[midPoint] Create a role with read permission on users
Marco Benucci
m.benucci at nsr.it
Thu Feb 23 16:12:31 CET 2017
Ok, this is actually what I was looking for!
Now I have the current configuration in my Guest role:
-----------
<authorization id="1">
    <name>Guest</name>
    <description>
        grants read-only privileges on all users, their projection
        and assignment
    </description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
</authorization>
<authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
    </object>
</authorization>
<authorization id="3">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>
-----------
Really, really, thank you!
On 02/23/2017 03:27 PM, Pálos Gustáv wrote:
> Hi Marco,
>
> you started correctly with this wiki page:
> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
> but you also need to read & apply this:
> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration
> if you have a problem, you can apply this:
> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
> and if nothing helps, please reply again to this subject with your
> complete current role config and we will try to help.
>
> > PS: My other midPoint users do not have the "end user" role because
> > they do not need to access midPoint.
> > Is this the "problem"?
>
> no, it is OK.
>
> Best regards,
>
> Gustav
>
> 2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it
> <mailto:m.benucci at nsr.it>>:
>
> Hi,
>
> I'm on midPoint 3.4.1 and I would like to create a role that
> grants a user the ability to list all other users
> and see (only see, not modify) their Basic, Projection and
> Assignment tabs.
>
> I have assigned to this user the role "end user" and I created the
> role "Guest" with the authorization
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
> and
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>
> but this user can see only himself.
>
> PS: My other midPoint users do not have the "end user" role
> because they do not need to access midPoint.
> Is this the "problem"?
>
> Thank you
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Gustáv Pálos
> Identity Engineer
> evolveum.com
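An added example, not from this thread and not midPoint's own code: a small Python check that parses the Guest role posted at the top of this message and lists, per object type, which model actions the role allows, flagging anything beyond read. It matches elements by local name, so it accepts both an unqualified fragment like the one above and a full role export in which midPoint qualifies the elements with its common-3 namespace. The wrapping <role> element, the function names and the WRITE_SAMPLE counter-example are this example's own assumptions; the action URIs are the ones used in the thread.

```python
import xml.etree.ElementTree as ET

# midPoint's public authorization namespaces, as used in the thread's role.
MODEL_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"
UI_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#"

# Sample input: the three authorizations of the Guest role from the thread,
# wrapped in a <role> element (the wrapper is constructed for this example).
SAMPLE_ROLE = f"""<role>
  <name>Guest</name>
  <authorization id="1">
    <name>Guest</name>
    <description>grants read-only privileges on all users, their projection and assignment</description>
    <action>{UI_NS}users</action>
    <action>{UI_NS}findUsers</action>
    <action>{UI_NS}userDetails</action>
  </authorization>
  <authorization id="2">
    <action>{MODEL_NS}read</action>
    <object><type>UserType</type></object>
  </authorization>
  <authorization id="3">
    <action>{MODEL_NS}read</action>
    <object><type>ShadowType</type></object>
  </authorization>
</role>"""

# Constructed counter-example: a role that also grants modify on users and
# carries an explicit deny, to show what the check flags and what it ignores.
WRITE_SAMPLE = f"""<role>
  <name>Not-so-guest</name>
  <authorization id="1">
    <action>{MODEL_NS}read</action>
    <action>{MODEL_NS}modify</action>
    <object><type>UserType</type></object>
  </authorization>
  <authorization id="2">
    <action>{MODEL_NS}delete</action>
    <decision>deny</decision>
    <object><type>ShadowType</type></object>
  </authorization>
</role>"""


def _local(tag):
    """Local element name; full exports qualify tags as '{namespace}name'."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el):
    return (el.text or "").strip()


def parse_authorizations(xml_text):
    """Return one dict per <authorization>: id, action URIs, object types, decision."""
    root = ET.fromstring(xml_text)
    auths = []
    for el in root.iter():
        if _local(el.tag) != "authorization":
            continue
        decisions = _children(el, "decision")
        auths.append({
            "id": el.get("id"),
            "actions": [_text(a) for a in _children(el, "action") if _text(a)],
            "types": [_text(t) for o in _children(el, "object")
                      for t in _children(o, "type") if _text(t)],
            # A missing <decision> means allow in midPoint.
            "decision": _text(decisions[0]) if decisions else "allow",
        })
    return auths


def model_grants(auths):
    """Map object type -> sorted allowed model actions (read, modify, ...).
    UI actions are not per-object and are left out; an allow authorization
    with no <object> applies to every type and is recorded under '*'."""
    grants = {}
    for a in auths:
        if a["decision"] != "allow":
            continue
        for act in a["actions"]:
            if act.startswith(MODEL_NS):
                for t in (a["types"] or ["*"]):
                    grants.setdefault(t, set()).add(act[len(MODEL_NS):])
    return {t: sorted(v) for t, v in grants.items()}


def non_read_grants(auths):
    """(type, action) pairs that allow more than read; empty for a read-only role."""
    return [(t, n) for t, names in sorted(model_grants(auths).items())
            for n in names if n != "read"]


def ui_actions(auths):
    """Sorted GUI action names the role allows (users, findUsers, ...)."""
    return sorted({act[len(UI_NS):] for a in auths if a["decision"] == "allow"
                   for act in a["actions"] if act.startswith(UI_NS)})


if __name__ == "__main__":
    for label, xml in (("Guest", SAMPLE_ROLE), ("counter-example", WRITE_SAMPLE)):
        auths = parse_authorizations(xml)
        print(label, "model grants:", model_grants(auths), "UI:", ui_actions(auths))
        print("  beyond read:", non_read_grants(auths) or "none")
```

Run it against a role file before importing it: an empty "beyond read" list for the Guest role confirms that the only model-level grants are read on UserType and ShadowType, while the UI actions only open the user list and detail pages. Explicit deny authorizations are skipped because they take nothing away from the check's purpose, which is to enumerate what the role allows.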