[midPoint] Assign role which allows creation of users

Oskar Butovič - AMI Praha a.s. oskar.butovic at ami.cz
Wed Oct 12 10:20:48 CEST 2016


Hi Carlos,

if you generate some user attributes, you have to allow adding them as
well, at least in the execution phase. Might that be the case?

2016-10-11 21:22 GMT+02:00 Carlos Ferreira <carlos18619 at gmail.com>:

> One thing else:
>
>
> If the "xml" is as follows, all user attributes are shown and i CAN create
> the users (with no error messages):
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
>       version="48">
>    <name>Allow create</name>
>    <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
>    <metadata>
>       <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>    </metadata>
>    <activation>
>       <effectiveStatus>enabled</effectiveStatus>
>       <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>    </activation>
>    <iteration>0</iteration>
>    <iterationToken/>
>    <authorization id="1">
>       <name>Allow creation of users</name>
>       <description>
>             Allow creation of users.
>         </description>
>       <decision>allow</decision>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>    </authorization>
>    <authorization id="2">
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>    </authorization>
>    <roleType>system</roleType>
> </role>
>
> 2016-10-11 16:17 GMT-03:00 Carlos Ferreira <carlos18619 at gmail.com>:
>
>> Hi,
>>
>> My necessity is as follows:
>>
>> 1. I have a kind of 'special' user. I want to assign him a role to
>> authorize the creation of other users (only this);
>> 2. I do not want this user to access the other admin menu options
>> (resources, roles, etc);
>> 3. To accomplish that, I've created a role, whose "xml" is as follows:
>>
>>
>>
>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>       oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
>>       version="47">
>>    <name>Allow create</name>
>>    <description>Role authorizing a special user on creating other users</description>
>>    <metadata>
>>       <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>>    </metadata>
>>    <activation>
>>       <effectiveStatus>enabled</effectiveStatus>
>>       <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>>    </activation>
>>    <iteration>0</iteration>
>>    <iterationToken/>
>>    <authorization id="1">
>>       <name>Allow creation of users</name>
>>       <description>
>>             Allow creation of users.
>>         </description>
>>       <decision>allow</decision>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>>    </authorization>
>>    <authorization id="2">
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>>       <object>
>>          <type>UserType</type>
>>       </object>
>>       <c:item>name</c:item>
>>       <c:item>givenName</c:item>
>>       <c:item>familyName</c:item>
>>       <c:item>fullName</c:item>
>>       <c:item>employeeType</c:item>
>>       <c:item>employeeNumber</c:item>
>>    </authorization>
>>    <roleType>system</roleType>
>> </role>
>>
>> 4. Doing so, on accessing "http://localhost:8080/midpoint/admin/users?3"
>> and selecting the "New User" option, I have the specified attributes (name,
>> givenname, etc) presented on the screen;
>>
>> 5. Nevertheless, after filling them and pressing the "save" button, the
>> following error message is shown:
>>
>> *User ''specialuser'' not authorized for operation
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add
>> on user:null(a)*
>>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.