<div dir="ltr">One more thing:<br><br><br><div>If the "xml" is as follows, all user attributes are shown and I CAN create the users (with no error messages):<br></div><div><br><role xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"<br>      xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3">http://prism.evolveum.com/xml/ns/public/query-3</a>"<br>      xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"<br>      xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3">http://prism.evolveum.com/xml/ns/public/types-3</a>"<br>      xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"<br>      xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"<br>      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"<br>      version="48"><br>   <name>Allow create</name><br>   <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description><br>   <metadata><br>      <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp><br>      <createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init">http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</a></createChannel><br>   </metadata><br>   <activation><br>      <effectiveStatus>enabled</effectiveStatus><br>      <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp><br>   </activation><br>   <iteration>0</iteration><br>   <iterationToken/><br>   <authorization id="1"><br>      <name>Allow creation of users</name><br>      <description><br>            Allow creation of users.<br>        </description><br>
<decision>allow</decision><br>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</a></action><br>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</a></action><br>   </authorization><br>   <authorization id="2"><br>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</a></action><br>   </authorization><br>   <roleType>system</roleType><br></role><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-10-11 16:17 GMT-03:00 Carlos Ferreira <span dir="ltr"><<a href="mailto:carlos18619@gmail.com" target="_blank">carlos18619@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,<br><br></div><div>My necessity is as follows:<br><br></div><div>1. I have a kind of 'special' user. I want to assign him a role to authorize the creation of other users (only this);<br></div><div>2. I do not want this user to access the other admin menu options (resources, roles, etc);<br></div><div>3. To accomplish that, I've created a role, whose "xml" is as follows:<br></div><br><div><div><br><br><role xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"<br>      xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3" target="_blank">http://prism.evolveum.com/xml/ns/public/query-3</a>"<br>      xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"<br>      xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">http://prism.evolveum.com/xml/ns/public/types-3</a>"<br>      xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"<br>      xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"<br>      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"<br>      version="47"><br>   <name>Allow create</name><br>   <description>Role authorizing a special user on creating another users</description><br>   <metadata><br>      <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp><br>      <createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init" target="_blank">http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</a></createChannel><br>   </metadata><br>   <activation><br>      <effectiveStatus>enabled</effectiveStatus><br>      <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp><br>   </activation><br>   <iteration>0</iteration><br>   <iterationToken/><br>   <authorization id="1"><br>      <name>Allow creation of users</name><br>      <description><br>            Allow creation of users.<br>        </description><br>      <decision>allow</decision><br>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</a></action><br>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</a></action><br>   </authorization><br>   <authorization id="2"><br>      <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</a></action><br>      <object><br>         <type>UserType</type><br>      </object><br>      <c:item>name</c:item><br>      <c:item>givenName</c:item><br>      <c:item>familyName</c:item><br>      <c:item>fullName</c:item><br>      <c:item>employeeType</c:item><br>      <c:item>employeeNumber</c:item><br>   </authorization><br>   <roleType>system</roleType><br></role><br><br></div><div>4. Doing so, on accessing "<a href="http://localhost:8080/midpoint/admin/users?3" target="_blank">http://localhost:8080/midpoint/admin/users?3</a>" and selecting the "New User" option, I have the specified attributes (name, givenName, etc.) presented on the screen;<br><br></div><div>5. Nevertheless, after filling them in and pressing the "save" button, the following error message is shown:<br><br>
                <a id="m_5361664820264126773gmail-ida4" class="m_5361664820264126773gmail-box-title"><b id="m_5361664820264126773gmail-idaa" class="m_5361664820264126773gmail-box-title">User ''specialuser'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add on user:null(a)</b></a><br><br></div><div><br><br></div></div></div>
</blockquote></div><br></div>
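The two role variants above differ only in the second authorization: the one that fails restricts `#add` to `UserType` and six items, the one that works has no `<object>` element at all. The script below is an added example, not part of this thread and not midPoint code: it parses both variants (cut down to the elements that matter, a constructed sample rather than the full exported objects) and reports which allow-authorizations grant a model-level action with no object restriction. It assumes midPoint's documented defaults as I understand them: a missing `<decision>` means allow, and a missing `<object>` means the authorization applies to every object type, so the "working" role lets the special user add any object, not only users.

```python
"""Inspect which midPoint authorizations in a role are scoped to an object type and item list."""
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
MODEL_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3"
NS = {"c": COMMON_NS}

# Constructed sample input: the two role variants from the thread, reduced to the
# elements the analysis needs (metadata, activation, oid etc. dropped).
ROLE_UNSCOPED = """\
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
   <name>Allow create</name>
   <authorization id="1">
      <name>Allow creation of users</name>
      <decision>allow</decision>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
   </authorization>
   <authorization id="2">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
   </authorization>
</role>
"""

ROLE_SCOPED = """\
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
   <name>Allow create</name>
   <authorization id="1">
      <name>Allow creation of users</name>
      <decision>allow</decision>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
   </authorization>
   <authorization id="2">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <object>
         <type>UserType</type>
      </object>
      <c:item>name</c:item>
      <c:item>givenName</c:item>
      <c:item>familyName</c:item>
      <c:item>fullName</c:item>
      <c:item>employeeType</c:item>
      <c:item>employeeNumber</c:item>
   </authorization>
</role>
"""


def parse_authorizations(role_xml):
    """Return one dict per <authorization>: id, decision, actions, object types, items."""
    root = ET.fromstring(role_xml)
    auths = []
    for auth in root.findall("c:authorization", NS):
        auths.append({
            "id": auth.get("id"),
            # Assumption: midPoint treats a missing <decision> as "allow".
            "decision": auth.findtext("c:decision", default="allow", namespaces=NS).strip(),
            "actions": [a.text.strip() for a in auth.findall("c:action", NS) if a.text],
            "object_types": [t.text.strip() for t in auth.findall("c:object/c:type", NS) if t.text],
            # In the posted XML the c: prefix maps to the same common-3 namespace as
            # the unprefixed elements, so <c:item> is found under the same key.
            "items": [i.text.strip() for i in auth.findall("c:item", NS) if i.text],
        })
    return auths


def unscoped_model_grants(auths):
    """Model-level actions that an allow-authorization grants without any <object> restriction.

    Assumption (my reading of midPoint's authorization semantics, not something the
    thread states): with no <object> element the authorization applies to every object
    type, so an unscoped "#add" means "add any object", not only users.
    """
    grants = []
    for auth in auths:
        if auth["decision"] != "allow" or auth["object_types"]:
            continue
        grants.extend(a for a in auth["actions"] if a.startswith(MODEL_NS + "#"))
    return grants


if __name__ == "__main__":
    for label, xml in (("unscoped", ROLE_UNSCOPED), ("scoped", ROLE_SCOPED)):
        auths = parse_authorizations(xml)
        print(label, "unscoped model grants:", unscoped_model_grants(auths))
        for a in auths:
            print("  ", a["id"], a["decision"], a["object_types"] or "<all types>", a["items"] or "<all items>")
```

Run it against a role exported from your own instance to see, before assigning it, whether any `allow` authorization hands out a model action with no object type attached. Why the scoped variant is refused for `#add` on `user:null` is not something this check can tell you; it only makes visible what each variant actually grants.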