[midPoint] Create a role with read permission on users
Oskar Butovič - AMI Praha a.s.
oskar.butovic at ami.cz
Thu Feb 23 15:24:52 CET 2017
You need model authorization too.
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
    </object>
</authorization>
See more in
https://wiki.evolveum.com/display/midPoint/Authorization+Configuration#AuthorizationConfiguration-"Core"Authorizations
2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it>:
> Hi,
>
> I'm on midpoint 3.4.1 and I would like to create a role that grants to a
> user to list all other users
> and see (only see, not modify) their Basic, Projection and Assignment tabs.
>
> I have assigned to this user the role "end user" and I created the role
> "Guest" with the authorization
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
> and
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>
> but this user can see only himself.
>
> PS: My other midpoint users do not have the "end user" role because they
> do not have to access on midPoint.
> Is this the "problem"?
>
> Thank you
--
Oskar Butovič
solution architect
gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
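
Added example, not part of the original thread: a sketch of the "Guest" role from the question with the reply's model authorization added next to the two GUI authorizations. The role name and the three action URIs come from the messages above; the grouping into two authorization blocks and the comments are assumptions made for illustration.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Guest</name>

    <!-- GUI authorizations from the question: these only open the
         user list and user details pages in the web interface. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
    </authorization>

    <!-- Model authorization from the reply: lets the holder read
         objects of type UserType. Only the read action is listed,
         so no modify, add or delete right is granted here. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>
```

The GUI actions decide which pages a user may open, while the model action decides which objects those pages are allowed to load. Keeping the model block limited to `#read` on `UserType` keeps the role read-only, as the question asked.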