Hello Andrea,
thank you very much! It would be very helpful to know exactly which entitlements are responsible for which functionality in the Syncope console :) It is a kind of guessing game at the moment.

Regards,
Maria

From: Andrea Patricelli [mailto:andreapatrice...@apache.org]
Sent: Monday, 10 September 2018 15:17
To: user@syncope.apache.org
Subject: Re: Syncope administrator create realms

Hi Maria,

Your problem is related to the entitlements REALM_DELETE, REALM_UPDATE and REALM_CREATE. If you want to enable realm read/editing you need to add other entitlements as well, otherwise remove those three entitlements.

This set, for example, should work:

RESOURCE_READ, RELATIONSHIPTYPE_READ, IMPLEMENTATION_READ, REMEDIATION_LIST, TASK_LIST, RELATIONSHIPTYPE_LIST, IMPLEMENTATION_LIST, USER_CREATE, GROUP_SEARCH, RESOURCE_LIST, ANYTYPE_READ, USER_SEARCH, ACCESS_TOKEN_LIST, CONFIGURATION_LIST, ANYTYPECLASS_READ, ROLE_LIST, ANYTYPECLASS_LIST, USER_READ, ROLE_READ, REALM_DELETE, SCHEMA_LIST, USER_DELETE, REALM_UPDATE, SECURITY_QUESTION_READ, REALM_CREATE, ANYTYPE_LIST, USER_UPDATE, POLICY_READ, GROUP_READ, POLICY_LIST, REALM_LIST, TASK_READ, DOMAIN_READ, DYNREALM_READ

Best regards,
Andrea

On 10/09/2018 12:03, Maria Barth wrote:

Hello,

I am evaluating Syncope as a possible IDM system for integration into a new product. One of the requirements is to have an administrator role allowing it to perform all actions on all realms, users, groups and roles, and able to view access tokens.

I have configured a role as follows:

```json
"entitlements": [
  "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ",
  "DOMAIN_READ",
  "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ", "GROUP_SEARCH",
  "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE", "MEMBERSHIP_LIST", "MEMBERSHIP_READ",
  "POLICY_READ",
  "REALM_LIST", "REALM_CREATE", "REALM_DELETE", "REALM_UPDATE",
  "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ",
  "RESOURCE_LIST", "RESOURCE_READ",
  "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST", "ROLE_READ",
  "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ"
],
"realms": ["/"],
```

It seems I am still missing some entitlements, because the user needs to log in again as soon as he hits:

- the "Realms" item on the left
- the "Details" tab after hitting "Dashboard" - "Users" (see the attachment)
- one of the leaves of the realm tree in the right corner after hitting "Dashboard" - "Users".

Thank you and regards,
Maria Barth

--
CAD Schroer GmbH, Fritz-Peters-Strasse 11, D - 47447 Moers
Managing Directors: Michael Schroer, Thomas Schubert. Amtsgericht Kleve HRB 5339
Tel.: +49 2841-9184-0 Fax: +49 2841-9184-44
Website: http://www.cad-schroer.de

--
Dott. Andrea Patricelli
Tel. +39 3204524292
Developer @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
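The thread boils down to comparing a role's entitlement list against a set that is known to work for the console. The script below is an added example (not code from the thread, from Apache Syncope, or from either poster) that does that comparison mechanically: it parses the role fragment Maria posted (wrapped in braces here so it is valid JSON; that wrapper is constructed), reports which entitlements from Andrea's working set are missing, lists any entitlements beyond that reference (useful for a least-privilege review of an admin role), and applies Andrea's rule that REALM_CREATE/UPDATE/DELETE should only be granted together with the supporting read/list entitlements. The reference set is taken verbatim from Andrea's reply; the names `REFERENCE_REALM_ADMIN`, `compare_role` and `realm_write_unsupported` are this example's own.

```python
import json

# Entitlement set Andrea reported as working for realm read/editing in the console.
REFERENCE_REALM_ADMIN = frozenset("""
RESOURCE_READ RELATIONSHIPTYPE_READ IMPLEMENTATION_READ REMEDIATION_LIST TASK_LIST
RELATIONSHIPTYPE_LIST IMPLEMENTATION_LIST USER_CREATE GROUP_SEARCH RESOURCE_LIST
ANYTYPE_READ USER_SEARCH ACCESS_TOKEN_LIST CONFIGURATION_LIST ANYTYPECLASS_READ
ROLE_LIST ANYTYPECLASS_LIST USER_READ ROLE_READ REALM_DELETE SCHEMA_LIST USER_DELETE
REALM_UPDATE SECURITY_QUESTION_READ REALM_CREATE ANYTYPE_LIST USER_UPDATE POLICY_READ
GROUP_READ POLICY_LIST REALM_LIST TASK_READ DOMAIN_READ DYNREALM_READ
""".split())

# The three write entitlements Andrea singled out.
REALM_WRITE = frozenset({"REALM_CREATE", "REALM_UPDATE", "REALM_DELETE"})

# Maria's role fragment from the thread; the surrounding braces are a constructed
# wrapper so that json.loads() accepts it.
ROLE_JSON = """{
  "entitlements": [
    "ACCESS_TOKEN_LIST", "ANYTYPE_LIST", "ANYTYPE_READ", "ANYTYPECLASS_LIST", "ANYTYPECLASS_READ",
    "DOMAIN_READ",
    "GROUP_DELETE", "GROUP_UPDATE", "GROUP_CREATE", "GROUP_LIST", "GROUP_READ", "GROUP_SEARCH",
    "MEMBERSHIP_DELETE", "MEMBERSHIP_UPDATE", "MEMBERSHIP_CREATE", "MEMBERSHIP_LIST", "MEMBERSHIP_READ",
    "POLICY_READ",
    "REALM_LIST", "REALM_CREATE", "REALM_DELETE", "REALM_UPDATE",
    "RELATIONSHIPTYPE_LIST", "RELATIONSHIPTYPE_READ",
    "RESOURCE_LIST", "RESOURCE_READ",
    "ROLE_DELETE", "ROLE_UPDATE", "ROLE_CREATE", "ROLE_LIST", "ROLE_READ",
    "USER_SEARCH", "USER_DELETE", "USER_CREATE", "USER_UPDATE", "USER_READ"
  ],
  "realms": ["/"]
}"""


def entitlements_of(role_json):
    """Return the entitlement names granted by a role JSON document as a set."""
    return set(json.loads(role_json)["entitlements"])


def compare_role(role_json, reference=REFERENCE_REALM_ADMIN):
    """Diff a role against a reference entitlement set.

    'missing' are reference entitlements the role lacks (the console will bounce the
    user to the login page when it calls a service they do not cover);
    'extra' are entitlements the role grants beyond the reference, worth a second look
    when reviewing an administrative role for least privilege.
    """
    have = entitlements_of(role_json)
    return {
        "missing": sorted(reference - have),
        "extra": sorted(have - reference),
    }


def realm_write_unsupported(role_json, reference=REFERENCE_REALM_ADMIN):
    """Andrea's rule: REALM_CREATE/UPDATE/DELETE only make sense together with the
    rest of the reference set. Returns True when the role grants any of the three
    but does not cover the whole reference set (so either add the rest or drop them).
    """
    have = entitlements_of(role_json)
    return bool(have & REALM_WRITE) and not reference <= have


if __name__ == "__main__":
    result = compare_role(ROLE_JSON)
    print("missing:", ", ".join(result["missing"]))
    print("extra:  ", ", ".join(result["extra"]))
    print("realm write entitlements without support:", realm_write_unsupported(ROLE_JSON))
```

Running it against the posted role lists ten entitlements from Andrea's set that Maria's role lacks (for example IMPLEMENTATION_READ, TASK_LIST and DYNREALM_READ), which matches the symptom she describes: the console navigates to a view backed by a service the role cannot call and drops the session. The same script can be pointed at any role definition exported from Syncope to check it before it is assigned.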