<?xml version="1.0" encoding="utf-16"?><html><head><style id="signatureStyle" type="text/css"><!--#x85dd288bd043484 a img
{border: 0px;}
#x85dd288bd043484
{font-family: Tahoma; font-size: 12pt;}
--></style><style id="css_styles" type="text/css"><!--blockquote.cite { margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc }
blockquote.cite2 {margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc; margin-top: 3px; padding-top: 0px; }
a img { border: 0px; }
ol, ul { list-style-position: inside }
body { font-family: Tahoma; font-size: 12pt; }--></style></head><body><div>Hello Chris,</div><div><br /></div><div>try this partial example:</div><div><br /></div><div> <authorization id="19"><br /> <decision>allow</decision><br /> <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</a></action><br /> <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</a></action><br /> <object><br /> <type>UserType</type><br /> </object><br /> <target><br /> <type>RoleType</type><br /> <filter><br /> <q:equal><br /> <q:path>roleType</q:path><br /> <q:value>login-role</q:value><br /> </q:equal><br /> </filter><br /> </target><br /> </authorization><br /></div><div><br /></div><div>This authorization allows assign and unassign roles with filled attribute roleType=login-role to users.</div><div><br /></div><div>Try this:</div><div><br /></div><div>1) Create new custom role</div><div><br /></div><div>2) in this role set inducement to End user role:</div><div> <inducement id="7"><br /> <targetRef oid="00000000-0000-0000-0000-000000000008" type="c:RoleType"><!-- End user --><br /> <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description><br /> </targetRef><br /> </inducement><br /></div><div><br /></div><div>3) Add authorization in higher example.</div>
<div><br /></div><div id="signature_old"><div id="x85dd288bd043484"><div style="FONT-SIZE: 12pt; FONT-FAMILY: Tahoma">Resulted custom role (user, who will have assigned this role) will have all credentials from End User role (inducement) and new assign/unassign credentials.</div><div style="FONT-SIZE: 12pt; FONT-FAMILY: Tahoma"><br /></div><div style="FONT-SIZE: 12pt; FONT-FAMILY: Tahoma">Regards</div><div style="FONT-SIZE: 12pt; FONT-FAMILY: Tahoma"><br /></div><div style="FONT-SIZE: 12pt; FONT-FAMILY: Tahoma"><table style="WHITE-SPACE: normal; WORD-SPACING: 0px; BORDER-COLLAPSE: collapse; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); FONT: medium 'Times New Roman'; WIDOWS: 1; LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px">
<tbody>
<tr>
<td style="FONT-SIZE: 11px; FONT-FAMILY: Arial, sans-serif; VERTICAL-ALIGN: bottom; COLOR: rgb(0,0,0)" colspan="2">
<p><span style="FONT-SIZE: 14px; FONT-WEIGHT: bold">Roman Pudil</span><br />solution architect<br /><br />gsm: [+420] 775 663 666<br />e-mail:<span class="Apple-converted-space"> </span><a href="mailto:roman.pudil@ami.cz">roman.pudil@ami.cz</a></p></td>
<td style="BORDER-RIGHT: rgb(204,204,204) 1px solid"> </td>
<td> </td>
<td style="FONT-SIZE: 11px; FONT-FAMILY: Arial, sans-serif; VERTICAL-ALIGN: bottom; COLOR: rgb(0,0,0)">
<p>AMI Praha a.s.<br />Pláničkova 11<br />162 00 Praha 6<br />tel./fax: [+420] 274 783 239<br />web:<span class="Apple-converted-space"> </span><a href="http://www.ami.cz">www.ami.cz</a></p></td>
<td style="BORDER-RIGHT: rgb(204,204,204) 1px solid"> </td>
<td> </td>
<td style="FONT-SIZE: 11px; FONT-FAMILY: Arial, sans-serif; COLOR: rgb(0,0,0)">
<p><img title="AMI Praha a.s." border="0" alt="" src="http://www.ami.cz/images/podpis/ami_logo.gif " /></p></td></tr>
<tr>
<td colspan="8"><br /><a href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"><img border="0" alt="" src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" /></a></td></tr>
<tr>
<td style="FONT-SIZE: 11px; FONT-FAMILY: Arial, sans-serif; COLOR: rgb(128,128,128)" colspan="8"><br />Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s.<br />jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu.</td></tr></tbody></table></div></div></div><div><br /></div>
<div>------ Původní zpráva ------</div>
<div>Od: "Christopher Hoskin" <<a href="mailto:christopher.hoskin@gmail.com">christopher.hoskin@gmail.com</a>></div>
<div>Komu: <a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a></div>
<div>Odesláno: 13.12.2017 14:57:05</div>
<div>Předmět: [midPoint] Allowing end users to request association to roles or organisations.</div><div><br /></div>
<div id="xb4fcb13ea3094c2"><blockquote cite="CAEjvcd_=YM3Cn+DfC4SWx+0Q0dn7z2zr5L34LC6RrTk4Bdr5Og@mail.gmail.com" type="cite" class="cite2">
<div dir="ltr"><div><div><div><div><div><div><div>Hello,<br /><br /></div>I'm evaluating MidPoint for my employer.<br /><br /></div>One of the features that we're interested in is allowing end users to request association with a role or organisation. If I log in to the web interface as the administrator, then I can see roles and organisations under 'Request a role'. If I log in as a user with an assignment to the 'End User' role, then I can't see any roles or organisations to request an association with.<br /><br /></div>Doing a little reading, it appears that the user needs a role with the 'selfRequestAssignment' authorization. So I have created a copy of the End User role and added the following authorization:<br /><br /> <authorization id="11"><br /> <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfRequestAssignment">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfRequestAssignment</a></action><br /> <object><br /> <special>self</special><br /> </object><br /> </authorization><br /><br /></div>However, when I log in as a user with this new role, I am still unable to see any roles or organisations to request association with.<br /><br /></div>Have I got something wrong? Is there something else I need to do?<br /><br /></div>Thanks.<br /><br /></div>Christopher Hoskin<br /></div>
</blockquote></div>
</body></html>