<div dir="ltr">Thanks again Pavol! <div><br></div><div>I'm sure there's something weird configured script-wise or something, this is a setup I've inherited, I've only been here for a month, and still coming up to speed. I'll definitely check audit logs and see!</div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Seth McCombs<div>IT Operations Engineer<br style="font-size:12.8px"><span style="font-size:12.8px"><span></span>+1 510.514.5855<span></span></span></div><div><span style="font-size:12.8px"><a href="mailto:seth@sourceclear.com" target="_blank">seth@sourceclear.com</a></span></div></div></div></div>
<br><div class="gmail_quote">On Tue, Jan 23, 2018 at 12:55 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Seth,</p>
<p>the "role loss" you experience is really strange. It can be
caused by various factors; although I never heard of something
like that :) For example, are there any <a href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks" target="_blank">scripting
hooks</a> defined? Or, are you sure the assignment is really
deleted? Isn't it only disabled? (Either explicitly or via validTo
time?)<br>
</p>
<p>Maybe you could have a look into audit log: after the role
disappears, just look at all changes related to the given user.
Maybe there would be some hint what has happened.</p>
<p>Best regards,<br>
</p><span class="">
<pre class="m_6829243605420381357moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="h5"><div class="m_6829243605420381357moz-cite-prefix">On 23.01.2018 1:27, Seth McCombs wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks Pavol!
<div><br>
</div>
<div>I actually just finished that book today, and am re-reading
through the XML syntax parts. My MidPoint is 3.4.1, and I need
to figure out what my next steps are for updating, (our
instance is Kubernetes based, so I'll be rolling an update).
My issue, unless I'm missing it, is that any user besides the
initially configured super-user (set up at install), all other
users given the super user role, lose that role after 1-2
days. </div>
<div><br>
</div>
<div>Thanks! <br>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_6829243605420381357gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">Seth McCombs
<div>IT Operations Engineer<br style="font-size:12.8px">
<span style="font-size:12.8px"><span></span>+1
<a href="tel:(510)%20514-5855" value="+15105145855" target="_blank">510.514.5855</a><span></span></span></div>
<div><span style="font-size:12.8px"><a href="mailto:seth@sourceclear.com" target="_blank">seth@sourceclear.com</a></span></div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Jan 22, 2018 at 4:16 PM, Pavol
Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello Seth,</p>
<p>what you see is Superuser role. It can be assigned to
any account, effectively providing that account with
"root" privileges.</p>
<p>In fact, there's nothing hardcoded. The role can have
any name, any OID. What is important, is</p>
<span>
<p><tt><span style="font-size:12.8px"><authorization><br>
<action></span></tt><tt><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all" style="font-size:12.8px" target="_blank">http://midpoint.evolve<wbr>um.com/xml/ns/public/security/<wbr>authorization-3#all</a></tt><tt><span style="font-size:12.8px"></</span></tt><tt><span style="font-size:12.8px">action><br>
</authorization></span></tt></p>
</span>
<p>(The URI ...#all is a predefined constant in midPoint,
giving all access within the system.)</p>
<hr size="2" width="100%">Anyway, midPoint is far too
complex to be understood by exploring its GUI. I would
strongly recommend reading this e-book that will provide
you with solid understanding of basic concepts: <a href="https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/" target="_blank">https://evolveum.com/midpoint/<wbr>midpoint-guide-about-practical<wbr>-identity-management/</a>.
And, as midPoint in latest version (3.7) is really easy to
install, it is the best to install a "playground" midPoint
instance and explore it without fear of breaking anything.
<br>
<div dir="ltr"><span style="font-size:12.8px"></span></div>
<pre class="m_6829243605420381357m_-5541385853206277056moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div class="m_6829243605420381357h5">
<div class="m_6829243605420381357m_-5541385853206277056moz-cite-prefix">On
23.01.2018 1:01, Seth McCombs wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_6829243605420381357h5">
<div dir="ltr"><span style="font-size:12.8px">Hey
All, </span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">I inherited a
running MidPoint install, and while all is
working well, I am trying to learn as much about
the system as I can. One thing I have found is
that when I provide my account with SuperUser
access (after logging in as root account), I
then log back in a day or two later, and my
super user access is gone. I've only just
started digging through configs and logs, but I
have little idea where to start, one thing I
have found is this XML file - (See output
below) </div>
<div style="font-size:12.8px"><br>
</div>
<br style="font-size:12.8px">
<span style="font-size:12.8px"><role
oid="00000000-0000-0000-0000-</span><span style="font-size:12.8px">0<wbr>00000000004"</span><br style="font-size:12.8px">
<span style="font-size:12.8px">xmlns="</span><a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" style="font-size:12.8px" target="_blank">http://midpoint.evolveu<wbr>m.com/xml/ns/public/common/com<wbr>mon-3</a><span style="font-size:12.8px">"></span><br style="font-size:12.8px">
<span style="font-size:12.8px"><name>Superuser</name></span><br style="font-size:12.8px">
<span style="font-size:12.8px"><description>Role
that gives user full authorization in
MidPoint.</description></span><br style="font-size:12.8px">
<span style="font-size:12.8px"><authorization></span><br style="font-size:12.8px">
<span style="font-size:12.8px"><action></span><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all" style="font-size:12.8px" target="_blank">http://midpoint.evolve<wbr>um.com/xml/ns/public/security/<wbr>authorization-3#all</a><span style="font-size:12.8px"></</span><span style="font-size:12.8px">action></span><br style="font-size:12.8px">
<span style="font-size:12.8px"></authorization></span><br style="font-size:12.8px">
<span style="font-size:12.8px"><roleType>system</roleType></span><br style="font-size:12.8px">
<span style="font-size:12.8px"></role></span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">It seems to me that
the superuser is possibly hard coded, but I
don't know where that above link leads nor how
to fix this, </div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Any advice is MUCH
appreciated! </div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Cheers! </div>
<div style="font-size:12.8px"><br>
</div>
<div>
<div class="m_6829243605420381357m_-5541385853206277056gmail_signature">
<div dir="ltr">Seth McCombs
<div>IT Operations Engineer<br style="font-size:12.8px">
<span style="font-size:12.8px"><span></span>+1
<a href="tel:%28510%29%20514-5855" value="+15105145855" target="_blank">510.514.5855</a><span></span></span></div>
<div><span style="font-size:12.8px"><a href="mailto:seth@sourceclear.com" target="_blank">seth@sourceclear.com</a></span></div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_6829243605420381357m_-5541385853206277056moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_6829243605420381357m_-5541385853206277056moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
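<p>Added example (not part of the original thread and not midPoint's own code): a Python check that finds whether a role grants the #all action, whatever its name or OID, and then classifies a user's assignment of that role as effective, disabled, expired via validTo, or absent. The sample XML, the user jdoe and both function names are constructed for illustration; the assignment/activation element layout is assumed to follow the common-3 schema of exported objects.</p>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
ALL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all"

# Constructed sample objects (illustrative, not exported from the thread's system).
ROLE_XML = """<role oid="00000000-0000-0000-0000-000000000004"
  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Superuser</name>
  <authorization><action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action></authorization>
</role>"""

USER_XML = """<user oid="11111111-1111-1111-1111-111111111111"
  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>jdoe</name>
  <assignment id="1">
    <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
    <activation><validTo>2018-01-22T00:00:00Z</validTo></activation>
  </assignment>
</user>"""

def grants_all(role_xml):
    """Return the role's OID if any of its authorizations carries the #all action."""
    role = ET.fromstring(role_xml)
    actions = [a.text.strip() for a in role.findall("c:authorization/c:action", NS) if a.text]
    return role.get("oid") if ALL in actions else None

def assignment_states(user_xml, role_oid, now):
    """Classify each assignment of role_oid as effective, disabled or expired."""
    states = []
    for a in ET.fromstring(user_xml).findall("c:assignment", NS):
        ref = a.find("c:targetRef", NS)
        if ref is None or ref.get("oid") != role_oid:
            continue
        status = a.findtext("c:activation/c:administrativeStatus", "enabled", NS)
        valid_to = a.findtext("c:activation/c:validTo", None, NS)
        expiry = datetime.fromisoformat(valid_to.strip().replace("Z", "+00:00")) if valid_to else None
        if status.strip() != "enabled":
            states.append("disabled")      # explicitly switched off
        elif expiry is not None and expiry <= now:
            states.append("expired")       # validTo has passed
        else:
            states.append("effective")
    return states  # an empty list means the assignment is really gone

if __name__ == "__main__":
    oid = grants_all(ROLE_XML)
    print(oid, assignment_states(USER_XML, oid, datetime.now(timezone.utc)))
```

<p>An empty result points toward something deleting the assignment, which is where the audit log and any scripting hooks become the next place to look.</p>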