<div dir="ltr">Hi,<div>I do not know your whole aurthorization context, but I would start with this:</div><div><ul><li>if you remove the role from said user, can s/he see all users or no user?</li><li>I would bet for "all users", meaning he has granted broader rights by other means (other role)</li></ul><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p><span style="font-family:Arial,sans-serif;font-size:10pt">--</span></p><p><span style="font-family:Arial,sans-serif;font-size:10pt">s pozdravem</span></p><div style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:13px"><p><strong>Petr Gašparík</strong><br><span style="font-size:11px;color:rgb(128,128,128)">konzultant IT bezpečnosti</span></p></div><p style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px">gsm: [+420] 603 523 860<br>e‑mail: <a href="mailto:petr.gasparik@ami.cz" target="_blank">petr.gasparik@ami.cz</a></p><p style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px"><strong>AMI Praha a.s.</strong><br>Pláničkova 11, 162 00 Praha 6</p><p style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px">tel.: [+420] 274 783 239 | web: <a href="https://www.ami.cz" target="_blank">www.ami.cz</a></p><p style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;margin-top:20px"><img src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p><p style="font-family:Arial,sans-serif;font-size:11px;color:rgb(170,170,170)">Textem tohoto e‑mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s.<br>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu.<br><span style="font-size:6px"> </span><br>Tento e‑mail je určen výhradně pro potřeby jeho adresáta/ů a může obsahovat důvěrné nebo osobní<br>informace. Nejste‑li zamýšleným příjemcem, je zakázáno jakékoliv zveřejňování, zprostředkování<br>nebo jiné použití těchto informací. Pokud jste obdrželi e‑mail neoprávněně, informujte o tom prosím<br>odesílatele a vymažte neprodleně všechny kopie tohoto e‑mailu včetně všech jeho příloh. Nakládáním<br>s neoprávněně získanými informacemi se vystavujete riziku právního postihu.</p></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">st 21. 10. 2020 v 9:06 odesílatel Tomáš via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> napsal:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="font-size:10pt;font-family:Consolas">Hallo, together</span>
<br>
<br><span style="font-size:10pt;font-family:Consolas">i have following
trouble</span>
<ol>
<li value="1"><span style="font-size:10pt;font-family:Consolas">i have some
user who act in specific role</span>
</li><li value="2"><span style="font-size:10pt;font-family:Consolas">user's organizationID
is 94270</span>
</li><li value="3"><span style="font-size:10pt;font-family:Consolas">and then
i am trying to grant to the user (trough role) rights to read other users
witch belong to same <i>organizationID</i>(<i>organizationID</i>is extended
attribute)</span>
</li><li value="4"></li></ol><span style="font-size:10pt;font-family:Consolas">I start
to do it according<br>
</span><a href="https://wiki.evolveum.com/display/midPoint/Authorization+Configuration#AuthorizationConfiguration-ObjectSpecification" target="_blank"><span style="font-size:10pt;color:blue;font-family:Consolas">https://wiki.evolveum.com/display/midPoint/Authorization+Configuration#AuthorizationConfiguration-ObjectSpecification</span></a>
<br>
<br><span style="font-size:10pt;font-family:Consolas">and wrote some filtering
inside role-xml <i>(here is simplified one). </i></span>
<br>
<br><span style="font-size:10pt;font-family:Consolas">BUT, </span>
<ol>
<li value="1"><span style="font-size:10pt;font-family:Consolas">when i log
to midpoint as mentioned user, i see all the Users, regardless the value
of <i>organizationID</i>. </span>
</li><li value="2"><span style="font-size:10pt;font-family:Consolas">When i do
in UI filtering on <i>organizationID</i>, it works and i see just users
with asked <i>organizationID</i>, </span>
</li><li value="3"><span style="font-size:10pt;font-family:Consolas">when i add
to object </span><span style="font-size:10pt;color:rgb(64,64,194);font-family:Consolas"><special>self</special>
</span><span style="font-size:10pt;font-family:Consolas">i see that self
is used</span>
</li><li value="4"></li></ol><span style="font-size:10pt;font-family:Consolas">So why
the filter do not work? What I am doing wrong? I tried as well to do it
with script, I logged every user which was filtered. But.. it DO NOT WORK.</span>
<br>
<br><span style="font-size:10pt;font-family:Consolas"> </span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">authorization</span><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(128,0,128);font-family:Consolas">id</span><span style="font-size:10pt;font-family:Consolas">=</span><span style="font-size:10pt;color:rgb(66,0,255);font-family:Consolas"><i>"25"</i></span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">name</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas">[<u>Zamestnanec</u>
XY] EXT/TEMP Some user attributes (read)</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">name</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">description</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas"><u>Alow</u>
visibility of users attributes (EXT/TEMP)</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">description</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">action</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read" target="_blank"><span style="font-size:10pt;color:blue;font-family:Consolas">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</span></a><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">action</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">object</span><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(128,0,128);font-family:Consolas">id</span><span style="font-size:10pt;font-family:Consolas">=</span><span style="font-size:10pt;color:rgb(66,0,255);font-family:Consolas"><i>"24"</i></span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">type</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas">UserType</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">type</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">filter</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">q:equal</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">q:path</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas">extension/organizationID</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">q:path</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">q:value</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas">94270</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">q:value</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">q:equal</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">filter</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;color:rgb(64,64,194);font-family:Consolas"><!--
<special>self</special>
--></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">object</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">c:item</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas">name</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">c:item</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">c:item</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas"><u>subtype</u></span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">c:item</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas">
</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"><</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">c:item</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span><span style="font-size:10pt;font-family:Consolas">extension/organizationID</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">c:item</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
<br><span style="font-size:10pt;font-family:Consolas"> </span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas"></</span><span style="font-size:10pt;color:rgb(63,128,128);font-family:Consolas">authorization</span><span style="font-size:10pt;color:rgb(0,128,128);font-family:Consolas">></span>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>