<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi,</p>
    <p>Has your user been assigned just this role, or another one too? More
      specifically, does your user have End user as well or not?</p>
    <p>(End user role has privileges to see all roles, for example).</p>
    <p><br>
    </p>
    <p>Ivan<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 03/14/2017 04:28 PM, Pertti
      Kellomäki wrote:<br>
    </div>
    <blockquote cite="mid:1489501722999.92144@datactica.fi" type="cite">
      <p>Hi all,</p>
      <p><br>
      </p>
      <p>I am trying to create a restricted administrator role similar
        to the call center operator at
      </p>
      <p><a moz-do-not-send="true"
          href="https://wiki.evolveum.com/x/UwDy">https://wiki.evolveum.com/x/UwDy</a></p>
      <p><br>
      </p>
      <p>Below are the authorizations of the role. From the example I
        would expect that a user with the restricted administrator role
        would only be able to see and assign roles with roleType 'kapa'
        to other users, but instead all roles are visible, and the
        administrator can happily make other users superusers. I must be
        missing something very basic here. My midPoint version is 3.5 if
        that makes a difference.<br>
      </p>
      <p><br>
      </p>
      <p>Thanks, Pertti<br>
      </p>
      <p><br>
      </p>
      <pre>&lt;authorization id="2"&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll&lt;/action&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll&lt;/action&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#dashboard&lt;/action&gt;
&lt;/authorization&gt;
&lt;authorization id="3"&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify&lt;/action&gt;
  &lt;object&gt;
    &lt;type&gt;OrgType&lt;/type&gt;
  &lt;/object&gt;
&lt;/authorization&gt;
&lt;authorization id="4"&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify&lt;/action&gt;
  &lt;object&gt;
    &lt;type&gt;UserType&lt;/type&gt;
  &lt;/object&gt;
&lt;/authorization&gt;
&lt;authorization id="5"&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign&lt;/action&gt;
  &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign&lt;/action&gt;
  &lt;target&gt;
    &lt;type&gt;RoleType&lt;/type&gt;
    &lt;filter&gt;
      &lt;q:equal&gt;
        &lt;q:path&gt;roleType&lt;/q:path&gt;
        &lt;q:value&gt;kapa&lt;/q:value&gt;
      &lt;/q:equal&gt;
    &lt;/filter&gt;
  &lt;/target&gt;
&lt;/authorization&gt;
</pre>
      <br>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
  </body>
</html>