<div dir="ltr">Here's the full stack trace for loading the "Profile" page for a user that only contains an account on the problematic resource: <a href="http://pastebin.com/cthMLBY2">http://pastebin.com/cthMLBY2</a><br><br>Also what the GUI looks like: <a href="http://i.imgur.com/4qfzzcH.png">http://i.imgur.com/4qfzzcH.png</a><br><br>I believe these are the relevant lines from the trace:<div><br><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</a>])</div><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization is not applicable for phase REQUEST</div><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE 
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization is not applicable for phase REQUEST</div><div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   
Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization is not applicable for phase REQUEST</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ search pre-process: principal=pwmproxy, operation=<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>: default deny</div><div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a 
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</a>])</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization is not applicable for phase EXECUTION</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization is not applicable for phase EXECUTION</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE 
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div><div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a 
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization is not applicable for phase EXECUTION</div><div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ search pre-process: principal=pwmproxy, operation=<a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>: default deny<br><br>Also, if this is at all relevant, all of these accounts were created via the RESTful API. I've done this on numerous other deployments but never experienced this issue. Please let me know if there's anything further I could provide. </div><div><br></div><div>Thanks, </div><div>-F </div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 25, 2016 at 11:29 AM, Florin.
Stingaciu <span dir="ltr">&lt;<a href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here's a pastebin with the End User role: <a href="http://pastebin.com/hufRebnK" target="_blank">http://pastebin.com/hufRebnK</a><br><br>I just tried the same action within my dev environment (the account has groups as well), using this exact same role, and everything worked fine. This leads me to believe there might be a different issue here?<div><br></div><div>Thanks, </div><span class="HOEnZb"><font color="#888888"><div>-F </div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 25, 2016 at 11:15 AM, Florin. Stingaciu <span dir="ltr">&lt;<a href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hey Ivan,<div><br></div><div>Yes, indeed. This other account does reference groups. I'm assuming this means there's an authorization action for reading groups?</div><div><br></div><div>The end user role is just the default one that comes with midPoint. I'm using version 3.3.1.</div><div><br></div><div>Thanks, </div><span><font color="#888888"><div>-F </div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 25, 2016 at 11:10 AM, Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi Florin,<br>
    <br>
    is the other account referencing any associations (groups)? If you
    open the same user as administrator. Most of the time this was my
    problem, if I did not have a good End user role.<br>
    <br>
    Which midPoint version is this?<br>
    <br>
    Ivan<div><div><br>
    <br>
    <div>On 05/25/2016 07:09 PM, Florin.
      Stingaciu wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div>
      <div dir="ltr">Hello, 
        <div><br>
        </div>
        <div>I'm trying to use the End User role to allow users to log in
          and verify their accounts. The definition for the End User
          role is the default definition, however when I log in as an
          End User, one of two of my resources fails to load with the
          following error:<br>
          <p>
          </p>
          <p><span>2016-05-25 17:05:17,699 []
              [http-bio-8443-exec-2] ERROR
              (com.evolveum.midpoint.web.page.admin.PageAdminFocus):
              Couldn't load account, reason: Access denied (class
              com.evolveum.midpoint.util.exception.AuthorizationException)</span></p>
          <p>I've used the End User role before without ever
            having any issues, and the fact that it loads the other
            resource just fine is making me a little worried. Any
            guidance would be greatly appreciated. </p>
          <p>Thanks, </p>
          <p>-F  <br>
          </p>
        </div>
      </div>
      <br>
      <br>
      </div></div><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre><span><font color="#888888">
    </font></span></blockquote><span><font color="#888888">
    <br>
    <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper ID(e)M Vix."
</pre>
  </font></span></div>

<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
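<div>Added example, not part of the original thread and not midPoint code: a Python script that groups the SecurityEnforcerImpl TRACE lines from the first message by the "AUTZ search pre-process" decision that ends each evaluation pass, listing why each authorization was skipped. The sample input is a shortened, constructed copy of that trace with the link markup removed, and the regular expressions assume the message wording shown in the thread.</div>

```python
import re

NS = "http://midpoint.evolveum.com/xml/ns/public/security/"
PREFIX = ("2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19] TRACE "
          "(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): ")
READ = NS + "authorization-model-3#read"
# Constructed sample: a shortened copy of the trace in this thread, link markup removed.
SAMPLE = "\n".join(PREFIX + body for body in [
    f"Evaluating authorization [{NS}authorization-ui-3#selfAll])",
    f"  Authorization not applicable for operation {READ}",
    f"Evaluating authorization [{READ}])",
    "  Authorization is not applicable for phase REQUEST",
    f"Evaluating authorization [{NS}authorization-model-3#modify])",
    f"  Authorization not applicable for operation {READ}",
    f"AUTZ search pre-process: principal=pwmproxy, operation={READ}: default deny",
    f"Evaluating authorization [{READ}])",
    "  Authorization is not applicable for phase EXECUTION",
    f"AUTZ search pre-process: principal=pwmproxy, operation={READ}: default deny",
])

EVAL = re.compile(r"Evaluating authorization \[(\S+?)\]\)")
SKIP = re.compile(r"Authorization (?:is )?not applicable for (operation|phase) (\S+)")
DECISION = re.compile(r"AUTZ search pre-process: principal=(\S+?), operation=(\S+): (.+)$")

def short(uri):
    """Keep only the fragment of an authorization action URI (e.g. 'read')."""
    return uri.rsplit("#", 1)[-1]

def summarize(trace):
    """Group skip reasons under the AUTZ decision line that follows them."""
    passes, skipped, unskipped, pending = [], [], [], None
    for line in trace.splitlines():
        if m := EVAL.search(line):
            if pending is not None:      # previous one had no skip reason logged
                unskipped.append(pending)
            pending = short(m.group(1))
        elif m := SKIP.search(line):
            skipped.append((pending, m.group(1), short(m.group(2))))
            pending = None
        elif m := DECISION.search(line):
            if pending is not None:
                unskipped.append(pending)
            passes.append({"principal": m.group(1), "operation": short(m.group(2)),
                           "decision": m.group(3), "skipped": skipped,
                           "unskipped": unskipped})
            skipped, unskipped, pending = [], [], None
    return passes

if __name__ == "__main__":
    for n, p in enumerate(summarize(SAMPLE), 1):
        print(n, p["principal"], p["operation"], p["decision"], p["skipped"], p["unskipped"])
```

<div>An authorization listed under "unskipped" had no skip reason logged after its "Evaluating authorization" line, which makes it the entry to compare between a resource that loads and one that is denied.</div>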