[midPoint] SuperUser Persistence

Seth McCombs seth at sourceclear.com
Tue Jan 23 17:57:45 CET 2018


Thanks again Pavol!

I'm sure there's something weird configured script-wise or something, this
is a setup I've inherited, I've only been here for a month, and still
coming up to speed. I'll definitely check audit logs and see!



Seth McCombs
IT Operations Engineer
+1 510.514.5855
seth at sourceclear.com

On Tue, Jan 23, 2018 at 12:55 AM, Pavol Mederly <mederly at evolveum.com>
wrote:

> Seth,
>
> the "role loss" you experience is really strange. It can be caused by
> various factors; although I never heard of something like that :) For
> example, are there any scripting hooks
> <https://wiki.evolveum.com/display/midPoint/Scripting+Hooks> defined? Or,
> are you sure the assignment is really deleted? Isn't it only disabled?
> (Either explicitly or via validTo time?)
>
> Maybe you could have a look into audit log: after the role disappears,
> just look at all changes related to the given user. Maybe there would be
> some hint what has happened.
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 23.01.2018 1:27, Seth McCombs wrote:
>
> Thanks Pavol!
>
> I actually just finished that book today, and am re-reading through the
> XML syntax parts. My MidPoint is 3.4.1, and I need to figure out what my
> next steps are for updating, (our instance is Kubernetes based, so I'll be
> rolling an update). My issue, unless I'm missing it, is that any user
> besides the initially configured super-user (set up at install), all other
> users given the super user role, lose that role after 1-2 days.
>
> Thanks!
>
>
>
> Seth McCombs
> IT Operations Engineer
> +1 510.514.5855
> seth at sourceclear.com
>
> On Mon, Jan 22, 2018 at 4:16 PM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>> Hello Seth,
>>
>> what you see is Superuser role. It can be assigned to any account,
>> effectively providing that account with "root" privileges.
>>
>> In fact, there's nothing hardcoded. The role can have any name, any OID.
>> What is important, is
>>
>> <authorization>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action>
>> </authorization>
>>
>> (The URI ...#all is a predefined constant in midPoint, giving all access
>> within the system.)
>> ------------------------------
>> Anyway, midPoint is far too complex to be understood by exploring its
>> GUI. I would strongly recommend reading this e-book that will provide you
>> with solid understanding of basic concepts:
>> https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/.
>> And, as midPoint in latest version (3.7) is
>> really easy to install, it is the best to install a "playground" midPoint
>> instance and explore it without fear of breaking anything.
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 23.01.2018 1:01, Seth McCombs wrote:
>>
>> Hey All,
>>
>> I inherited a running MidPoint install, and while all is working well, I
>> am trying to learn as much about the system as I can. One thing I have
>> found is that when I provide my account with SuperUser access (after
>> logging in as root account), I then log back in a day or two later, and my
>> super user access is gone. I've only just started digging through configs
>> and logs, but I have little idea where to start, one thing I have found is
>> this XML file - (See output below)
>>
>>
>> <role oid="00000000-0000-0000-0000-000000000004"
>>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>     <name>Superuser</name>
>>     <description>Role that gives user full authorization in MidPoint.</description>
>>     <authorization>
>>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action>
>>     </authorization>
>>     <roleType>system</roleType>
>> </role>
>>
>> It seems to me that the superuser is possibly hard coded, but I don't
>> know where that above link leads nor how to fix this,
>>
>> Any advice is MUCH appreciated!
>>
>> Cheers!
>>
>> Seth McCombs
>> IT Operations Engineer
>> +1 510.514.5855
>> seth at sourceclear.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
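
Added example, not part of the original thread or midPoint's own code: the two checks Pavol describes, run over an exported object file. It lists every role that carries the `#all` action regardless of name or OID, then reports whether each user's assignment to such a role is active, disabled, or past its `validTo`. The `<objects>` export layout, the sample users, the Helpdesk role and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
ALL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all"
# Constructed sample export: users, dates and the Helpdesk role/OID are made up.
SUPER, HELP = "00000000-0000-0000-0000-000000000004", "aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE = f"""<objects xmlns="{C[1:-1]}">
 <role oid="{SUPER}"><name>Superuser</name><authorization><action>{ALL}</action></authorization></role>
 <role oid="{HELP}"><name>Helpdesk</name>
  <authorization><action>
   {ALL}</action></authorization></role>
 <user><name>alice</name><assignment><targetRef oid="{SUPER}"/>
  <activation><validTo>2018-01-22T00:00:00Z</validTo></activation></assignment></user>
 <user><name>bob</name><assignment><targetRef oid="{HELP}"/>
  <activation><administrativeStatus>disabled</administrativeStatus></activation></assignment></user>
 <user><name>carol</name><assignment><targetRef oid="{SUPER}"/></assignment></user>
</objects>"""

def full_access_roles(root):
    # Any role carrying the #all action counts, whatever its name or OID.
    found = {}
    for role in root.iter(C + "role"):
        for a in role.findall(f"{C}authorization/{C}action"):
            if "".join((a.text or "").split()) == ALL:  # tolerate wrapped URIs
                found[role.get("oid")] = role.findtext(C + "name")
    return found

def assignment_state(assignment, now):
    # An assignment can still exist yet grant nothing: disabled or past validTo.
    if assignment.findtext(f"{C}activation/{C}administrativeStatus") == "disabled":
        return "disabled"
    valid_to = (assignment.findtext(f"{C}activation/{C}validTo") or "").strip()
    if valid_to:
        end = datetime.fromisoformat(valid_to.replace("Z", "+00:00"))
        if end.tzinfo is None:  # assumption: zoneless timestamps are UTC
            end = end.replace(tzinfo=timezone.utc)
        if end <= now:
            return "expired"
    return "active"

def audit(xml_text, now):
    root = ET.fromstring(xml_text)
    roles, rows = full_access_roles(root), []
    for user in root.iter(C + "user"):
        for a in user.findall(C + "assignment"):
            ref = a.find(C + "targetRef")
            if ref is not None and ref.get("oid") in roles:
                rows.append((user.findtext(C + "name"), roles[ref.get("oid")], assignment_state(a, now)))
    return rows
```

A user who appears in the export with no row at all has had the assignment removed rather than disabled, which is the case the audit log would have to explain.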