemented policy checks on relationship endpoints.
2. There is a workaround - create the user (or other object) on the side requiring policy with the

{ _ref : .. }

to the role or other related object.

Generated at Mon Sep 21 16:20:11 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.