[midPoint] Authorization role to allow read own managers

Yakov Revyakin yrevyakin at gmail.com
Mon May 15 07:29:10 CEST 2023


Hi Pavol,
Thanks a lot - runAsRef solved my problem. I completely forgot about this
option.
I remember that I could see OrgStructFunctions#getManagersOidsExceptUser with
the preauthorized param when debugging, and at that time I didn't understand
the purpose of this option.
Yakov

On Fri, 12 May 2023 at 16:44, Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello Yakov,
>
> you are right. The application of get/search distinction is not sufficient
> here.
>
> There are two options:
>
>    1. You can run the expression under a user with higher privileges
>    (even the administrator) - look for "runAsRef" item. But beware, this
>    incurs a login operation each time the expression is evaluated (could take
>    up to tens of milliseconds).
>    2. You can invoke OrgStructFunctions#getManagersOidsExceptUser
>    directly, with the second parameter ("preAuthorized") set to true. The
>    implementation is really ugly and probably not much tested (I created it
>    many years ago), but nevertheless, it should work.
>
> Option 1 is going to be fixed by something like "runAsPrivileged" coming
> in 4.8. But we're not there yet.
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 12/05/2023 15:35, Yakov Revyakin via midPoint wrote:
>
> Hi Pavol, thanks to your answer I took a step forward in understanding the
> concept. But, still without a final solution.
>
> So, to limit the list of available users during role shopping we limit the
> "search" authorization. For example, to limit this list always by self and
> "test" we need to add one extra authorization in addition to the End-User
> role which provides the following authorization: #read (#search + #get) for
> self, #get for any user).
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
>     <object>
>         <type>UserType</type>
>         <filter>
>             <q:equal>
>                 <q:path>name</q:path>
>                 <expression>
>                     <value>test</value>
>                 </expression>
>             </q:equal>
>         </filter>
>     </object>
> </authorization>
>
> User list shows 2 available users - very nice.
>
> I don't understand how this can help to get a non-empty list with
> "midpoint.getManagersOidsExceptUser(object)"
> To get it I must add #search to "manager" user. This, in its turn, adds an
> additional user to the list and this is not what I expect.
>
> What did I miss again?
>
> On Wed, 10 May 2023 at 09:24, Pavol Mederly via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Hello Yakov,
>>
>> please check the docs. There's a nice explanation of various flavors of
>> "read" authorization, covering exactly your use case.
>>
>> Best regards,
>>
>> --
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 09/05/2023 18:13, Yakov Revyakin via midPoint wrote:
>> > Hi all,
>> > I'm looking for a way to authorize a user to read their own managers.
>> >
>> > In case of a role request for self (with assigned built-in End-User
>> > role) we can see in UI, clicking on button "Requesting for", that
>> > users' list is limited by self.
>> > In metarole I have definition:
>> >
>> >     <approverExpression>
>> >         <script>
>> >             <code>
>> >                 return midpoint.getManagersOidsExceptUser(object)
>> >             </code>
>> >         </script>
>> >     </approverExpression>
>> >     <evaluationStrategy>firstDecides</evaluationStrategy>
>> >     <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>> >
>> > If the user requests a role, getManagersOidsExceptUser() can't return
>> > managers because it is not authorized. This results in automatic
>> > rejection of the request.
>> > If I'm adding something like this:
>> >
>> >     <authorization>
>> >         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>> >         <object>
>> >             <type>UserType</type>
>> >         </object>
>> >     </authorization>
>> >
>> > getManagersOidsExceptUser() returns managers correctly. But, clicking
>> > on the button "Requesting for" I can see all existing users. But I
>> > still want to see only myself in the list.
>> >
>> > How to get the user authorized to read own managers? And, at the same
>> > time, not to break user list under the "Requesting for" button with
>> > extra users?
>> >
>> > Thanks,
>> > Yakov
>> >
>> > _______________________________________________
>> > midPoint mailing list
>> > midPoint at lists.evolveum.com
>> > https://lists.evolveum.com/mailman/listinfo/midpoint
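Option 1 from the thread, written out as an added example (not code posted by either participant): the approverExpression from the original question with a runAsRef added, so the manager lookup runs under a privileged account while the requesting user keeps only the narrow End-User #search scope. The OID of the privileged user is a placeholder to be replaced with a real one.

```xml
<!-- Metarole approval stage: the approver lookup runs as a privileged user
     via runAsRef, so the requester does not need #read/#search on all users.
     The OID below is a PLACEHOLDER; point it at a dedicated, least-privileged
     service user that holds read authorization on UserType/OrgType.
     Caveat from the thread: runAsRef performs a login on every evaluation
     (up to tens of milliseconds), so keep this expression cheap. -->
<approverExpression>
    <runAsRef oid="00000000-0000-0000-0000-PLACEHOLDER0" type="UserType"/>
    <script>
        <code>
            // 'object' is the requesting user; returns manager OIDs excluding the user itself
            return midpoint.getManagersOidsExceptUser(object)
        </code>
    </script>
</approverExpression>
<evaluationStrategy>firstDecides</evaluationStrategy>
<!-- Still reject when no manager is found, rather than auto-approving -->
<outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
```

The "Requesting for" list stays limited to self plus whatever the End-User role and any extra #search authorizations grant, because the elevated privileges apply only inside this expression.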