<div dir="ltr">Hi Carlos,<div><br></div><div>If you generate some user attributes, you have to allow adding them as well, at least in the execution phase. Might that be the case?</div></div>
<div class="gmail_extra"><br><div class="gmail_quote">2016-10-11 21:22 GMT+02:00 Carlos Ferreira <span dir="ltr">&lt;<a href="mailto:carlos18619@gmail.com" target="_blank">carlos18619@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">One more thing:<br><br>
<div>If the "xml" is as follows, all user attributes are shown and I CAN create the users (with no error messages):<br></div>
<div><br>
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"<br>
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"<br>
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"<br>
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"<br>
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"<br>
      version="48"><br>
   <name>Allow create</name><br>
   <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description><br>
   <metadata><br>
      <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp><br>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel><br>
   </metadata><br>
   <activation><br>
      <effectiveStatus>enabled</effectiveStatus><br>
      <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp><br>
   </activation><br>
   <iteration>0</iteration><br>
   <iterationToken/><br>
   <authorization id="1"><br>
      <name>Allow creation of users</name><br>
      <description><br>
            Allow creation of users.<br>
        </description><br>
      <decision>allow</decision><br>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action><br>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action><br>
   </authorization><br>
   <authorization id="2"><br>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action><br>
   </authorization><br>
   <roleType>system</roleType><br>
</role><br>
</div></div>
<div class="gmail_extra"><br><div class="gmail_quote">2016-10-11 16:17 GMT-03:00 Carlos Ferreira <span dir="ltr">&lt;<a href="mailto:carlos18619@gmail.com" target="_blank">carlos18619@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
<div>Hi,<br><br></div><div>My necessity is as follows:<br><br></div>
<div>1. I have a kind of 'special' user. I want to assign him a role to authorize the creation of other users (only this);<br></div>
<div>2. I do not want this user to access the other admin menu options (resources, roles, etc.);<br></div>
<div>3. To accomplish that, I've created a role, whose "xml" is as follows:<br></div><br>
<div><div><br>
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"<br>
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"<br>
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"<br>
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"<br>
      oid="f076552f-b782-4e1d-86b5-1b02d9df6bfa"<br>
      version="47"><br>
   <name>Allow create</name><br>
   <description>Role authorizing a special user on creating another users</description><br>
   <metadata><br>
      <createTimestamp>2016-08-22T19:41:47.977-03:00</createTimestamp><br>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel><br>
   </metadata><br>
   <activation><br>
      <effectiveStatus>enabled</effectiveStatus><br>
      <enableTimestamp>2016-08-22T19:41:47.782-03:00</enableTimestamp><br>
   </activation><br>
   <iteration>0</iteration><br>
   <iterationToken/><br>
   <authorization id="1"><br>
      <name>Allow creation of users</name><br>
      <description><br>
            Allow creation of users.<br>
        </description><br>
      <decision>allow</decision><br>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action><br>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action><br>
   </authorization><br>
   <authorization id="2"><br>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action><br>
      <object><br>
         <type>UserType</type><br>
      </object><br>
      <c:item>name</c:item><br>
      <c:item>givenName</c:item><br>
      <c:item>familyName</c:item><br>
      <c:item>fullName</c:item><br>
      <c:item>employeeType</c:item><br>
      <c:item>employeeNumber</c:item><br>
   </authorization><br>
   <roleType>system</roleType><br>
</role><br><br></div>
<div>4. Doing so, on accessing "<a href="http://localhost:8080/midpoint/admin/users?3" target="_blank">http://localhost:8080/midpoint/admin/users?3</a>" and selecting the "New User" option, I have the specified attributes (name, givenName, etc.) presented on the screen;<br><br></div>
<div>5. Nevertheless, after filling them in and pressing the "save" button, the following error message is shown:<br><br>
<b>User ''specialuser'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add on user:null(a)</b><br><br></div>
<div><br><br></div></div></div>
</blockquote></div><br></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important"><tbody><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px solid gray!important"><p><span style="font-size:14px;font-weight:bold">Oskar Butovič</span><br>solution architect<br><br>gsm: [+420] 774 480 101<br>e-mail: <a href="mailto:oskar.butovic@ami.cz" target="_blank">oskar.butovic@ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important">   </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important">   </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px solid gray!important"><p>AMI Praha a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: [+420] 274 783 239<br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p></td><td 
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important">   </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important">   </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px solid gray!important;width:116px"><p><img src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px solid gray!important"><br><a href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management" target="_blank"><img src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" alt="AMI Praha a.s." style="border:0px;width:480px!important;height:82px!important"></a></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray!important"><br>By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s.<br>Any contract, if concluded, must be exclusively in written form.<br><br></td></tr></tbody></table></div></div></div></div></div></div></div>
</div>
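The fix the reply above points to, as an added configuration example (not code from the thread or from the midPoint project): the role from Carlos's message with its #add authorization split into a request-phase rule limited to the attributes the special user types in, and an execution-phase rule that also lets the attributes midPoint generates on creation pass. Which attributes are generated, and whether the execution-phase rule can be narrowed with item entries, depends on the deployment's object template and is an assumption here.

```xml
<!-- Added example, not from the thread or the midPoint project: the "Allow create" role
     split by authorization phase. Assumption: the deployment generates further user
     attributes while creating a user, so an #add limited to the typed-in items is rejected. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
   <name>Allow create</name>
   <description>Lets a special user create users and nothing else in the admin GUI.</description>

   <!-- GUI access: only the user list and the user detail/new-user page. -->
   <authorization>
      <name>User pages</name>
      <decision>allow</decision>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
   </authorization>

   <!-- Request phase: what the user may ask for. Only these attributes may be
        filled in on the "New User" form; anything else in the request is denied. -->
   <authorization>
      <name>Create users (request phase)</name>
      <decision>allow</decision>
      <phase>request</phase>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <object>
         <type>UserType</type>
      </object>
      <c:item>name</c:item>
      <c:item>givenName</c:item>
      <c:item>familyName</c:item>
      <c:item>fullName</c:item>
      <c:item>employeeType</c:item>
      <c:item>employeeNumber</c:item>
   </authorization>

   <!-- Execution phase: the object actually stored also carries the attributes
        midPoint computed, which are not in the list above. Allowing the whole
        UserType here, and only here, keeps the user's own input bounded by the
        request-phase rule while letting the generated values through. Add
        c:item entries here too once the generated attributes are known. -->
   <authorization>
      <name>Create users (execution phase)</name>
      <decision>allow</decision>
      <phase>execution</phase>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <object>
         <type>UserType</type>
      </object>
   </authorization>
</role>
```

An authorization with no phase element applies to both phases, so the single item-restricted #add in the original role was also enforced against the generated attributes in execution.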