<div dir="ltr"><div>Hi,<br><br></div><div>My need is as follows:<br><br></div><div>1. I have a kind of 'special' user. I want to assign him a role that authorizes him to create other users (only this);<br></div><div>2. I do not want this user to access the other admin menu options (resources, roles, etc.);<br></div><div>3. To accomplish that, I've created a role, whose XML is as follows:<br></div><br><div><div><br><br><pre>
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"
      version="47">
    <name>Allow create</name>
    <description>Role authorizing a special user on creating other users</description>
    <metadata>
        <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
    </metadata>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <!-- GUI authorization: lets the user open the Users pages only -->
    <authorization id="1">
        <name>Allow creation of users</name>
        <description>
            Allow creation of users.
        </description>
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
    </authorization>
    <!-- Model authorization: #add on UserType, limited to the listed items -->
    <authorization id="2">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <object>
            <type>UserType</type>
        </object>
        <c:item>name</c:item>
        <c:item>givenName</c:item>
        <c:item>familyName</c:item>
        <c:item>fullName</c:item>
        <c:item>employeeType</c:item>
        <c:item>employeeNumber</c:item>
    </authorization>
    <roleType>system</roleType>
</role>
</pre><br><br></div><div>4. Doing so, on accessing "<a href="http://localhost:8080/midpoint/admin/users?3">http://localhost:8080/midpoint/admin/users?3</a>" and selecting the "New User" option, I have the specified attributes (name, givenName, etc.) presented on the screen;<br><br></div><div>5. Nevertheless, after filling them in and pressing the "Save" button, the following error message is shown:<br><br>
<a id="gmail-ida4" class="gmail-box-title">
<b id="gmail-idaa" class="gmail-box-title">User ''specialuser'' not authorized
for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add
on user:null(a)</b>
</a><br><br></div><div><br><br></div></div></div>
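The `user:null(a)` in that message is midPoint's `type:oid(name)` rendering of an object that has no OID yet, i.e. the user being added. The following script is an added example, not midPoint code and not part of the post above: it parses the posted role (embedded below as a constructed, trimmed copy) and simulates the decision an item-limited `#add` authorization makes. It assumes the documented semantic of the `<item>` clause, that an allow authorization with items covers an add only when every item of the new object is in that list, and models deny-overrides, "no items means the whole object" and "missing `<decision>` means allow" as stated assumptions rather than as a quote of the midPoint implementation. The point it makes is that any item the GUI puts into the new object beyond the six listed ones (the `activation/administrativeStatus` path in the test is a constructed example) is enough for the whole add to be refused.

```python
"""Offline simulation of a midPoint item-limited '#add' authorization check.

Added example, not midPoint code. The rule semantics below are assumptions
stated in the lead-in, not a transcription of midPoint's SecurityEnforcer.
"""
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": COMMON_NS}
ADD_ACTION = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add"

# Constructed sample input: the two authorizations from the posted role, metadata dropped.
ROLE_XML = """\
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Allow create</name>
  <authorization id="1">
    <decision>allow</decision>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
  </authorization>
  <authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <object><type>UserType</type></object>
    <c:item>name</c:item>
    <c:item>givenName</c:item>
    <c:item>familyName</c:item>
    <c:item>fullName</c:item>
    <c:item>employeeType</c:item>
    <c:item>employeeNumber</c:item>
  </authorization>
</role>
"""


def parse_add_authorizations(role_xml):
    """Return the authorizations of a role that carry the model '#add' action."""
    root = ET.fromstring(role_xml)
    rules = []
    for auth in root.findall("c:authorization", NS):
        actions = [a.text.strip() for a in auth.findall("c:action", NS)]
        if ADD_ACTION not in actions:
            continue
        rules.append({
            "id": auth.get("id"),
            # Assumption: a missing <decision> element is an allow.
            "decision": auth.findtext("c:decision", default="allow", namespaces=NS).strip(),
            "types": [t.text.strip() for t in auth.findall("c:object/c:type", NS)],
            "items": [i.text.strip() for i in auth.findall("c:item", NS)],
        })
    return rules


def _covers(allowed_item, path):
    """Assumption: an allowed item path covers itself and anything nested below it."""
    return path == allowed_item or path.startswith(allowed_item + "/")


def check_add(rules, object_type, object_items):
    """Decide whether adding an object_type with the given item paths is allowed.

    Returns (allowed, uncovered). On denial, uncovered is the smallest set of
    object items that no applicable allow rule covers, i.e. the items to blame.
    """
    object_items = set(object_items)
    applicable = [r for r in rules if not r["types"] or object_type in r["types"]]
    if any(r["decision"] == "deny" for r in applicable):
        return False, object_items          # assumption: deny overrides allow
    best_uncovered = set(object_items)      # no applicable rule: nothing is covered
    for rule in applicable:
        if not rule["items"]:
            return True, set()              # no item limitation: whole object allowed
        uncovered = {p for p in object_items
                     if not any(_covers(a, p) for a in rule["items"])}
        if not uncovered:
            return True, set()
        if len(uncovered) < len(best_uncovered):
            best_uncovered = uncovered
    return False, best_uncovered


if __name__ == "__main__":
    rules = parse_add_authorizations(ROLE_XML)
    # Only the listed items: allowed. One extra item the GUI might add: refused as a whole.
    print(check_add(rules, "UserType", ["name", "givenName", "familyName"]))
    print(check_add(rules, "UserType", ["name", "activation/administrativeStatus"]))
```

Run it against the real role by replacing `ROLE_XML` with the role as exported from midPoint, and against the items the GUI actually submits (visible in the model audit log or with `DEBUG` logging on the security enforcer) to find which item is outside the allowed list.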