[midPoint] Delegated administrator

Petr Gašparík petr at gasparik.cz
Mon Aug 3 15:14:24 CEST 2015


Thank you Ivan, the #add part finally helped.

It now works from both places, Create user and Add member.
So for the archive, this is the working delegated administrator:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="delegatedAdmin"
      version="34">
   <name>Delegated administrator</name>
   <activation>
      <effectiveStatus>enabled</effectiveStatus>
   </activation>
   <iteration>0</iteration>
   <iterationToken/>
   <authorization id="1">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
      <object>
         <type>OrgType</type>
      </object>
      <object>
         <type>ResourceType</type>
      </object>
      <object>
         <type>RoleType</type>
      </object>
      <object>
         <type>ShadowType</type>
      </object>
      <object>
         <type>UserType</type>
         <orgRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="3404b331-57c0-4bef-b699-0192ce8d728b"
                 type="tns:OrgType"><!-- oid of org where user with this role is an admin --></orgRef>
      </object>
   </authorization>
   <authorization id="2">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#findUsers</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItems</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItem</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsMyRequests</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsProcessInstance</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</action>
   </authorization>
   <authorization id="3">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <phase>request</phase>
      <object>
         <type>UserType</type>
      </object>
   </authorization>
   <authorization id="4">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <phase>execution</phase>
      <object>
         <type>UserType</type>
         <filter>
            <q:or>
               <q:equal>
                  <q:path>employeeType</q:path>
               </q:equal>
            </q:or>
         </filter>
      </object>
   </authorization>
</role>

On Mon 3. 8. 2015 at 14:39, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Petr,
>
> I can't see #add operation authorization for UserType. Only #modify (and
> #read). But as you seem to allow only creation of Users in some
> organization (by reference), it's possible that you will need some more
> things later.
>
> Please try to add #add authorization to be able to create users.
>
> Regards,
> Ivan
>
>
> On 08/03/2015 01:46 PM, Petr Gašparík wrote:
>
> Thank you, Ivan, this is for 3.1.1 ... I can see users and their
> attributes, but I can't create a new one - see below.
>
> [image: Clip398.png]
>
>
> On Mon 3. 8. 2015 at 8:36, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>> Hi Petr,
>>
>> please check the *GUI* authorization namespaces; there was a change for
>> the upcoming 3.2.
>>
>> e.g. http://midpoint.evolveum.com/xml/ns/public/security/authorization
>> *-ui*-3#dashboard
>>
>> The End User and Superuser role are already modified in XML files, not
>> sure about the documentation...
>>
>> Please try.
>> Regards,
>> Ivan
>>
>>
>> On 07/31/2015 05:24 PM, Petr Gašparík wrote:
>>
>> Hi,
>> I tried to set up a delegated administrator for an organization (user
>> management + workflow tasks) and ended up with the role below. This, assigned
>> to a user, does not allow him to see attributes when creating a user, so the
>> admin can't enter values into them (name, for example).
>>
>> What am I missing? Is there an example for a delegated administrator? (I
>> checked the web and git already)
>>
>> regards
>> Petr G.
>>
>> -------------------------------------------
>>
>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>       oid="delegatedAdmin"
>>       version="23">
>>    <name>Delegated administrator</name>
>>    <activation>
>>       <effectiveStatus>enabled</effectiveStatus>
>>    </activation>
>>    <iteration>0</iteration>
>>    <iterationToken/>
>>    <authorization id="1">
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>>       <object>
>>          <type>OrgType</type>
>>       </object>
>>       <object>
>>          <type>ResourceType</type>
>>       </object>
>>       <object>
>>          <type>RoleType</type>
>>       </object>
>>       <object>
>>          <type>ShadowType</type>
>>       </object>
>>       <object>
>>          <type>UserType</type>
>>          <orgRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                  oid="3404b331-57c0-4bef-b699-0192ce8d728b"
>>                  type="tns:OrgType"></orgRef>
>>       </object>
>>    </authorization>
>>    <authorization id="2">
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#findUsers</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItems</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItem</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsMyRequests</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsProcessInstance</action>
>>    </authorization>
>> </role>
>> --
>> Petr G.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer & IDM Architect
>>   evolveum.com                     evolveum.com/blog/
>>   ___________________________________________________
>>   "Semper Id(e)M Vix."
>>
> --
> Petr G.
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper Id(e)M Vix."
>
--
Petr G.
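The thread shows two easy ways to get a delegated-admin role wrong: leaving out an operation (#add was missing from the first version, so the GUI could not create users) and using a GUI action namespace that a newer release renamed (authorization-3 became authorization-ui-3 in 3.2). The script below is an added example written for this archive page; it is not part of the thread and not midPoint tooling. It parses a role's <authorization> elements and reports, for a given object type, which operations are granted in which phase, whether any <modify> grant is unscoped (no orgRef and no filter), whether GUI actions still use the pre-3.2 namespace, and whether a <q:equal> filter carries no value. It assumes the midPoint 3.1/3.2 schema as it appears in the posted role: an authorization without <phase> covers both request and execution, and an <object> with only <type> matches every object of that type. The embedded role XML is a constructed, trimmed copy of the two versions posted above (namespaces and the org oid as posted).

```python
"""Static review of the <authorization> entries in a midPoint role.

Added example, not midPoint tooling. Assumptions (taken from the role posted in
this thread): operations are URIs under authorization-model-3#, GUI actions under
authorization-3# (renamed authorization-ui-3# in 3.2), an authorization without
<phase> covers both phases, and an <object> with only <type> matches every
object of that type.
"""
import xml.etree.ElementTree as ET

NS_C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS_Q = "http://prism.evolveum.com/xml/ns/public/query-3"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"
GUI_OLD = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#"
PHASES = {"request", "execution"}


def _c(tag):
    return "{%s}%s" % (NS_C, tag)


def parse_authorizations(xml_text):
    """Flatten each <authorization> into its actions, phases and object specs."""
    auths = []
    for a in ET.fromstring(xml_text).findall(_c("authorization")):
        phase = (a.findtext(_c("phase")) or "").strip()
        objects = []
        for o in a.findall(_c("object")):
            filt = o.find(_c("filter"))
            # a <q:equal> carrying a <q:path> but no <q:value> deserves a second look
            empty_equal = filt is not None and any(
                e.find("{%s}value" % NS_Q) is None
                for e in filt.iter("{%s}equal" % NS_Q))
            objects.append({"type": (o.findtext(_c("type")) or "").strip(),
                            "scoped": o.find(_c("orgRef")) is not None or filt is not None,
                            "empty_equal": empty_equal})
        auths.append({"id": a.get("id"),
                      "actions": [(x.text or "").strip() for x in a.findall(_c("action"))],
                      "phases": {phase} if phase else set(PHASES),
                      "objects": objects})
    return auths


def granted_phases(auths, action_uri, obj_type):
    """Phases in which action_uri is granted on objects of obj_type."""
    phases = set()
    for a in auths:
        if action_uri in a["actions"] and any(o["type"] == obj_type for o in a["objects"]):
            phases |= a["phases"]
    return phases


def lint_role(xml_text, obj_type="UserType", ops=("read", "modify", "add")):
    """Human-readable findings; an empty list means nothing to report."""
    auths = parse_authorizations(xml_text)
    findings = []
    for op in ops:  # the first role in this thread failed because #add was absent
        got = granted_phases(auths, MODEL + op, obj_type)
        if got != PHASES:
            findings.append("%s on %s granted in phases: %s"
                            % (op, obj_type, ",".join(sorted(got)) or "none"))
    for a in auths:
        if any(x.startswith(GUI_OLD) for x in a["actions"]):
            findings.append("authorization %s: GUI actions use authorization-3, "
                            "which 3.2 renamed to authorization-ui-3" % a["id"])
        for o in a["objects"]:
            if MODEL + "modify" in a["actions"] and not o["scoped"]:
                findings.append("authorization %s: modify on %s is not limited by "
                                "orgRef or filter" % (a["id"], o["type"]))
            if o["empty_equal"]:
                findings.append("authorization %s: equal filter on %s has no value"
                                % (a["id"], o["type"]))
    return findings


# Constructed sample, trimmed from the two role versions posted in this thread.
_HEAD = """<role xmlns="%s" xmlns:q="%s" oid="delegatedAdmin">
  <authorization id="1">
    <action>%sread</action><action>%smodify</action>
    <object><type>RoleType</type></object>
    <object><type>UserType</type>
      <orgRef oid="3404b331-57c0-4bef-b699-0192ce8d728b"/></object>
  </authorization>
  <authorization id="2"><action>%susers</action></authorization>
""" % (NS_C, NS_Q, MODEL, MODEL, GUI_OLD)
_ADD = """  <authorization id="3">
    <action>%sadd</action><phase>request</phase>
    <object><type>UserType</type></object>
  </authorization>
  <authorization id="4">
    <action>%sadd</action><phase>execution</phase>
    <object><type>UserType</type>
      <filter><q:or><q:equal><q:path>employeeType</q:path></q:equal></q:or></filter></object>
  </authorization>
""" % (MODEL, MODEL)
ROLE_BEFORE = _HEAD + "</role>"        # Petr's first version: no #add at all
ROLE_AFTER = _HEAD + _ADD + "</role>"  # the working version from this message

if __name__ == "__main__":
    for label, xml_text in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(label, lint_role(xml_text) or ["ok"])
```

Run against the "before" role the checker reports that #add is granted in no phase for UserType, which is exactly what Ivan spotted by eye; against the "after" role that finding disappears and only the remaining review points stay: the unscoped modify on RoleType (and, in the full role, on OrgType, ResourceType and ShadowType), the pre-3.2 GUI namespace, and the employeeType equal filter without a value. Action text is stripped of whitespace, so the line-wrapped URIs in the archive copy of the role parse fine; wrapped namespace URIs inside the xmlns attributes do not, so feed the checker the role as exported from midPoint rather than as pasted into mail.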