[midPoint] Allowing end users to request association to roles or organisations.
Roman Pudil - AMI Praha a.s.
roman.pudil at ami.cz
Wed Dec 13 15:09:41 CET 2017
Hello Chris,
try this partial example:

<authorization id="19">
    <decision>allow</decision>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <object>
        <type>UserType</type>
    </object>
    <target>
        <type>RoleType</type>
        <filter>
            <q:equal>
                <q:path>roleType</q:path>
                <q:value>login-role</q:value>
            </q:equal>
        </filter>
    </target>
</authorization>
This authorization allows assigning and unassigning roles that have the
attribute roleType=login-role filled in to users.
Try this:
1) Create a new custom role.
2) In this role, set an inducement to the End user role:
<inducement id="7">
    <targetRef oid="00000000-0000-0000-0000-000000000008" type="c:RoleType"><!-- End user -->
        <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
    </targetRef>
</inducement>
3) Add the authorization from the example above.
The resulting custom role (i.e. the user who has this role assigned) will have
all the credentials from the End User role (via the inducement) plus the new
assign/unassign credentials.
Regards
Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded,
must be made exclusively in written form.
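Putting the three steps together, here is the complete custom role as one importable object. This is an added example, not code from the thread or from the midPoint project; the role name, the container ids and the `c:`/`q:` namespace prefixes are assumptions, while the End user OID and the roleType filter are taken from the reply above.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <!-- Role name is an assumption; choose whatever fits your deployment -->
    <name>End user with self-service role requests</name>

    <!-- Step 2: induce the built-in End user role (OID quoted in the thread)
         so holders keep the login / password change / account review rights.
         Container ids (1, 2) are arbitrary; they only need to be unique here. -->
    <inducement id="1">
        <targetRef oid="00000000-0000-0000-0000-000000000008" type="c:RoleType"/>
    </inducement>

    <!-- Step 3: allow assign/unassign, but only for roles tagged
         roleType=login-role. Without the <target> filter the same
         authorization would cover every role in the system. -->
    <authorization id="2">
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <object>
            <type>UserType</type>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>roleType</q:path>
                    <q:value>login-role</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>
</role>
```

The `<object><type>UserType</type></object>` clause permits assigning the filtered roles to any user; for pure self-service, `<object><special>self</special></object>` (the form used in the original question) narrows it to the requesting user's own object.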
------ Original message ------
From: "Christopher Hoskin" <christopher.hoskin at gmail.com>
To: midpoint at lists.evolveum.com
Sent: 13.12.2017 14:57:05
Subject: [midPoint] Allowing end users to request association to roles
or organisations.
>Hello,
>
>I'm evaluating MidPoint for my employer.
>
>One of the features that we're interested in is allowing end users to
>request association with a role or organisation. If I log in to the web
>interface as the administrator, then I can see roles and organisations
>under 'Request a role'. If I log in as a user with an assignment to the
>'End User' role, then I can't see any roles or organisations to request
>an association with.
>
>Doing a little reading, it appears that the user needs a role with the
>'selfRequestAssignment' authorization. So I have created a copy of the
>End User role and added the following authorization:
>
> <authorization id="11">
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfRequestAssignment</action>
>     <object>
>         <special>self</special>
>     </object>
> </authorization>
>
>However, when I log in as a user with this new role, I am still unable
>to see any roles or organisations to request association with.
>
>Have I got something wrong? Is there something else I need to do?
>
>Thanks.
>
>Christopher Hoskin