Customize user lists visibility in GUI

Last modified 22 Jan 2026 16:18 +01:00
Object collection and view feature
This page describes the Object collection and view feature of midPoint. See the feature page for more details.

Limit which lists users can see in the midPoint GUI to avoid confusion, provide a more straightforward experience, and keep information visibility on a need-to-know basis.

Use case

There are scenarios when you need to limit the number of objects that users can see in lists. Normally, you would handle such a restriction using authorizations, but authorizations have their limits.

For example, you may need to allow users to see the basic details of almost all objects because those objects are referenced by tasks, work items, audit records, and so on. Therefore, users must be authorized to read such objects. On the other hand, you do not want users to list all the objects. But reading an object and seeing the object in a list are both considered reading by the authorization subsystem, so object authorizations alone cannot allow one and deny the other.

The solution is to combine midPoint GUI authorizations with object collections and views. Keep in mind that this is a GUI visibility measure, not an access-control boundary: a user who holds the model read authorization can still search and list users through other interfaces, such as the REST API, so do not rely on a hidden menu item to protect data.

Outline of the solution

In the example configuration presented here, there are, among others, employees, i.e., users with the Employee archetype. The goal is to hide the list of all users from them and show them a narrower list of all employees instead.

  1. Add object collection view to the global configuration in order to add a new navigation menu item under Users. Configure this view to only show employees, i.e., the users of the Employee archetype.

  2. Configure authorizations for the Employee archetype so that its members see only the user lists they need.

Whatever we do here with archetypes, you can do with roles instead if that suits your needs better. You can also define the employee list object collection view in the archetype or role for employees instead of the global configuration, effectively hiding it from everyone except the employees themselves.

As a rule of thumb, object collection views you add to the global midPoint configuration are visible to everyone who holds the corresponding GUI authorization. Once you move an object collection view from the global configuration to an archetype or role, it becomes invisible to anyone but the members of that particular archetype or role.

1. Create object collection view to list employees

Define an object collection view listing all users with the Employee archetype. Put the definition into the system configuration:

  1. In System, select System configuration tile.

  2. Click Edit raw to access the XML configuration.

  3. Add the objectCollectionView element below to the configuration as a direct child of systemConfiguration > adminGuiConfiguration > objectCollectionViews (create the adminGuiConfiguration and objectCollectionViews elements if they are not present yet).

Object collection view filtering users by archetype
<objectCollectionView>
    <identifier>employee-view</identifier>
    <description>Employees</description>
    <documentation>This view displays all users with the "Employee" archetype</documentation>
    <display>
        <label>Employees</label>
        <singularLabel>Employee</singularLabel>
        <tooltip>All employees in the system</tooltip>
        <icon>
            <cssClass>fa fa-circle-user</cssClass>
        </icon>
    </display>
    <displayOrder>10</displayOrder>
    <type>UserType</type>
    <collection>
        <filter>
            <q:text>archetypeRef/@/name = "Employee"</q:text> (1)
        </filter>
    </collection>
</objectCollectionView>
1 Filter selecting only users with the Employee archetype. The @ dereferences the archetypeRef reference so that the filter matches on the name of the referenced archetype. To filter users by role instead, you could use assignment/targetRef/@/name = "role-name".

With the configuration above, you have added the Employees item to the Users navigation menu. Proceed with the steps below to hide the All users list, and possibly other lists, from employees.

2. Configure archetype authorizations to adjust what employees can view

To fulfil the goal of this exercise, you need to hide the All users list from employees. You can do this using GUI authorizations: grant users of the Employee archetype the authorization to view the Users menu and its object collection views, but not the authorization for the All users list.

Add these authorizations to the Employee archetype. Together they grant a read-only privilege to see users and their projections and assignments. Note that the third authorization (the read action with no object specification) grants read access to objects of all types. This is what the use case above needs so that objects referenced from tasks, work items and audit records can be displayed, but it also makes the second, scoped authorization redundant. If employees do not need to read everything, drop the third authorization and keep only the scoped one.
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersView</action> (1)
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action> (2)
</authorization>
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> (3)
    <object>
        <type>UserType</type> (4)
    </object>
    <object>
        <type>ShadowType</type> (5)
    </object>
</authorization>
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
</authorization>
1 GUI authorization that shows the Users item in the navigation menu, together with the object collection views the user is allowed to see.
2 GUI authorization allowing the user to open the details page of other users. It does not authorize any changes.
3 Model authorization allowing the user to read other users; without it, users see only themselves in user lists.
4 Limits the authorization to the UserType scope, i.e., it allows viewing only focal objects, not their shadows. See (5) for what adding shadows entails.
5 Adds ShadowType to the authorization scope so that users can view not only focal objects, but shadows as well. This lets employees view projections, i.e., see on which resources another user has accounts, including the mapped attributes. Omit this object specification if you want to hide this information from employees.

Make sure users of the Employee archetype do not have the http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll authorization, whether from the archetype itself or from any role assigned to them, because it would show them the All users list in the navigation menu.

Figure 1. User list showing only a selected user collection while the All users navigation item is hidden
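The two steps above combined into a single archetype, as an added example that is not part of the original page nor of midPoint's own distribution: a hypothetical Employee archetype that carries the GUI and read authorizations from step 2 and, following the alternative mentioned in the outline, the employee-view object collection view from step 1, so that only archetype members get the Employees list. The OID, the authorization names and the documentation text are placeholders chosen for this example; replace the OID with your own. The page's unscoped read authorization is kept as an XML comment so you can decide whether employees need it.

```xml
<!-- Hypothetical Employee archetype (added example, not midPoint's own code).
     The OID is a placeholder; generate your own before importing. -->
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
           oid="00000000-0000-0000-0000-000000000e01">
    <name>Employee</name>
    <documentation>Employees see the Employees list instead of All users.</documentation>
    <archetypePolicy>
        <display>
            <label>Employee</label>
            <pluralLabel>Employees</pluralLabel>
            <icon>
                <cssClass>fa fa-circle-user</cssClass>
            </icon>
        </display>
    </archetypePolicy>

    <!-- Step 2: GUI authorizations. usersView shows the Users menu with the
         collection views the holder may see; userDetails opens user details pages.
         Deliberately NOT granted: authorization-ui-3#usersAll, which would
         bring back the All users list. -->
    <authorization>
        <name>employee-gui</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersView</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
    </authorization>

    <!-- Step 2: model authorization. Read-only, scoped to users and their shadows.
         Remove the ShadowType object to hide projections from employees. -->
    <authorization>
        <name>employee-read-users-and-shadows</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>

    <!-- The page's third authorization: read with no object specification,
         i.e. read access to every object type. Uncomment it only if employees
         must read the objects referenced from tasks, work items and audit
         records, as in the use case; it then makes the scoped one above redundant.
    <authorization>
        <name>employee-read-all</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    </authorization>
    -->

    <!-- Step 1, placed in the archetype instead of the system configuration,
         so the Employees view is visible only to archetype members. -->
    <adminGuiConfiguration>
        <objectCollectionViews>
            <objectCollectionView>
                <identifier>employee-view</identifier>
                <description>Employees</description>
                <display>
                    <label>Employees</label>
                    <singularLabel>Employee</singularLabel>
                    <tooltip>All employees in the system</tooltip>
                    <icon>
                        <cssClass>fa fa-circle-user</cssClass>
                    </icon>
                </display>
                <displayOrder>10</displayOrder>
                <type>UserType</type>
                <collection>
                    <filter>
                        <q:text>archetypeRef/@/name = "Employee"</q:text>
                    </filter>
                </collection>
            </objectCollectionView>
        </objectCollectionViews>
    </adminGuiConfiguration>
</archetype>
```

After importing the archetype, log in as a user who holds it and check both halves of the goal: the Users menu should offer the Employees view but no All users item, and the employee-view list should show only users with the Employee archetype. If the All users item is still there, some other role assigned to the user grants usersAll.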

3. Bonus point: Hide the Persons view from employees

The last step is to hide the Persons object collection view from users who are not supposed to see it. Your course of action here depends largely on your choice of archetypes.

The Persons view lists users with the Person archetype. The object collection view for this list is identified by <identifier>person-view</identifier> and it is present in the midPoint global configuration by default.

Your options regarding the Persons view:

  • Move the object collection view definition from the global configuration to archetypes or roles that are supposed to see it.

  • Delete the view altogether if you do not use the Person archetype or do not need anyone to access the list.

  • You can, of course, leave the view as it is if it suits your configuration requirements.

If you move the definition, put it into the XML definition of the particular archetypes or roles whose members should see the Persons list:

Persons object collection view definition excerpt inside a role
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" ...>
    ...
    <adminGuiConfiguration>
        <objectCollectionViews>
            <objectCollectionView id="80">
                <identifier>person-view</identifier>
                <description>Persons</description>
                ...
            </objectCollectionView>
        </objectCollectionViews>
    </adminGuiConfiguration>
</role>

Similarly to the example above, you can define any other object collection views specific to a particular archetype or role.
