From markus.calmius at proton.ch Tue Jul 1 17:17:40 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Tue, 01 Jul 2025 15:17:40 +0000
Subject: [midPoint] Add delegation view
Message-ID: <3Ahz5V-u8FQ3Q98oNuVkVi4lv2ifANDrRyBQVNBYJIDsybHjA2-9LkDFrdsCA73EhqOIR8acfVADc2KTRVLIDZUX_HfiHjRLvRYFvo65UGo=@proton.ch>

Hi,

I think I asked this, or a similar question, last year.

Setup:
Midpoint: 4.8.5
Users have a few default roles; they do NOT have authorisation to Approve or Delegate requests by default.
We have some approval roles that use an archetype that also authorises those members to approve requests.

Vacation time is upon us.
I would like for all that have approval rights to be able to delegate to other users. But only delegate to users that also have approval rights.

I have created an Object Collection that displays this, but how can I force this object collection to be the only one available when a user clicks "Add Delegation"?
I seem to remember, hopefully wrongly, that this is not possible...

How can I force a specific collection for a specific part of the GUI?

Thanks in advance,
Markus

From ivan.noris at evolveum.com Wed Jul 2 10:38:06 2025
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 2 Jul 2025 10:38:06 +0200
Subject: [midPoint] How to add extension-attribute from HR - inbound Schema ?
In-Reply-To:
References:
Message-ID:

Hi,

I think what you want is to /populate/ (this is the keyword) the assignment properties. That is done outside the "target" element, but in "assignmentTargetSearch".

You should be able to use assignment properties (extensions) like this:

    OrgType
    _extension/title_

See also here: https://docs.evolveum.com/midpoint/reference/support-4.9/expressions/expressions/#assignment-target-search

Relation and subtype can be set using the "assignmentProperties" element as displayed in the documentation (chapter: *Relation parameter*). Chapter *Activation parameters* shows how activation properties of the assignment can be set; the example above for the extension property is analogous.

Hope this helps.

Best regards,
Ivan

On 30. 6. 2025 18:40, Bao Tran via midPoint wrote:
> Hi all,
>
> 1. We have successfully added an AssignmentExtensionSchema.xml (attachment) with detail:
> - extension ref="c:AssignmentType"
> - name=JobTitle
> - DisplayName=*title*
>
> And in midpoint GUI, it looks like the screenshot below
> title extension.png
>
> 2. Currently, we can only add assignment to user via OrganizationName (below xml)
>
> Our goal: is how to configure the *HR-application-inbound.xml* :: *inbound-schema*, in order to
> - Assign the user into Organization and add value for the *title* (which is extension above)
>
> ri:OrganizationName
> set-org-level1
> OrgType
> name
> *assignment*
> <-- We can only find the OrganizationName and make assignment for user -->
> <-- How do we set value for extension::JobTitle above ? -->
>
> Thank you in advance
> --
> Bao Tran
> Software developer
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

--
Ivan Noris
Expert Identity Engineer
evolveum.com
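Spelled out as a midPoint inbound-mapping fragment (an added example, not the configuration from either post): the assignmentTargetSearch selects the org by the value of ri:OrganizationName, and the populate element sets the assignment's extension item, outside the mapping's target. Assumed, because the posts do not show them: the HR attribute carrying the title is named ri:JobTitle, the extension item path is extension/title, the shadow variable is available to the populate expression, and the c, ri, q and org prefixes are declared on the enclosing resource.

```xml
<!-- Added example; not the original poster's HR-application-inbound.xml.
     Prefixes c, ri, q and org are assumed to be declared on the enclosing
     <resource> element. -->
<attribute>
    <ref>ri:OrganizationName</ref>
    <inbound>
        <name>set-org-level1</name>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:OrgType</targetType>
                <!-- Find the org whose name equals the HR OrganizationName value -->
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <path>$input</path>
                        </expression>
                    </q:equal>
                </filter>
                <!-- populate: set items on the assignment that is created,
                     here the extension item defined in AssignmentExtensionSchema.xml.
                     ri:JobTitle is an assumed HR attribute name. -->
                <populate>
                    <populateItem>
                        <expression>
                            <path>$shadow/attributes/ri:JobTitle</path>
                        </expression>
                        <target>
                            <path>extension/title</path>
                        </target>
                    </populateItem>
                </populate>
                <!-- Relation (and subtype) of the assignment, per the docs
                     chapter "Relation parameter" -->
                <assignmentProperties>
                    <relation>org:default</relation>
                </assignmentProperties>
            </assignmentTargetSearch>
        </expression>
        <!-- The mapping still targets the assignment container itself -->
        <target>
            <path>assignment</path>
        </target>
    </inbound>
</attribute>
```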
From hazelton at internet2.edu Wed Jul 2 21:18:14 2025
From: hazelton at internet2.edu (Keith Hazelton)
Date: Wed, 2 Jul 2025 19:18:14 +0000
Subject: [midPoint] AD LDAP connector: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
In-Reply-To:
References:
Message-ID:

Mr Wang,

Seems there is a small miscommunication in our recent email conversations. You say you are on midPoint version 4.9.9, but as far as I know, the latest release is 4.9.3. Just want to be sure we are looking at the same version.

--Keith - hazelton at internet2.edu

________________________________
From: midPoint on behalf of Wang, Eugene Mr. (Fed) via midPoint
Sent: Thursday, June 26, 2025 9:07 AM
To: midpoint at lists.evolveum.com
Cc: Wang, Eugene Mr. (Fed); Withers, Timothy J. (Fed); Jiang, Scott Zhihua (Fed); Wei, Jingfang (Jenny) (Fed)
Subject: [midPoint] AD LDAP connector: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)

We have troubleshooted this issue following the instructions provided by the midPoint supporting engineers Claude and Keith.
https://claude.ai/share/67073561-d22d-43fe-8423-df33ad26cbf4

Unfortunately, we were not able to figure out the cause of the problem. Any advice is deeply appreciated.

We confirmed our AD setting:
* Active Directory DS supports the full function level of 2016 and is deployed on Windows 2019.
* The user account is in the Domain Admin group.
* The user account has both the additional permissions required by midPoint provisioning operations:
  * Replicating Directory Changes
  * Replicating Directory Changes All

The midPoint application is the release of 4.9.9.

We turned the midPoint application "Class Logger" for the Provisioning logger to the Debug level. It showed that the AD connector worked successfully in "returning clone" AD user data. But it failed at the step "Start synchronization of resource object". The logger error message is here:

2025-06-26 09:04:16,246 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.resources.ResourceCache): HIT(returning clone) for resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user) (v128)
2025-06-26 09:04:16,246 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Start synchronization of resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)
2025-06-26 09:04:16,430 [] [midPointScheduler_Worker-5] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
2025-06-26 09:04:16,431 [] [midPointScheduler_Worker-5] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in NIST AD LDAP connector 2 -- only use one object schema: user: ConnectorSpec.Main(resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50), reason: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50) (class org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
2025-06-26 09:04:16,431 [] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in NIST AD LDAP connector 2 -- only use one object schema: user: ConnectorSpec.Main(resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50).
org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
    at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:156)
    at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
    at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.getLatestSyncToken(AdDirSyncStrategy.java:254)
    at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.getLatestSyncToken(AbstractLdapConnector.java:1865)
    [remaining stack frames omitted]
2025-06-26 09:04:16,432 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50), reason: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50) (class com.evolveum.midpoint.util.exception.SystemException)
2025-06-26 09:04:16,432 [PROVISIONING] [midPointScheduler_Worker-5] ERROR (com.evolveum.midpoint.repo.common.activity.run.ActivityRunResult): Unhandled exception in root activity in 'Sync AD LDAP Users' task (OID 14413783-ccae-4605-baf5-5fec2a47828d).
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
    at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1435)
    [remaining stack frames omitted]

Thanks,
Eugene (Yujin) Wang
(301)975-3621 (office)
(240)386-9234 (mobile)
IT Specialist - Application Systems Division
Office of Information Management (OISM), NIST

From markus.calmius at proton.ch Thu Jul 3 09:10:11 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Thu, 03 Jul 2025 07:10:11 +0000
Subject: [midPoint] panel visibility
Message-ID:

Hi,

Info: running MidPoint 4.8.5.

Following up on my earlier message regarding delegations:

I'd like to hide the Delegations and Delegated to Me panels for all standard users, but ensure they remain visible for users who have delegation rights.
Based on the documentation, I assumed this could be achieved by setting:

    vacant

in the role assigned to all users, and then overriding it with automatic or visible in the role granted to users with delegation rights. However, this doesn't seem to have the intended effect.

Additional context:
- All users are assigned a basic access role
- A subset of users also receive an authorised to approve and delegate role

Currently, the Delegations panels are hidden for all users, even those who have the additional delegation role.

Any guidance on how to resolve this would be appreciated.

Thanks in advance,
Markus

From ivan.noris at evolveum.com Thu Jul 3 09:50:40 2025
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 3 Jul 2025 09:50:40 +0200
Subject: [midPoint] panel visibility
In-Reply-To:
References:
Message-ID:

Hi Markus,

I think you are hitting this:

https://docs.evolveum.com/midpoint/reference/support-4.8/admin-gui/admin-gui-config/#how-it-works

"If several roles specify conflicting values then the behavior is unpredictable. It is a responsibility of midPoint administrator to ensure the consistency."

Last time I had this issue, I resorted to having two distinct roles, one for end users and the other for admin users (in my case), conditionally induced from the main end-user role.

Best regards,
Ivan

--
Ivan Noris
Expert Identity Engineer
evolveum.com

From markus.calmius at proton.ch Thu Jul 3 13:20:59 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Thu, 03 Jul 2025 11:20:59 +0000
Subject: [midPoint] panel visibility
In-Reply-To:
References:
Message-ID:

Hi Ivan,

Thank you for your response. In that case, I believe the documentation may need some clarification. Currently, it states:

    The element will not be visible. Not even if the authorizations allow to see its content. But if any other role specifies the element as visible or automatic then it will be visible. This setting is easily overridden.

To me, this implies that a setting of `vacant` should be overridden if another role defines the element as `visible` or `automatic`. However, in practice, this doesn't seem to be the case. Especially since `automatic` is now the default value, it makes it a bit confusing. It might be helpful to update the wording or provide further explanation to avoid confusion.
Kind regards,
Markus

From hazelton at internet2.edu Thu Jul 3 17:13:40 2025
From: hazelton at internet2.edu (Keith Hazelton)
Date: Thu, 3 Jul 2025 15:13:40 +0000
Subject: [midPoint] panel visibility
In-Reply-To:
References:
Message-ID:

Thank you for the suggestion.
If you don't get another response by then, I'll bring this up on a call we have with Evolveum on Tuesday, July 8.

--Keith

From om.bhallamudi at proton.ch Wed Jul 9 12:01:17 2025
From: om.bhallamudi at proton.ch (Om Bhallamudi)
Date: Wed, 09 Jul 2025 10:01:17 +0000
Subject: [midPoint] Which databasetable connector?
Message-ID:

Hello,

I need to add multi-object-class support to a database table connector, but I'm not sure which of the database table connectors is best to fork:
- Evolveum connectors: https://docs.evolveum.com/connectors/connectors/org.identityconnectors.databasetable.DatabaseTableConnector/
- ConnID bundle: https://connid.atlassian.net/wiki/spaces/BASE/pages/360497/Database+Table

Would you recommend one over the other based on updates, features etc.?

Any help, suggestions, or warnings are appreciated.

Thank you,
Om
From markus.calmius at proton.ch Wed Jul 9 15:02:40 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Wed, 09 Jul 2025 13:02:40 +0000
Subject: [midPoint] Add delegation view
Message-ID: <4dQ30Blag-mLN3kMwcnPXxHPguPAr-4BlFMJlwP9CLBy3xAvXE2tessTQwepmzyFst2qCSqy8lSKGbvvUQh6152b3N7GiVXaf0t3vFSCIgk=@proton.ch>

Answering my own question here. I think I've found a work-around, although I need to test it a lot more.

Basically, by default, users cannot search for other users. So by adding an authorisation:

    search-other-users
    http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search
    UserType
    roleMembershipRef/@/name = "name_of_role_that_approvers_have"

That might work. Just need to verify that it works for all higher privileged users (to see all users).

/M
From markus.calmius at proton.ch Thu Jul 10 13:02:27 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Thu, 10 Jul 2025 11:02:27 +0000
Subject: [midPoint] gui authorization for Delete Delegation

Hi,

What is needed to make the "Delete Delegation" option appear in the GUI? Adding the authorization:
http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#delegate
seems to only enable the "Add Delegation" functionality.

Running 4.8.5/4.8.8

Markus
From markus.calmius at proton.ch Thu Jul 10 13:15:17 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Thu, 10 Jul 2025 11:15:17 +0000
Subject: [midPoint] gui authorization for Delete Delegation

Just to elaborate a bit.

Adding the following authorization:
http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign
does make the "Delete Delegation" option visible. However, it also enables the "Unassign" button for all assignments.

Self-service unassignment might be something we will implement in the future, but we do not want it for all assignments (just some of the roles that are requested should be possible to unassign).

Is there a way to show only the "Delete Delegation" option without exposing the general unassign functionality?

Markus

From markus.calmius at proton.ch Thu Jul 10 16:37:19 2025
From: markus.calmius at proton.ch (Markus Calmius)
Date: Thu, 10 Jul 2025 14:37:19 +0000
Subject: [midPoint] gui authorization for Delete Delegation

Keeping the discussion going with myself ;)

The code has this for Add:

    if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_DELEGATE_ACTION_URL)) {
        item = new InlineMenuItem(createStringResource("AssignmentTablePanel.menu.addDelegation")) {

Wouldn't it make sense to have the same authorization for delete?

Delete:

    if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_UNASSIGN_ACTION_URI)) {
        item = new InlineMenuItem(createStringResource("AssignmentTablePanel.menu.deleteDelegation")) {

Markus
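Putting the two pieces of this thread together, as an added example that is not taken from Markus's messages or from midPoint's own samples: a role carrying the filtered model #search authorisation sketched on Jul 9 plus the ui #delegate action from the Delete Delegation thread. The role name, the approver role name and the namespace prefixes are assumptions.

```xml
<!-- Added example (not from the thread): a midPoint role with the two authorizations
     discussed above. Role name and approver-role name are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>approver-delegation</name>
    <description>
        Assigned only to users who may approve. Lets them open "Add Delegation" and
        search for delegates, while the search result set is narrowed to other approvers.
    </description>

    <!-- Model-level search authorization with the filter from Markus's workaround:
         the subject may only search UserType objects that are members of the
         approver role, so non-approvers never appear as delegation candidates. -->
    <authorization>
        <name>search-other-users</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
        <object>
            <type>UserType</type>
            <filter>
                <!-- Axiom query; "@" dereferences the role reference to the role object -->
                <q:text>roleMembershipRef/@/name = "name_of_role_that_approvers_have"</q:text>
            </filter>
        </object>
    </authorization>

    <!-- GUI authorization that enables the "Add Delegation" action. Per the thread,
         "Delete Delegation" is gated by #adminUnassign instead, which also exposes
         "Unassign" on every assignment, so it is deliberately not granted here. -->
    <authorization>
        <name>gui-delegate</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#delegate</action>
    </authorization>
</role>
```

The filter only narrows what the delegation dialog can find; it is not an authorization on the delegation assignment itself, so test it as Markus suggests with both an ordinary approver account and a higher-privileged one that is expected to see all users.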