[midPoint] Assign role which allows creation of users

Carlos Ferreira carlos18619 at gmail.com
Thu Oct 13 15:43:59 CEST 2016


Hi Katarina/Oskar,


Second suggestion (2 phases) worked for me. Thanks a lot.


Carlos

2016-10-12 9:26 GMT-03:00 Katka Valalikova <katka.valalikova at evolveum.com>:

> Hi Carlos,
>
> as Oskar mentioned, there can be a case that some of the attributes are
> generated e.g. by using objectTemplate. But even if you don't use an object
> template to generate values for attributes, there are some attributes which
> are added/generated by midPoint (e.g. activation/effectiveStatus,
> activation/enableTimestamp, iteration, iterationToken and metadata for the
> user). You can either configure these attributes to be allowed (none of the
> mentioned attributes are shown in the GUI) or you can split the authorizations
> into two different phases, such as allowing named fields in the request phase
> and allowing creation of all attributes in the execution phase. Below are
> examples for both cases:
> 1. List of allowed attributes to add/modify (without phase defined)
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
> version="47">
>     <name>Allow create</name>
>     <description>Role authorizing a special user on creating another users</description>
>     <metadata>
>         <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>     </metadata>
>     <activation>
>         <effectiveStatus>enabled</effectiveStatus>
>         <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>     </activation>
>     <iteration>0</iteration>
>     <iterationToken/>
>     <authorization id="1">
>         <name>Allow creation of users</name>
>         <description>Allow creation of users.</description>
>         <decision>allow</decision>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>     </authorization>
>     <authorization id="2">
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>         <object>
>             <type>UserType</type>
>         </object>
>         <c:item>name</c:item>
>         <c:item>givenName</c:item>
>         <c:item>familyName</c:item>
>         <c:item>fullName</c:item>
>         <c:item>employeeType</c:item>
>         <c:item>employeeNumber</c:item>
>         <!-- items midPoint generates itself on user creation; they must be allowed too -->
>         <c:item>activation/effectiveStatus</c:item>
>         <c:item>metadata</c:item>
>         <c:item>iterationToken</c:item>
>         <c:item>iteration</c:item>
>         <c:item>activation/enableTimestamp</c:item>
>     </authorization>
>     <roleType>system</roleType>
> </role>
>
>
> Unfortunately, while I was testing this setting, I found out that there
> is probably a bug with processing authorizations for "containers". I created
> a Jira issue for it: https://jira.evolveum.com/browse/MID-3461 . A temporary
> workaround for this bug is to allow the whole container - in your case
> you'll need to allow the whole activation (but I can understand that you
> probably don't want to show activation).
>
>
> 2. Split request and response phase
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
> version="47">
>     <name>Allow create</name>
>     <description>Role authorizing a special user on creating another users</description>
>     <metadata>
>         <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>     </metadata>
>     <activation>
>         <effectiveStatus>enabled</effectiveStatus>
>         <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>     </activation>
>     <iteration>0</iteration>
>     <iterationToken/>
>     <authorization id="1">
>         <name>Allow creation of users</name>
>         <description>Allow creation of users.</description>
>         <decision>allow</decision>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>     </authorization>
>     <authorization id="2">
>         <!-- request phase: only the named items may be supplied by the user -->
>         <phase>request</phase>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>         <object>
>             <type>UserType</type>
>         </object>
>         <c:item>name</c:item>
>         <c:item>givenName</c:item>
>         <c:item>familyName</c:item>
>         <c:item>fullName</c:item>
>         <c:item>employeeType</c:item>
>         <c:item>employeeNumber</c:item>
>     </authorization>
>     <!-- container ids must be unique within the role, hence id="3" here -->
>     <authorization id="3">
>         <!-- execution phase: no item list, so midPoint-generated items pass too -->
>         <phase>execution</phase>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>         <object>
>             <type>UserType</type>
>         </object>
>     </authorization>
>     <roleType>system</roleType>
> </role>
>
>
>
> Best regards,
>
> Katarina Valalikova
> Java Developer
> evolveum.com
>
> ------------------------------
> From: "Oskar Butovič - AMI Praha a.s." <oskar.butovic at ami.cz>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Wednesday, October 12, 2016 10:20:48 AM
> Subject: Re: [midPoint] Assign role which allows creation of users
>
>
> Hi Carlos,
>
> if you generate some user attributes, you have to allow adding them as
> well, at least in the execution phase. Might that be the case?
>
> 2016-10-11 21:22 GMT+02:00 Carlos Ferreira <carlos18619 at gmail.com>:
>
>> One thing else:
>>
>>
>> If the "xml" is as follows, all user attributes are shown and I CAN
>> create the users (with no error messages):
>>
>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>       oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
>>       version="48">
>>    <name>Allow create</name>
>>    <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
>>    <metadata>
>>       <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>>    </metadata>
>>    <activation>
>>       <effectiveStatus>enabled</effectiveStatus>
>>       <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>>    </activation>
>>    <iteration>0</iteration>
>>    <iterationToken/>
>>    <authorization id="1">
>>       <name>Allow creation of users</name>
>>       <description>Allow creation of users.</description>
>>       <decision>allow</decision>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>>    </authorization>
>>    <authorization id="2">
>>       <!-- no <object> and no items: this #add is not restricted to users or to named attributes -->
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>>    </authorization>
>>    <roleType>system</roleType>
>> </role>
>>
>> 2016-10-11 16:17 GMT-03:00 Carlos Ferreira <carlos18619 at gmail.com>:
>>
>>> Hi,
>>>
>>> My necessity is as follows:
>>>
>>> 1. I have a kind of 'special' user. I want to assign him a role to
>>> authorize the creation of other users (only this);
>>> 2. I do not want this user to access the other admin menu options
>>> (resources, roles, etc);
>>> 3. To accomplish that, I've created a role, whose "xml" is as follows:
>>>
>>>
>>>
>>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>       oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
>>>       version="47">
>>>    <name>Allow create</name>
>>>    <description>Role authorizing a special user on creating another users</description>
>>>    <metadata>
>>>       <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
>>>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
>>>    </metadata>
>>>    <activation>
>>>       <effectiveStatus>enabled</effectiveStatus>
>>>       <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
>>>    </activation>
>>>    <iteration>0</iteration>
>>>    <iterationToken/>
>>>    <authorization id="1">
>>>       <name>Allow creation of users</name>
>>>       <description>Allow creation of users.</description>
>>>       <decision>allow</decision>
>>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
>>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>>>    </authorization>
>>>    <authorization id="2">
>>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>>>       <object>
>>>          <type>UserType</type>
>>>       </object>
>>>       <c:item>name</c:item>
>>>       <c:item>givenName</c:item>
>>>       <c:item>familyName</c:item>
>>>       <c:item>fullName</c:item>
>>>       <c:item>employeeType</c:item>
>>>       <c:item>employeeNumber</c:item>
>>>    </authorization>
>>>    <roleType>system</roleType>
>>> </role>
>>>
>>> 4. Doing so, on accessing "http://localhost:8080/midpoint/admin/users?3"
>>> and selecting the "New User" option, I have the specified attributes (name,
>>> givenname, etc) presented on the screen;
>>>
>>> 5. Nevertheless, after filling them and pressing the "save" button, the
>>> following error message is shown:
>>>
>>> User ''specialuser'' not authorized for operation
>>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add
>>> on user:null(a)
>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
> By the text of this e-mail the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if it is
> concluded, must be exclusively in written form.
>
>
>
>
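A checker for the three ways this thread's role XML went wrong (an unphased `#add` that names items but not the midPoint-generated ones, a request-phase `#add` with no execution-phase partner, and an `#add` with no `<object>` at all), plus the duplicate container id in the two-phase example. This is an added example, not midPoint's code or anything posted in the thread; it assumes role XML in the common-3 namespace and takes the set of generated items from Katka's message (object templates may generate more).

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
ADD = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"
# Items midPoint itself adds when a user is created, as listed by Katka above.
# Object templates may generate more; extending this set for them is assumed.
GENERATED = {"activation/effectiveStatus", "activation/enableTimestamp",
             "iteration", "iterationToken", "metadata"}

def _texts(elem, path):
    return [e.text.strip() for e in elem.findall(path, NS) if e.text]

def lint_role(xml_text):
    """Return a list of findings for one role XML; an empty list means nothing flagged."""
    auths = ET.fromstring(xml_text).findall("c:authorization", NS)
    findings = []
    ids = [a.get("id") for a in auths if a.get("id") is not None]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duplicate authorization id={dup}")
    # Object types covered by an execution-phase #add ("*" = no <object>, i.e. any type).
    exec_types = set()
    for a in auths:
        if ADD in _texts(a, "c:action") and a.findtext("c:phase", "", NS).strip() == "execution":
            exec_types.update(_texts(a, "c:object/c:type") or ["*"])
    for a in auths:
        phase = a.findtext("c:phase", "", NS).strip()
        if ADD not in _texts(a, "c:action") or phase == "execution":
            continue
        items = set(_texts(a, "c:item"))
        types = _texts(a, "c:object/c:type") or ["*"]
        missing = sorted(GENERATED - items)
        if not items and "*" in types:  # Carlos's version 48: no <object>, no items
            findings.append("#add without <object> restriction: allows creating any object type")
        elif items and phase == "" and missing:  # one authorization serves both phases
            findings.append("unphased #add names items but omits generated items: " + ", ".join(missing))
        elif items and phase == "request" and not exec_types & {"*", *types}:
            findings.append("request-phase #add for " + "/".join(types) + " has no execution-phase #add")
    return findings

# Constructed sample: the thread's two-phase role with its duplicate id="2" kept on purpose.
ROLE = f"""<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authorization id="2"><phase>request</phase><action>{ADD}</action>
    <object><type>UserType</type></object><item>name</item><item>givenName</item></authorization>
  <authorization id="2"><phase>execution</phase><action>{ADD}</action>
    <object><type>UserType</type></object></authorization></role>"""

if __name__ == "__main__":
    print("\n".join(lint_role(ROLE) or ["no findings"]))
```

Run it against a role exported from midPoint before importing it; the findings are advisory, not a replacement for testing the role with the intended user.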

