<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi to all,</div><div>I have faced an authorization problem and can't understand what is wrong.</div><div><br></div><div>I have a mapping in an object template that updates the custom field initialPasswordProtected, and this field is hidden for a creator. But every time I create a user (the creator has a custom role HelpDesk) I get an error message:</div><div>User not authorized for operation <a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a> <br></div><div><br></div><div>Here is the problem mapping (I have midPoint version 3.7.2)<br></div><div>   <mapping><br>      <description>Copy initial password</description><br>      <tolerant>false</tolerant><br>      <strength>strong</strength><br>      <expression><br>         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>                 xsi:type="c:ScriptExpressionEvaluatorType"><br>            <code><br>                    if(focus!=null &amp;&amp; focus.getCredentials() != null &amp;&amp;  focus.getCredentials().getPassword() !=null){<br>                    return focus.getCredentials().getPassword().getValue();<br>                    }<br>                </code><br>         </script><br>      </expression><br>      <target><br>         <c:path>extension/initialPasswordProtected</c:path><br>      </target><br>   </mapping> <br></div><div><br></div><div>When I simplified this mapping (see mapping below), everything works fine.</div><br><div>   <mapping><br>      <description>Copy initial password</description><br>      <tolerant>false</tolerant><br>      
<strength>strong</strength><br>      <source>      <br>         <c:path>credentials/password/value</c:path><br>      </source><br>      <target><br>         <c:path>extension/initialPasswordProtected</c:path><br>      </target><br>   </mapping><br></div><div><br></div><div>Helpdesk role has no restriction to modify this attribute in both phases for <br></div><div><action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action></div><div><action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</a></action><br></div><div><action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a></action></div><div></div><div><br></div><div>Schema of attribute: <br></div><div>   <mapping><br>      <description>Copy initial password</description><br>      <tolerant>false</tolerant><br>      <strength>strong</strength><br>      <source>      <br>         <c:path>credentials/password/value</c:path><br>      </source><br>      <target><br>         <c:path>extension/initialPasswordProtected</c:path><br>      </target><br>   </mapping><br></div><div><br></div><div><br></div><div><div> </div><div>Please help me to understand what is wrong with authorization.</div><div>Thank you in advance<br></div></div><div><br></div><div><br></div><div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(76,76,76)">Best regards, <br><br>Oleksandr Nekriach | Identity and access management engineer <br><br>Dynatech, <a 
href="https://www.google.com/maps/place/DYNATECH/@56.9575205,24.1107235,17z/data=!3m1!4b1!4m5!3m4!1s0x46eecf5753e42351:0x23b120b9745cae62!8m2!3d56.9575205!4d24.1129122" target="_blank">Jeruzalemes iela 1, Rīga, LV-1010, Latvia</a><br><br><div style="display:inline-block"><a href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank">+37125314685</a></div>,<div style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a></div>|<div style="display:inline-block"><a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div></span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>