<div dir="ltr"><div dir="ltr"><font face="arial, helvetica, sans-serif"><span style="color:rgb(32,33,36);white-space:pre-wrap;background-color:rgb(248,249,250)">Hello,
We have a question regarding the following issue:

We created a role allowing users to modify 4 specific attributes of any user. There are authorizations to modify those attributes and access to GUI screens. This modification triggers a reconcile of the user being modified. Sometimes it generates authorization errors because of missing permissions to read and modify shadows and Lookup tables used in mappings in the Object Template.

We were wondering if there is any way to implicitly give all these "cascade" authorizations to the role without the need to give all of them one by one.</span></font><div><span style="background-color:rgb(248,249,250);color:rgb(32,33,36);white-space:pre-wrap;font-family:arial,helvetica,sans-serif"><br></span></div><div><span style="background-color:rgb(248,249,250);color:rgb(32,33,36);white-space:pre-wrap;font-family:arial,helvetica,sans-serif">Here is the xml of the role:</span></div><div><span style="background-color:rgb(248,249,250);color:rgb(32,33,36);white-space:pre-wrap;font-family:arial,helvetica,sans-serif"><br></span></div><div><font color="#202124" face="arial, helvetica, sans-serif"><span style="white-space:pre-wrap"><role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
oid="11111111-1111-1111-0002-000000001040" version="1">
   <name>Telefonia</name>
   <authorization id="1">
      <decision>allow</decision>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
      <object id="2">
         <type>UserType</type>
      </object>
      <c:item>telephoneNumber</c:item>
      <c:item>extension/metaInternoTelefonia</c:item>
      <c:item>extension/metaLoginTelefonia</c:item>
      <c:item>extension/metaCodigoPersonal</c:item>
   </authorization>
   <authorization id="3">
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
   </authorization>
   <authorization>
      <!-- We had to add these authorizations in order for it to work -->
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
      <object>
         <type>LookupTableType</type>
      </object>
   </authorization>
   <authorization>
      <!-- We had to add these authorizations in order for it to work -->
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
      <object>
         <type>UserType</type>
      </object>
   </authorization>
   <authorization>
      <!-- We had to add these authorizations in order for it to work -->
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
      <phase>execution</phase>
      <object>
         <type>ShadowType</type>
      </object>
   </authorization>
</role></span></font><span style="background-color:rgb(248,249,250);color:rgb(32,33,36);white-space:pre-wrap;font-family:arial,helvetica,sans-serif"> </span><br></div><div><font face="arial, helvetica, sans-serif"><span style="color:rgb(32,33,36);white-space:pre-wrap;background-color:rgb(248,249,250)">
Thanks in advance!</span>  </font><div><div>-- <br><div dir="ltr" class="gmail-m_3501518055094351775gmail_signature"><div dir="ltr"><div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><font style="background-color:rgb(255,255,255)" color="#000000">Javier Martínez</font></font></div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font></font><div style="font-size:12.8px"></div><div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><br></font></div></div></div></div></div></div></div></div>