<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hello Pat,<br>
      <br>
      user reconciliation is actually executed as an empty modify
      action, with the option of reconcile=true.<br>
      <br>
      So I would suggest you to set the following authorizations
      (provided that view only access is set up):<br>
      <br>
      <tt><authorization></tt><tt><br>
      </tt><tt>     
<action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action></tt><tt><br>
      </tt><tt>      <phase>execution</phase></tt><tt><br>
      </tt><tt>      <object></tt><tt><br>
      </tt><tt>         <type>UserType</type></tt><tt><br>
      </tt><tt>      </object></tt><tt><br>
      </tt><tt><tt>      <object></tt><tt><br>
        </tt><tt>         <type>ShadowType</type></tt><tt><br>
        </tt><tt>      </object></tt><tt><br>
        </tt></authorization></tt><tt><br>
      </tt><br>
      This ensures that the user can do any modification that would be
      computed by the reconciliation.<br>
      <br>
      But you need to specify that the user can not request anything
      explicitly. This seems to work:<br>
      <tt><br>
      </tt><tt><authorization></tt><tt><br>
      </tt><tt>     
<action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action></tt><tt><br>
      </tt><tt>      <phase>request</phase></tt><tt><br>
      </tt><tt>      <object></tt><tt><br>
      </tt><tt>         <type>UserType</type></tt><tt><br>
      </tt><tt>      </object></tt><tt><br>
      </tt><tt>      <c:item>dummyItem</c:item></tt><tt><br>
      </tt><tt></authorization></tt><br>
      <br>
      (dummyItem is any non-existing item name - if there were no items
      specified, requester could modify anything)<br>
      <br>
      After applying this, I am able to request a reconciliation of
      given user(s) from the user list page.<br>
      Actually I cannot display user details but maybe it's some
      misconfiguration at my side.<br>
      <br>
      Overall, I'm not a big expert in authorizations; maybe someone on
      this list could improve this suggestion. :)<br>
      <br>
      Best regards,<br>
      Pavol<br>
      <br>
    </div>
    <blockquote
cite="mid:1C909E70745FE843A5BDBFCC9E11C62AA99500@CITESMBX3.ad.uillinois.edu"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal">I am looking to secure the GUI and define a
          role that has view only access, but with the option of
          performing a reconcile on a user as being allowed. I can get
          the view only option working, but how can I overlay allowing
          reconcile? Does this need to be a separate role?<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><i><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Pat
              Schlehuber<o:p></o:p></span></i></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>