[midPoint] Create a role with read permission on users
Ivan Noris
ivan.noris at evolveum.com
Fri Feb 24 09:47:17 CET 2017
Hi Marco,
you can make it even better if all your users have some common property,
e.g. employeeType, and you can allow to see only users having specific
value(s) in that property. This will allow you to hide special account
such as administrator.
For example, I'm using this:
...
<authorization>
<name>Read users</name>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>UserType</type>
<filter>
<q:or>
<q:equal>
<q:path>employeeType</q:path>
<q:value>EMPLOYEE</q:value>
</q:equal>
<q:equal>
<q:path>employeeType</q:path>
<q:value>CONTRACTOR</q:value>
</q:equal>
<q:equal>
<q:path>employeeType</q:path>
<q:value>Vendor</q:value>
</q:equal>
<q:equal>
<q:path>employeeType</q:path>
<q:value>MagicVendor</q:value>
</q:equal>
<q:equal>
<q:path>employeeType</q:path>
<q:value>System</q:value>
</q:equal>
</q:or>
</filter>
</object>
</authorization>
...
Ivan
On 02/23/2017 04:12 PM, Marco Benucci wrote:
>
> Ok, this actually what i was looking for!
>
> Now, i have the current configuration in my guest Role:
> -----------
> <authorization id="1">
> <name>Guest</name>
> <description>
> grants read-only privileges on all users, their projection
> and assignment
> </description>
>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
> </authorization>
> <authorization id="2">
>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
> <object>
> <type>UserType</type>
> </object>
> </authorization>
> <authorization id="3">
>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
> <object>
> <type>ShadowType</type>
> </object>
> </authorization>
> -----------
>
> Really really thank you!
>
>
>
> On 02/23/2017 03:27 PM, Pálos Gustáv wrote:
>> Hi Marco,
>>
>> you started correctly with this wiki page:
>> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
>> but you need also to read & apply this:
>> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration
>> if you have a problem, you can apply this:
>> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
>> and if nothing helped, please reply again to this subject your
>> complete actual role config and we try to help.
>>
>> > PS: My other midpoint users do not have the "end user" role because
>> they do not have to access on midPoint.
>> Is this the "problem"?
>>
>> no, it is OK.
>>
>> Best regards,
>>
>> Gustav
>>
>> 2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it
>> <mailto:m.benucci at nsr.it>>:
>>
>> Hi,
>>
>> I'm on midpoint 3.4.1 and I would like to create a role that
>> grants to a user to list all other users
>> and see (only see, not modify) their Basic, Projection and
>> Assignment tabs.
>>
>> I have assigned to this user the role "end user" and I created
>> the role "Guest" with the
>> the authorization
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
>> <http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users>
>> and
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>> <http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails>
>>
>> but this user can see only himself.
>>
>> PS: My other midpoint users do not have the "end user" role
>> because they do not have to access on midPoint.
>> Is this the "problem"?
>>
>> Thank you
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>>
>>
>>
>> --
>> Gustáv Pálos
>> Identity Engineer
>> evolveum.com <http://evolveum.com/>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170224/af9740ae/attachment.htm>
More information about the midPoint
mailing list