[midPoint] How to filter users
Aivo Kuhlberg
aivo.kuhlberg at rmit.ee
Tue Sep 27 16:04:48 CEST 2016
Hi,
I want to give end users access to list users inside their organization. For that purpose I created a simple role with the following authorizations:
<authorization id="1">
    <name>GUI authorizations</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
</authorization>
<authorization id="2">
    <name>users-read</name>
    <description>
        Allow to read basic user properties to be able to display requestor details in the
        approval forms.
    </description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
        <filter>
            <q:equal>
                <q:path>organization</q:path>
                <q:value>70001000</q:value>
            </q:equal>
        </filter>
    </object>
    <c:item>name</c:item>
    <c:item>givenName</c:item>
    <c:item>familyName</c:item>
    <c:item>fullName</c:item>
    <c:item>employeeType</c:item>
    <c:item>emailAddress</c:item>
</authorization>
When assigning this role to a user, a menu item "Users" appears, and under it the command "List users". But when I click on that, a long list of errors appears in the log, one error for each user whose data the current user cannot access:
2016-09-27 16:52:16,227 [] [http-nio-8084-exec-3] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object user:c0466a98-f249-45ac-8cfa-07dd85edf05d(null): Access denied
And the listing shows "null (FATAL_ERROR)" for each inaccessible user. Is there a way to avoid this kind of error?
Regards,
Aivo Kuhlberg