[midPoint] Assign role which allows creation of users

Katka Valalikova katka.valalikova at evolveum.com
Wed Oct 12 14:26:57 CEST 2016


Hi Carlos, 

as Oskar mentioned, there can be a case that some of the attributes are generated, e.g. by using an objectTemplate. But even if you don't use an object template to generate values for attributes, there are some attributes which are added/generated by midPoint (e.g. activation/effectiveStatus, activation/enableTimestamp, iteration, iterationToken and metadata for the user). You can either configure these attributes to be allowed (none of the mentioned attributes are shown in the GUI) or you can split the authorizations into two different phases, such as allowing the named fields in the request phase and allowing creation of all attributes in the execution phase. Below are examples for both cases:
1. List of allowed attributes to add/modify (without phase defined)

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="47">
    <name>Allow create</name>
    <description>Role authorizing a special user on creating another users</description>
    <metadata>
        <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
    </metadata>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <authorization id="1">
        <name>Allow creation of users</name>
        <description>Allow creation of users.</description>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    </authorization>
    <authorization id="2">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <object>
            <type>UserType</type>
        </object>
        <!-- fields the special user fills in the GUI -->
        <c:item>name</c:item>
        <c:item>givenName</c:item>
        <c:item>familyName</c:item>
        <c:item>fullName</c:item>
        <c:item>employeeType</c:item>
        <c:item>employeeNumber</c:item>
        <!-- items midPoint generates itself during the add; they are not shown in the GUI
             but must be allowed as well, otherwise the add is denied -->
        <c:item>activation/effectiveStatus</c:item>
        <c:item>metadata</c:item>
        <c:item>iterationToken</c:item>
        <c:item>iteration</c:item>
        <c:item>activation/enableTimestamp</c:item>
    </authorization>
    <roleType>system</roleType>
</role>

Unfortunately, while I was testing this setting, I found out that there is probably a bug with processing authorizations for "containers". I created a Jira issue for it: https://jira.evolveum.com/browse/MID-3461 . A temporary workaround for this bug is to allow the whole container; in your case you'll need to allow the whole activation (but I can understand that you probably don't want to show activation).

2. Split request and response phase

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://midpoint.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="47">
    <name>Allow create</name>
    <description>Role authorizing a special user on creating another users</description>
    <metadata>
        <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
    </metadata>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <authorization id="1">
        <name>Allow creation of users</name>
        <description>Allow creation of users.</description>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    </authorization>
    <!-- request phase: only the named fields may be submitted by the user -->
    <authorization id="2">
        <phase>request</phase>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <object>
            <type>UserType</type>
        </object>
        <c:item>name</c:item>
        <c:item>givenName</c:item>
        <c:item>familyName</c:item>
        <c:item>fullName</c:item>
        <c:item>employeeType</c:item>
        <c:item>employeeNumber</c:item>
    </authorization>
    <!-- execution phase: no item restriction, so the items midPoint generates
         (activation, metadata, iteration, ...) are allowed too;
         each authorization needs its own container id -->
    <authorization id="3">
        <phase>execution</phase>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
    <roleType>system</roleType>
</role>





Best regards, 

Katarina Valalikova 
Java Developer 
evolveum.com 
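A small lint for the two pitfalls discussed in this thread: an item-limited #add authorization that does not cover the items midPoint generates itself, and an #add authorization with no <object> (which, in midPoint, applies to every object type rather than only users). This is an added example, not code from the thread or from midPoint; it assumes only that action, phase, object/type and item elements appear as in the role XML above, and the sample roles are constructed inline.

```python
import xml.etree.ElementTree as ET

NS = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
ADD = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"
# Items midPoint fills in by itself when a user is created (the ones named in the thread).
GENERATED = ["activation/effectiveStatus", "activation/enableTimestamp", "iteration", "iterationToken", "metadata"]

def _covers(items, path):
    """True if an item list grants `path` exactly or through a parent container."""
    return any(path == it or path.startswith(it + "/") for it in items)

def _info(a):
    text = lambda elems: [(e.text or "").strip() for e in elems]
    return {"id": a.get("id"), "phase": (a.findtext(NS + "phase") or "").strip(),
            "actions": text(a.findall(NS + "action")), "items": text(a.findall(NS + "item")),
            "types": text(a.findall(NS + "object/" + NS + "type"))}

def check_role(xml_text):
    """Lint a midPoint role for the #add pitfalls discussed in this thread; returns findings."""
    auths = [_info(a) for a in ET.fromstring(xml_text).findall(NS + "authorization")]
    findings, seen = [], set()
    for a in auths:
        if a["id"] and a["id"] in seen:
            findings.append(f"duplicate authorization id {a['id']}")
        seen.add(a["id"])
    adds = [a for a in auths if ADD in a["actions"]]
    # Execution-phase #add authorizations can supply the generated items.
    exec_full = any(a["phase"] == "execution" and not a["items"] for a in adds)
    exec_items = [i for a in adds if a["phase"] == "execution" for i in a["items"]]
    for a in adds:
        if not a["types"]:  # no <object>: the grant covers every object type, not only users
            findings.append(f"authorization {a['id']}: #add without <object> allows adding any object type")
        if a["phase"] == "execution" or not a["items"]:
            continue
        for g in GENERATED:
            if not (_covers(a["items"], g) or exec_full or _covers(exec_items, g)):
                findings.append(f"authorization {a['id']}: generated item {g} is not allowed")
    return findings

def role_xml(*authorizations):
    """Wrap authorization bodies in a minimal role document (constructed sample input)."""
    body = "".join(f'<authorization id="{i}">{b}</authorization>' for i, b in enumerate(authorizations, 1))
    return f'<role xmlns="{NS[1:-1]}"><name>Allow create</name>{body}</role>'

ADD_USER = f"<action>{ADD}</action><object><type>UserType</type></object>"
NAMED = "".join(f"<item>{i}</item>" for i in ["name", "givenName", "familyName", "fullName"])
LIMITED = role_xml(ADD_USER + NAMED)                        # Carlos's role: no phase, named items only
SPLIT = role_xml("<phase>request</phase>" + ADD_USER + NAMED, "<phase>execution</phase>" + ADD_USER)
BROAD = role_xml(f"<action>{ADD}</action>")                  # the variant that "works": no <object>
```

Running check_role over an exported role before assigning it is a cheap way to see whether the save will be denied (LIMITED) or whether the grant is wider than the one user type intended (BROAD).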

----- Original Message -----

From: "Oskar Butovič - AMI Praha a.s." <oskar.butovic at ami.cz> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Sent: Wednesday, October 12, 2016 10:20:48 AM 
Subject: Re: [midPoint] Assign role which allows creation of users 

Hi Carlos, 

if you generate some user attributes you have to allow their adding as well, at least in the execution phase. Might that be the case?

2016-10-11 21:22 GMT+02:00 Carlos Ferreira <carlos18619 at gmail.com>:



One thing else: 


If the "xml" is as follows, all user attributes are shown and I CAN create the users (with no error messages):

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://midpoint.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="48">
    <name>Allow create</name>
    <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
    <metadata>
        <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
    </metadata>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <authorization id="1">
        <name>Allow creation of users</name>
        <description>Allow creation of users.</description>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    </authorization>
    <!-- #add with no <object> and no items: not limited to users or to named fields -->
    <authorization id="2">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    </authorization>
    <roleType>system</roleType>
</role>

2016-10-11 16:17 GMT-03:00 Carlos Ferreira <carlos18619 at gmail.com>:

<blockquote>

Hi, 

My necessity is as follows:

1. I have a kind of 'special' user. I want to assign him a role to authorize the creation of other users (only this);
2. I do not want this user to access the other admin menu options (resources, roles, etc.);
3. To accomplish that, I've created a role, whose "xml" is as follows:



<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://midpoint.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="47">
    <name>Allow create</name>
    <description>Role authorizing a special user on creating another users</description>
    <metadata>
        <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
    </metadata>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <authorization id="1">
        <name>Allow creation of users</name>
        <description>Allow creation of users.</description>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    </authorization>
    <authorization id="2">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <object>
            <type>UserType</type>
        </object>
        <c:item>name</c:item>
        <c:item>givenName</c:item>
        <c:item>familyName</c:item>
        <c:item>fullName</c:item>
        <c:item>employeeType</c:item>
        <c:item>employeeNumber</c:item>
    </authorization>
    <roleType>system</roleType>
</role>

4. Doing so, on accessing "http://localhost:8080/midpoint/admin/users?3" and selecting the "New User" option, I have the specified attributes (name, givenName, etc.) presented on the screen;

5. Nevertheless, after filling them in and pressing the "save" button, the following error message is shown:

User ''specialuser'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add on user:null(a) 

</blockquote>




-- 


Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz





By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s.
Any contract, if it is concluded, must be made exclusively in written form.


_______________________________________________ 
midPoint mailing list 
midPoint at lists.evolveum.com 
http://lists.evolveum.com/mailman/listinfo/midpoint 
