[midPoint] Create a role with read permission on users

Ivan Noris ivan.noris at evolveum.com
Fri Feb 24 11:07:49 CET 2017


Yes, this would work if the attribute is set as indexed (in your case in
the custom schema). A quick check to see whether an attribute is indexed is
to try to find by that attribute in (e.g.) the User list.

Ivan


On 02/24/2017 10:27 AM, Marco Benucci wrote:
>
> The filter
>
> <q:equal>
>     <q:path>extension/kind</q:path>
>     <q:value>Personal</q:value>
> </q:equal>
>
> works, thank you for your hint!
>
> Marco
>
>
>
>
> On 02/24/2017 10:10 AM, Marco Benucci wrote:
>> Hi,
>>
>> Actually this could be a great idea!
>> I use midPoint to manage virtual identities for real persons and
>> functional ActiveDirectory accounts...
>> They have an extension attribute in which I write 'Personal' or
>> 'Functional'.
>>
>> I suppose I can filter by
>> <q:equal>
>>     <q:path>extension/kind</q:path>
>>     <q:value>Personal</q:value>
>> </q:equal>
>>
>> is this correct?
>>
>>
>> On 02/24/2017 09:47 AM, Ivan Noris wrote:
>>>
>>> Hi Marco,
>>>
>>> you can make it even better if all your users have some common
>>> property, e.g. employeeType, and you can allow seeing only users
>>> having specific value(s) in that property. This will allow you to
>>> hide special accounts such as administrator.
>>>
>>> For example, I'm using this:
>>>
>>> ...
>>>
>>>     <authorization>
>>>         <name>Read users</name>
>>>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>>         <object>
>>>             <type>UserType</type>
>>>             <filter>
>>>                 <q:or>
>>>                     <q:equal>
>>>                         <q:path>employeeType</q:path>
>>>                         <q:value>EMPLOYEE</q:value>
>>>                     </q:equal>
>>>                     <q:equal>
>>>                         <q:path>employeeType</q:path>
>>>                         <q:value>CONTRACTOR</q:value>
>>>                     </q:equal>
>>>                     <q:equal>
>>>                         <q:path>employeeType</q:path>
>>>                         <q:value>Vendor</q:value>
>>>                     </q:equal>
>>>                     <q:equal>
>>>                         <q:path>employeeType</q:path>
>>>                         <q:value>MagicVendor</q:value>
>>>                     </q:equal>
>>>                     <q:equal>
>>>                         <q:path>employeeType</q:path>
>>>                         <q:value>System</q:value>
>>>                     </q:equal>
>>>                 </q:or>
>>>             </filter>
>>>         </object>
>>>     </authorization>
>>>
>>> ...
>>>
>>> Ivan
>>>
>>> On 02/23/2017 04:12 PM, Marco Benucci wrote:
>>>>
>>>> Ok, this is actually what I was looking for!
>>>>
>>>> Now, I have the current configuration in my guest Role:
>>>> -----------
>>>> <authorization id="1">
>>>>     <name>Guest</name>
>>>>     <description>
>>>>         grants read-only privileges on all users, their
>>>>         projection and assignment
>>>>     </description>
>>>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
>>>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
>>>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
>>>> </authorization>
>>>> <authorization id="2">
>>>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>>>     <object>
>>>>         <type>UserType</type>
>>>>     </object>
>>>> </authorization>
>>>> <authorization id="3">
>>>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>>>     <object>
>>>>         <type>ShadowType</type>
>>>>     </object>
>>>> </authorization>
>>>> -----------
>>>>
>>>> Really really thank you!
>>>>
>>>>
>>>>
>>>> On 02/23/2017 03:27 PM, Pálos Gustáv wrote:
>>>>> Hi Marco,
>>>>>
>>>>> you started correctly with this wiki page:
>>>>> https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
>>>>> but you need also to read & apply this:
>>>>> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration
>>>>> if you have a problem, you can apply this:
>>>>> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
>>>>> and if nothing helped, please reply again to this subject with your
>>>>> complete actual role config and we will try to help.
>>>>>
>>>>> > PS: My other midpoint users do not have the "end user" role
>>>>> because they do not have to access on midPoint.
>>>>> Is this the "problem"?
>>>>>
>>>>> no, it is OK.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Gustav
>>>>>
>>>>> 2017-02-23 15:16 GMT+01:00 Marco Benucci <m.benucci at nsr.it>:
>>>>>
>>>>>     Hi,
>>>>>
>>>>>     I'm on midpoint 3.4.1 and I would like to create a role that
>>>>>     grants a user permission to list all other users
>>>>>     and see (only see, not modify) their Basic, Projection and
>>>>>     Assignment tabs.
>>>>>
>>>>>     I have assigned to this user the role "end user" and I created
>>>>>     the role "Guest" with the authorization
>>>>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users
>>>>>     and
>>>>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails
>>>>>
>>>>>     but this user can see only himself.
>>>>>
>>>>>     PS: My other midPoint users do not have the "end user" role
>>>>>     because they do not have to access midPoint.
>>>>>     Is this the "problem"?
>>>>>
>>>>>     Thank you
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     midPoint mailing list
>>>>>     midPoint at lists.evolveum.com
>>>>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Gustáv Pálos
>>>>> Identity Engineer
>>>>> evolveum.com
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> -- 
>>> Ivan Noris
>>> Senior Identity Engineer
>>> evolveum.com
>>>
>>>
>>
>>
>>
>
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
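The point of the thread above, as an added example that is not code from the midPoint project or from any of the thread's authors: a small Python evaluator that applies a role's UserType read authorization to constructed user records, showing that the unfiltered read from Marco's authorization 2 exposes every user including administrator, while the extension/kind filter suggested in the thread exposes only matching users. The q: namespace URI is the one midPoint 3.x uses for its query language; the user record layout and the filter evaluator are assumptions made for this demonstration, not midPoint's own authorization engine.

```python
# Added example, not midPoint project code: evaluate a role's UserType read
# authorization <filter> in Python to see which users it would expose.
import xml.etree.ElementTree as ET

Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"  # midPoint 3.x q: namespace
USERS = [  # constructed records; 'extension' models the custom-schema attribute 'kind'
    {"name": "administrator", "employeeType": "System-internal", "extension": {}},
    {"name": "jsmith", "employeeType": "EMPLOYEE", "extension": {"kind": "Personal"}},
    {"name": "svc-backup", "employeeType": "EMPLOYEE", "extension": {"kind": "Functional"}},
]

# Authorization 2 from the thread: read on UserType with no filter at all.
UNFILTERED = """<authorization xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
  <object><type>UserType</type></object>
</authorization>"""

# The same authorization narrowed with the extension/kind filter from the thread.
FILTERED = """<authorization xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
  <object><type>UserType</type>
    <filter><q:equal><q:path>extension/kind</q:path><q:value>Personal</q:value></q:equal></filter>
  </object>
</authorization>"""

def lookup(user, path):
    """Resolve an item path such as 'employeeType' or 'extension/kind'; None if absent."""
    node = user
    for seg in path.strip().split("/"):
        node = node.get(seg) if isinstance(node, dict) else None
    return node

def matches(filt, user):
    """Evaluate a q:equal, q:or or q:and element against one user record."""
    tag = filt.tag.replace(Q, "")
    if tag == "equal":  # one or more <q:value>; any match counts
        return lookup(user, filt.find(Q + "path").text) in [v.text for v in filt.findall(Q + "value")]
    results = [matches(child, user) for child in filt]
    if tag == "or":
        return any(results)
    if tag == "and":
        return all(results)
    raise ValueError("unsupported filter element: " + tag)

def visible_users(authorization_xml, users=USERS):
    """Names the authorization lets its holder read; no <filter> means every user."""
    filt = ET.fromstring(authorization_xml).find("object/filter")
    if filt is None or len(filt) == 0:
        return [u["name"] for u in users]
    return [u["name"] for u in users if matches(filt[0], u)]
```

Running `visible_users` on both fragments makes the difference concrete: the unfiltered read lists administrator alongside the personal accounts, the filtered one does not.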
