<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Anand,<br>
<br>
you can do this using security authorizations, to allow users to see
(and assign) only roles with requestable=true (or any other
condition).<br>
<br>
For example, a role:<br>
<br>
<pre>
&lt;role oid="00000000-dc00-dc00-0004-000000000067"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"&gt;
    <b>&lt;name&gt;End User Role Restriction&lt;/name&gt;</b>
    &lt;authorization&gt;
        <b>&lt;decision&gt;deny&lt;/decision&gt;</b>
        &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
        &lt;object&gt;
            &lt;type&gt;RoleType&lt;/type&gt;
            &lt;filter&gt;
                &lt;q:and&gt;
                    &lt;q:not&gt;
                        &lt;q:equal&gt;
                            &lt;q:path&gt;name&lt;/q:path&gt;
                            &lt;q:value&gt;End user&lt;/q:value&gt;
                        &lt;/q:equal&gt;
                    &lt;/q:not&gt;
                    &lt;q:not&gt;
                        &lt;q:equal&gt;
                            &lt;q:path&gt;requestable&lt;/q:path&gt;
                            &lt;q:value&gt;true&lt;/q:value&gt;
                        &lt;/q:equal&gt;
                    &lt;/q:not&gt;
                &lt;/q:and&gt;
            &lt;/filter&gt;
        &lt;/object&gt;
    &lt;/authorization&gt;
&lt;/role&gt;
</pre>
<br>
When this role is assigned to your users together with e.g. the "End user" role
(the user must have both), although the End user role will allow displaying
all roles, the other role will deny displaying any
non-requestable role (except the End user role itself).<br>
<br>
This is a fragment from my working setup; I haven't tried this alone,
but it should work.<br>
<br>
The security roles apply at the model level, so they should also restrict the
roles for webservice access.<br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 02/13/2015 10:13 AM, Anand Kothekar
wrote:<br>
</div>
<blockquote
cite="mid:CAHUT-CRoVU_gOMaWQWeiUy3np__e92OEieqvqv4ogGCVPvdvmA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I have a situation where I want a role to be
"Non-Requestable" so that no user will be able to assign that
particular role.</div>
<div><br>
</div>
<div>I tried to make <b>&lt;requestable&gt;false&lt;/requestable&gt;</b> but the
user is still able to assign the role.</div>
<div><br>
</div>
<div>I even tried to <b>disable</b> that particular role but
still it is allowed to be assigned.</div>
<div><br>
</div>
<div><br>
</div>
<div>Can you please suggest how a role could be made
Non-Requestable?</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Anand</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
</pre>
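<p>To make the combined effect of the two roles concrete, here is an added example (not part of Ivan's message and not midPoint code) that parses the filter from the "End User Role Restriction" role above with Python's standard library and evaluates it against a handful of constructed roles. The combination rule it uses, that a matching deny authorization overrides any allow and that with no allow at all nothing is readable, is midPoint's documented behaviour; the role records, the "Auditor" role with no requestable value, and the function names are assumptions made for this example.</p>

```python
import xml.etree.ElementTree as ET

# Namespace prefix used by midPoint query filters (the q: prefix in the role above).
Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"

# Constructed sample: the <filter> element from the "End User Role Restriction"
# role, copied into a stand-alone string so the example runs without midPoint.
RESTRICTION_FILTER = """
<filter xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <q:and>
    <q:not><q:equal><q:path>name</q:path><q:value>End user</q:value></q:equal></q:not>
    <q:not><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></q:not>
  </q:and>
</filter>
"""

# Constructed (hypothetical) roles, carrying only the fields the filter refers to.
# "Auditor" deliberately has no requestable value at all.
ROLES = [
    {"name": "End user", "requestable": "false"},
    {"name": "VPN Access", "requestable": "true"},
    {"name": "Superuser", "requestable": "false"},
    {"name": "Auditor", "requestable": ""},
]


def matches(node, role):
    """Evaluate a q:and / q:or / q:not / q:equal subtree against one role dict."""
    tag = node.tag
    if tag == Q + "and":
        return all(matches(child, role) for child in node)
    if tag == Q + "or":
        return any(matches(child, role) for child in node)
    if tag == Q + "not":
        return not matches(node[0], role)
    if tag == Q + "equal":
        path = node.find(Q + "path").text.strip()
        value = node.find(Q + "value").text.strip()
        # An absent property never equals the given value (so it is "not true").
        return role.get(path, "") == value
    raise ValueError("unsupported filter element: " + tag)


def filter_matches(filter_xml, role):
    """True when the role is selected by the filter, i.e. the authorization applies to it."""
    root = ET.fromstring(filter_xml)  # root is <filter>; its one child is the expression
    return matches(root[0], role)


def visible_roles(roles, authorizations):
    """Names of the roles a user may read under the given read authorizations.
    Rule (midPoint semantics): any applicable deny wins over allow; no allow, no access."""
    result = []
    for role in roles:
        allowed = False
        denied = False
        for auth in authorizations:
            applies = auth["filter"] is None or filter_matches(auth["filter"], role)
            if not applies:
                continue
            if auth["decision"] == "deny":
                denied = True
            else:
                allowed = True
        if allowed and not denied:
            result.append(role["name"])
    return result


# "End user" role: allow reading every RoleType (no filter).
END_USER_ONLY = [{"decision": "allow", "filter": None}]
# "End user" plus the restriction role: the deny from the XML above is added.
END_USER_PLUS_RESTRICTION = END_USER_ONLY + [{"decision": "deny", "filter": RESTRICTION_FILTER}]

if __name__ == "__main__":
    print("End user only:    ", visible_roles(ROLES, END_USER_ONLY))
    print("With restriction: ", visible_roles(ROLES, END_USER_PLUS_RESTRICTION))
    print("Restriction only: ", visible_roles(ROLES, END_USER_PLUS_RESTRICTION[1:]))
```

<p>Run on its own, the script shows all four roles for a user holding only "End user", only "End user" and "VPN Access" once the restriction role is added, and nothing at all for a user holding just the restriction role, since a deny-only authorization grants nothing. The "Auditor" case is the caveat worth checking in a real deployment: a role whose requestable property is simply unset is treated like requestable=false and gets hidden, which is usually what you want but is easy to overlook when the filter is written as a negation.</p>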
</body>
</html>