<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi Marco,</p>
    <p>you can make it even better if all your users have some common
      property, e.g. employeeType, and you can allow to see only users
      having specific value(s) in that property. This will allow you to
      hide special account such as administrator.</p>
    <p>For example, I'm using this:</p>
    <pre>...
    &lt;authorization&gt;
        &lt;name&gt;Read users&lt;/name&gt;
        &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
        &lt;object&gt;
            &lt;type&gt;UserType&lt;/type&gt;
            &lt;filter&gt;
                &lt;q:or&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;EMPLOYEE&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;CONTRACTOR&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;Vendor&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;MagicVendor&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                    &lt;q:equal&gt;
                        &lt;q:path&gt;employeeType&lt;/q:path&gt;
                        &lt;q:value&gt;System&lt;/q:value&gt;
                    &lt;/q:equal&gt;
                &lt;/q:or&gt;
            &lt;/filter&gt;
        &lt;/object&gt;
    &lt;/authorization&gt;
...</pre>
    Ivan<br>
    <br>
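<p>A complete role object that puts the pieces of this thread together (the three GUI authorizations and the unfiltered ShadowType read from Marco's "Guest" role, plus a filtered UserType read in the style of Ivan's snippet), as an added example that is not part of the original messages and not taken from midPoint's own documentation. The role OID, the authorization ids, the description text and the two employeeType values are assumptions chosen for illustration; the namespaces are the standard midPoint 3.x common-3 and query-3 ones.</p>

```xml
<!-- Added example for this thread; not code posted by Ivan, Marco or Evolveum.
     Assumed for illustration: the OID, the authorization ids, the description
     and the employeeType values (EMPLOYEE, CONTRACTOR). -->
<role oid="8f1a6c2e-3b4d-4e5f-9a0b-1c2d3e4f5a6b"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Guest</name>
    <description>
        Read-only view of ordinary users (Basic, Projections and Assignments tabs).
        Users whose employeeType is not listed in the filter below, e.g. the
        administrator, are outside the object filter of the read authorization.
    </description>

    <!-- GUI pages: user list, user search, user details. These only unlock the
         pages; which objects are visible on them is decided by the model
         authorizations below. -->
    <authorization id="1">
        <name>Guest GUI pages</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
    </authorization>

    <!-- Model read of users, narrowed by an object filter on employeeType.
         Only #read is granted, so this authorization allows no modification. -->
    <authorization id="2">
        <name>Read ordinary users</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
            <filter>
                <q:or>
                    <q:equal>
                        <q:path>employeeType</q:path>
                        <q:value>EMPLOYEE</q:value>
                    </q:equal>
                    <q:equal>
                        <q:path>employeeType</q:path>
                        <q:value>CONTRACTOR</q:value>
                    </q:equal>
                </q:or>
            </filter>
        </object>
    </authorization>

    <!-- Model read of shadows, needed for the Projections tab. Note that this
         authorization carries no filter, so it is not narrowed the way the
         user read above is. -->
    <authorization id="3">
        <name>Read shadows</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>
</role>
```

<p>Import the role, assign it (together with "End user", as in the thread) to a test account, and log in as that account: the user list should then contain only users whose employeeType matches the filter, and users outside the filter, such as administrator, should not be readable. Keep in mind that the ShadowType read is unfiltered in this example; narrowing it is a separate step not shown here.</p>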
    <div class="moz-cite-prefix">On 02/23/2017 04:12 PM, Marco Benucci
      wrote:<br>
    </div>
    <blockquote cite="mid:d5f55930-2d9a-553a-1f18-94d7ce53e659@nsr.it"
      type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <p><font face="DejaVu Sans">Ok, this is actually what I was looking
          for!<br>
          <br>
          Now, I have the current configuration in my guest Role:</font></p>
      <pre>
&lt;authorization id="1"&gt;
    &lt;name&gt;Guest&lt;/name&gt;
    &lt;description&gt;
        grants read-only privileges on all users, their projection and assignment
    &lt;/description&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users&lt;/action&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers&lt;/action&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails&lt;/action&gt;
&lt;/authorization&gt;
&lt;authorization id="2"&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
    &lt;object&gt;
        &lt;type&gt;UserType&lt;/type&gt;
    &lt;/object&gt;
&lt;/authorization&gt;
&lt;authorization id="3"&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
    &lt;object&gt;
        &lt;type&gt;ShadowType&lt;/type&gt;
    &lt;/object&gt;
&lt;/authorization&gt;
</pre>
      <p><font face="DejaVu Sans">Really, really, thank you!<br>
        </font></p>
      <p><br>
      </p>
      <br>
      <div class="moz-cite-prefix">On 02/23/2017 03:27 PM, Pálos Gustáv
        wrote:<br>
      </div>
      <blockquote
cite="mid:CAPXQVkfeYdMH=wDf8gP-7Ay3s6ZWJA3=JxW0hw0UWHufO2HF7Q@mail.gmail.com"
        type="cite">
        <div dir="ltr">Hi Marco,
          <div><br>
          </div>
          <div>you started correctly with this wiki page:</div>
          <div><a moz-do-not-send="true"
              href="https://wiki.evolveum.com/display/midPoint/GUI+Authorizations">https://wiki.evolveum.com/display/midPoint/GUI+Authorizations</a></div>
          <div>but you also need to read and apply this:</div>
          <div><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Authorization+Configuration">https://wiki.evolveum.com/display/midPoint/Authorization+Configuration</a></div>
          <div>if you have a problem, you can apply this:</div>
          <div><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations">https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations</a></div>
          <div>and if nothing helped, please reply again to this thread
            with your complete current role config and we will try to help.<br>
            <div class="gmail_extra"><br>
            </div>
            <div class="gmail_extra">> PS: My other midpoint users do
              not have the "end user" role because they do not have to
              access on midPoint.</div>
            Is this the "problem"?</div>
          <div><br>
          </div>
          <div>no, it is OK.</div>
          <div><br>
          </div>
          <div>Best regards,</div>
          <div><br>
          </div>
          <div>Gustav<br>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">2017-02-23 15:16 GMT+01:00 Marco
                Benucci <span dir="ltr"><<a moz-do-not-send="true"
                    href="mailto:m.benucci@nsr.it" target="_blank">m.benucci@nsr.it</a>></span>:<br>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div bgcolor="#FFFFFF">
                    <p><font face="DejaVu Sans">Hi,</font></p>
                    <p><font face="DejaVu Sans">I'm on midPoint 3.4.1
                        and I would like to create a role that grants a
                        user the right to list all other users<br>
                        and see (only see, not modify) their Basic,
                        Projection and Assignment tabs.<br>
                        <br>
                        I have assigned to this user the role "end user"
                        and I created the role "Guest" with<br>
                        the authorizations</font><br>
                      <a moz-do-not-send="true"
                        href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users"
                        target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</a><br>
                      and<br>
                      <a moz-do-not-send="true"
                        href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails"
                        target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</a></p>
                    <p>but this user can see only himself.<br>
                      <br>
                      PS: My other midPoint users do not have the "end
                      user" role because they do not need to access
                      midPoint.<br>
                      Is this the "problem"?<br>
                      <br>
                    </p>
                    <p>Thank you<br>
                    </p>
                  </div>
                  <br>
                  _______________________________________________<br>
                  midPoint mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
                  <a moz-do-not-send="true"
                    href="http://lists.evolveum.com/mailman/listinfo/midpoint"
                    rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
                  <br>
                </blockquote>
              </div>
              <br>
              <br clear="all">
              <div><br>
              </div>
              -- <br>
              <div class="gmail_signature">
                <div dir="ltr">
                  <div>Gustáv Pálos</div>
                  <div>Identity Engineer</div>
                  <a moz-do-not-send="true" href="http://evolveum.com/"
                    rel="noreferrer"
                    style="color:rgb(17,85,204);font-size:12.8px"
                    target="_blank">evolveum.com</a><br>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
      </blockquote>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
  </body>
</html>