<div dir="ltr">Thank you Ivan, the #add part finally helped.<div><br></div><div>It now works from both places, Create user and Add member.</div><div>So for the archive, this is a working delegated administrator:</div><div><br></div><div><div><role xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>      xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"</div><div>      xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3">http://prism.evolveum.com/xml/ns/public/types-3</a>"</div><div>      xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>      xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3">http://prism.evolveum.com/xml/ns/public/query-3</a>"</div><div>      xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"</div><div>      oid="delegatedAdmin"</div><div>      version="34"></div><div>   <name>Delegated administrator</name></div><div>   <activation></div><div>      <effectiveStatus>enabled</effectiveStatus></div><div>   </activation></div><div>   <iteration>0</iteration></div><div>   <iterationToken/></div><div>   <authorization id="1"></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action></div><div>   
   <object></div><div>         <type>OrgType</type></div><div>      </object></div><div>      <object></div><div>         <type>ResourceType</type></div><div>      </object></div><div>      <object></div><div>         <type>RoleType</type></div><div>      </object></div><div>      <object></div><div>         <type>ShadowType</type></div><div>      </object></div><div>      <object></div><div>         <type>UserType</type></div><div>         <orgRef xmlns:tns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>                 oid="3404b331-57c0-4bef-b699-0192ce8d728b"</div><div>                 type="tns:OrgType"><!-- oid of org where user with this role is an admin --></orgRef></div><div>      </object></div><div>   </authorization></div><div>   <authorization id="2"></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#findUsers">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#findUsers</a></action></div><div>      <action><a 
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItems">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItems</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItem">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItem</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsMyRequests">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsMyRequests</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsProcessInstance">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsProcessInstance</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</a></action></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#usersAll</a></action></div><div>   </authorization></div><div>   <authorization id="3"></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</a></action></div><div>      <phase>request</phase></div><div>      <object></div><div>         
<type>UserType</type></div><div>      </object></div><div>   </authorization></div><div>   <authorization id="4"></div><div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</a></action></div><div>      <phase>execution</phase></div><div>      <object></div><div>         <type>UserType</type></div><div>         <filter></div><div>            <q:or></div><div>               <q:equal></div><div>                  <q:path>employeeType</q:path></div><div>               </q:equal></div><div>            </q:or></div><div>         </filter></div><div>      </object></div><div>   </authorization></div><div></role></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Aug 3, 2015 at 14:39, Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Petr,<br>
    <br>
    I can't see #add operation authorization for UserType. Only #modify
    (and #read). But as you seem to allow only creation of Users in some
    organization (by reference), it's possible that you will need some
    more things later.<br>
    <br>
    Please try to add #add authorization to be able to create users.<br>
    <br>
    Regards,<br>
    Ivan</div><div bgcolor="#FFFFFF" text="#000000"><br>
    <br>
    <div>On 08/03/2015 01:46 PM, Petr Gašparík
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Thank you, Ivan, this is for 3.1.1 ... I can see
        users and their attributes, but I can't create a new one - see
        below. 
        <div><br>
        </div>
        <img alt="Clip398.png" style="max-width:100%" src="cid:part1.03080601.04050909@evolveum.com">
        <div><br>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr">On Mon, Aug 3, 2015 at 8:36, Ivan Noris <<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi Petr,<br>
              <br>
              please check the <b>GUI</b> authorization namespaces,
              there was a change for the upcoming 3.2.<br>
              <br>
              e.g. <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization</a><b>-ui</b>-3#dashboard<br>
              <br>
              The End User and Superuser role are already modified in
              XML files, not sure about the documentation...<br>
              <br>
              Please try.<br>
              Regards,<br>
              Ivan</div>
            <div text="#000000" bgcolor="#FFFFFF"><br>
              <br>
              <div>On 07/31/2015 05:24 PM, Petr Gašparík wrote:<br>
              </div>
            </div>
            <div text="#000000" bgcolor="#FFFFFF">
              <blockquote type="cite">
                <div dir="ltr">Hi,
                  <div>I tried to set up a delegated administrator for
                    an organization (user management + workflow tasks) and
                    ended with a role like below. This, assigned to a user,
                    does not allow him to see attributes when creating
                    a user, thus the admin can't enter values into them (name,
                    for example). </div>
                  <div><br>
                  </div>
                  <div>What am I missing? Is there an example for a delegated
                    administrator? (I checked the web and git already)</div>
                  <div><br>
                  </div>
                  <div>regards</div>
                  <div>Petr G.</div>
                  <div><br>
                  </div>
                  <div>-------------------------------------------</div>
                  <div><br>
                  </div>
                  <div>
                    <div><role xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div>
                    <div>      xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"</div>
                    <div>      xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">http://prism.evolveum.com/xml/ns/public/types-3</a>"</div>
                    <div>      xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div>
                    <div>      xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3" target="_blank">http://prism.evolveum.com/xml/ns/public/query-3</a>"</div>
                    <div>      xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"</div>
                    <div>      oid="delegatedAdmin"</div>
                    <div>      version="23"></div>
                    <div>   <name>Delegated
                      administrator</name></div>
                    <div>   <activation><br>
                    </div>
                    <div>     
                      <effectiveStatus>enabled</effectiveStatus></div>
                    <div>   </activation></div>
                    <div>   <iteration>0</iteration></div>
                    <div>   <iterationToken/></div>
                    <div>   <authorization id="1"></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action></div>
                    <div>      <object></div>
                    <div>         <type>OrgType</type></div>
                    <div>      </object></div>
                    <div>      <object></div>
                    <div>         <type>ResourceType</type></div>
                    <div>      </object></div>
                    <div>      <object></div>
                    <div>         <type>RoleType</type></div>
                    <div>      </object></div>
                    <div>      <object></div>
                    <div>         <type>ShadowType</type></div>
                    <div>      </object></div>
                    <div>      <object></div>
                    <div>         <type>UserType</type></div>
                    <div>         <orgRef xmlns:tns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div>
                    <div>               
                       oid="3404b331-57c0-4bef-b699-0192ce8d728b"</div>
                    <div>               
                       type="tns:OrgType"></orgRef></div>
                    <div>      </object></div>
                    <div>   </authorization></div>
                    <div>   <authorization id="2"></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#findUsers" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#findUsers</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItems" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItems</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItem" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItem</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsMyRequests" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsMyRequests</a></action></div>
                    <div>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsProcessInstance" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#workItemsProcessInstance</a></action></div>
                    <div>   </authorization></div>
                    <div></role></div>
                  </div>
                </div>
                <div dir="ltr">-- <br>
                </div>
                <div dir="ltr">--
                  <div>Petr G.</div>
                </div>
                <br>
                <br>
              </blockquote>
            </div>
            <div text="#000000" bgcolor="#FFFFFF">
              <blockquote type="cite">
                <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
              </blockquote>
              <br>
              <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
            </div>
          </blockquote>
        </div>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div dir="ltr">--
        <div>Petr G.</div>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
  </div>

</blockquote></div><div dir="ltr">-- <br></div><div dir="ltr">--<div>Petr G.</div></div>
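<div>The two problems resolved in this thread (no #add authorization for UserType, and GUI action URIs in the namespace that changes with 3.2) can be checked mechanically before a role is assigned. The script below is an added example, not code from the thread or from the midPoint project: <code>audit_role</code>, <code>BEFORE</code> and <code>AFTER</code> are hypothetical names, and both sample roles are constructed. It assumes that an authorization without <code>&lt;phase&gt;</code> covers both phases and that one without <code>&lt;object&gt;</code> covers any object.</div>

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
SEC = "http://midpoint.evolveum.com/xml/ns/public/security/"
MODEL = SEC + "authorization-model-3#"
GUI_OLD = SEC + "authorization-3#"      # GUI action namespace used in the thread's role
GUI_NEW = SEC + "authorization-ui-3#"   # GUI action namespace after the 3.2 change
PHASES = {"request", "execution"}


def audit_role(xml_text, obj_type="UserType", needed=("read", "modify", "add")):
    """Report model actions lacking a phase for obj_type, and pre-3.2 GUI URIs."""
    covered = {op: set() for op in needed}
    findings = []
    for auth in ET.fromstring(xml_text).findall(C + "authorization"):
        # Assumption: no <phase> means both phases; no <object> means any object.
        phase = (auth.findtext(C + "phase") or "").strip()
        phases = {phase} if phase else PHASES
        objs = auth.findall(C + "object")
        # <type> is a QName, so compare only its local part; no <type> = any type.
        applies = not objs or any(
            (o.findtext(C + "type") or obj_type).strip().split(":")[-1] == obj_type
            for o in objs)
        for action in auth.findall(C + "action"):
            uri = (action.text or "").strip()
            if uri.startswith(GUI_OLD):
                findings.append(("legacy-gui", auth.get("id"), uri[len(GUI_OLD):]))
            elif uri.startswith(MODEL) and applies:
                covered.setdefault(uri[len(MODEL):], set()).update(phases)
    for op in needed:
        for phase in sorted(PHASES - covered[op]):
            findings.append(("missing", op, phase))
    return findings


# Constructed sample modelled on the role first posted: read/modify only.
BEFORE = f"""<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Sample delegated administrator (constructed)</name>
  <authorization id="1">
    <action>{MODEL}read</action>
    <action>{MODEL}modify</action>
    <object>
      <type>UserType</type>
      <orgRef oid="00000000-0000-0000-0000-000000000000" type="OrgType"/>
    </object>
  </authorization>
  <authorization id="2">
    <action>{GUI_OLD}dashboard</action>
    <action>{GUI_NEW}users</action>
  </authorization>
</role>"""

# Constructed sample modelled on the working role: #add in both phases.
AFTER = BEFORE.replace("</role>", "".join(
    f'<authorization id="{i}"><action>{MODEL}add</action><phase>{p}</phase>'
    f"<object><type>UserType</type></object></authorization>"
    for i, p in ((3, "request"), (4, "execution"))) + "</role>")

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_role(role))
```

<div>A "legacy-gui" finding is informational on 3.1.1 and becomes relevant when the role is moved to 3.2.</div>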