[midPoint] Restricting the roles a user can assign

Ivan Noris ivan.noris at evolveum.com
Tue Mar 14 19:00:56 CET 2017


Hi,

Has your user been assigned just this role, or another one too? More
specifically, does your user have End user as well or not?

(End user role has privileges to see all roles, for example).


Ivan


On 03/14/2017 04:28 PM, Pertti Kellomäki wrote:
>
> Hi all,
>
>
> I am trying to create a restricted administrator role similar to the
> call center operator at
>
> https://wiki.evolveum.com/x/UwDy
>
>
> Below are the authorizations of the role. From the example I would
> expect that a user with the restricted administrator role would only
> be able to see and assign roles with roleType 'kapa' to other users,
> but instead all roles are visible, and the administrator can happily
> make other users superusers. I must be missing something very basic
> here. My midPoint version is 3.5 if that makes a difference.
>
>
> Thanks, Pertti
>
>
>    <authorization id="2">
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#dashboard</action>
>    </authorization>
>    <authorization id="3">
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>       <object>
>          <type>OrgType</type>
>       </object>
>    </authorization>
>    <authorization id="4">
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>       <object>
>          <type>UserType</type>
>       </object>
>    </authorization>
>    <authorization id="5">
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
>       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
>       <target>
>          <type>RoleType</type>
>          <filter>
>             <q:equal>
>                <q:path>roleType</q:path>
>                <q:value>kapa</q:value>
>             </q:equal>
>          </filter>
>       </target>
>    </authorization>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
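Added here to illustrate the point made in the reply; this is a hypothetical Python model written for this thread, not code from midPoint or from either poster. It parses a constructed copy of authorizations 4 and 5 from the question (the q: prism query namespace declaration is my assumption) and evaluates requests additively: with only the restricted role, assigning a non-kapa role is refused and roles are not readable at all, while a second role that grants unrestricted read (a constructed stand-in for what the reply says End user contributes) makes every role visible.

```python
import xml.etree.ElementTree as ET

# Hypothetical evaluator of midPoint-style authorizations, written for this
# thread; it is not midPoint's engine. Assumption: authorizations are additive,
# so a request passes if any single authorization covers it.
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"
Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"  # assumed prism query ns

# Constructed copy of authorizations 4 and 5 from the question.
RESTRICTED_ADMIN = f"""<role xmlns:q="{Q[1:-1]}">
  <authorization id="4">
    <action>{MODEL}read</action><action>{MODEL}modify</action>
    <object><type>UserType</type></object>
  </authorization>
  <authorization id="5">
    <action>{MODEL}assign</action><action>{MODEL}unassign</action>
    <target><type>RoleType</type>
      <filter><q:equal><q:path>roleType</q:path><q:value>kapa</q:value></q:equal></filter>
    </target>
  </authorization>
</role>"""

# Constructed stand-in for a second role that may read every object.
READ_ALL = f'<role><authorization id="1"><action>{MODEL}read</action></authorization></role>'

def parse_authorizations(xml_text):
    """Return [(actions, object type or None, {path: value})] per authorization."""
    auths = []
    for a in ET.fromstring(xml_text).findall("authorization"):
        actions = {act.text.rsplit("#", 1)[-1] for act in a.findall("action")}
        # Simplification: <target> and <object> are both matched against the role.
        spec = a.find("target") if a.find("target") is not None else a.find("object")
        obj_type, conds = None, {}
        if spec is not None:
            obj_type = spec.findtext("type")
            for eq in spec.iter(f"{Q}equal"):
                conds[eq.findtext(f"{Q}path")] = eq.findtext(f"{Q}value")
        auths.append((actions, obj_type, conds))
    return auths

def allowed(auths, action, obj):
    """obj is a dict such as {"type": "RoleType", "roleType": "kapa"}."""
    for actions, obj_type, conds in auths:
        if action in actions and obj_type in (None, obj["type"]) \
                and all(obj.get(p) == v for p, v in conds.items()):
            return True
    return False

if __name__ == "__main__":
    admin = parse_authorizations(RESTRICTED_ADMIN)
    kapa = {"type": "RoleType", "roleType": "kapa"}
    su = {"type": "RoleType", "roleType": "superuser"}
    print(allowed(admin, "assign", kapa), allowed(admin, "assign", su))  # True False
    print(allowed(admin, "read", su), allowed(admin + parse_authorizations(READ_ALL), "read", su))  # False True
```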
