<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
there are two different authorization types in midPoint:<br>
<br>
1) GUI-related. These allow or disallow access to specific GUI
components (pages).<br>
2) Model-related. These allow or disallow access to specific
operations on specific objects.<br>
<br>
In your example, the role has GUI authorization:<br>
<br>
<pre>
<authorization id="2">
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</a></action>
</authorization>
</pre>
<br>
This means that Users tab is displayed.<br>
<br>
Also, the End user role is <b>assigned</b> to this role. It should have
been an <b>inducement</b>, not an assignment, to apply to users that have
the adminRole. That's probably a bug. You should not be able to log
in to midPoint with the original role (403 forbidden).<br>
<br>
The End user role gives you the default permissions, such as read
access to yourself.<br>
<br>
That's why you only see one user in midPoint.<br>
<br>
You have to combine both authz types. E.g. add the following to the
role and you will see all users (read only):<br>
<br>
<pre>
<authorization>
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action>
    <object>
        <type>UserType</type>
    </object>
</authorization>
</pre>
<br>
To allow modifications of all users except administrator, you need
to add more:<br>
<br>
<pre>
<!-- This authorization allows modifying all users except
     name=administrator -->
<authorization>
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action>
    <object>
        <type>UserType</type>
        <filter>
            <q:not>
                <q:equal>
                    <q:path>name</q:path>
                    <q:value>administrator</q:value>
                </q:equal>
            </q:not>
        </filter>
    </object>
</authorization>
</pre>
<br>
You can use any filter that is supported by our queries. This is
just a simple example.<br>
<br>
Normally you would need to have authorizations for more than just
User objects. For example, you need authz for Shadows to
allow provisioning. You can also specifically allow operations on
some user attributes; e.g. an HR manager can only update Given Name and
Family Name, but nothing more. The User details form is dynamic and
displays only those attributes. Some more examples are in
./model/model-intest/src/test/resources/security/<br>
<br>
The updated sample role is attached. Please note that I have updated
the GUI authorization as the URI has changed for 3.2 midPoint
(current master)! If you are using older midPoint, keep the GUI
authorization from your original sample.<br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 07/07/2015 08:53 PM, Steklac Michal
wrote:<br>
</div>
<blockquote cite="mid:1436295181.2503.8.camel@steky" type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="GENERATOR" content="GtkHTML/4.6.6">
Hi,<br>
<br>
I'm creating a role:<br>
<pre>
<role xmlns="<a moz-do-not-send="true" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"
      oid="1326ac7b-4f14-4779-b329-f684883abff5"
      version="26">
    <name>adminUser</name>
    <description>adminUser</description>
    <metadata>
        <createTimestamp>2015-07-06T12:26:53.054+02:00</createTimestamp>
        <creatorRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
        <createChannel><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user">http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</a></createChannel>
        <modifyTimestamp>2015-07-06T13:07:20.395+02:00</modifyTimestamp>
        <modifierRef xmlns:tns=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a>
                     oid="00000000-0000-0000-0000-000000000002"
                     type="tns:UserType"/>
        <modifyChannel><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user">http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</a></modifyChannel>
    </metadata>
    <assignment id="3">
        <targetRef oid="00000000-0000-0000-0000-000000000008" type="RoleType"/>
        <activation>
            <administrativeStatus>enabled</administrativeStatus>
        </activation>
    </assignment>
    <activation>
        <administrativeStatus>enabled</administrativeStatus>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2015-07-06T12:26:53.023+02:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <authorization id="2">
        <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</a></action>
    </authorization>
    <requestable>false</requestable>
</role>
</pre>
<br>
When I log in with a user who is in the role, I see only one user:
the logged-in user who is in the role. I want to see all users who are in
midPoint. How must I change the role?<br>
<br>
Thanks<br>
Best regards<br>
MiSo
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
</pre>
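<br>
The pieces from Ivan's reply assembled into one complete role, as an added example for this thread rather than the attachment he mentions (which is not part of this page). It assumes the midPoint 3.x query namespace URI bound to the <code>q:</code> prefix (the filter will not parse without a binding), reuses the role OID and the End user role OID <code>00000000-0000-0000-0000-000000000008</code> from the original post, and keeps the pre-3.2 GUI action URI quoted in the thread; the metadata and version attribute have been dropped since the server manages those. The commented-out <code>item</code> elements show the attribute-level restriction Ivan describes for an HR-manager style role.<br>
<br>

```xml
<!-- Added example, not the attachment from the thread.
     Assumptions: xmlns:q is the midPoint 3.x query namespace;
     oid ...0008 is the End user role as referenced in the original post;
     the GUI action URI is the pre-3.2 one quoted in the thread. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      oid="1326ac7b-4f14-4779-b329-f684883abff5">
    <name>adminUser</name>
    <description>Read all users, modify all users except administrator</description>

    <!-- Inducement, not assignment: the End user role is granted to the
         users who hold adminUser, not to the adminUser role object itself. -->
    <inducement>
        <targetRef oid="00000000-0000-0000-0000-000000000008" type="RoleType"/>
    </inducement>

    <!-- GUI authorization: makes the Users pages visible (3.2 uses a
         different URI, as noted in the thread). On its own this shows the
         pages but not the objects, which is why only one user was listed. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</action>
    </authorization>

    <!-- Model authorization: read every UserType object, administrator included -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>

    <!-- Model authorization: modify only users whose name is not "administrator".
         The filter is evaluated against the target object of each operation. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>UserType</type>
            <filter>
                <q:not>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>administrator</q:value>
                    </q:equal>
                </q:not>
            </filter>
        </object>
        <!-- To limit the edit to two attributes (the HR-manager case from the
             reply) instead of the whole object, list the items; the user
             details form then shows only these fields:
             <item>givenName</item>
             <item>familyName</item>
        -->
    </authorization>
</role>
```

Two things worth checking after importing it: the exclusion is on the modify action only, so the administrator user is still readable (that matches the reply, where read is unrestricted), and because the OID is the one from the original post the import overwrites the existing adminUser role rather than creating a second one. Provisioning still needs its own authorizations for Shadow objects, as the reply points out.<br>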
</body>
</html>