
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>

</head>

<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">

<p>Hi all,</p>

<p><br>

</p>

<p>I am trying to create a restricted administrator role similar to the call center operator at

</p>

<p><a href="https://wiki.evolveum.com/x/UwDy">https://wiki.evolveum.com/x/UwDy</a></p>

<p><br>

</p>

<p>Below are the authorizations of the role. From the example I would expect that a user with the restricted administrator role would only be able to see and assign roles with roleType 'kapa' to other users, but instead all roles are visible, and the administrator

 can happily make other users superusers. I must be missing something very basic here. My midPoint version is 3.5 if that makes a difference.<br>

</p>

<p><br>

</p>

<p>Thanks, Pertti<br>

</p>

<p><br>

</p>

<p>   <authorization id="2"><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll</action><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#dashboard</action><br>

   </authorization><br>

   <authorization id="3"><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action><br>

      <object><br>

         <type>OrgType</type><br>

      </object><br>

   </authorization><br>

   <authorization id="4"><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action><br>

      <object><br>

         <type>UserType</type><br>

      </object><br>

   </authorization><br>

   <authorization id="5"><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action><br>

      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action><br>

      <target><br>

         <type>RoleType</type><br>

         <filter><br>

            <q:equal><br>

               <q:path>roleType</q:path><br>

               <q:value>kapa</q:value><br>

            </q:equal><br>

         </filter><br>

      </target><br>

   </authorization><br>

</p>

</body>

</html>