[midPoint] Authorization role to allow read own managers

Pavol Mederly mederly at evolveum.com
Fri May 12 15:44:45 CEST 2023


Hello Yakov,

you are right. The application of the get/search distinction is not 
sufficient here.

There are two options:

 1. You can run the expression under a user with higher privileges (even
    the administrator) - look for "runAsRef" item. But beware, this
    incurs a login operation each time the expression is evaluated
    (could take up to tens of milliseconds).
 2. You can invoke OrgStructFunctions#getManagersOidsExceptUser
    directly, with the second parameter ("preAuthorized") set to true.
    The implementation is really ugly and probably not much tested (I
    created it many years ago), but nevertheless, it should work.

Option 1 is going to be fixed by something like "runAsPrivileged" coming 
in 4.8. But we're not there yet.

Best regards,

-- 
Pavol Mederly
Software developer
evolveum.com
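Option 1 spelled out as an added example (not code from this thread or from the midPoint project): the metarole's approver expression from the question, with a runAsRef pointing at a dedicated read-only service user rather than the administrator, so the requester's own narrow #search on UserType no longer empties the manager list. The OID is a placeholder, and placing runAsRef directly under approverExpression is my assumption based on the "runAsRef" item mentioned above.

```xml
<!-- Metarole fragment: approval stage whose approver expression is
     evaluated under a separate, least-privileged service account. -->
<approverExpression>
    <!-- PLACEHOLDER OID: a service user holding read (get + search)
         on UserType and nothing more; deliberately not the administrator.
         Assumption: runAsRef sits here as a sibling of <script>. -->
    <runAsRef oid="00000000-0000-0000-0000-REPLACE-ME" type="UserType"/>
    <script>
        <code>
            // Runs with the service user's privileges, so the requesting
            // user's own authorizations (and the "Requesting for" list
            // they restrict) are untouched. Each evaluation performs a
            // login for the service user, costing up to tens of ms.
            return midpoint.getManagersOidsExceptUser(object)
        </code>
    </script>
</approverExpression>
<evaluationStrategy>firstDecides</evaluationStrategy>
<outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
```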

On 12/05/2023 15:35, Yakov Revyakin via midPoint wrote:
> Hi Pavol, thanks to your answer I took a step forward in understanding 
> the concept. But, still without a final solution.
>
> So, to limit the list of available users during role shopping we limit 
> the "search" authorization. For example, to limit this list always by 
> self and "test" we need to add one extra authorization in addition to 
> the End-User role which provides the following authorization: #read 
> (#search + #get) for self, #get for any user).
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
>     <object>
>         <type>UserType</type>
>         <filter>
>             <q:equal>
>                 <q:path>name</q:path>
>                 <expression>
>                     <value>*test*</value>
>                 </expression>
>             </q:equal>
>         </filter>
>     </object>
> </authorization>
>
> User list shows 2 available users - very nice.
>
> I don't understand how this can help to get a non-empty list with 
> "midpoint.getManagersOidsExceptUser(object)"
> To get it I must add #search to "manager" user. This, in its turn, 
> adds an additional user to the list and this is not what I expect.
>
> What did I miss again?
>
> On Wed, 10 May 2023 at 09:24, Pavol Mederly via midPoint 
> <midpoint at lists.evolveum.com> wrote:
>
>     Hello Yakov,
>
>     please check the docs. There's a nice explanation of various
>     flavors of
>     "read" authorization, covering exactly your use case.
>
>     Best regards,
>
>     -- 
>     Pavol Mederly
>     Software developer
>     evolveum.com
>
>     On 09/05/2023 18:13, Yakov Revyakin via midPoint wrote:
>     > Hi all,
>     > I'm looking for a way to authorize a user to read their own
>     managers.
>     >
>     > In case of a role request for self (with assigned built-in End-User
>     > role) we can see in UI, clicking on button "Requesting for", that
>     > users' list is limited by self.
>     > In metarole I have definition:
>     >
>     >     <approverExpression>
>     >         <script>
>     >             <code>
>     >                 return midpoint.getManagersOidsExceptUser(object)
>     >             </code>
>     >         </script>
>     >     </approverExpression>
>     >     <evaluationStrategy>firstDecides</evaluationStrategy>
>     >     <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>     >
>     > If the user requests a role, getManagersOidsExceptUser() can't
>     return
>     > managers because it is not authorized. This results in automatic
>     > rejection of the request.
>     > If I'm adding something like this:
>     >
>     >     <authorization>
>     >         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     >         <object>
>     >             <type>UserType</type>
>     >         </object>
>     >     </authorization>
>     >
>     > getManagersOidsExceptUser() returns managers correctly. But,
>     clicking
>     > on the button "Requesting for" I can see all existing users. But I
>     > still want to see only myself in the list.
>     >
>     > How to get the user authorized to read own managers? And, at the
>     same
>     > time, not to break user list under the "Requesting for" button with
>     > extra users?
>     >
>     > Thanks,
>     > Yakov
>     >
>     > _______________________________________________
>     > midPoint mailing list
>     > midPoint at lists.evolveum.com
>     > https://lists.evolveum.com/mailman/listinfo/midpoint
>
>