[midPoint] Create a role with read permission on users

Marco Benucci m.benucci at nsr.it
Thu Feb 23 16:12:31 CET 2017


Ok, this is actually what I was looking for!

Now, I have the current configuration in my Guest role:
-----------
<authorization id="1">
    <name>Guest</name>
    <description>
        grants read-only privileges on all users, their projection
        and assignment
    </description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
</authorization>
<authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
    </object>
</authorization>
<authorization id="3">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>
-----------

Really really thank you!



On 02/23/2017 03:27 PM, Pálos Gustáv wrote:
> Hi Marco,
>
> you started correctly with this wiki page:
> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
> but you need also to read & apply this:
> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration
> if you have a problem, you can apply this:
> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
> and if nothing helped, please reply again to this subject with your 
> complete, actual role config and we will try to help.
>
> > PS: My other midpoint users do not have the "end user" role because 
> > they do not need to access midPoint.
> > Is this the "problem"?
>
> no, it is OK.
>
> Best regards,
>
> Gustav
>
> 2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it>:
>
>     Hi,
>
>     I'm on midpoint 3.4.1 and I would like to create a role that
>     allows a user to list all other users
>     and see (only see, not modify) their Basic, Projection and
>     Assignment tabs.
>
>     I have assigned to this user the role "end user" and I created the
>     role "Guest" with the authorization
>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
>     and
>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>
>     but this user can see only himself.
>
>     PS: My other midpoint users do not have the "end user" role
>     because they do not need to access midPoint.
>     Is this the "problem"?
>
>     Thank you
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> -- 
> Gustáv Pálos
> Identity Engineer
> evolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
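
As an added example that is not part of Marco's message or of midPoint's own tooling: the thread shows that UI authorizations (`authorization-ui-3#users`, `#userDetails`) only unlock screens, and that the model-level `authorization-model-3#read` grants on `UserType` and `ShadowType` are what actually let the Guest see other users. The script below reviews a role export for exactly that least-privilege shape: every model-level action must be `#read`, every `#read` must be scoped to an object type, and each required type must have a model-level read grant. The two role documents are constructed from the thread (the `<role>` wrapper without a namespace declaration is an assumption so the fragments parse), and treating any model-3 verb other than `read` as write-capable is an assumption of this checker, not a midPoint rule.

```python
import xml.etree.ElementTree as ET

MODEL_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"
UI_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#"

# Constructed sample input: the three authorizations of the Guest role from the
# thread, wrapped in a <role> element so the fragment parses as one document.
# The wrapper and its missing namespace declaration are assumptions.
GUEST_ROLE_XML = """
<role>
  <name>Guest</name>
  <authorization id="1">
    <name>Guest</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
  </authorization>
  <authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>UserType</type></object>
  </authorization>
  <authorization id="3">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>ShadowType</type></object>
  </authorization>
</role>
"""

# Constructed sample input: the first attempt from the thread, UI actions only.
UI_ONLY_ROLE_XML = """
<role>
  <name>Guest</name>
  <authorization id="1">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
  </authorization>
</role>
"""


def local_name(tag):
    """Strip a namespace prefix such as {uri}authorization -> authorization,
    so the checker also works on real exports that declare xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_authorizations(xml_text):
    """Return one {id, actions, types} dict per <authorization> element."""
    root = ET.fromstring(xml_text.strip())
    auths = []
    for elem in root.iter():
        if local_name(elem.tag) != "authorization":
            continue
        actions, types = [], []
        for child in elem:
            if local_name(child.tag) == "action" and child.text:
                actions.append(child.text.strip())
            elif local_name(child.tag) == "object":
                for sub in child:
                    if local_name(sub.tag) == "type" and sub.text:
                        types.append(sub.text.strip())
        auths.append({"id": elem.get("id"), "actions": actions, "types": types})
    return auths


def review_read_only_role(xml_text, required_types=("UserType", "ShadowType")):
    """Check that a role grants read access to the required types and nothing more.

    Returns (ok, findings). ok is True only when every model-level action is
    #read, every #read is scoped to an object type, and each required type has
    a model-level #read grant; UI authorizations alone never count, which is
    why the UI-only role let the user see nobody but himself.
    """
    findings = []
    read_types = set()
    for auth in parse_authorizations(xml_text):
        for action in auth["actions"]:
            if action.startswith(MODEL_NS):
                verb = action[len(MODEL_NS):]
                if verb != "read":
                    # Assumption: any model verb other than read can change data.
                    findings.append(f"authorization {auth['id']}: model action #{verb} is not read-only")
                elif not auth["types"]:
                    findings.append(f"authorization {auth['id']}: #read without <object><type> applies to every object type")
                else:
                    read_types.update(auth["types"])
            elif not action.startswith(UI_NS):
                findings.append(f"authorization {auth['id']}: action outside the ui-3/model-3 namespaces: {action}")
    for obj_type in required_types:
        if obj_type not in read_types:
            findings.append(f"no model-level #read on {obj_type}; UI authorizations alone do not grant it")
    return (not findings, findings)


if __name__ == "__main__":
    for label, xml_text in (("guest", GUEST_ROLE_XML), ("ui-only", UI_ONLY_ROLE_XML)):
        ok, findings = review_read_only_role(xml_text)
        print(f"{label}: {'OK' if ok else 'findings'}")
        for finding in findings:
            print("  -", finding)
```

Run against the two constructed roles, the full Guest role passes and the UI-only role is reported as missing model-level read on both `UserType` and `ShadowType`; swapping `#read` for another model verb in an export is flagged as not read-only, which is the kind of drift a periodic review of exported roles should catch.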


