[midPoint] Assign role which allows creation of users
Carlos Ferreira
carlos18619 at gmail.com
Tue Oct 11 21:22:23 CEST 2016
One more thing:
If the "xml" is as follows, all user attributes are shown and I CAN create
the users (with no error messages):
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="48">
    <name>Allow create</name>
    <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
    <metadata>
        <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
    </metadata>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <authorization id="1">
        <name>Allow creation of users</name>
        <description>Allow creation of users.</description>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    </authorization>
    <authorization id="2">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    </authorization>
    <roleType>system</roleType>
</role>
2016-10-11 16:17 GMT-03:00 Carlos Ferreira <carlos18619 at gmail.com>:
> Hi,
>
> My necessity is as follows:
>
> 1. I have a kind of 'special' user. I want to assign him a role to
> authorize the creation of other users (only this);
> 2. I do not want this user to access the other admin menu options
> (resources, roles, etc);
> 3. To accomplish that, I've created a role, whose "xml" is as follows:
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
>       version="47">
>     <name>Allow create</name>
>     <description>Role authorizing a special user on creating another users</description>
>     <metadata>
>         <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>     </metadata>
>     <activation>
>         <effectiveStatus>enabled</effectiveStatus>
>         <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>     </activation>
>     <iteration>0</iteration>
>     <iterationToken/>
>     <authorization id="1">
>         <name>Allow creation of users</name>
>         <description>Allow creation of users.</description>
>         <decision>allow</decision>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>     </authorization>
>     <authorization id="2">
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>         <object>
>             <type>UserType</type>
>         </object>
>         <c:item>name</c:item>
>         <c:item>givenName</c:item>
>         <c:item>familyName</c:item>
>         <c:item>fullName</c:item>
>         <c:item>employeeType</c:item>
>         <c:item>employeeNumber</c:item>
>     </authorization>
>     <roleType>system</roleType>
> </role>
>
> 4. Doing so, on accessing "http://localhost:8080/midpoint/admin/users?3"
> and selecting the "New User" option, I have the specified attributes (name,
> givenName, etc.) presented on the screen;
>
> 5. Nevertheless, after filling them and pressing the "save" button, the
> following error message is shown:
>
> *User ''specialuser'' not authorized for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add
> on user:null(a)*
>
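To see what separates the two role versions, here is a small Python model, added here and not part of the post or of midPoint itself, that parses the authorizations of a role and evaluates an #add request against them. It assumes midPoint's documented rule that an authorization carrying an item list only covers an add whose new object contains no items beyond those listed; that rule, and the extra items the GUI adds to a new user (such as activation), are assumptions, not facts stated in the post.

```python
import xml.etree.ElementTree as ET
# midPoint common-3 namespace. The posted role binds both the default namespace
# and the "c" prefix to it, so <authorization> and <c:item> share one prefix here.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
ADD = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"

# Constructed sample: the item-restricted #add authorization of the
# version-47 role from the post, reduced to the elements that matter here.
ROLE_V47 = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <object><type>UserType</type></object>
    <c:item>name</c:item>
    <c:item>givenName</c:item>
    <c:item>familyName</c:item>
    <c:item>fullName</c:item>
    <c:item>employeeType</c:item>
    <c:item>employeeNumber</c:item>
  </authorization>
</role>"""

def parse_authorizations(role_xml):
    """Return decision, actions, object type and item set of each <authorization>."""
    auths = []
    for a in ET.fromstring(role_xml).findall("c:authorization", NS):
        obj_type = a.findtext("c:object/c:type", default="", namespaces=NS).strip()
        auths.append({
            # <decision> is absent in the post's second authorization; default is allow
            "decision": a.findtext("c:decision", default="allow", namespaces=NS).strip(),
            "actions": {x.text.strip() for x in a.findall("c:action", NS)},
            "type": obj_type or None,
            "items": {x.text.strip() for x in a.findall("c:item", NS)},
        })
    return auths

def add_allowed(auths, obj_type, obj_items):
    """True if an allow authorization for #add covers a new object of obj_type
    holding exactly obj_items. Assumed rule: when an item list is present,
    every item of the new object must be listed, otherwise #add is denied."""
    for a in auths:
        if a["decision"] != "allow" or ADD not in a["actions"]:
            continue
        if a["type"] is not None and a["type"] != obj_type:
            continue
        if a["items"] and not set(obj_items) <= a["items"]:
            continue
        return True
    return False
```

With the version-48 role (no object type and no item list on the #add authorization) the same evaluation allows any new object, which matches the behaviour described at the top of the post.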