<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Petr,<br>
    <br>
    I was experimenting with this some time ago. The user can request only
    roles with "requestable == true". Modify as you need.<br>
    <br>
    There seem to be read permissions missing on Resource (which I
    guess is permitted by default) and Shadows (which is not); I'll try to
    find more examples. In general, you need to see the Resource
    objects, Shadows for accounts and Shadows for entitlements
    (associations). And the assigned roles, of course.<br>
    <br>
    <pre wrap=""><role oid="00000000-dc00-dc00-0004-000000000043"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>ASK ROLES FOR HIMSELF</name>
    <description>Role allowing the user to request roles in self-service</description>

    <!-- GUI: pages the user may open -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
    </authorization>

    <!-- Model: read own user object -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <special>self</special>
        </object>
    </authorization>

    <!-- Authorization to read roles (to display assigned roles). GUI
         authorization limits the usage on pages. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>RoleType</type>
            <!-- Only requestable=true roles, to avoid meta-roles etc. being
                 assigned by support (which assigned THIS role) -->
            <filter>
                <q:equal>
                    <q:path>requestable</q:path>
                    <q:value>true</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>

    <!-- Request phase: assign/unassign only requestable roles -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <phase>request</phase>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>requestable</q:path>
                    <q:value>true</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Execution phase: let the approved request actually be applied -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
    </authorization>
</role></pre><br>
    <br>
    Best regards,<br>
    Ivan<br>
    <br>
    <div class="moz-cite-prefix">On 05/29/2015 05:39 PM, Petr Gašparík
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFmDq46s5KPi8XD5evJUX6g1Ce0UaUvNEeW-09Rx4bggoTmMtQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi,
        <div>I am doing a basic approval scheme.</div>
        <div>It works well in requesting (end user) and approval (his
          manager), but then the workflow is suspended.</div>
        <div><br>
        </div>
        <div>Error is:</div>
        <div>
          <div class="" style="display:inline">User 'demo.user' not
            authorized for operation <a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a> </div>
        </div>
        <div>
          <div class="" style="display:inline"><br>
          </div>
        </div>
        <div>
          <div class="" style="display:inline">My guess is that I need
            to add some authorization to End User role, but it is
            unclear for me for what. </div>
        </div>
        <div>
          <div class="" style="display:inline">identity self? shadow
            account? something else?</div>
        </div>
        <div>
          <div class="" style="display:inline"><br>
          </div>
        </div>
        <div>
          <div class="" style="display:inline">thank you in advance</div>
        </div>
        <div>
          <div class="" style="display:inline"><br>
          </div>
        </div>
        <div>
          <div class="" style="display:inline">best regards</div>
        </div>
        <div>
          <div>
            <div class="gmail_signature">--<br>
              Petr Gašparík</div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
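Added example (not midPoint's own code, and not part of either mail): a small Python model of how the allow-only authorizations in the role above combine. It keeps only the model-level rules, condensed into a constructed XML string, and evaluates them with a simplified reading of midPoint semantics: a rule without a phase applies to both phases, <object>/<target> without a spec match anything, and special=self, type and a single q:equal filter are the only constraints understood. The OIDs, the role names and the helper functions are constructed for illustration; the real decision logic is more involved.

```python
"""Toy evaluator for midPoint-style allow authorizations (added example, not midPoint code)."""
import xml.etree.ElementTree as ET

NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "q": "http://prism.evolveum.com/xml/ns/public/query-3",
}
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

# Constructed: the model-level authorizations of the role from the mail, default namespace common-3.
ROLE_XML = f"""<role xmlns="{NS['c']}" xmlns:q="{NS['q']}">
  <name>ASK ROLES FOR HIMSELF</name>
  <authorization>
    <action>{MODEL}read</action>
    <object><special>self</special></object>
  </authorization>
  <authorization>
    <action>{MODEL}read</action>
    <object><type>RoleType</type>
      <filter><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></filter>
    </object>
  </authorization>
  <authorization>
    <action>{MODEL}assign</action>
    <action>{MODEL}unassign</action>
    <phase>request</phase>
    <target><type>RoleType</type>
      <filter><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></filter>
    </target>
  </authorization>
  <authorization>
    <action>{MODEL}add</action>
    <action>{MODEL}modify</action>
    <phase>execution</phase>
  </authorization>
</role>"""


def _parse_spec(spec):
    """Turn an <object> or <target> element into a matcher dict; None means 'any'."""
    if spec is None:
        return None
    result = {
        "special": spec.findtext("c:special", namespaces=NS),
        "type": spec.findtext("c:type", namespaces=NS),
        "filter": None,
    }
    eq = spec.find("c:filter/q:equal", NS)
    if eq is not None:
        result["filter"] = (eq.findtext("q:path", namespaces=NS),
                            eq.findtext("q:value", namespaces=NS))
    return result


def parse_authorizations(xml_text):
    """Extract one rule dict per <authorization>: actions (local part), phase, object and target specs."""
    root = ET.fromstring(xml_text)
    rules = []
    for auth in root.findall("c:authorization", NS):
        rules.append({
            "actions": {a.text.strip().split("#")[-1] for a in auth.findall("c:action", NS)},
            "phase": auth.findtext("c:phase", namespaces=NS),  # None = applies to both phases
            "object": _parse_spec(auth.find("c:object", NS)),
            "target": _parse_spec(auth.find("c:target", NS)),
        })
    return rules


def _matches(spec, item, subject_oid):
    """Check an object/target (a dict of its properties) against a spec."""
    if spec is None:
        return True          # no spec in the rule: any object/target
    if item is None:
        return False         # rule constrains something the request does not carry
    if spec["special"] == "self" and item.get("oid") != subject_oid:
        return False
    if spec["type"] and item.get("type") != spec["type"]:
        return False
    if spec["filter"]:
        path, value = spec["filter"]
        if str(item.get(path, "")).lower() != value.lower():
            return False
    return True


def is_authorized(rules, action, phase, subject_oid, obj=None, target=None):
    """Allow-only decision: True iff some rule grants `action` in `phase` for this obj/target."""
    for rule in rules:
        if action not in rule["actions"] or rule["phase"] not in (None, phase):
            continue
        if _matches(rule["object"], obj, subject_oid) and _matches(rule["target"], target, subject_oid):
            return True
    return False


RULES = parse_authorizations(ROLE_XML)
ME = "user-oid-0001"  # constructed OID of the requesting user
SELF = {"oid": ME, "type": "UserType"}
REQUESTABLE_ROLE = {"oid": "role-0001", "type": "RoleType", "requestable": True}
META_ROLE = {"oid": "role-0002", "type": "RoleType", "requestable": False}


def demo():
    """Decisions for the typical self-service steps; last entry drops the execution-phase rule."""
    return {
        "read self": is_authorized(RULES, "read", "request", ME, obj=SELF),
        "read other user": is_authorized(RULES, "read", "request", ME, obj={"oid": "x", "type": "UserType"}),
        "assign requestable role": is_authorized(RULES, "assign", "request", ME, obj=SELF, target=REQUESTABLE_ROLE),
        "assign meta-role": is_authorized(RULES, "assign", "request", ME, obj=SELF, target=META_ROLE),
        "modify in execution": is_authorized(RULES, "modify", "execution", ME, obj=SELF),
        "modify in request": is_authorized(RULES, "modify", "request", ME, obj=SELF),
        "modify in execution without last rule": is_authorized(RULES[:-1], "modify", "execution", ME, obj=SELF),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:40s} -> {'allowed' if allowed else 'denied'}")
```

The last two cases illustrate the point of the reply: the request-phase rule alone lets the user ask for a requestable role, but once the approval completes the change is applied in the execution phase, so without an execution-phase add/modify grant the model denies that step.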
  </body>
</html>