[midPoint] How to filter users

Ivan Noris ivan.noris at evolveum.com
Wed Sep 28 09:18:13 CEST 2016


Hi Aivo,

just a wild guess (I remember something similar in the past): can you
also add <item>linkRef</item>?

Ivan


On 09/27/2016 04:04 PM, Aivo Kuhlberg wrote:
>
> Hi,
>
> I want to give end users access to list users inside their
> organization. For that purpose I created a simple role with following
> authorizations:
>    <authorization id="1">
>       <name>GUI authorizations</name>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
>    </authorization>
>
>    <authorization id="2">
>       <name>users-read</name>
>       <description>
>             Allow to read basic user properties to be able to display
>             requestor details in the approval forms.
>       </description>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>       <object>
>          <type>UserType</type>
>          <filter>
>             <q:equal>
>                <q:path>organization</q:path>
>                <q:value>70001000</q:value>
>             </q:equal>
>          </filter>
>       </object>
>       <c:item>name</c:item>
>       <c:item>givenName</c:item>
>       <c:item>familyName</c:item>
>       <c:item>fullName</c:item>
>       <c:item>employeeType</c:item>
>       <c:item>emailAddress</c:item>
>    </authorization>
>
> When assigning this role to a user, the menu item "Users" appears and
> under it the command "List users". But when I click on that, a long
> list of errors appears in the log, one error for each user whose
> data the current user cannot access:
>
> 2016-09-27 16:52:16,227 [] [http-nio-8084-exec-3] ERROR
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error
> post-processing object
> user:c0466a98-f249-45ac-8cfa-07dd85edf05d(null): Access denied
>
> And the listing shows "null (FATAL_ERROR)" for each inaccessible user.
> Is there a way to avoid this kind of error?
>
>
> Regards,
>
> Aivo Kuhlberg
>
>
> ------------------------------------------------------------------------
> This e-mail may contain information which is classified for official use.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
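The role from the question with Ivan's suggested linkRef item added, written out as a complete role object; this is an added example, not anything posted in the thread. It assumes the original filter and item list are kept, uses the standard midPoint common-3 (default namespace) and prism query-3 namespaces, and the role name is constructed.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <!-- constructed role name for this example -->
    <name>org-users-reader</name>

    <!-- GUI access: the Users menu and the user detail page -->
    <authorization id="1">
        <name>GUI authorizations</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
    </authorization>

    <!-- Model access: read only users in organization 70001000,
         and only the listed items of those users -->
    <authorization id="2">
        <name>users-read</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
            <filter>
                <q:equal>
                    <q:path>organization</q:path>
                    <q:value>70001000</q:value>
                </q:equal>
            </filter>
        </object>
        <item>name</item>
        <item>givenName</item>
        <item>familyName</item>
        <item>fullName</item>
        <item>employeeType</item>
        <item>emailAddress</item>
        <!-- added per Ivan's suggestion in this thread -->
        <item>linkRef</item>
    </authorization>
</role>
```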
