<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Petr,<br>
<br>
I was experimenting with this some time ago. A user can request only
roles with "requestable == true". Modify as you need.<br>
<br>
There seem to be read permissions missing on Resource (which I
guess is permitted by default) and Shadows (which is not); I am trying to
find more examples. In general, you need to see the Resource
objects, Shadows for accounts and Shadows for entitlements
(associations). And assigned roles, of course.<br>
<br>
<pre>
<role oid="00000000-dc00-dc00-0004-000000000043"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>ASK ROLES FOR HIMSELF</name>
    <description>Rola allowing to ask roles for self-service</description>

    <!-- GUI: which pages the user may open -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
    </authorization>

    <!-- Model: read own user object -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <special>self</special>
        </object>
    </authorization>

    <!-- Authorization to read roles (to display assigned roles). GUI
         authorization limits the usage on pages. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>RoleType</type>
            <!-- Only requestable=true roles, to avoid meta-roles etc. being
                 assigned by support (which assigned THIS role) -->
            <filter>
                <q:equal>
                    <q:path>requestable</q:path>
                    <q:value>true</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>

    <!-- Request phase: the user may ask for assignment/unassignment of
         requestable roles only -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <phase>request</phase>
        <target>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>requestable</q:path>
                    <q:value>true</q:value>
                </q:equal>
            </filter>
        </target>
    </authorization>

    <!-- Execution phase: lets the resulting add/modify go through after the
         request phase. There is no object element here, so add/modify is
         permitted on any object in this phase. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
    </authorization>

</role>
</pre>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 05/29/2015 05:39 PM, Petr Gašparík
wrote:<br>
</div>
<blockquote
cite="mid:CAFmDq46s5KPi8XD5evJUX6g1Ce0UaUvNEeW-09Rx4bggoTmMtQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div>I am doing a basic approval scheme.</div>
<div>It works well for requesting (end user) and approval (his
manager), but then the workflow is suspended.</div>
<div><br></div>
<div>Error is:</div>
<div>User 'demo.user' not authorized for operation <a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></div>
<div><br></div>
<div>My guess is that I need to add some authorization to the End User role,
but it is unclear to me which one.</div>
<div>identity self? shadow account? something else?</div>
<div><br></div>
<div>thank you in advance</div>
<div><br></div>
<div>best regards</div>
<div class="gmail_signature">--<br>
Petr Gašparík</div>
</div>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
</pre>
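A small offline checker, added here as an example and not part of Ivan's role or of midPoint itself: it parses the authorization elements out of a role XML and reports which (action, phase) pairs a self-service role request needs but the role does not grant, so a missing execution-phase authorization like the one behind the "#modify" error in Petr's message shows up before a user hits it. It is a simplified model of midPoint's rules and assumes that an authorization without a phase element covers both phases, that an assignment needs assign in the request phase and modify in the execution phase (as the thread suggests), and it ignores object/target filters; the sample role is constructed.<br>

```python
"""Offline checker for midPoint role authorizations (added example)."""
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

# Constructed sample role: the request-phase assign/unassign authorization
# from the thread, with the execution-phase authorization made optional.
ROLE_TEMPLATE = """<role xmlns="{c}">
  <name>END USER (constructed)</name>
  <authorization>
    <action>{m}assign</action>
    <action>{m}unassign</action>
    <phase>request</phase>
  </authorization>
{extra}</role>"""
EXECUTION_AUTHZ = """  <authorization>
    <action>{m}add</action>
    <action>{m}modify</action>
    <phase>execution</phase>
  </authorization>
"""
ROLE_WITHOUT_EXECUTION = ROLE_TEMPLATE.format(c=NS["c"], m=MODEL, extra="")
ROLE_WITH_EXECUTION = ROLE_TEMPLATE.format(
    c=NS["c"], m=MODEL, extra=EXECUTION_AUTHZ.format(m=MODEL))


def authorizations(role_xml):
    """Yield (action URIs, phases) for every authorization element in the role."""
    for authz in ET.fromstring(role_xml).findall("c:authorization", NS):
        actions = {a.text.strip() for a in authz.findall("c:action", NS)}
        phases = {p.text.strip() for p in authz.findall("c:phase", NS)}
        # Assumption: an authorization without a phase element covers both phases.
        yield actions, phases or {"request", "execution"}


def is_allowed(role_xml, action_uri, phase):
    """True if some authorization grants action_uri in the given phase."""
    return any(action_uri in acts and phase in phs
               for acts, phs in authorizations(role_xml))


def missing_for_assignment(role_xml):
    """(action, phase) pairs a self-service role request needs but lacks.

    Assumption from the thread: 'assign' in the request phase and 'modify'
    of the user object in the execution phase; object filters are ignored.
    """
    needed = [("assign", "request"), ("modify", "execution")]
    return [(a, p) for a, p in needed if not is_allowed(role_xml, MODEL + a, p)]
```

Run missing_for_assignment on an exported role to see which phase is uncovered; for the sample without the execution-phase block it reports modify in the execution phase, matching the error quoted above.<br>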
</body>
</html>