[midPoint] How to filter users

Aivo Kuhlberg aivo.kuhlberg at rmit.ee
Wed Sep 28 09:43:58 CEST 2016


Hi Ivan,

That did not help. Results are the same.

Aivo

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Sent: 28 September 2016 10:18
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] How to filter users


Hi Aivo,

just a wild guess (I remember something similar in the past): can you also add <item>linkRef</item>?

Ivan

On 09/27/2016 04:04 PM, Aivo Kuhlberg wrote:

Hi,

I want to give end users access to list users inside their organization. For that purpose I created a simple role with the following authorizations:
   <authorization id="1">
      <!-- GUI access only: shows the "Users" menu and the user details page -->
      <name>GUI authorizations</name>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
   </authorization>

   <authorization id="2">
      <name>users-read</name>
      <description>
         Allow to read basic user properties to be able to display requestor details in the
         approval forms.
      </description>
      <!-- Model-level read access, limited by the object filter and the listed items -->
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
      <object>
         <type>UserType</type>
         <filter>
            <q:equal>
               <q:path>organization</q:path>
               <q:value>70001000</q:value>
            </q:equal>
         </filter>
      </object>
      <!-- Only these user properties may be read -->
      <c:item>name</c:item>
      <c:item>givenName</c:item>
      <c:item>familyName</c:item>
      <c:item>fullName</c:item>
      <c:item>employeeType</c:item>
      <c:item>emailAddress</c:item>
   </authorization>

When I assign this role to a user, the menu item "Users" appears, and under it the command "List users". But when I click on it, a long list of errors appears in the log, one error for each user whose data the current user cannot access:

2016-09-27 16:52:16,227 [] [http-nio-8084-exec-3] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object user:c0466a98-f249-45ac-8cfa-07dd85edf05d(null): Access denied

And the listing shows "null (FATAL_ERROR)" for each inaccessible user. Is there a way to avoid this kind of error?


Regards,

Aivo Kuhlberg

________________________________
This e-mail may contain information which is classified for official use.


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint



--
Ivan Noris
Senior Identity Engineer
evolveum.com


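The symptom described in the thread (one "Access denied" post-processing error per out-of-scope user, all from a single request thread) is worth being able to spot in the logs, since it means the search fetched objects the end user was never authorized to see and only rejected them afterwards. The following parser is an added example written for this page, not code from midPoint or from either poster; it reads lines in the layout of the log line quoted above, extracts the denied object OIDs, and flags a burst of denials within one request thread. The sample log is constructed: the first OID is the one quoted in the thread, the other OIDs, the thread names and the WARN line are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in midPoint's log layout (only the first OID comes from the thread).
SAMPLE_LOG = """\
2016-09-27 16:52:16,227 [] [http-nio-8084-exec-3] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object user:c0466a98-f249-45ac-8cfa-07dd85edf05d(null): Access denied
2016-09-27 16:52:16,231 [] [http-nio-8084-exec-3] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object user:11111111-2222-3333-4444-555555555555(null): Access denied
2016-09-27 16:52:16,240 [] [http-nio-8084-exec-3] WARN (com.example.ConstructedNoise): unrelated line the parser must skip
2016-09-27 16:52:16,244 [] [http-nio-8084-exec-3] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object user:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee(null): Access denied
2016-09-27 16:53:02,003 [] [http-nio-8084-exec-7] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object user:11111111-2222-3333-4444-555555555555(null): Access denied
not a log line at all
"""

# Generic line layout: timestamp [marker] [thread] LEVEL (logger): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"\[(?P<marker>[^\]]*)\] \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) \((?P<logger>[^)]+)\): (?P<msg>.*)$"
)

# The specific message quoted in the thread: "<type>:<oid>(<name>): Access denied"
DENIED_RE = re.compile(
    r"^Error post-processing object (?P<type>\w+):(?P<oid>[0-9a-f-]{36})"
    r"\((?P<name>[^)]*)\): Access denied$"
)


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %f accepts the 3-digit millisecond fraction used in the log
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def access_denied_events(text):
    """Return the per-object 'Access denied' post-processing errors found in the text."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        d = DENIED_RE.match(rec["msg"])
        if d is None:
            continue
        events.append({"ts": rec["ts"], "thread": rec["thread"],
                       "type": d["type"], "oid": d["oid"]})
    return events


def summarize(events, burst_window_seconds=5):
    """Group denials by request thread and flag bursts.

    Several denials within one thread and a few seconds of each other mean a
    single request touched objects the caller may not read: the search returned
    them and they were rejected only in post-processing, exactly the listing
    behaviour described in the thread.
    """
    by_thread = defaultdict(list)
    for e in events:
        by_thread[e["thread"]].append(e)
    summary = {}
    for thread, evs in by_thread.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        summary[thread] = {
            "count": len(evs),
            "distinct_oids": sorted({e["oid"] for e in evs}),
            "span_seconds": span,
            "burst": len(evs) >= 2 and span <= burst_window_seconds,
        }
    return summary


if __name__ == "__main__":
    for thread, info in summarize(access_denied_events(SAMPLE_LOG)).items():
        flag = "BURST" if info["burst"] else "single"
        print(f"{thread}: {info['count']} denied object(s) in "
              f"{info['span_seconds']:.3f}s [{flag}]")
        for oid in info["distinct_oids"]:
            print(f"  {oid}")
```

Run it against a midPoint log file instead of SAMPLE_LOG by passing the file contents to access_denied_events; a thread flagged as a burst is a request whose result set was wider than the caller's read authorization, which is the condition to investigate before exposing the listing to end users.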