<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Yes, this would work if the attribute is set as indexed (in your
      case in the custom schema). A quick check to see if an attribute
      is indexed is to try to find by that attribute in (e.g.) the User list.<br>
    </p>
    <p>Ivan<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 02/24/2017 10:27 AM, Marco Benucci
      wrote:<br>
    </div>
    <blockquote cite="mid:c72bac9c-0ca0-63e5-a704-745462bb02af@nsr.it"
      type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <p><font face="DejaVu Sans">The filter </font><br>
      </p>
      <pre>&lt;q:equal&gt;
    &lt;q:path&gt;extension/kind&lt;/q:path&gt;
    &lt;q:value&gt;Personal&lt;/q:value&gt;
&lt;/q:equal&gt;</pre>
      works, thank you for your hint!<br>
      <br>
      Marco<br>
      <br>
      <br>
      <br>
      <br>
      <div class="moz-cite-prefix">On 02/24/2017 10:10 AM, Marco Benucci
        wrote:<br>
      </div>
      <blockquote cite="mid:eca2ed4e-7541-074c-cdd3-7264de20f2b0@nsr.it"
        type="cite">
        <meta content="text/html; charset=utf-8"
          http-equiv="Content-Type">
        Hi,<br>
        <br>
        Actually this could be a great idea!<br>
        I use midPoint to manage virtual identities for real persons and
        functional ActiveDirectory accounts...<br>
        They have an extension attribute in which I write 'Personal' or
        'Functional'.<br>
        <br>
        I suppose I can filter by<br>
        <pre>&lt;q:equal&gt;
    &lt;q:path&gt;extension/kind&lt;/q:path&gt;
    &lt;q:value&gt;Personal&lt;/q:value&gt;
&lt;/q:equal&gt;</pre>
        <br>
        is this correct?<br>
        <br>
        <br>
        <div class="moz-cite-prefix">On 02/24/2017 09:47 AM, Ivan Noris
          wrote:<br>
        </div>
        <blockquote
          cite="mid:43964fed-7a49-092d-c403-771a1e90e5b9@evolveum.com"
          type="cite">
          <meta content="text/html; charset=utf-8"
            http-equiv="Content-Type">
          <p>Hi Marco,</p>
          <p>you can make it even better if all your users have some
            common property, e.g. employeeType, and you can allow seeing
            only users having specific value(s) in that property. This
            will allow you to hide special accounts such as
            administrator.</p>
          <p>For example, I'm using this:</p>
          <pre>...
    &lt;authorization&gt;
        &lt;name&gt;Read users&lt;/name&gt;
        &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>&lt;/action&gt;
        &lt;object&gt;
            &lt;type&gt;UserType&lt;/type&gt;
            &lt;filter&gt;
                &lt;q:or&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;EMPLOYEE&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;CONTRACTOR&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;Vendor&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;MagicVendor&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;System&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                &lt;/q:or&gt;
            &lt;/filter&gt;
        &lt;/object&gt;
    &lt;/authorization&gt;

...</pre>
          Ivan<br>
          <br>
          <div class="moz-cite-prefix">On 02/23/2017 04:12 PM, Marco
            Benucci wrote:<br>
          </div>
          <blockquote
            cite="mid:d5f55930-2d9a-553a-1f18-94d7ce53e659@nsr.it"
            type="cite">
            <meta content="text/html; charset=utf-8"
              http-equiv="Content-Type">
            <p><font face="DejaVu Sans">Ok, this is actually what I was
                looking for!<br>
                <br>
                Now, I have the current configuration in my guest Role:</font></p>
            <pre>-----------
&lt;authorization id="1"&gt;
    &lt;name&gt;Guest&lt;/name&gt;
    &lt;description&gt;
        grants read-only privileges on all users, their projection and assignment
    &lt;/description&gt;
    &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</a>&lt;/action&gt;
    &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</a>&lt;/action&gt;
    &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</a>&lt;/action&gt;
&lt;/authorization&gt;
&lt;authorization id="2"&gt;
    &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>&lt;/action&gt;
    &lt;object&gt;
        &lt;type&gt;UserType&lt;/type&gt;
    &lt;/object&gt;
&lt;/authorization&gt;
&lt;authorization id="3"&gt;
    &lt;action&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>&lt;/action&gt;
    &lt;object&gt;
        &lt;type&gt;ShadowType&lt;/type&gt;
    &lt;/object&gt;
&lt;/authorization&gt;
-----------</pre>
            <p><font face="DejaVu Sans">Really really thank you!<br>
              </font></p>
            <p><br>
            </p>
            <br>
            <div class="moz-cite-prefix">On 02/23/2017 03:27 PM, Pálos
              Gustáv wrote:<br>
            </div>
            <blockquote
cite="mid:CAPXQVkfeYdMH=wDf8gP-7Ay3s6ZWJA3=JxW0hw0UWHufO2HF7Q@mail.gmail.com"
              type="cite">
              <div dir="ltr">Hi Marco,
                <div><br>
                </div>
                <div>you started correctly with this wiki page:</div>
                <div><a moz-do-not-send="true"
                    href="https://wiki.evolveum.com/display/midPoint/GUI+Authorizations">https://wiki.evolveum.com/display/midPoint/GUI+Authorizations</a></div>
                <div>but you also need to read &amp; apply this:</div>
                <div><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Authorization+Configuration">https://wiki.evolveum.com/display/midPoint/Authorization+Configuration</a></div>
                <div>if you have a problem, you can apply this:</div>
                <div><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations">https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations</a></div>
                <div>and if nothing helped, please reply again to this
                  subject with your complete actual role config and we will
                  try to help.<br>
                  <div class="gmail_extra"><br>
                  </div>
                  <div class="gmail_extra">> PS: My other midpoint
                    users do not have the "end user" role because they
                    do not have to access on midPoint.</div>
                  Is this the "problem"?</div>
                <div><br>
                </div>
                <div>no, it is OK.</div>
                <div><br>
                </div>
                <div>Best regards,</div>
                <div><br>
                </div>
                <div>Gustav<br>
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">2017-02-23 15:16 GMT+01:00
                      Marco Benucci <span dir="ltr"><<a
                          moz-do-not-send="true"
                          href="mailto:m.benucci@nsr.it" target="_blank">m.benucci@nsr.it</a>></span>:<br>
                      <blockquote class="gmail_quote" style="margin:0px
                        0px 0px 0.8ex;border-left:1px solid
                        rgb(204,204,204);padding-left:1ex">
                        <div bgcolor="#FFFFFF">
                          <p><font face="DejaVu Sans">Hi,</font></p>
                          <p><font face="DejaVu Sans">I'm on midPoint
                              3.4.1 and I would like to create a role
                              that allows a user to list all other
                              users<br>
                              and see (only see, not modify) their
                              Basic, Projection and Assignment tabs.<br>
                              <br>
                              I have assigned to this user the role "end
                              user" and I created the role "Guest" with
                              the authorization</font><br>
                            <a moz-do-not-send="true"
                              class="gmail-m_897124953619928335moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users"
                              target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</a><br>
                            and<br>
                            <a moz-do-not-send="true"
                              class="gmail-m_897124953619928335moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails"
                              target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</a></p>
                          <p>but this user can see only himself.<br>
                            <br>
                            PS: My other midPoint users do not have the
                            "end user" role because they do not have to
                            access midPoint.<br>
                            Is this the "problem"?<br>
                            <br>
                          </p>
                          <p>Thank you<br>
                          </p>
                        </div>
                        <br>
                        _______________________________________________<br>
                        midPoint mailing list<br>
                        <a moz-do-not-send="true"
                          href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
                        <a moz-do-not-send="true"
                          href="http://lists.evolveum.com/mailman/listinfo/midpoint"
                          rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
                        <br>
                      </blockquote>
                    </div>
                    <br>
                    <br clear="all">
                    <div><br>
                    </div>
                    -- <br>
                    <div class="gmail_signature">
                      <div dir="ltr">
                        <div>Gustáv Pálos</div>
                        <div>Identity Engineer</div>
                        <a moz-do-not-send="true"
                          href="http://evolveum.com/" rel="noreferrer"
                          style="color:rgb(17,85,204);font-size:12.8px"
                          target="_blank">evolveum.com</a><br>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
            <br>
            <br>
          </blockquote>
          <br>
          <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
          <br>
        </blockquote>
        <br>
        <br>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
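<p>An added example, not part of the thread and not midPoint's own code: a small Python evaluator that parses the <code>object/filter</code> of an authorization like the ones quoted above (<code>q:or</code> / <code>q:equal</code> with <code>q:path</code> and <code>q:value</code>) and reports which users the authorization would expose. It covers both item-path shapes from the thread, a top-level property (<code>employeeType</code>) and an extension item (<code>extension/kind</code>), and shows why an account without the expected property value, such as <code>administrator</code>, stays hidden. The user records and the combined filter are constructed for the example; the binding of the <code>q:</code> prefix to the Prism <code>query-3</code> namespace is assumed and would normally come from the enclosing configuration document.</p>

```python
"""Evaluate a midPoint-style object filter against in-memory user records.

Constructed example (not midPoint code). Demonstrates how an authorization's
<filter> restricts which UserType objects a role holder can read.
"""
import xml.etree.ElementTree as ET

# Prism query namespace for the q: prefix (assumed; normally declared on the
# enclosing midPoint configuration document).
Q_NS = "http://prism.evolveum.com/xml/ns/public/query-3"
NS = {"q": Q_NS}

# Constructed authorization: the employeeType whitelist shape from the thread
# combined with the extension/kind branch, so both path kinds are exercised.
AUTHORIZATION_XML = f"""
<authorization xmlns:q="{Q_NS}">
    <name>Read users</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
        <filter>
            <q:or>
                <q:equal><q:path>employeeType</q:path><q:value>EMPLOYEE</q:value></q:equal>
                <q:equal><q:path>employeeType</q:path><q:value>CONTRACTOR</q:value></q:equal>
                <q:equal><q:path>extension/kind</q:path><q:value>Personal</q:value></q:equal>
            </q:or>
        </filter>
    </object>
</authorization>
"""

# Constructed user records; keys mirror the item paths used in the filter.
USERS = [
    {"name": "administrator", "employeeType": None, "extension": {}},
    {"name": "alice", "employeeType": "EMPLOYEE", "extension": {"kind": "Personal"}},
    {"name": "bob", "employeeType": "CONTRACTOR", "extension": {}},
    {"name": "svc-backup", "employeeType": None, "extension": {"kind": "Functional"}},
    {"name": "carol", "employeeType": "TEMP", "extension": {"kind": "Personal"}},
]


def resolve_path(user, path):
    """Walk a slash-separated item path (e.g. 'extension/kind') into a record.

    Returns None when any segment is missing, so an absent property never
    matches any q:value.
    """
    node = user
    for segment in path.strip().split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def matches(filter_el, user):
    """Recursively evaluate a q:or / q:and / q:not / q:equal filter element."""
    tag = filter_el.tag
    if tag == f"{{{Q_NS}}}equal":
        path = filter_el.find("q:path", NS).text
        value = filter_el.find("q:value", NS).text
        return resolve_path(user, path) == value
    if tag == f"{{{Q_NS}}}or":
        return any(matches(child, user) for child in filter_el)
    if tag == f"{{{Q_NS}}}and":
        return all(matches(child, user) for child in filter_el)
    if tag == f"{{{Q_NS}}}not":
        return not matches(filter_el[0], user)
    raise ValueError(f"unsupported filter element: {tag}")


def visible_users(authorization_xml, users):
    """Return the names of users the authorization's object filter lets through.

    An <object> without a <filter> matches every user (the Guest role in the
    thread before the filter was added); with a filter, anything that does
    not match stays hidden from the role holder.
    """
    root = ET.fromstring(authorization_xml)
    filter_el = root.find("object/filter")
    if filter_el is None or len(filter_el) == 0:
        return [u["name"] for u in users]
    return [u["name"] for u in users if matches(filter_el[0], u)]


if __name__ == "__main__":
    print(visible_users(AUTHORIZATION_XML, USERS))
    # ['alice', 'bob', 'carol']
```

<p>Running it lists <code>alice</code> and <code>bob</code> via the <code>employeeType</code> branches and <code>carol</code> via <code>extension/kind</code>, while <code>administrator</code> and the functional <code>svc-backup</code> account are not returned. The unfiltered case is handled explicitly because that is the difference between "read all users" (Marco's first Guest role) and "read only the users this population should see" (Ivan's filtered version).</p>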
  </body>
</html>