[midPoint] Securing the GUI
Pavol Mederly
mederly at evolveum.com
Tue Aug 4 19:22:35 CEST 2015
Hello Pat,
user reconciliation is actually executed as an empty modify action, with
the option of reconcile=true.
So I would suggest that you set the following authorizations (provided
that view-only access is set up):
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object>
        <type>UserType</type>
    </object>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>
This ensures that the user can do any modification that would be
computed by the reconciliation.
But you need to specify that the user cannot request anything
explicitly. This seems to work:
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>request</phase>
    <object>
        <type>UserType</type>
    </object>
    <c:item>dummyItem</c:item>
</authorization>
(dummyItem is any non-existent item name; if no items were
specified, the requester could modify anything)
After applying this, I am able to request a reconciliation of given
user(s) from the user list page.
Actually, I cannot display user details, but maybe it's some
misconfiguration on my side.
Overall, I'm not a big expert in authorizations; maybe someone on this
list could improve this suggestion. :)
Best regards,
Pavol
> I am looking to secure the GUI and define a role that has view only
> access, but with the option of performing a reconcile on a user as
> being allowed. I can get the view only option working, but how can I
> overlay allowing reconcile? Does this need to be a separate role?
>
> /Pat Schlehuber/
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
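The two authorization fragments above, assembled into one importable midPoint role, as an added example that is not part of the original post or of the midPoint project's own samples. The role name is made up, and the first `#read` authorization is assumed to stand in for whatever view-only access Pat already has in place (the post only says it is "set up"); the GUI page authorizations a real view-only role also needs are not shown. The `#read` authorization omits `<phase>`, which in midPoint means it applies to both the request and the execution phase.

```xml
<!-- Constructed example: a role that can view users and shadows and
     request a reconciliation of a user, but cannot request any
     explicit modification. Role name and the #read authorization are
     assumptions; the two #modify authorizations are the ones from the
     mailing-list post. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Reconcile-only operator</name>

    <!-- View-only access (assumed stand-in for the existing read-only
         setup). No <phase> element, so it covers both phases. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>

    <!-- Execution phase: let the system apply whatever changes the
         reconciliation computes, on the user and on its shadows. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <type>UserType</type>
        </object>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>

    <!-- Request phase: the reconciliation request is an empty modify
         with reconcile=true, so a modify authorization restricted to an
         item that does not exist allows the empty request while
         allowing no explicit change to any real item. Leaving <item>
         out entirely would allow modifying anything. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>dummyItem</item>
    </authorization>
</role>
```

Import this role through the usual midPoint import page or REST endpoint and assign it to the operator; then verify from the user list that reconciliation succeeds while an explicit edit of, for example, the user's given name is refused in the request phase.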