[midPoint] seen all user in role

Ivan Noris ivan.noris at evolveum.com
Wed Jul 8 18:18:54 CEST 2015


Hi,

there are two different authorization types in midPoint:

1) GUI-related. These allow or disallow access to specific GUI
components (pages).
2) Model-related. These allow or disallow access to specific operations
on specific objects.

In your example, the role has GUI authorization:

   <authorization id="2">
     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</action>
   </authorization>

This means that Users tab is displayed.

Also, the End user role is *assigned* to this role. It should have been
an *inducement*, not an assignment, to apply to users that have the adminRole.
That's probably a bug. You should not be able to log in to midPoint with
the original role (403 forbidden).

The End user role is giving you the default permissions such as read for
yourself.

That's why you only see one user in midPoint.

You have to combine both authz types. E.g. add the following to the role
and you will see all users (read only):

    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>

To allow modifications of all users except administrator, you need to
add more:

<!-- This authorization allows modifying all users except
name=administrator -->
   <authorization>
       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
       <object>
           <type>UserType</type>
           <filter>
             <q:not>
               <q:equal>
                 <q:path>name</q:path>
                 <q:value>administrator</q:value>
               </q:equal>
             </q:not>
           </filter>
       </object>
   </authorization>

You can use any filter that is supported by our queries. This is just a
simple example.

Normally you would need to have authorizations for more than just User
objects. For example, you need to have authz for Shadows to allow
provisioning. Also, you can specifically allow operations on some user
attributes; e.g. an HR manager can only update Given Name and Family Name,
but nothing more. The User details form is dynamic and displays only
those attributes. Some more examples are in
./model/model-intest/src/test/resources/security/

The updated sample role is attached. Please note that I have updated the
GUI authorization as the URI has changed for 3.2 midPoint (current
master)! If you are using older midPoint, keep the GUI authorization
from your original sample.

Regards,
Ivan

On 07/07/2015 08:53 PM, Steklac Michal wrote:
> Hi,
>
> I created a role
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       oid="1326ac7b-4f14-4779-b329-f684883abff5"
>       version="26">
>    <name>adminUser</name>
>    <description>adminUser</description>
>    <metadata>
>       <createTimestamp>2015-07-06T12:26:53.054+02:00</createTimestamp>
>       <creatorRef oid="00000000-0000-0000-0000-000000000002"
> type="UserType"/>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</createChannel>
>       <modifyTimestamp>2015-07-06T13:07:20.395+02:00</modifyTimestamp>
>       <modifierRef
> xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                    oid="00000000-0000-0000-0000-000000000002"
>                    type="tns:UserType"/>
>       <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</modifyChannel>
>    </metadata>
>    <assignment id="3">
>       <targetRef oid="00000000-0000-0000-0000-000000000008"
> type="RoleType"/>
>       <activation>
>          <administrativeStatus>enabled</administrativeStatus>
>       </activation>
>    </assignment>
>    <activation>
>       <administrativeStatus>enabled</administrativeStatus>
>       <effectiveStatus>enabled</effectiveStatus>
>       <enableTimestamp>2015-07-06T12:26:53.023+02:00</enableTimestamp>
>    </activation>
>    <iteration>0</iteration>
>    <iterationToken/>
>    <authorization id="2">
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</action>
>    </authorization>
>    <requestable>false</requestable>
> </role>
>
> When I log in with a user who is in the role, I see only one user. It
> is the logged-in user who is in the role. I want to see all users who are in
> midPoint. How must I change the role?
>
> Thanks
> Best regards
> MiSo
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
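Putting the pieces of the reply together in one importable file, as an added example (this is not the attached miso-role.xml and not an Evolveum sample): the adminUser role with the End user role as an inducement, the GUI authorization, the read authorization on UserType, and the filtered modify authorization. A second role, hrManager, illustrates the "only Given Name and Family Name" case the reply mentions by limiting the modify authorization with `<item>` elements. Assumptions of mine: the `q` prefix is bound to the midPoint query namespace `http://prism.evolveum.com/xml/ns/public/query-3`, the `<objects>` wrapper is used so both roles sit in one import, the GUI action URI is the pre-3.2 one from the original sample (midPoint 3.2 uses a different URI, as the reply notes), and the End user role OID is the one from the original sample.

```xml
<!-- Added example, not the attached miso-role.xml. The q prefix binding, the <objects>
     wrapper and the hrManager role are the editor's assumptions, not from the post. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">

    <role>
        <name>adminUser</name>
        <description>Users page visible; read all users; modify all users except administrator</description>

        <!-- Inducement, not assignment: users holding adminUser get the End user role,
             so they can log in and read their own object. OID from the original sample. -->
        <inducement>
            <targetRef oid="00000000-0000-0000-0000-000000000008" type="RoleType"/>
        </inducement>

        <!-- GUI authorization: shows the Users tab. URI as in the original (pre-3.2) sample. -->
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</action>
        </authorization>

        <!-- Model authorization: read every UserType object; without this the
             Users page only shows the user's own entry (from the End user role). -->
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
            <object>
                <type>UserType</type>
            </object>
        </authorization>

        <!-- Model authorization: modify any user whose name is not "administrator" -->
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
            <object>
                <type>UserType</type>
                <filter>
                    <q:not>
                        <q:equal>
                            <q:path>name</q:path>
                            <q:value>administrator</q:value>
                        </q:equal>
                    </q:not>
                </filter>
            </object>
        </authorization>
    </role>

    <!-- The "HR manager" case from the reply: read every user, but modify only
         givenName and familyName. The <item> elements limit the modify authorization
         to those two attributes; the user details form then shows only them. -->
    <role>
        <name>hrManager</name>
        <description>Read all users; edit only given name and family name</description>
        <inducement>
            <targetRef oid="00000000-0000-0000-0000-000000000008" type="RoleType"/>
        </inducement>
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</action>
        </authorization>
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
            <object>
                <type>UserType</type>
            </object>
        </authorization>
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
            <object>
                <type>UserType</type>
            </object>
            <item>givenName</item>
            <item>familyName</item>
        </authorization>
    </role>
</objects>
```

To check it, import the file, assign one of the roles to a test user (not administrator), log in as that user and confirm that the Users page lists every user, that editing administrator is refused for adminUser, and that the hrManager edit form offers only the two name fields. Keep in mind the reply's point that a real role usually also needs authorizations on Shadow objects before any provisioning works.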

-------------- next part --------------
A non-text attachment was scrubbed...
Name: miso-role.xml
Type: text/xml
Size: 1562 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150708/f494badb/attachment.xml>