[midPoint] Create a role with read permission on users

Marco Benucci m.benucci at nsr.it
Fri Feb 24 10:10:54 CET 2017


Hi,

Actually this could be a great idea!
I use midPoint to manage virtual identities for real persons and 
functional Active Directory accounts...
They have an extension attribute in which I write 'Personal' or 
'Functional'.

I suppose I can filter by
<q:equal>
     <q:path>extension/kind</q:path>
     <q:value>Personal</q:value>
</q:equal>

Is this correct?


On 02/24/2017 09:47 AM, Ivan Noris wrote:
>
> Hi Marco,
>
> you can make it even better if all your users have some common 
> property, e.g. employeeType, and you can allow seeing only users 
> having specific value(s) in that property. This will allow you to hide 
> special accounts such as administrator.
>
> For example, I'm using this:
>
> ...
>
>     <authorization>
>         <name>Read users</name>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>         <object>
>             <type>UserType</type>
>             <filter>
>                 <q:or>
>                     <q:equal>
>                         <q:path>employeeType</q:path>
>                         <q:value>EMPLOYEE</q:value>
>                     </q:equal>
>                     <q:equal>
>                         <q:path>employeeType</q:path>
>                         <q:value>CONTRACTOR</q:value>
>                     </q:equal>
>                     <q:equal>
>                         <q:path>employeeType</q:path>
>                         <q:value>Vendor</q:value>
>                     </q:equal>
>                     <q:equal>
>                         <q:path>employeeType</q:path>
>                         <q:value>MagicVendor</q:value>
>                     </q:equal>
>                     <q:equal>
>                         <q:path>employeeType</q:path>
>                         <q:value>System</q:value>
>                     </q:equal>
>                 </q:or>
>             </filter>
>         </object>
>     </authorization>
>
> ...
>
> Ivan
>
> On 02/23/2017 04:12 PM, Marco Benucci wrote:
>>
>> Ok, this is actually what I was looking for!
>>
>> Now, I have the current configuration in my Guest role:
>> -----------
>>    <authorization id="1">
>>       <name>Guest</name>
>>       <description>
>>          grants read-only privileges on all users, their
>>          projection and assignment
>>       </description>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
>>    </authorization>
>>    <authorization id="2">
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>       <object>
>>          <type>UserType</type>
>>       </object>
>>    </authorization>
>>    <authorization id="3">
>>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>       <object>
>>          <type>ShadowType</type>
>>       </object>
>>    </authorization>
>> -----------
>>
>> Really really thank you!
>>
>>
>>
>> On 02/23/2017 03:27 PM, Pálos Gustáv wrote:
>>> Hi Marco,
>>>
>>> you started correctly with this wiki page:
>>> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
>>> but you also need to read & apply this:
>>> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration
>>> if you have a problem, you can apply this:
>>> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
>>> and if nothing helps, please reply again to this subject with your 
>>> complete current role config and we will try to help.
>>>
>>> > PS: My other midPoint users do not have the "end user" role 
>>> because they do not have to access midPoint.
>>> Is this the "problem"?
>>>
>>> no, it is OK.
>>>
>>> Best regards,
>>>
>>> Gustav
>>>
>>> 2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it>:
>>>
>>>     Hi,
>>>
>>>     I'm on midPoint 3.4.1 and I would like to create a role that
>>>     grants a user the ability to list all other users
>>>     and see (only see, not modify) their Basic, Projection and
>>>     Assignment tabs.
>>>
>>>     I have assigned to this user the role "end user" and I created
>>>     the role "Guest" with the authorizations
>>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
>>>     and
>>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>>>
>>>     but this user can see only himself.
>>>
>>>     PS: My other midPoint users do not have the "end user" role
>>>     because they do not have to access midPoint.
>>>     Is this the "problem"?
>>>
>>>     Thank you
>>>
>>>
>>>     _______________________________________________
>>>     midPoint mailing list
>>>     midPoint at lists.evolveum.com
>>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>> -- 
>>> Gustáv Pálos
>>> Identity Engineer
>>> evolveum.com
>>>
>>
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
