[midPoint] Raw Operation Authorization and Reports
Radovan Semancik
radovan.semancik at evolveum.com
Tue Oct 9 17:13:04 CEST 2018
Hi,
GUI should use raw operations only when dealing with raw XML data. All
other operations should be regular (non-raw) ones. Therefore if GUI is
using raw operation to work with reports it is indeed a core bug.
--
Radovan Semancik
Software Architect
evolveum.com
On 10/04/2018 07:50 PM, Brandon Powers wrote:
> Hi all,
> A newer RAW OPERATION authorization was added to midPoint in version
> 3.7
> (https://wiki.evolveum.com/display/midPoint/Authorization+Configuration).
> We are working on upgrading from 3.6 up to 3.8 and encountered an
> issue with this authorization in regards to reports. It seems this
> authorization is required to run reports (or to execute the queries
> for these reports) for object types used in the report.
>
> We have some custom reports, but also found the same issue with stock
> midPoint reports, such as "Users in MidPoint". When executing these
> reports with a user of limited authorizations (not having the
> rawOperation auth for security purposes as documented in wiki), the
> report fails and the following error is logged for the task:
> 1000000000000028753
>
> ReportCreateTaskHandler.run
>
> FATAL_ERROR
>
> com.evolveum.midpoint.util.exception.AuthorizationException: User
> ''<username-redacted>'' not authorized for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation
> on user:42231112-3639-4a8d-bf86-16b1958deecf(<username-redacted>)
>
> Is this a core bug or report configuration bug? Any way around this
> without having to grant the rawOperation authorization to these users?
>
> For reference, I found this authorization is being checked in
> com.evolveum.midpoint.model.impl.controller.SchemaTransformer::authorizeOptions
> method
>
> Any advice is appreciated.
>
> Thanks,
> Brandon
> --
> Brandon Powers
> Exclamation Labs
> 300 Washington Street
> Cumberland, MD 21502
> 888.545.5008 or 301.722.5008 ext 144
> fax 301.722.2183
> brandon at exclamationlabs.com
> www.exclamationlabs.com