<div dir="ltr">Thank you, it works!<div><br></div><div>Now, what is the best page on the wiki to put it in?<br><br><div class="gmail_quote"><div dir="ltr">On Mon, 1 Jun 2015 at 9:02, <<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Today's Topics:<br>
<br>
   1. Re: authorization for role requests (Ivan Noris)<br>
   2. Re: authorization for role requests (Ivan Noris)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 01 Jun 2015 08:52:24 +0200<br>
From: Ivan Noris <<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>><br>
To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
Subject: Re: [midPoint] authorization for role requests<br>
Message-ID: <<a href="mailto:556C0128.6010507@evolveum.com" target="_blank">556C0128.6010507@evolveum.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Petr,<br>
<br>
I was experimenting with this some time ago. Users can request only roles<br>
with "requestable == true". Modify as you need.<br>
<br>
There seem to be missing read permissions on Resource (which I guess is<br>
permitted by default) and Shadows (which is not); I'll try to find more<br>
examples. In general, you need to see the Resource objects, Shadows for<br>
accounts and Shadows for entitlements (associations). And assigned roles,<br>
of course.<br>
<br>
<role oid="00000000-dc00-dc00-0004-000000000043"<br>
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"<br>
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"<br>
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"><br>
    <name>ASK ROLES FOR HIMSELF</name><br>
    <description>Role allowing to ask roles for self-service</description><br>
    <!-- GUI --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action><br>
    </authorization><br>
    <!-- Model --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
        <object><br>
            <special>self</special><br>
        </object><br>
    </authorization><br>
    <!-- Authorization to read roles (to display assigned roles). GUI authorization limits the usage on pages. --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
        <object><br>
            <type>RoleType</type><br>
            <!-- Only requestable=true roles, to avoid meta-roles etc. being assigned by support (which assigned THIS role) --><br>
            <filter><br>
                <q:equal><br>
                    <q:path>requestable</q:path><br>
                    <q:value>true</q:value><br>
                </q:equal><br>
            </filter><br>
        </object><br>
    </authorization><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action><br>
        <phase>request</phase><br>
        <target><br>
            <type>RoleType</type><br>
            <filter><br>
                <q:equal><br>
                    <q:path>requestable</q:path><br>
                    <q:value>true</q:value><br>
                </q:equal><br>
            </filter><br>
        </target><br>
    </authorization><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action><br>
        <phase>execution</phase><br>
    </authorization><br>
</role><br>
<br>
Best regards,<br>
Ivan<br>
<br>
On 05/29/2015 05:39 PM, Petr Gašparík wrote:<br>
> Hi,<br>
> I do basic approval scheme.<br>
> It works well in requesting (end user) and approval (his manager), but<br>
> then, the workflow is suspended.<br>
><br>
> Error is:<br>
> User 'demo.user' not authorized for operation<br>
> <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a><br>
><br>
> My guess is that I need to add some authorization to End User role,<br>
> but it is unclear for me for what.<br>
> identity self? shadow account? something else?<br>
><br>
> thank you in advance<br>
><br>
> best regards<br>
> --<br>
> Petr Gašparík<br>
><br>
><br>
> _______________________________________________<br>
> midPoint mailing list<br>
> <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
--<br>
  Ing. Ivan Noris<br>
  Senior Identity Management Engineer & IDM Architect<br>
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a><br>
  ___________________________________________________<br>
  "Semper Id(e)M Vix."<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 01 Jun 2015 09:02:01 +0200<br>
From: Ivan Noris <<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>><br>
To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
Subject: Re: [midPoint] authorization for role requests<br>
Message-ID: <<a href="mailto:556C0369.9030102@evolveum.com" target="_blank">556C0369.9030102@evolveum.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Petr,<br>
<br>
This one could be even better.<br>
<br>
The interesting part is the roleType filtering. I wanted the users to be<br>
able to request any role with requestable==true, but e.g. End User seems<br>
not to have this, and I wanted the Dashboard to also display this one if<br>
it is assigned. I also "created" roleType==provisioning. These roles are<br>
also displayed in the Dashboard if they are assigned.<br>
<br>
<role oid="00000000-dc00-dc00-0004-000000000043"<br>
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"<br>
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"<br>
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"><br>
    <name>Self-service - ask roles</name><br>
    <description>Role allowing to ask roles for self-service</description><br>
    <!-- GUI --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action><br>
    </authorization><br>
    <!-- Model --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
        <object><br>
            <special>self</special><br>
        </object><br>
    </authorization><br>
    <!--<br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action><br>
        <object><br>
            <special>self</special><br>
        </object><br>
    </authorization><br>
    --><br>
    <!--<br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
    </authorization><br>
    --><br>
    <!-- Authorization to read roles (to display assigned roles). GUI authorization limits the usage on pages. --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
        <object><br>
            <type>RoleType</type><br>
            <!-- Only requestable=true roles, to avoid meta-roles etc. being assigned by support (which is assigned THIS role) --><br>
            <filter><br>
                <q:equal><br>
                    <q:path>requestable</q:path><br>
                    <q:value>true</q:value><br>
                </q:equal><br>
            </filter><br>
        </object><br>
    </authorization><br>
    <!-- Authorization to read entitlement and generic shadows --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
        <object><br>
            <type>ShadowType</type><br>
            <filter><br>
                <q:or><br>
                    <q:equal><br>
                        <q:path>kind</q:path><br>
                        <q:value>entitlement</q:value><br>
                    </q:equal><br>
                    <q:equal><br>
                        <q:path>kind</q:path><br>
                        <q:value>generic</q:value><br>
                    </q:equal><br>
                </q:or><br>
            </filter><br>
        </object><br>
    </authorization><br>
    <!-- Deny reading any other roles: only End User, requestable roles and roleType=provisioning stay readable --><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>
        <decision>deny</decision><br>
        <object><br>
            <type>RoleType</type><br>
            <filter><br>
                <q:and><br>
                    <q:not><br>
                        <q:equal><br>
                            <q:path>name</q:path><br>
                            <q:value>End User</q:value><br>
                        </q:equal><br>
                    </q:not><br>
                    <q:not><br>
                        <q:equal><br>
                            <q:path>requestable</q:path><br>
                            <q:value>true</q:value><br>
                        </q:equal><br>
                    </q:not><br>
                    <q:not><br>
                        <q:equal><br>
                            <q:path>roleType</q:path><br>
                            <q:value>provisioning</q:value><br>
                        </q:equal><br>
                    </q:not><br>
                </q:and><br>
            </filter><br>
        </object><br>
    </authorization><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action><br>
        <phase>request</phase><br>
        <target><br>
            <type>RoleType</type><br>
            <filter><br>
                <q:equal><br>
                    <q:path>requestable</q:path><br>
                    <q:value>true</q:value><br>
                </q:equal><br>
            </filter><br>
        </target><br>
    </authorization><br>
    <authorization><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action><br>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action><br>
        <phase>execution</phase><br>
    </authorization><br>
    <roleType>provisioning</roleType><br>
</role><br>
<br>
Ivan<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
------------------------------<br>
<br>
End of midPoint Digest, Vol 38, Issue 1<br>
***************************************<br>
</blockquote></div></div></div><div dir="ltr">-- <br></div><div dir="ltr">--<div>Petr G.</div></div>
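The two roles quoted above grant read on RoleType and ShadowType through prism query filters, and the second one adds a deny authorization built from q:and / q:not. The Python script below is an added example for reviewing what such filters do; it is not from the thread and not midPoint's own code. It parses a constructed, trimmed copy of the second role (only its three object-scoped read authorizations), evaluates the q:equal / q:and / q:or / q:not subset against constructed sample objects, and applies an assumed, simplified decision rule: an explicit deny wins over any allow, and with no matching allow the outcome is the default deny. The `matches`, `parse_authorizations`, `decide` and `review_role` functions, the sample objects and the case-insensitive string comparison of values are all this example's own assumptions, not midPoint's evaluation logic.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the role XML in the thread (Clark notation for ElementTree).
C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

# Constructed input: the three object-scoped read authorizations of the second
# role in the thread, with the GUI, self, assign and execution-phase ones left out.
ROLE_XML = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <name>Self-service - ask roles</name>
  <authorization>
    <action>%(m)sread</action>
    <object><type>RoleType</type><filter>
      <q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal>
    </filter></object>
  </authorization>
  <authorization>
    <action>%(m)sread</action>
    <object><type>ShadowType</type><filter><q:or>
      <q:equal><q:path>kind</q:path><q:value>entitlement</q:value></q:equal>
      <q:equal><q:path>kind</q:path><q:value>generic</q:value></q:equal>
    </q:or></filter></object>
  </authorization>
  <authorization>
    <action>%(m)sread</action>
    <decision>deny</decision>
    <object><type>RoleType</type><filter><q:and>
      <q:not><q:equal><q:path>name</q:path><q:value>End User</q:value></q:equal></q:not>
      <q:not><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></q:not>
      <q:not><q:equal><q:path>roleType</q:path><q:value>provisioning</q:value></q:equal></q:not>
    </q:and></filter></object>
  </authorization>
</role>""" % {"m": MODEL}

def matches(filter_el, obj):
    """Evaluate the q:equal / q:and / q:or / q:not subset used in the thread
    against a plain dict of item values standing in for a midPoint object."""
    tag = filter_el.tag
    if tag == Q + "equal":
        path = filter_el.findtext(Q + "path").strip()
        value = filter_el.findtext(Q + "value").strip()
        # Assumption of this model: values compare as case-insensitive strings.
        return str(obj.get(path, "")).lower() == value.lower()
    if tag == Q + "and":
        return all(matches(child, obj) for child in filter_el)
    if tag == Q + "or":
        return any(matches(child, obj) for child in filter_el)
    if tag == Q + "not":
        return not matches(filter_el[0], obj)
    raise ValueError("unsupported filter element: " + tag)

def parse_authorizations(xml_text):
    """Collect actions, decision, object type and filter of each <authorization>."""
    auths = []
    for auth in ET.fromstring(xml_text).findall(C + "authorization"):
        obj = auth.find(C + "object")
        filt = obj.find(C + "filter") if obj is not None else None
        auths.append({
            "actions": {a.text.strip() for a in auth.findall(C + "action")},
            "decision": (auth.findtext(C + "decision") or "allow").strip(),
            # No <object> element: the authorization applies to any object type.
            "type": obj.findtext(C + "type") if obj is not None else None,
            "filter": filt[0] if filt is not None and len(filt) else None,
        })
    return auths

def decide(auths, action, obj_type, obj):
    """Simplified decision rule assumed here: an explicit deny wins over any
    allow, and with no matching allow the outcome is the default deny."""
    allowed = False
    for auth in auths:
        if action not in auth["actions"]:
            continue
        if auth["type"] is not None and auth["type"] != obj_type:
            continue
        if auth["filter"] is not None and not matches(auth["filter"], obj):
            continue
        if auth["decision"] == "deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "default-deny"

# Constructed sample objects: (object type, item values).
SAMPLES = [
    ("RoleType", {"name": "End User", "requestable": "false", "roleType": ""}),
    ("RoleType", {"name": "Developer", "requestable": "true", "roleType": ""}),
    ("RoleType", {"name": "Self-service - ask roles", "requestable": "false", "roleType": "provisioning"}),
    ("RoleType", {"name": "Metarole", "requestable": "false", "roleType": "meta"}),
    ("ShadowType", {"kind": "entitlement"}),
    ("ShadowType", {"kind": "account"}),
]

def review_role(xml_text=ROLE_XML, samples=SAMPLES):
    """Map each sample object's name (or shadow kind) to the read verdict."""
    auths = parse_authorizations(xml_text)
    return {obj.get("name") or obj.get("kind"): decide(auths, MODEL + "read", t, obj)
            for t, obj in samples}

if __name__ == "__main__":
    for name, verdict in review_role().items():
        print(f"{name:26s} read -> {verdict}")
```

Run stand-alone, the verdicts show what the filters do on their own: the requestable role is allowed, the non-requestable role with no roleType is explicitly denied, the entitlement shadow is readable and the account shadow is not. The End User and provisioning roles are neither allowed nor denied by this role alone and fall to the default deny, so the carve-outs in the deny filter only take effect in combination with a wider allow granted elsewhere (for instance the object-less read that is commented out in the role, or authorizations from other assigned roles). That is the practical way to read a deny authorization when reviewing a role. Resource objects, `<special>self</special>`, phases and the GUI authorizations are outside what this model covers.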