[midPoint] SuperUser Persistence

Pavol Mederly mederly at evolveum.com
Tue Jan 23 09:55:33 CET 2018


Seth,

the "role loss" you experience is really strange. It can be caused by 
various factors, although I have never heard of something like that :) For 
example, are there any scripting hooks 
<https://wiki.evolveum.com/display/midPoint/Scripting+Hooks> defined? 
Or, are you sure the assignment is really deleted? Isn't it only 
disabled? (Either explicitly or via validTo time?)

Maybe you could have a look into the audit log: after the role disappears, 
just look at all changes related to the given user. Maybe there would be 
some hint of what has happened.

Best regards,

Pavol Mederly
Software developer
evolveum.com
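One way to check the two things asked above (is the assignment really gone, or only disabled or expired via validTo?) is to inspect the user object midPoint exports. This is an added example, not code from the thread or from midPoint itself; it parses a constructed common-3 user XML and classifies the assignment to the Superuser role OID quoted below. The sample user and its validTo value are constructed for this example.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}  # common-3 namespace
SUPERUSER_OID = "00000000-0000-0000-0000-000000000004"  # from the role quoted in the thread

# Constructed sample user: the Superuser assignment is still present but carries
# a validTo in the past, so midPoint no longer treats it as effective.
SAMPLE_USER_XML = """<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>seth</name>
  <assignment>
    <targetRef oid="00000000-0000-0000-0000-000000000004" type="RoleType"/>
    <activation>
      <validTo>2018-01-25T00:00:00.000Z</validTo>
    </activation>
  </assignment>
</user>"""


def parse_ts(text):
    """Parse an xsd:dateTime such as 2018-01-25T00:00:00.000Z into an aware datetime."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def assignment_state(user_xml, role_oid, now):
    """Return 'absent', 'enabled', 'disabled', 'not-yet-valid' or 'expired' for the
    assignment of role_oid in the user object, evaluated at aware datetime `now`."""
    root = ET.fromstring(user_xml)
    for assignment in root.findall("c:assignment", NS):
        target = assignment.find("c:targetRef", NS)
        if target is None or target.get("oid") != role_oid:
            continue
        activation = assignment.find("c:activation", NS)
        if activation is None:
            return "enabled"  # no activation element: the assignment is in effect
        status = activation.findtext("c:administrativeStatus", default="", namespaces=NS)
        if status.strip() == "disabled":
            return "disabled"
        valid_from = activation.findtext("c:validFrom", namespaces=NS)
        valid_to = activation.findtext("c:validTo", namespaces=NS)
        if valid_from and now < parse_ts(valid_from):
            return "not-yet-valid"
        if valid_to and now > parse_ts(valid_to):
            return "expired"
        return "enabled"
    return "absent"  # no assignment targets this role: it really was removed
```

Run it against the XML of an affected user (exported from the repository) with the current time; an "absent" result points to a real deletion worth tracing in the audit log, while "disabled" or "expired" means the assignment is still there and only inactive.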

On 23.01.2018 1:27, Seth McCombs wrote:
> Thanks Pavol!
>
> I actually just finished that book today, and am re-reading through 
> the XML syntax parts. My MidPoint is 3.4.1, and I need to figure out 
> what my next steps are for updating (our instance is Kubernetes 
> based, so I'll be rolling an update). My issue, unless I'm missing it, 
> is that any user besides the initially configured super-user (set up 
> at install) who is given the super user role loses that role 
> after 1-2 days.
>
> Thanks!
>
>
>
> Seth McCombs
> IT Operations Engineer
> +1 510.514.5855
> seth at sourceclear.com
>
> On Mon, Jan 22, 2018 at 4:16 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>
>     Hello Seth,
>
>     what you see is the Superuser role. It can be assigned to any account,
>     effectively providing that account with "root" privileges.
>
>     In fact, there's nothing hardcoded. The role can have any name,
>     any OID. What is important is
>
>     <authorization>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action>
>     </authorization>
>
>     (The URI ...#all is a predefined constant in midPoint, giving all
>     access within the system.)
>
>     Anyway, midPoint is far too complex to be understood by exploring
>     its GUI. I would strongly recommend reading this e-book that will
>     provide you with a solid understanding of the basic concepts:
>     https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/
>     And, as midPoint in its latest version (3.7) is really easy to
>     install, it is best to install a "playground" midPoint
>     instance and explore it without fear of breaking anything.
>
>     Pavol Mederly
>     Software developer
>     evolveum.com
>
>     On 23.01.2018 1:01, Seth McCombs wrote:
>>     Hey All,
>>
>>     I inherited a running MidPoint install, and while all is working
>>     well, I am trying to learn as much about the system as I can. One
>>     thing I have found is that when I provide my account with
>>     SuperUser access (after logging in as the root account) and then log
>>     back in a day or two later, my super user access is gone.
>>     I've only just started digging through configs and logs, but I
>>     have little idea where to start. One thing I have found is this
>>     XML file (see output below):
>>
>>
>>     <role oid="00000000-0000-0000-0000-000000000004"
>>           xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>         <name>Superuser</name>
>>         <description>Role that gives user full authorization in
>>         MidPoint.</description>
>>         <authorization>
>>             <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action>
>>         </authorization>
>>         <roleType>system</roleType>
>>     </role>
>>
>>     It seems to me that the superuser is possibly hard coded, but I
>>     don't know where that above link leads nor how to fix this.
>>
>>     Any advice is MUCH appreciated!
>>
>>     Cheers!
>>
>>     Seth McCombs
>>     IT Operations Engineer
>>     +1 510.514.5855
>>     seth at sourceclear.com
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
