[midPoint] Create a role with read permission on users

Marco Benucci m.benucci at nsr.it
Fri Feb 24 10:27:29 CET 2017


The filter

<q:equal>
     <q:path>extension/kind</q:path>
     <q:value>Personal</q:value>
</q:equal>

works, thank you for your hint!

Marco




On 02/24/2017 10:10 AM, Marco Benucci wrote:
> Hi,
>
> Actually this could be a great idea!
> I use midPoint to manage virtual identities for real persons and 
> functional Active Directory accounts...
> They have an extension attribute in which I write 'Personal' or 
> 'Functional'.
>
> I suppose I can filter by
> <q:equal>
>     <q:path>extension/kind</q:path>
>     <q:value>Personal</q:value>
> </q:equal>
>
> Is this correct?
>
>
> On 02/24/2017 09:47 AM, Ivan Noris wrote:
>>
>> Hi Marco,
>>
>> you can make it even better if all your users have some common 
>> property, e.g. employeeType, and you allow seeing only users 
>> having specific value(s) in that property. This will allow you to 
>> hide special accounts such as administrator.
>>
>> For example, I'm using this:
>>
>> ...
>>
>>     <authorization>
>>         <name>Read users</name>
>>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>         <object>
>>             <type>UserType</type>
>>             <filter>
>>                 <q:or>
>>                     <q:equal>
>>                         <q:path>employeeType</q:path>
>>                         <q:value>EMPLOYEE</q:value>
>>                     </q:equal>
>>                     <q:equal>
>>                         <q:path>employeeType</q:path>
>>                         <q:value>CONTRACTOR</q:value>
>>                     </q:equal>
>>                     <q:equal>
>>                         <q:path>employeeType</q:path>
>>                         <q:value>Vendor</q:value>
>>                     </q:equal>
>>                     <q:equal>
>>                         <q:path>employeeType</q:path>
>>                         <q:value>MagicVendor</q:value>
>>                     </q:equal>
>>                     <q:equal>
>>                         <q:path>employeeType</q:path>
>>                         <q:value>System</q:value>
>>                     </q:equal>
>>                 </q:or>
>>             </filter>
>>         </object>
>>     </authorization>
>>
>> ...
>>
>> Ivan
>>
>> On 02/23/2017 04:12 PM, Marco Benucci wrote:
>>>
>>> OK, this is actually what I was looking for!
>>>
>>> Now, I have the current configuration in my Guest role:
>>> -----------
>>> <authorization id="1">
>>>    <name>Guest</name>
>>>    <description>
>>>       grants read-only privileges on all users, their projection and assignment
>>>    </description>
>>>    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>>>    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
>>>    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
>>> </authorization>
>>> <authorization id="2">
>>>    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>>    <object>
>>>       <type>UserType</type>
>>>    </object>
>>> </authorization>
>>> <authorization id="3">
>>>    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>>    <object>
>>>       <type>ShadowType</type>
>>>    </object>
>>> </authorization>
>>> -----------
>>>
>>> Really, really, thank you!
>>>
>>>
>>>
>>> On 02/23/2017 03:27 PM, Pálos Gustáv wrote:
>>>> Hi Marco,
>>>>
>>>> you started correctly with this wiki page:
>>>> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
>>>> but you also need to read and apply this:
>>>> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration
>>>> if you have a problem, you can apply this:
>>>> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
>>>> and if nothing helps, please reply again to this thread with your 
>>>> complete current role config and we will try to help.
>>>>
>>>> > PS: My other midPoint users do not have the "end user" role 
>>>> > because they do not need to access midPoint.
>>>> > Is this the "problem"?
>>>>
>>>> No, it is OK.
>>>>
>>>> Best regards,
>>>>
>>>> Gustav
>>>>
>>>> 2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it>:
>>>>
>>>>     Hi,
>>>>
>>>>     I'm on midPoint 3.4.1 and I would like to create a role that
>>>>     allows a user to list all other users
>>>>     and see (only see, not modify) their Basic, Projection and
>>>>     Assignment tabs.
>>>>
>>>>     I have assigned to this user the role "end user" and I created
>>>>     the role "Guest" with the authorizations
>>>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
>>>>     and
>>>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>>>>
>>>>     but this user can see only himself.
>>>>
>>>>     PS: My other midPoint users do not have the "end user" role
>>>>     because they do not need to access midPoint.
>>>>     Is this the "problem"?
>>>>
>>>>     Thank you
>>>>
>>>>
>>>>     _______________________________________________
>>>>     midPoint mailing list
>>>>     midPoint at lists.evolveum.com
>>>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>> Gustáv Pálos
>>>> Identity Engineer
>>>> evolveum.com
>>>>
>>>
>>>
>>
>> -- 
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>
>
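
For reference, here is the complete Guest role the thread converges on, written as an added example rather than a configuration posted by anyone in the thread: Marco's three authorizations, with the unrestricted UserType read replaced by Ivan's filter approach applied to the `extension/kind` attribute. The `common-3` and `query-3` namespace URIs and the authorization names are my assumptions (they do not appear in the thread), and the extension item `kind` is assumed to be defined in the user schema extension as Marco describes.

```xml
<!-- Added example, not a configuration posted in the thread.
     Assumes the midPoint common-3 and Prism query-3 namespaces and that
     the extension item 'kind' is defined in the user schema extension. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Guest</name>
    <description>
        Read-only view of personal users: list them and open their Basic,
        Projection and Assignment tabs, without any modify rights.
    </description>

    <!-- GUI pages the role may open (the same UI actions as in the thread). -->
    <authorization>
        <name>Guest UI</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
    </authorization>

    <!-- Model-level read limited by a filter instead of granted on every
         UserType: only users whose extension/kind equals 'Personal' are
         visible, so functional accounts and anything without that value
         (such as administrator) stay hidden. -->
    <authorization>
        <name>Read personal users</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
            <filter>
                <q:equal>
                    <q:path>extension/kind</q:path>
                    <q:value>Personal</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>

    <!-- Read of shadows (projections), left unfiltered here exactly as in
         the configuration Marco posted in the thread. -->
    <authorization>
        <name>Read shadows</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>
</role>
```

Because the filter is an allow list on a single value, any user record that lacks `kind = Personal` is simply absent from the guest's searches and detail pages; use the Troubleshooting Authorizations wiki page linked above to verify the effective filter if a user is unexpectedly hidden or visible.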
