[midPoint] Assign role which allows creation of users

Carlos Ferreira carlos18619 at gmail.com
Tue Oct 11 21:17:25 CEST 2016


Hi,

My necessity is as follows:

1. I have a kind of 'special' user. I want to assign him a role to
authorize the creation of other users (only this);
2. I do not want this user to access the other admin menu options
(resources, roles, etc);
3. To accomplish that, I've created a role, whose "xml" is as follows:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="47">
   <name>Allow create</name>
   <description>Role authorizing a special user on creating another users</description>
   <metadata>
      <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
   </metadata>
   <activation>
      <effectiveStatus>enabled</effectiveStatus>
      <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
   </activation>
   <iteration>0</iteration>
   <iterationToken/>
   <authorization id="1">
      <name>Allow creation of users</name>
      <description>Allow creation of users.</description>
      <decision>allow</decision>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
   </authorization>
   <authorization id="2">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <object>
         <type>UserType</type>
      </object>
      <c:item>name</c:item>
      <c:item>givenName</c:item>
      <c:item>familyName</c:item>
      <c:item>fullName</c:item>
      <c:item>employeeType</c:item>
      <c:item>employeeNumber</c:item>
   </authorization>
   <roleType>system</roleType>
</role>

4. Doing so, on accessing "http://localhost:8080/midpoint/admin/users?3" and
selecting the "New User" option, I have the specified attributes (name,
givenName, etc) presented on the screen;

5. Nevertheless, after filling them and pressing the "save" button, the
following error message is shown:

User ''specialuser'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add on user:null(a)
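An added example, not from the post or from midPoint itself: it parses a role like the one above, collects the items that its #add authorizations permit for UserType, and reports which items of a candidate user object are not covered. It assumes, as a simplification of midPoint's item-level authorization, that every item present in the added object must be listed; the submitted item set is constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the posted role (midPoint common-3 schema) and the #add action URI.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
ADD_ACTION = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"

# Constructed copy of the role from the post, trimmed to the authorization part.
ROLE_XML = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Allow create</name>
  <authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <object><type>UserType</type></object>
    <item>name</item>
    <item>givenName</item>
    <item>familyName</item>
    <item>fullName</item>
    <item>employeeType</item>
    <item>employeeNumber</item>
  </authorization>
</role>"""


def allowed_add_items(role_xml: str, object_type: str) -> set[str]:
    """Items that allow-decision #add authorizations for object_type permit.
    URIs are stripped of surrounding whitespace (mail clients wrap long ones)."""
    root = ET.fromstring(role_xml)
    items: set[str] = set()
    for authz in root.findall("c:authorization", NS):
        decision = (authz.findtext("c:decision", "allow", NS) or "allow").strip()
        actions = {(a.text or "").strip() for a in authz.findall("c:action", NS)}
        types = {(t.text or "").strip() for t in authz.findall("c:object/c:type", NS)}
        if decision != "allow" or ADD_ACTION not in actions or object_type not in types:
            continue
        items |= {(i.text or "").strip() for i in authz.findall("c:item", NS)}
    return items


def uncovered_items(role_xml: str, object_type: str, new_object_items: set[str]) -> set[str]:
    """Items of the object being added that no #add authorization covers
    (assumption: each item of the new object must be listed when items are restricted)."""
    return new_object_items - allowed_add_items(role_xml, object_type)


if __name__ == "__main__":
    # Constructed sample: the form fields from the post plus a hypothetical extra
    # item, to show how an uncovered item is reported.
    submitted = {"name", "givenName", "familyName", "fullName", "activation"}
    print(uncovered_items(ROLE_XML, "UserType", submitted))  # {'activation'}
```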